Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0331
Vulnerability from certfr_avis - Published: 2026-03-20 - Updated: 2026-03-20
De multiples vulnérabilités ont été découvertes dans le noyau Linux d'Ubuntu. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ubuntu 20.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 24.04 LTS",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 18.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 25.10",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 22.04 LTS",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-36903",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36903"
},
{
"name": "CVE-2025-68234",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68234"
},
{
"name": "CVE-2025-40166",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40166"
},
{
"name": "CVE-2025-71075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71075"
},
{
"name": "CVE-2025-40273",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40273"
},
{
"name": "CVE-2025-68230",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68230"
},
{
"name": "CVE-2025-39992",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39992"
},
{
"name": "CVE-2026-23202",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23202"
},
{
"name": "CVE-2025-68324",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68324"
},
{
"name": "CVE-2025-39987",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39987"
},
{
"name": "CVE-2025-71086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71086"
},
{
"name": "CVE-2025-39812",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39812"
},
{
"name": "CVE-2025-40156",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40156"
},
{
"name": "CVE-2025-68342",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68342"
},
{
"name": "CVE-2025-68374",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68374"
},
{
"name": "CVE-2025-40137",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40137"
},
{
"name": "CVE-2025-22107",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22107"
},
{
"name": "CVE-2025-68373",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68373"
},
{
"name": "CVE-2025-39808",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39808"
},
{
"name": "CVE-2025-68286",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68286"
},
{
"name": "CVE-2025-68749",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68749"
},
{
"name": "CVE-2025-40057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40057"
},
{
"name": "CVE-2025-71094",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71094"
},
{
"name": "CVE-2025-68788",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68788"
},
{
"name": "CVE-2025-40055",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40055"
},
{
"name": "CVE-2025-39876",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39876"
},
{
"name": "CVE-2025-40314",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40314"
},
{
"name": "CVE-2025-40029",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40029"
},
{
"name": "CVE-2025-40037",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40037"
},
{
"name": "CVE-2025-40306",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40306"
},
{
"name": "CVE-2025-40008",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40008"
},
{
"name": "CVE-2025-39947",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39947"
},
{
"name": "CVE-2025-40048",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40048"
},
{
"name": "CVE-2025-68292",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68292"
},
{
"name": "CVE-2025-40254",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40254"
},
{
"name": "CVE-2025-71064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71064"
},
{
"name": "CVE-2025-40219",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40219"
},
{
"name": "CVE-2025-68200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68200"
},
{
"name": "CVE-2025-39902",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39902"
},
{
"name": "CVE-2025-40043",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40043"
},
{
"name": "CVE-2025-68176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68176"
},
{
"name": "CVE-2025-68741",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68741"
},
{
"name": "CVE-2025-68204",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68204"
},
{
"name": "CVE-2025-68795",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68795"
},
{
"name": "CVE-2025-68349",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68349"
},
{
"name": "CVE-2025-39948",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39948"
},
{
"name": "CVE-2025-39826",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39826"
},
{
"name": "CVE-2025-68380",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68380"
},
{
"name": "CVE-2025-68359",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68359"
},
{
"name": "CVE-2025-39973",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39973"
},
{
"name": "CVE-2025-39881",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39881"
},
{
"name": "CVE-2025-68283",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68283"
},
{
"name": "CVE-2021-47599",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47599"
},
{
"name": "CVE-2025-68246",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68246"
},
{
"name": "CVE-2025-68339",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68339"
},
{
"name": "CVE-2025-40287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40287"
},
{
"name": "CVE-2025-39943",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39943"
},
{
"name": "CVE-2025-39945",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39945"
},
{
"name": "CVE-2026-22992",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22992"
},
{
"name": "CVE-2022-49465",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49465"
},
{
"name": "CVE-2025-39883",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39883"
},
{
"name": "CVE-2025-68295",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68295"
},
{
"name": "CVE-2025-23129",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23129"
},
{
"name": "CVE-2025-68728",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68728"
},
{
"name": "CVE-2025-68364",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68364"
},
{
"name": "CVE-2025-40100",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40100"
},
{
"name": "CVE-2025-71087",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71087"
},
{
"name": "CVE-2025-40285",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40285"
},
{
"name": "CVE-2025-39827",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39827"
},
{
"name": "CVE-2025-22106",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22106"
},
{
"name": "CVE-2025-68287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68287"
},
{
"name": "CVE-2025-40240",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40240"
},
{
"name": "CVE-2025-39828",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39828"
},
{
"name": "CVE-2025-40081",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40081"
},
{
"name": "CVE-2025-68746",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68746"
},
{
"name": "CVE-2025-71133",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71133"
},
{
"name": "CVE-2025-40026",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40026"
},
{
"name": "CVE-2025-40153",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40153"
},
{
"name": "CVE-2025-40103",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40103"
},
{
"name": "CVE-2026-23020",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23020"
},
{
"name": "CVE-2025-40294",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40294"
},
{
"name": "CVE-2025-68796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68796"
},
{
"name": "CVE-2025-40016",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40016"
},
{
"name": "CVE-2025-40121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40121"
},
{
"name": "CVE-2025-40265",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40265"
},
{
"name": "CVE-2025-40312",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40312"
},
{
"name": "CVE-2025-40204",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40204"
},
{
"name": "CVE-2025-68220",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68220"
},
{
"name": "CVE-2025-22125",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22125"
},
{
"name": "CVE-2025-40171",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40171"
},
{
"name": "CVE-2025-68302",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68302"
},
{
"name": "CVE-2025-68238",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68238"
},
{
"name": "CVE-2025-68297",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68297"
},
{
"name": "CVE-2025-68299",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68299"
},
{
"name": "CVE-2025-40221",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40221"
},
{
"name": "CVE-2025-68804",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68804"
},
{
"name": "CVE-2025-68769",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68769"
},
{
"name": "CVE-2025-39811",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39811"
},
{
"name": "CVE-2025-40056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40056"
},
{
"name": "CVE-2025-39911",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39911"
},
{
"name": "CVE-2025-40125",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40125"
},
{
"name": "CVE-2025-40350",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40350"
},
{
"name": "CVE-2025-40309",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40309"
},
{
"name": "CVE-2025-40349",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40349"
},
{
"name": "CVE-2025-40052",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40052"
},
{
"name": "CVE-2025-68334",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68334"
},
{
"name": "CVE-2025-40343",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40343"
},
{
"name": "CVE-2025-68173",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68173"
},
{
"name": "CVE-2025-22103",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22103"
},
{
"name": "CVE-2025-68307",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68307"
},
{
"name": "CVE-2025-40308",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40308"
},
{
"name": "CVE-2025-40187",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40187"
},
{
"name": "CVE-2025-40315",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40315"
},
{
"name": "CVE-2025-37860",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37860"
},
{
"name": "CVE-2025-39913",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39913"
},
{
"name": "CVE-2025-68231",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68231"
},
{
"name": "CVE-2025-39950",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39950"
},
{
"name": "CVE-2025-40092",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40092"
},
{
"name": "CVE-2025-71098",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71098"
},
{
"name": "CVE-2025-40251",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40251"
},
{
"name": "CVE-2025-71078",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71078"
},
{
"name": "CVE-2025-39967",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39967"
},
{
"name": "CVE-2025-68184",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68184"
},
{
"name": "CVE-2025-40107",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40107"
},
{
"name": "CVE-2025-71083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71083"
},
{
"name": "CVE-2025-40115",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40115"
},
{
"name": "CVE-2025-68813",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68813"
},
{
"name": "CVE-2026-23047",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23047"
},
{
"name": "CVE-2025-22121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22121"
},
{
"name": "CVE-2025-68265",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68265"
},
{
"name": "CVE-2025-71085",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71085"
},
{
"name": "CVE-2025-39920",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39920"
},
{
"name": "CVE-2025-40058",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40058"
},
{
"name": "CVE-2025-68344",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68344"
},
{
"name": "CVE-2025-40347",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40347"
},
{
"name": "CVE-2025-71154",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71154"
},
{
"name": "CVE-2025-40198",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40198"
},
{
"name": "CVE-2025-39942",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39942"
},
{
"name": "CVE-2025-68310",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68310"
},
{
"name": "CVE-2025-68179",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68179"
},
{
"name": "CVE-2025-68229",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68229"
},
{
"name": "CVE-2025-68257",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68257"
},
{
"name": "CVE-2025-39929",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39929"
},
{
"name": "CVE-2025-39949",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39949"
},
{
"name": "CVE-2025-71084",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71084"
},
{
"name": "CVE-2025-40173",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40173"
},
{
"name": "CVE-2025-68321",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68321"
},
{
"name": "CVE-2025-68347",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68347"
},
{
"name": "CVE-2025-40010",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40010"
},
{
"name": "CVE-2025-39944",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39944"
},
{
"name": "CVE-2025-39923",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39923"
},
{
"name": "CVE-2025-68235",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68235"
},
{
"name": "CVE-2025-39866",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39866"
},
{
"name": "CVE-2025-39843",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39843"
},
{
"name": "CVE-2025-40311",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40311"
},
{
"name": "CVE-2025-68814",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68814"
},
{
"name": "CVE-2025-40237",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40237"
},
{
"name": "CVE-2025-68780",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68780"
},
{
"name": "CVE-2025-39953",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39953"
},
{
"name": "CVE-2025-71081",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71081"
},
{
"name": "CVE-2025-68738",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68738"
},
{
"name": "CVE-2025-40167",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40167"
},
{
"name": "CVE-2025-38105",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38105"
},
{
"name": "CVE-2025-39969",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39969"
},
{
"name": "CVE-2025-71121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71121"
},
{
"name": "CVE-2025-40194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40194"
},
{
"name": "CVE-2025-40333",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40333"
},
{
"name": "CVE-2025-38022",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38022"
},
{
"name": "CVE-2025-40245",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40245"
},
{
"name": "CVE-2025-39899",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39899"
},
{
"name": "CVE-2025-68754",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68754"
},
{
"name": "CVE-2025-40360",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40360"
},
{
"name": "CVE-2025-71136",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71136"
},
{
"name": "CVE-2025-22105",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22105"
},
{
"name": "CVE-2025-68354",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68354"
},
{
"name": "CVE-2025-68801",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68801"
},
{
"name": "CVE-2025-21833",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21833"
},
{
"name": "CVE-2025-40104",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40104"
},
{
"name": "CVE-2025-68258",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68258"
},
{
"name": "CVE-2025-39853",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39853"
},
{
"name": "CVE-2025-40001",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40001"
},
{
"name": "CVE-2025-39871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39871"
},
{
"name": "CVE-2025-39857",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39857"
},
{
"name": "CVE-2025-38709",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38709"
},
{
"name": "CVE-2025-40035",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40035"
},
{
"name": "CVE-2025-40322",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40322"
},
{
"name": "CVE-2025-39988",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39988"
},
{
"name": "CVE-2025-40313",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40313"
},
{
"name": "CVE-2025-39865",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39865"
},
{
"name": "CVE-2025-40233",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40233"
},
{
"name": "CVE-2025-40172",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40172"
},
{
"name": "CVE-2025-40020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40020"
},
{
"name": "CVE-2025-40188",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40188"
},
{
"name": "CVE-2025-40271",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40271"
},
{
"name": "CVE-2025-68306",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68306"
},
{
"name": "CVE-2025-39877",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39877"
},
{
"name": "CVE-2026-22991",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22991"
},
{
"name": "CVE-2025-38502",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38502"
},
{
"name": "CVE-2025-68300",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68300"
},
{
"name": "CVE-2025-39886",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39886"
},
{
"name": "CVE-2025-68763",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68763"
},
{
"name": "CVE-2025-68294",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68294"
},
{
"name": "CVE-2025-40290",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40290"
},
{
"name": "CVE-2025-68308",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68308"
},
{
"name": "CVE-2025-40249",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40249"
},
{
"name": "CVE-2025-40242",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40242"
},
{
"name": "CVE-2025-39838",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39838"
},
{
"name": "CVE-2025-39823",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39823"
},
{
"name": "CVE-2025-68198",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68198"
},
{
"name": "CVE-2025-39864",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39864"
},
{
"name": "CVE-2025-40013",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40013"
},
{
"name": "CVE-2025-68190",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68190"
},
{
"name": "CVE-2025-40169",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40169"
},
{
"name": "CVE-2025-39824",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39824"
},
{
"name": "CVE-2026-23207",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23207"
},
{
"name": "CVE-2025-40252",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40252"
},
{
"name": "CVE-2025-68218",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68218"
},
{
"name": "CVE-2025-40049",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40049"
},
{
"name": "CVE-2025-68255",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68255"
},
{
"name": "CVE-2025-68322",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68322"
},
{
"name": "CVE-2026-22980",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22980"
},
{
"name": "CVE-2025-39927",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39927"
},
{
"name": "CVE-2025-40024",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40024"
},
{
"name": "CVE-2025-40238",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40238"
},
{
"name": "CVE-2025-40277",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40277"
},
{
"name": "CVE-2025-40070",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40070"
},
{
"name": "CVE-2025-40106",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40106"
},
{
"name": "CVE-2025-40272",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40272"
},
{
"name": "CVE-2025-39842",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39842"
},
{
"name": "CVE-2025-40047",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40047"
},
{
"name": "CVE-2025-71093",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71093"
},
{
"name": "CVE-2025-71102",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71102"
},
{
"name": "CVE-2025-68759",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68759"
},
{
"name": "CVE-2026-23019",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23019"
},
{
"name": "CVE-2025-39815",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39815"
},
{
"name": "CVE-2025-40345",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40345"
},
{
"name": "CVE-2025-40205",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40205"
},
{
"name": "CVE-2025-39849",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39849"
},
{
"name": "CVE-2025-40033",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40033"
},
{
"name": "CVE-2025-68733",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68733"
},
{
"name": "CVE-2025-39894",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39894"
},
{
"name": "CVE-2025-39861",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39861"
},
{
"name": "CVE-2025-68215",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68215"
},
{
"name": "CVE-2025-40269",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40269"
},
{
"name": "CVE-2025-68228",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68228"
},
{
"name": "CVE-2025-68335",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68335"
},
{
"name": "CVE-2025-71079",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71079"
},
{
"name": "CVE-2025-62626",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62626"
},
{
"name": "CVE-2025-39940",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39940"
},
{
"name": "CVE-2025-68338",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68338"
},
{
"name": "CVE-2025-68304",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68304"
},
{
"name": "CVE-2025-68370",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68370"
},
{
"name": "CVE-2025-39977",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39977"
},
{
"name": "CVE-2025-68330",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68330"
},
{
"name": "CVE-2025-40027",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40027"
},
{
"name": "CVE-2025-39885",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39885"
},
{
"name": "CVE-2025-68180",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68180"
},
{
"name": "CVE-2025-68343",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68343"
},
{
"name": "CVE-2025-68726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68726"
},
{
"name": "CVE-2025-21780",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21780"
},
{
"name": "CVE-2025-68201",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68201"
},
{
"name": "CVE-2025-40289",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40289"
},
{
"name": "CVE-2025-68785",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68785"
},
{
"name": "CVE-2024-37354",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37354"
},
{
"name": "CVE-2025-68808",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68808"
},
{
"name": "CVE-2025-68748",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68748"
},
{
"name": "CVE-2025-68223",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68223"
},
{
"name": "CVE-2025-68783",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68783"
},
{
"name": "CVE-2025-39970",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39970"
},
{
"name": "CVE-2025-40292",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40292"
},
{
"name": "CVE-2025-71147",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71147"
},
{
"name": "CVE-2025-40032",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40032"
},
{
"name": "CVE-2025-39981",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39981"
},
{
"name": "CVE-2025-68724",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68724"
},
{
"name": "CVE-2025-39994",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39994"
},
{
"name": "CVE-2022-48875",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48875"
},
{
"name": "CVE-2025-68797",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68797"
},
{
"name": "CVE-2025-38627",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38627"
},
{
"name": "CVE-2024-49968",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49968"
},
{
"name": "CVE-2025-68358",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68358"
},
{
"name": "CVE-2025-40206",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40206"
},
{
"name": "CVE-2025-40218",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40218"
},
{
"name": "CVE-2025-40088",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40088"
},
{
"name": "CVE-2025-40220",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40220"
},
{
"name": "CVE-2025-39845",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39845"
},
{
"name": "CVE-2025-68237",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68237"
},
{
"name": "CVE-2025-40257",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40257"
},
{
"name": "CVE-2025-68259",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68259"
},
{
"name": "CVE-2025-71125",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71125"
},
{
"name": "CVE-2025-71108",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71108"
},
{
"name": "CVE-2025-71069",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71069"
},
{
"name": "CVE-2025-68312",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68312"
},
{
"name": "CVE-2025-68284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68284"
},
{
"name": "CVE-2025-40062",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40062"
},
{
"name": "CVE-2025-68194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68194"
},
{
"name": "CVE-2025-68356",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68356"
},
{
"name": "CVE-2025-40067",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40067"
},
{
"name": "CVE-2025-40109",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40109"
},
{
"name": "CVE-2025-40101",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40101"
},
{
"name": "CVE-2025-40006",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40006"
},
{
"name": "CVE-2025-40038",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40038"
},
{
"name": "CVE-2025-68183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68183"
},
{
"name": "CVE-2025-39805",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39805"
},
{
"name": "CVE-2025-68774",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68774"
},
{
"name": "CVE-2025-40263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40263"
},
{
"name": "CVE-2025-40353",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40353"
},
{
"name": "CVE-2025-40011",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40011"
},
{
"name": "CVE-2025-40085",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40085"
},
{
"name": "CVE-2025-71180",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71180"
},
{
"name": "CVE-2025-68244",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68244"
},
{
"name": "CVE-2025-40231",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40231"
},
{
"name": "CVE-2024-46830",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46830"
},
{
"name": "CVE-2024-47666",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47666"
},
{
"name": "CVE-2025-40278",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40278"
},
{
"name": "CVE-2025-22113",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22113"
},
{
"name": "CVE-2025-40176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40176"
},
{
"name": "CVE-2025-40342",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40342"
},
{
"name": "CVE-2025-71128",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71128"
},
{
"name": "CVE-2025-71082",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71082"
},
{
"name": "CVE-2025-68222",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68222"
},
{
"name": "CVE-2025-68743",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68743"
},
{
"name": "CVE-2025-68765",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68765"
},
{
"name": "CVE-2025-23143",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23143"
},
{
"name": "CVE-2025-71132",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71132"
},
{
"name": "CVE-2025-40193",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40193"
},
{
"name": "CVE-2025-71077",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71077"
},
{
"name": "CVE-2024-36927",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36927"
},
{
"name": "CVE-2025-40279",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40279"
},
{
"name": "CVE-2025-68328",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68328"
},
{
"name": "CVE-2025-40201",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40201"
},
{
"name": "CVE-2025-40084",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40084"
},
{
"name": "CVE-2025-22111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22111"
},
{
"name": "CVE-2025-68232",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68232"
},
{
"name": "CVE-2025-68311",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68311"
},
{
"name": "CVE-2025-71114",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71114"
},
{
"name": "CVE-2025-68348",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68348"
},
{
"name": "CVE-2025-68744",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68744"
},
{
"name": "CVE-2025-71182",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71182"
},
{
"name": "CVE-2025-68320",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68320"
},
{
"name": "CVE-2025-40341",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40341"
},
{
"name": "CVE-2025-40183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40183"
},
{
"name": "CVE-2026-22990",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22990"
},
{
"name": "CVE-2025-68376",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68376"
},
{
"name": "CVE-2025-68172",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68172"
},
{
"name": "CVE-2025-39998",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39998"
},
{
"name": "CVE-2025-68821",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68821"
},
{
"name": "CVE-2025-40134",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40134"
},
{
"name": "CVE-2025-68325",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68325"
},
{
"name": "CVE-2025-39968",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39968"
},
{
"name": "CVE-2025-40358",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40358"
},
{
"name": "CVE-2025-40165",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40165"
},
{
"name": "CVE-2025-68341",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68341"
},
{
"name": "CVE-2025-68296",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68296"
},
{
"name": "CVE-2025-68361",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68361"
},
{
"name": "CVE-2025-40328",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40328"
},
{
"name": "CVE-2025-68332",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68332"
},
{
"name": "CVE-2025-39986",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39986"
},
{
"name": "CVE-2025-71104",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71104"
},
{
"name": "CVE-2026-22978",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22978"
},
{
"name": "CVE-2025-39901",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39901"
},
{
"name": "CVE-2025-40283",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40283"
},
{
"name": "CVE-2025-39955",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39955"
},
{
"name": "CVE-2025-40324",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40324"
},
{
"name": "CVE-2025-68378",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68378"
},
{
"name": "CVE-2025-68752",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68752"
},
{
"name": "CVE-2025-38129",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38129"
},
{
"name": "CVE-2025-40250",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40250"
},
{
"name": "CVE-2025-40264",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40264"
},
{
"name": "CVE-2025-40255",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40255"
},
{
"name": "CVE-2025-40246",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40246"
},
{
"name": "CVE-2025-68367",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68367"
},
{
"name": "CVE-2025-40226",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40226"
},
{
"name": "CVE-2025-40078",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40078"
},
{
"name": "CVE-2025-68820",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68820"
},
{
"name": "CVE-2025-68756",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68756"
},
{
"name": "CVE-2025-40321",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40321"
},
{
"name": "CVE-2025-68360",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68360"
},
{
"name": "CVE-2025-40116",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40116"
},
{
"name": "CVE-2025-39895",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39895"
},
{
"name": "CVE-2025-68249",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68249"
},
{
"name": "CVE-2025-68740",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68740"
},
{
"name": "CVE-2025-39934",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39934"
},
{
"name": "CVE-2025-39978",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39978"
},
{
"name": "CVE-2025-40179",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40179"
},
{
"name": "CVE-2025-68742",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68742"
},
{
"name": "CVE-2025-40127",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40127"
},
{
"name": "CVE-2025-40282",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40282"
},
{
"name": "CVE-2025-39996",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39996"
},
{
"name": "CVE-2025-40053",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40053"
},
{
"name": "CVE-2025-39951",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39951"
},
{
"name": "CVE-2025-40120",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40120"
},
{
"name": "CVE-2025-68816",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68816"
},
{
"name": "CVE-2025-39914",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39914"
},
{
"name": "CVE-2025-68192",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68192"
},
{
"name": "CVE-2025-39697",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39697"
},
{
"name": "CVE-2025-68379",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68379"
},
{
"name": "CVE-2025-68256",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68256"
},
{
"name": "CVE-2025-68777",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68777"
},
{
"name": "CVE-2025-68254",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68254"
},
{
"name": "CVE-2025-39938",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39938"
},
{
"name": "CVE-2025-40243",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40243"
},
{
"name": "CVE-2025-40196",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40196"
},
{
"name": "CVE-2025-39982",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39982"
},
{
"name": "CVE-2025-40129",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40129"
},
{
"name": "CVE-2025-39965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39965"
},
{
"name": "CVE-2025-38556",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38556"
},
{
"name": "CVE-2025-68171",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68171"
},
{
"name": "CVE-2025-39932",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39932"
},
{
"name": "CVE-2025-40301",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40301"
},
{
"name": "CVE-2025-40040",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40040"
},
{
"name": "CVE-2025-39810",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39810"
},
{
"name": "CVE-2026-22982",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22982"
},
{
"name": "CVE-2025-68298",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68298"
},
{
"name": "CVE-2025-40207",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40207"
},
{
"name": "CVE-2025-40095",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40095"
},
{
"name": "CVE-2025-68747",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68747"
},
{
"name": "CVE-2025-71118",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71118"
},
{
"name": "CVE-2025-39860",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39860"
},
{
"name": "CVE-2025-40286",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40286"
},
{
"name": "CVE-2025-68327",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68327"
},
{
"name": "CVE-2025-40318",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40318"
},
{
"name": "CVE-2025-40266",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40266"
},
{
"name": "CVE-2025-68241",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68241"
},
{
"name": "CVE-2025-40118",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40118"
},
{
"name": "CVE-2025-40021",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40021"
},
{
"name": "CVE-2025-39839",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39839"
},
{
"name": "CVE-2025-68734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68734"
},
{
"name": "CVE-2025-68776",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68776"
},
{
"name": "CVE-2025-71066",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71066"
},
{
"name": "CVE-2025-39848",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39848"
},
{
"name": "CVE-2025-68799",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68799"
},
{
"name": "CVE-2025-68345",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68345"
},
{
"name": "CVE-2025-40044",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40044"
},
{
"name": "CVE-2025-71097",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71097"
},
{
"name": "CVE-2025-40105",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40105"
},
{
"name": "CVE-2025-68288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68288"
},
{
"name": "CVE-2025-68739",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68739"
},
{
"name": "CVE-2025-39916",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39916"
},
{
"name": "CVE-2025-40112",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40112"
},
{
"name": "CVE-2025-40079",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40079"
},
{
"name": "CVE-2025-40260",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40260"
},
{
"name": "CVE-2025-40310",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40310"
},
{
"name": "CVE-2025-40083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40083"
},
{
"name": "CVE-2025-71111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71111"
},
{
"name": "CVE-2025-39971",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39971"
},
{
"name": "CVE-2025-40154",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40154"
},
{
"name": "CVE-2025-40331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40331"
},
{
"name": "CVE-2025-68337",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68337"
},
{
"name": "CVE-2025-40093",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40093"
},
{
"name": "CVE-2025-39825",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39825"
},
{
"name": "CVE-2025-71131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71131"
},
{
"name": "CVE-2025-39852",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39852"
},
{
"name": "CVE-2025-71116",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71116"
},
{
"name": "CVE-2025-40235",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40235"
},
{
"name": "CVE-2025-39991",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39991"
},
{
"name": "CVE-2025-68281",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68281"
},
{
"name": "CVE-2025-68729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68729"
},
{
"name": "CVE-2025-68208",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68208"
},
{
"name": "CVE-2025-68362",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68362"
},
{
"name": "CVE-2025-68236",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68236"
},
{
"name": "CVE-2025-68333",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68333"
},
{
"name": "CVE-2025-39806",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39806"
},
{
"name": "CVE-2025-68290",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68290"
},
{
"name": "CVE-2025-40280",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40280"
},
{
"name": "CVE-2025-40099",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40099"
},
{
"name": "CVE-2025-40031",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40031"
},
{
"name": "CVE-2025-40180",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40180"
},
{
"name": "CVE-2025-40293",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40293"
},
{
"name": "CVE-2025-68751",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68751"
},
{
"name": "CVE-2025-68803",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68803"
},
{
"name": "CVE-2025-39851",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39851"
},
{
"name": "CVE-2025-68331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68331"
},
{
"name": "CVE-2025-40126",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40126"
},
{
"name": "CVE-2025-39972",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39972"
},
{
"name": "CVE-2026-22976",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22976"
},
{
"name": "CVE-2025-68760",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68760"
},
{
"name": "CVE-2025-68305",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68305"
},
{
"name": "CVE-2025-68352",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68352"
},
{
"name": "CVE-2025-68214",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68214"
},
{
"name": "CVE-2025-40320",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40320"
},
{
"name": "CVE-2025-39870",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39870"
},
{
"name": "CVE-2025-40247",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40247"
},
{
"name": "CVE-2025-68375",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68375"
},
{
"name": "CVE-2025-68753",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68753"
},
{
"name": "CVE-2025-68369",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68369"
},
{
"name": "CVE-2025-39807",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39807"
},
{
"name": "CVE-2025-71112",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71112"
},
{
"name": "CVE-2025-22022",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22022"
},
{
"name": "CVE-2025-40192",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40192"
},
{
"name": "CVE-2025-40200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40200"
},
{
"name": "CVE-2025-68818",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68818"
},
{
"name": "CVE-2025-40124",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40124"
},
{
"name": "CVE-2025-39880",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39880"
},
{
"name": "CVE-2025-40094",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40094"
},
{
"name": "CVE-2025-40160",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40160"
},
{
"name": "CVE-2025-40284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40284"
},
{
"name": "CVE-2025-40077",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40077"
},
{
"name": "CVE-2024-41014",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41014"
},
{
"name": "CVE-2025-40071",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40071"
},
{
"name": "CVE-2025-68329",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68329"
},
{
"name": "CVE-2025-68366",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68366"
},
{
"name": "CVE-2025-40305",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40305"
},
{
"name": "CVE-2025-40080",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40080"
},
{
"name": "CVE-2025-39846",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39846"
},
{
"name": "CVE-2025-68815",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68815"
},
{
"name": "CVE-2025-40215",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40215"
},
{
"name": "CVE-2025-40307",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40307"
},
{
"name": "CVE-2025-40111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40111"
},
{
"name": "CVE-2025-68346",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68346"
},
{
"name": "CVE-2025-40211",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40211"
},
{
"name": "CVE-2025-40068",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40068"
},
{
"name": "CVE-2025-68315",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68315"
},
{
"name": "CVE-2025-39850",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39850"
},
{
"name": "CVE-2022-49072",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49072"
},
{
"name": "CVE-2025-40042",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40042"
},
{
"name": "CVE-2025-40155",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40155"
},
{
"name": "CVE-2025-71096",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71096"
},
{
"name": "CVE-2025-39844",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39844"
},
{
"name": "CVE-2025-71105",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71105"
},
{
"name": "CVE-2025-68266",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68266"
},
{
"name": "CVE-2025-68771",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68771"
},
{
"name": "CVE-2025-39961",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39961"
},
{
"name": "CVE-2025-68363",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68363"
},
{
"name": "CVE-2025-40248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40248"
},
{
"name": "CVE-2026-22984",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22984"
},
{
"name": "CVE-2024-49927",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49927"
},
{
"name": "CVE-2025-68303",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68303"
},
{
"name": "CVE-2025-39863",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39863"
},
{
"name": "CVE-2025-40259",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40259"
},
{
"name": "CVE-2025-68757",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68757"
},
{
"name": "CVE-2025-71068",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71068"
},
{
"name": "CVE-2025-23130",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23130"
},
{
"name": "CVE-2025-40329",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40329"
},
{
"name": "CVE-2025-39957",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39957"
},
{
"name": "CVE-2025-39931",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39931"
},
{
"name": "CVE-2026-22977",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22977"
},
{
"name": "CVE-2025-39937",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39937"
},
{
"name": "CVE-2025-68766",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68766"
},
{
"name": "CVE-2025-39817",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39817"
},
{
"name": "CVE-2025-40060",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40060"
},
{
"name": "CVE-2025-39891",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39891"
},
{
"name": "CVE-2025-40059",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40059"
},
{
"name": "CVE-2025-68168",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68168"
},
{
"name": "CVE-2025-39897",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39897"
},
{
"name": "CVE-2025-68326",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68326"
},
{
"name": "CVE-2025-68372",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68372"
},
{
"name": "CVE-2025-22124",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22124"
},
{
"name": "CVE-2025-68313",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68313"
},
{
"name": "CVE-2025-71137",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71137"
},
{
"name": "CVE-2025-40123",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40123"
},
{
"name": "CVE-2025-68301",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68301"
},
{
"name": "CVE-2025-39854",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39854"
},
{
"name": "CVE-2025-68217",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68217"
},
{
"name": "CVE-2025-40178",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40178"
},
{
"name": "CVE-2025-68212",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68212"
},
{
"name": "CVE-2025-68289",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68289"
},
{
"name": "CVE-2025-40363",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40363"
},
{
"name": "CVE-2025-39869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39869"
},
{
"name": "CVE-2025-40253",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40253"
},
{
"name": "CVE-2025-39985",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39985"
},
{
"name": "CVE-2025-68245",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68245"
},
{
"name": "CVE-2025-68730",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68730"
},
{
"name": "CVE-2025-68213",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68213"
},
{
"name": "CVE-2025-39952",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39952"
},
{
"name": "CVE-2025-40317",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40317"
},
{
"name": "CVE-2025-68233",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68233"
},
{
"name": "CVE-2025-71120",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71120"
},
{
"name": "CVE-2025-68282",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68282"
},
{
"name": "CVE-2025-68225",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68225"
},
{
"name": "CVE-2025-68787",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68787"
},
{
"name": "CVE-2025-23133",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23133"
},
{
"name": "CVE-2025-68782",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68782"
},
{
"name": "CVE-2025-68177",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68177"
},
{
"name": "CVE-2025-68758",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68758"
},
{
"name": "CVE-2025-68191",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68191"
},
{
"name": "CVE-2025-71113",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71113"
},
{
"name": "CVE-2025-71127",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71127"
},
{
"name": "CVE-2025-40141",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40141"
},
{
"name": "CVE-2025-68340",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68340"
},
{
"name": "CVE-2025-39678",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39678"
},
{
"name": "CVE-2025-68219",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68219"
},
{
"name": "CVE-2025-40288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40288"
},
{
"name": "CVE-2025-40258",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40258"
},
{
"name": "CVE-2025-40281",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40281"
},
{
"name": "CVE-2025-68185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68185"
},
{
"name": "CVE-2025-40304",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40304"
},
{
"name": "CVE-2025-40110",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40110"
},
{
"name": "CVE-2025-40268",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40268"
},
{
"name": "CVE-2025-39980",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39980"
},
{
"name": "CVE-2025-40009",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40009"
},
{
"name": "CVE-2025-68336",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68336"
},
{
"name": "CVE-2025-40303",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40303"
},
{
"name": "CVE-2025-68323",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68323"
},
{
"name": "CVE-2025-68178",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68178"
},
{
"name": "CVE-2025-40337",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40337"
},
{
"name": "CVE-2025-40346",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40346"
},
{
"name": "CVE-2025-40036",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40036"
},
{
"name": "CVE-2025-68221",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68221"
},
{
"name": "CVE-2025-39832",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39832"
},
{
"name": "CVE-2025-40000",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40000"
},
{
"name": "CVE-2025-40262",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40262"
},
{
"name": "CVE-2025-68262",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68262"
},
{
"name": "CVE-2025-39813",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39813"
},
{
"name": "CVE-2025-68819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68819"
},
{
"name": "CVE-2025-40261",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40261"
},
{
"name": "CVE-2025-38643",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38643"
},
{
"name": "CVE-2025-40030",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40030"
},
{
"name": "CVE-2025-40244",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40244"
},
{
"name": "CVE-2025-39995",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39995"
},
{
"name": "CVE-2025-68735",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68735"
},
{
"name": "CVE-2026-23021",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23021"
},
{
"name": "CVE-2025-39847",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39847"
},
{
"name": "CVE-2025-39819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39819"
},
{
"name": "CVE-2025-68732",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68732"
},
{
"name": "CVE-2025-40323",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40323"
},
{
"name": "CVE-2025-39835",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39835"
},
{
"name": "CVE-2025-68285",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68285"
},
{
"name": "CVE-2025-40096",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40096"
},
{
"name": "CVE-2024-56640",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56640"
},
{
"name": "CVE-2025-39841",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39841"
},
{
"name": "CVE-2025-68371",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68371"
},
{
"name": "CVE-2025-40275",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40275"
},
{
"name": "CVE-2025-39907",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39907"
},
{
"name": "CVE-2025-39829",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39829"
},
{
"name": "CVE-2025-71091",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71091"
},
{
"name": "CVE-2025-39909",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39909"
},
{
"name": "CVE-2025-68227",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68227"
},
{
"name": "CVE-2025-40339",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40339"
},
{
"name": "CVE-2025-40140",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40140"
},
{
"name": "CVE-2025-40223",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40223"
},
{
"name": "CVE-2025-40061",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40061"
},
{
"name": "CVE-2025-68263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68263"
},
{
"name": "CVE-2025-68293",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68293"
},
{
"name": "CVE-2025-68800",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68800"
},
{
"name": "CVE-2025-68261",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68261"
},
{
"name": "CVE-2025-68755",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68755"
},
{
"name": "CVE-2025-68767",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68767"
},
{
"name": "CVE-2022-49267",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49267"
},
{
"name": "CVE-2025-39873",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39873"
},
{
"name": "CVE-2025-40159",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40159"
},
{
"name": "CVE-2025-40319",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40319"
},
{
"name": "CVE-2025-68727",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68727"
},
{
"name": "CVE-2025-39836",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39836"
},
{
"name": "CVE-2025-40051",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40051"
},
{
"name": "CVE-2025-40351",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40351"
},
{
"name": "CVE-2025-68264",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68264"
},
{
"name": "CVE-2025-40087",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40087"
},
{
"name": "CVE-2025-68762",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68762"
},
{
"name": "CVE-2025-68764",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68764"
}
],
"initial_release_date": "2026-03-20T00:00:00",
"last_revision_date": "2026-03-20T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0331",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-03-20T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux d\u0027Ubuntu. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux d\u0027Ubuntu",
"vendor_advisories": [
{
"published_at": "2026-03-16",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8096-2",
"url": "https://ubuntu.com/security/notices/USN-8096-2"
},
{
"published_at": "2026-03-16",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8095-1",
"url": "https://ubuntu.com/security/notices/USN-8095-1"
},
{
"published_at": "2026-03-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8096-4",
"url": "https://ubuntu.com/security/notices/USN-8096-4"
},
{
"published_at": "2026-03-16",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8098-1",
"url": "https://ubuntu.com/security/notices/USN-8098-1"
},
{
"published_at": "2026-03-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8094-2",
"url": "https://ubuntu.com/security/notices/USN-8094-2"
},
{
"published_at": "2026-03-16",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8100-1",
"url": "https://ubuntu.com/security/notices/USN-8100-1"
},
{
"published_at": "2026-03-18",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8107-1",
"url": "https://ubuntu.com/security/notices/USN-8107-1"
},
{
"published_at": "2026-03-16",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8094-1",
"url": "https://ubuntu.com/security/notices/USN-8094-1"
},
{
"published_at": "2026-03-18",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8098-3",
"url": "https://ubuntu.com/security/notices/USN-8098-3"
},
{
"published_at": "2026-03-16",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8095-2",
"url": "https://ubuntu.com/security/notices/USN-8095-2"
},
{
"published_at": "2026-03-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8096-3",
"url": "https://ubuntu.com/security/notices/USN-8096-3"
},
{
"published_at": "2026-03-16",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8096-1",
"url": "https://ubuntu.com/security/notices/USN-8096-1"
},
{
"published_at": "2026-03-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8095-3",
"url": "https://ubuntu.com/security/notices/USN-8095-3"
},
{
"published_at": "2026-03-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8098-2",
"url": "https://ubuntu.com/security/notices/USN-8098-2"
}
]
}
CVE-2025-68287 (GCVE-0-2025-68287)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
This patch addresses a race condition caused by unsynchronized
execution of multiple call paths invoking `dwc3_remove_requests()`,
leading to premature freeing of USB requests and subsequent crashes.
Three distinct execution paths interact with `dwc3_remove_requests()`:
Path 1:
Triggered via `dwc3_gadget_reset_interrupt()` during USB reset
handling. The call stack includes:
- `dwc3_ep0_reset_state()`
- `dwc3_ep0_stall_and_restart()`
- `dwc3_ep0_out_start()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 2:
Also initiated from `dwc3_gadget_reset_interrupt()`, but through
`dwc3_stop_active_transfers()`. The call stack includes:
- `dwc3_stop_active_transfers()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 3:
Occurs independently during `adb root` execution, which triggers
USB function unbind and bind operations. The sequence includes:
- `gserial_disconnect()`
- `usb_ep_disable()`
- `dwc3_gadget_ep_disable()`
- `dwc3_remove_requests()` with `-ESHUTDOWN` status
Path 3 operates asynchronously and lacks synchronization with Paths
1 and 2. When Path 3 completes, it disables endpoints and frees 'out'
requests. If Paths 1 or 2 are still processing these requests,
accessing freed memory leads to a crash due to use-after-free conditions.
To fix this added check for request completion and skip processing
if already completed and added the request status for ep0 while queue.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
72246da40f3719af3bfd104a2365b32537c27d83 , < 467add9db13219101f14b6cc5477998b4aaa5fe2
(git)
Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 67192e8cb7f941b5bba91e4bb290683576ce1607 (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 47de14d741cc4057046c9e2f33df1f7828254e6c (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < afc0e34f161ce61ad351303c46eb57bd44b8b090 (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 7cfb62888eba292fa35cd9ddbd28ce595f60e139 (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < fa5eaf701e576880070b60922200557ae4aa54e1 (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < e4037689a366743c4233966f0e74bc455820d316 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/ep0.c",
"drivers/usb/dwc3/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "467add9db13219101f14b6cc5477998b4aaa5fe2",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "67192e8cb7f941b5bba91e4bb290683576ce1607",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "47de14d741cc4057046c9e2f33df1f7828254e6c",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "afc0e34f161ce61ad351303c46eb57bd44b8b090",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "7cfb62888eba292fa35cd9ddbd28ce595f60e139",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "fa5eaf701e576880070b60922200557ae4aa54e1",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "e4037689a366743c4233966f0e74bc455820d316",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/ep0.c",
"drivers/usb/dwc3/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths\n\nThis patch addresses a race condition caused by unsynchronized\nexecution of multiple call paths invoking `dwc3_remove_requests()`,\nleading to premature freeing of USB requests and subsequent crashes.\n\nThree distinct execution paths interact with `dwc3_remove_requests()`:\nPath 1:\nTriggered via `dwc3_gadget_reset_interrupt()` during USB reset\nhandling. The call stack includes:\n- `dwc3_ep0_reset_state()`\n- `dwc3_ep0_stall_and_restart()`\n- `dwc3_ep0_out_start()`\n- `dwc3_remove_requests()`\n- `dwc3_gadget_del_and_unmap_request()`\n\nPath 2:\nAlso initiated from `dwc3_gadget_reset_interrupt()`, but through\n`dwc3_stop_active_transfers()`. The call stack includes:\n- `dwc3_stop_active_transfers()`\n- `dwc3_remove_requests()`\n- `dwc3_gadget_del_and_unmap_request()`\n\nPath 3:\nOccurs independently during `adb root` execution, which triggers\nUSB function unbind and bind operations. The sequence includes:\n- `gserial_disconnect()`\n- `usb_ep_disable()`\n- `dwc3_gadget_ep_disable()`\n- `dwc3_remove_requests()` with `-ESHUTDOWN` status\n\nPath 3 operates asynchronously and lacks synchronization with Paths\n1 and 2. When Path 3 completes, it disables endpoints and frees \u0027out\u0027\nrequests. If Paths 1 or 2 are still processing these requests,\naccessing freed memory leads to a crash due to use-after-free conditions.\n\nTo fix this added check for request completion and skip processing\nif already completed and added the request status for ep0 while queue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:08.711Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/467add9db13219101f14b6cc5477998b4aaa5fe2"
},
{
"url": "https://git.kernel.org/stable/c/67192e8cb7f941b5bba91e4bb290683576ce1607"
},
{
"url": "https://git.kernel.org/stable/c/47de14d741cc4057046c9e2f33df1f7828254e6c"
},
{
"url": "https://git.kernel.org/stable/c/afc0e34f161ce61ad351303c46eb57bd44b8b090"
},
{
"url": "https://git.kernel.org/stable/c/7cfb62888eba292fa35cd9ddbd28ce595f60e139"
},
{
"url": "https://git.kernel.org/stable/c/fa5eaf701e576880070b60922200557ae4aa54e1"
},
{
"url": "https://git.kernel.org/stable/c/e4037689a366743c4233966f0e74bc455820d316"
}
],
"title": "usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68287",
"datePublished": "2025-12-16T15:06:08.711Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-16T15:06:08.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68249 (GCVE-0-2025-68249)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:32 – Updated: 2025-12-16 14:32
VLAI?
EPSS
Title
most: usb: hdm_probe: Fix calling put_device() before device initialization
Summary
In the Linux kernel, the following vulnerability has been resolved:
most: usb: hdm_probe: Fix calling put_device() before device initialization
The early error path in hdm_probe() can jump to err_free_mdev before
&mdev->dev has been initialized with device_initialize(). Calling
put_device(&mdev->dev) there triggers a device core WARN and ends up
invoking kref_put(&kobj->kref, kobject_release) on an uninitialized
kobject.
In this path the private struct was only kmalloc'ed and the intended
release is effectively kfree(mdev) anyway, so free it directly instead
of calling put_device() on an uninitialized device.
This removes the WARNING and fixes the pre-initialization error path.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 3509c748e79435d09e730673c8c100b7f0ebc87c
(git)
Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < ad2be44882716dc3589fbc5572cc13f88ead6b24 (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < c400410fe0580dd6118ae8d60287ac9ce71a65fd (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 6fb8fbc0aa542af5bf0fed94fa6b0edf18144f95 (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 7d851f746067b8ee5bac9c262f326ace0a6ea253 (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 4af0eedbdb4df7936bf43a28e31af232744d2620 (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < a8cc9e5fcb0e2eef21513a4fec888f5712cb8162 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3509c748e79435d09e730673c8c100b7f0ebc87c",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "ad2be44882716dc3589fbc5572cc13f88ead6b24",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "c400410fe0580dd6118ae8d60287ac9ce71a65fd",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "6fb8fbc0aa542af5bf0fed94fa6b0edf18144f95",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "7d851f746067b8ee5bac9c262f326ace0a6ea253",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "4af0eedbdb4df7936bf43a28e31af232744d2620",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "a8cc9e5fcb0e2eef21513a4fec888f5712cb8162",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: usb: hdm_probe: Fix calling put_device() before device initialization\n\nThe early error path in hdm_probe() can jump to err_free_mdev before\n\u0026mdev-\u003edev has been initialized with device_initialize(). Calling\nput_device(\u0026mdev-\u003edev) there triggers a device core WARN and ends up\ninvoking kref_put(\u0026kobj-\u003ekref, kobject_release) on an uninitialized\nkobject.\n\nIn this path the private struct was only kmalloc\u0027ed and the intended\nrelease is effectively kfree(mdev) anyway, so free it directly instead\nof calling put_device() on an uninitialized device.\n\nThis removes the WARNING and fixes the pre-initialization error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:32:16.370Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3509c748e79435d09e730673c8c100b7f0ebc87c"
},
{
"url": "https://git.kernel.org/stable/c/ad2be44882716dc3589fbc5572cc13f88ead6b24"
},
{
"url": "https://git.kernel.org/stable/c/c400410fe0580dd6118ae8d60287ac9ce71a65fd"
},
{
"url": "https://git.kernel.org/stable/c/6fb8fbc0aa542af5bf0fed94fa6b0edf18144f95"
},
{
"url": "https://git.kernel.org/stable/c/7d851f746067b8ee5bac9c262f326ace0a6ea253"
},
{
"url": "https://git.kernel.org/stable/c/4af0eedbdb4df7936bf43a28e31af232744d2620"
},
{
"url": "https://git.kernel.org/stable/c/a8cc9e5fcb0e2eef21513a4fec888f5712cb8162"
}
],
"title": "most: usb: hdm_probe: Fix calling put_device() before device initialization",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68249",
"datePublished": "2025-12-16T14:32:16.370Z",
"dateReserved": "2025-12-16T13:41:40.266Z",
"dateUpdated": "2025-12-16T14:32:16.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68256 (GCVE-0-2025-68256)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:44 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
The Information Element (IE) parser rtw_get_ie() trusted the length
byte of each IE without validating that the IE body (len bytes after
the 2-byte header) fits inside the remaining frame buffer. A malformed
frame can advertise an IE length larger than the available data, causing
the parser to increment its pointer beyond the buffer end. This results
in out-of-bounds reads or, depending on the pattern, an infinite loop.
Fix by validating that (offset + 2 + len) does not exceed the limit
before accepting the IE or advancing to the next element.
This prevents OOB reads and ensures the parser terminates safely on
malformed frames.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
554c0a3abf216c991c5ebddcdb2c08689ecd290b , < b977eb31802817f4a37da95bf16bfdaa1eeb5fc2
(git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 30c558447e90935f0de61be181bbcedf75952e00 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < a54e2b2db1b7de2e008b4f62eec35aaefcc663c5 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < df191dd9f4c7249d98ada55634fa8ac19089b8cb (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < c0d93d69e1472ba75b78898979b90a98ba2a2501 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 154828bf9559b9c8421fc2f0d7f7f76b3683aaed (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_ieee80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b977eb31802817f4a37da95bf16bfdaa1eeb5fc2",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "30c558447e90935f0de61be181bbcedf75952e00",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "a54e2b2db1b7de2e008b4f62eec35aaefcc663c5",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "df191dd9f4c7249d98ada55634fa8ac19089b8cb",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "c0d93d69e1472ba75b78898979b90a98ba2a2501",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "154828bf9559b9c8421fc2f0d7f7f76b3683aaed",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_ieee80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser\n\nThe Information Element (IE) parser rtw_get_ie() trusted the length\nbyte of each IE without validating that the IE body (len bytes after\nthe 2-byte header) fits inside the remaining frame buffer. A malformed\nframe can advertise an IE length larger than the available data, causing\nthe parser to increment its pointer beyond the buffer end. This results\nin out-of-bounds reads or, depending on the pattern, an infinite loop.\n\nFix by validating that (offset + 2 + len) does not exceed the limit\nbefore accepting the IE or advancing to the next element.\n\nThis prevents OOB reads and ensures the parser terminates safely on\nmalformed frames."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:09.387Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b977eb31802817f4a37da95bf16bfdaa1eeb5fc2"
},
{
"url": "https://git.kernel.org/stable/c/30c558447e90935f0de61be181bbcedf75952e00"
},
{
"url": "https://git.kernel.org/stable/c/a54e2b2db1b7de2e008b4f62eec35aaefcc663c5"
},
{
"url": "https://git.kernel.org/stable/c/df191dd9f4c7249d98ada55634fa8ac19089b8cb"
},
{
"url": "https://git.kernel.org/stable/c/c0d93d69e1472ba75b78898979b90a98ba2a2501"
},
{
"url": "https://git.kernel.org/stable/c/154828bf9559b9c8421fc2f0d7f7f76b3683aaed"
}
],
"title": "staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68256",
"datePublished": "2025-12-16T14:44:58.829Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-02-09T08:31:09.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68764 (GCVE-0-2025-68764)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:44 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags
When a filesystem is being automounted, it needs to preserve the
user-set superblock mount options, such as the "ro" flag.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f2aedb713c284429987dc66c7aaf38decfc8da2a , < a3dc6c40bcab1a888d5c0d134ccc0746b4c98929
(git)
Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < ba1495aefd22fcf0746a2a3025c95d766d7cde4d (git) Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < c09070b4def1b34e473a746c6a5331ccb80902c1 (git) Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < dce10c59211e5cd763a62ea01e79b82a629811e3 (git) Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < 612cc98698d667df804792f0c47d4e501e66da29 (git) Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < 4b296944e632cf4c6a4cc8e2585c6451eae47b1b (git) Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < df9b003a2ecacc7218486fbb31fe008c93097d5f (git) Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < 8675c69816e4276b979ff475ee5fac4688f80125 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/namespace.c",
"fs/nfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3dc6c40bcab1a888d5c0d134ccc0746b4c98929",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "ba1495aefd22fcf0746a2a3025c95d766d7cde4d",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "c09070b4def1b34e473a746c6a5331ccb80902c1",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "dce10c59211e5cd763a62ea01e79b82a629811e3",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "612cc98698d667df804792f0c47d4e501e66da29",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "4b296944e632cf4c6a4cc8e2585c6451eae47b1b",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "df9b003a2ecacc7218486fbb31fe008c93097d5f",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "8675c69816e4276b979ff475ee5fac4688f80125",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/namespace.c",
"fs/nfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags\n\nWhen a filesystem is being automounted, it needs to preserve the\nuser-set superblock mount options, such as the \"ro\" flag."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:09.041Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3dc6c40bcab1a888d5c0d134ccc0746b4c98929"
},
{
"url": "https://git.kernel.org/stable/c/ba1495aefd22fcf0746a2a3025c95d766d7cde4d"
},
{
"url": "https://git.kernel.org/stable/c/c09070b4def1b34e473a746c6a5331ccb80902c1"
},
{
"url": "https://git.kernel.org/stable/c/dce10c59211e5cd763a62ea01e79b82a629811e3"
},
{
"url": "https://git.kernel.org/stable/c/612cc98698d667df804792f0c47d4e501e66da29"
},
{
"url": "https://git.kernel.org/stable/c/4b296944e632cf4c6a4cc8e2585c6451eae47b1b"
},
{
"url": "https://git.kernel.org/stable/c/df9b003a2ecacc7218486fbb31fe008c93097d5f"
},
{
"url": "https://git.kernel.org/stable/c/8675c69816e4276b979ff475ee5fac4688f80125"
}
],
"title": "NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68764",
"datePublished": "2026-01-05T09:44:12.518Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-02-09T08:33:09.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40127 (GCVE-0-2025-40127)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
hwrng: ks-sa - fix division by zero in ks_sa_rng_init
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwrng: ks-sa - fix division by zero in ks_sa_rng_init
Fix division by zero in ks_sa_rng_init caused by missing clock
pointer initialization. The clk_get_rate() call is performed on
an uninitialized clk pointer, resulting in division by zero when
calculating delay values.
Add clock initialization code before using the clock.
drivers/char/hw_random/ks-sa-rng.c | 7 +++++++
1 file changed, 7 insertions(+)
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6d01d8511dceb9cd40f72eb102b7d24f0b2e997b , < 692a04a1e0cde1d80a33df0078c755cf02cd7268
(git)
Affected: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b , < d76b099011fa056950f63d05ebb6160991242f6a (git) Affected: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b , < eec7e0e19c1fa75dc65e25aa6a21ef24a03849af (git) Affected: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b , < f4238064379a91e71a9c258996acac43c50c2094 (git) Affected: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b , < 2b6bcce32cb5aff84588a844a4d3f6dd5353b8e2 (git) Affected: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b , < 55a70e1de75e5ff5f961c79a2cdc6a4468cc2bf2 (git) Affected: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b , < 612b1dfeb414dfa780a6316014ceddf9a74ff5c0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/ks-sa-rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "692a04a1e0cde1d80a33df0078c755cf02cd7268",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "d76b099011fa056950f63d05ebb6160991242f6a",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "eec7e0e19c1fa75dc65e25aa6a21ef24a03849af",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "f4238064379a91e71a9c258996acac43c50c2094",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "2b6bcce32cb5aff84588a844a4d3f6dd5353b8e2",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "55a70e1de75e5ff5f961c79a2cdc6a4468cc2bf2",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "612b1dfeb414dfa780a6316014ceddf9a74ff5c0",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/ks-sa-rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: ks-sa - fix division by zero in ks_sa_rng_init\n\nFix division by zero in ks_sa_rng_init caused by missing clock\npointer initialization. The clk_get_rate() call is performed on\nan uninitialized clk pointer, resulting in division by zero when\ncalculating delay values.\n\nAdd clock initialization code before using the clock.\n\n\n drivers/char/hw_random/ks-sa-rng.c | 7 +++++++\n 1 file changed, 7 insertions(+)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:33.438Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/692a04a1e0cde1d80a33df0078c755cf02cd7268"
},
{
"url": "https://git.kernel.org/stable/c/d76b099011fa056950f63d05ebb6160991242f6a"
},
{
"url": "https://git.kernel.org/stable/c/eec7e0e19c1fa75dc65e25aa6a21ef24a03849af"
},
{
"url": "https://git.kernel.org/stable/c/f4238064379a91e71a9c258996acac43c50c2094"
},
{
"url": "https://git.kernel.org/stable/c/2b6bcce32cb5aff84588a844a4d3f6dd5353b8e2"
},
{
"url": "https://git.kernel.org/stable/c/55a70e1de75e5ff5f961c79a2cdc6a4468cc2bf2"
},
{
"url": "https://git.kernel.org/stable/c/612b1dfeb414dfa780a6316014ceddf9a74ff5c0"
}
],
"title": "hwrng: ks-sa - fix division by zero in ks_sa_rng_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40127",
"datePublished": "2025-11-12T10:23:20.775Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:33.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71077 (GCVE-0-2025-71077)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
tpm: Cap the number of PCR banks
Summary
In the Linux kernel, the following vulnerability has been resolved:
tpm: Cap the number of PCR banks
tpm2_get_pcr_allocation() does not cap any upper limit for the number of
banks. Cap the limit to eight banks so that out of bounds values coming
from external I/O cause on only limited harm.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < 8ceee7288152bc121a6bf92997261838c78bfe06
(git)
Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < 275c686f1e3cc056ec66c764489ec1fe1e51b950 (git) Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < ceb70d31da5671d298bad94ae6c20e4bbb800f96 (git) Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < d88481653d74d622d1d0d2c9bad845fc2cc6fd23 (git) Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < b69492161c056d36789aee42a87a33c18c8ed5e1 (git) Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < 858344bc9210bea9ab2bdc7e9e331ba84c164e50 (git) Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < faf07e611dfa464b201223a7253e9dc5ee0f3c9e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm-chip.c",
"drivers/char/tpm/tpm1-cmd.c",
"drivers/char/tpm/tpm2-cmd.c",
"include/linux/tpm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ceee7288152bc121a6bf92997261838c78bfe06",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "275c686f1e3cc056ec66c764489ec1fe1e51b950",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "ceb70d31da5671d298bad94ae6c20e4bbb800f96",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "d88481653d74d622d1d0d2c9bad845fc2cc6fd23",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "b69492161c056d36789aee42a87a33c18c8ed5e1",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "858344bc9210bea9ab2bdc7e9e331ba84c164e50",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "faf07e611dfa464b201223a7253e9dc5ee0f3c9e",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm-chip.c",
"drivers/char/tpm/tpm1-cmd.c",
"drivers/char/tpm/tpm2-cmd.c",
"include/linux/tpm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: Cap the number of PCR banks\n\ntpm2_get_pcr_allocation() does not cap any upper limit for the number of\nbanks. Cap the limit to eight banks so that out of bounds values coming\nfrom external I/O cause on only limited harm."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:28.240Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ceee7288152bc121a6bf92997261838c78bfe06"
},
{
"url": "https://git.kernel.org/stable/c/275c686f1e3cc056ec66c764489ec1fe1e51b950"
},
{
"url": "https://git.kernel.org/stable/c/ceb70d31da5671d298bad94ae6c20e4bbb800f96"
},
{
"url": "https://git.kernel.org/stable/c/d88481653d74d622d1d0d2c9bad845fc2cc6fd23"
},
{
"url": "https://git.kernel.org/stable/c/b69492161c056d36789aee42a87a33c18c8ed5e1"
},
{
"url": "https://git.kernel.org/stable/c/858344bc9210bea9ab2bdc7e9e331ba84c164e50"
},
{
"url": "https://git.kernel.org/stable/c/faf07e611dfa464b201223a7253e9dc5ee0f3c9e"
}
],
"title": "tpm: Cap the number of PCR banks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71077",
"datePublished": "2026-01-13T15:31:29.435Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-02-09T08:34:28.240Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71147 (GCVE-0-2025-71147)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:15 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
KEYS: trusted: Fix a memory leak in tpm2_load_cmd
Summary
In the Linux kernel, the following vulnerability has been resolved:
KEYS: trusted: Fix a memory leak in tpm2_load_cmd
'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode'
but it is not freed in the failure paths. Address this by wrapping the blob
into with a cleanup helper.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f2219745250f388edacabe6cca73654131c67d0a , < 3fd7df4636d8fd5e3592371967a5941204368936
(git)
Affected: f2219745250f388edacabe6cca73654131c67d0a , < af0689cafb127a8d1af78cc8b72585c9b2a19ecd (git) Affected: f2219745250f388edacabe6cca73654131c67d0a , < 19166de9737218b77122c41a5730ac87025e089f (git) Affected: f2219745250f388edacabe6cca73654131c67d0a , < 9b015f2918b95bdde2ca9cefa10ef02b138aae1e (git) Affected: f2219745250f388edacabe6cca73654131c67d0a , < 9e7c63c69f57b1db1a8a1542359a6167ff8fcef1 (git) Affected: f2219745250f388edacabe6cca73654131c67d0a , < 62cd5d480b9762ce70d720a81fa5b373052ae05f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/keys/trusted-keys/trusted_tpm2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3fd7df4636d8fd5e3592371967a5941204368936",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "af0689cafb127a8d1af78cc8b72585c9b2a19ecd",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "19166de9737218b77122c41a5730ac87025e089f",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "9b015f2918b95bdde2ca9cefa10ef02b138aae1e",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "9e7c63c69f57b1db1a8a1542359a6167ff8fcef1",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "62cd5d480b9762ce70d720a81fa5b373052ae05f",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/keys/trusted-keys/trusted_tpm2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix a memory leak in tpm2_load_cmd\n\n\u0027tpm2_load_cmd\u0027 allocates a tempoary blob indirectly via \u0027tpm2_key_decode\u0027\nbut it is not freed in the failure paths. Address this by wrapping the blob\ninto with a cleanup helper."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:44.178Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3fd7df4636d8fd5e3592371967a5941204368936"
},
{
"url": "https://git.kernel.org/stable/c/af0689cafb127a8d1af78cc8b72585c9b2a19ecd"
},
{
"url": "https://git.kernel.org/stable/c/19166de9737218b77122c41a5730ac87025e089f"
},
{
"url": "https://git.kernel.org/stable/c/9b015f2918b95bdde2ca9cefa10ef02b138aae1e"
},
{
"url": "https://git.kernel.org/stable/c/9e7c63c69f57b1db1a8a1542359a6167ff8fcef1"
},
{
"url": "https://git.kernel.org/stable/c/62cd5d480b9762ce70d720a81fa5b373052ae05f"
}
],
"title": "KEYS: trusted: Fix a memory leak in tpm2_load_cmd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71147",
"datePublished": "2026-01-23T14:15:13.945Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-02-09T08:35:44.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68777 (GCVE-0-2025-68777)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows
wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds
access when used as index in 'config_pins[wire_order[i]]'.
Since config_pins has 4 elements (indices 0-3), the valid range for
wire_order should be 0-3. Fix the off-by-one error by using >= instead
of > in the validation check.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 , < a7ff2360431561b56f559d3a628d1f096048d178
(git)
Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 , < 136abe173a3cc2951d70c6e51fe7abdbadbb204b (git) Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 , < 08c0b561823a7026364efb38ed7f4a3af48ccfcd (git) Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 , < bf95ec55805828c4f2b5241fb6b0c12388548570 (git) Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 , < 84e4d3543168912549271b34261f5e0f94952d6e (git) Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 , < 40e3042de43ffa0017a8460ff9b4cad7b8c7cb96 (git) Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 , < 248d3a73a0167dce15ba100477c3e778c4787178 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/touchscreen/ti_am335x_tsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7ff2360431561b56f559d3a628d1f096048d178",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "136abe173a3cc2951d70c6e51fe7abdbadbb204b",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "08c0b561823a7026364efb38ed7f4a3af48ccfcd",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "bf95ec55805828c4f2b5241fb6b0c12388548570",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "84e4d3543168912549271b34261f5e0f94952d6e",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "40e3042de43ffa0017a8460ff9b4cad7b8c7cb96",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "248d3a73a0167dce15ba100477c3e778c4787178",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/touchscreen/ti_am335x_tsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: ti_am335x_tsc - fix off-by-one error in wire_order validation\n\nThe current validation \u0027wire_order[i] \u003e ARRAY_SIZE(config_pins)\u0027 allows\nwire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds\naccess when used as index in \u0027config_pins[wire_order[i]]\u0027.\n\nSince config_pins has 4 elements (indices 0-3), the valid range for\nwire_order should be 0-3. Fix the off-by-one error by using \u003e= instead\nof \u003e in the validation check."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:23.140Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7ff2360431561b56f559d3a628d1f096048d178"
},
{
"url": "https://git.kernel.org/stable/c/136abe173a3cc2951d70c6e51fe7abdbadbb204b"
},
{
"url": "https://git.kernel.org/stable/c/08c0b561823a7026364efb38ed7f4a3af48ccfcd"
},
{
"url": "https://git.kernel.org/stable/c/bf95ec55805828c4f2b5241fb6b0c12388548570"
},
{
"url": "https://git.kernel.org/stable/c/84e4d3543168912549271b34261f5e0f94952d6e"
},
{
"url": "https://git.kernel.org/stable/c/40e3042de43ffa0017a8460ff9b4cad7b8c7cb96"
},
{
"url": "https://git.kernel.org/stable/c/248d3a73a0167dce15ba100477c3e778c4787178"
}
],
"title": "Input: ti_am335x_tsc - fix off-by-one error in wire_order validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68777",
"datePublished": "2026-01-13T15:28:53.416Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-02-09T08:33:23.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68735 (GCVE-0-2025-68735)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
drm/panthor: Prevent potential UAF in group creation
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/panthor: Prevent potential UAF in group creation
This commit prevents the possibility of a use after free issue in the
GROUP_CREATE ioctl function, which arose as pointer to the group is
accessed in that ioctl function after storing it in the Xarray.
A malicious userspace can second guess the handle of a group and try
to call GROUP_DESTROY ioctl from another thread around the same time
as GROUP_CREATE ioctl.
To prevent the use after free exploit, this commit uses a mark on an
entry of group pool Xarray which is added just before returning from
the GROUP_CREATE ioctl function. The mark is checked for all ioctls
that specify the group handle and so userspace won't be abe to delete
a group that isn't marked yet.
v2: Add R-bs and fixes tags
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
de85488138247d034eb3241840424a54d660926b , < deb8b2491f6b9882ae02d7dc2651c7bf4f3b7e05
(git)
Affected: de85488138247d034eb3241840424a54d660926b , < c646ebff3fa571e7ea974235286fb9ed3edc260c (git) Affected: de85488138247d034eb3241840424a54d660926b , < eec7e23d848d2194dd8791fcd0f4a54d4378eecd (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panthor/panthor_sched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "deb8b2491f6b9882ae02d7dc2651c7bf4f3b7e05",
"status": "affected",
"version": "de85488138247d034eb3241840424a54d660926b",
"versionType": "git"
},
{
"lessThan": "c646ebff3fa571e7ea974235286fb9ed3edc260c",
"status": "affected",
"version": "de85488138247d034eb3241840424a54d660926b",
"versionType": "git"
},
{
"lessThan": "eec7e23d848d2194dd8791fcd0f4a54d4378eecd",
"status": "affected",
"version": "de85488138247d034eb3241840424a54d660926b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panthor/panthor_sched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Prevent potential UAF in group creation\n\nThis commit prevents the possibility of a use after free issue in the\nGROUP_CREATE ioctl function, which arose as pointer to the group is\naccessed in that ioctl function after storing it in the Xarray.\nA malicious userspace can second guess the handle of a group and try\nto call GROUP_DESTROY ioctl from another thread around the same time\nas GROUP_CREATE ioctl.\n\nTo prevent the use after free exploit, this commit uses a mark on an\nentry of group pool Xarray which is added just before returning from\nthe GROUP_CREATE ioctl function. The mark is checked for all ioctls\nthat specify the group handle and so userspace won\u0027t be abe to delete\na group that isn\u0027t marked yet.\n\nv2: Add R-bs and fixes tags"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:30.851Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/deb8b2491f6b9882ae02d7dc2651c7bf4f3b7e05"
},
{
"url": "https://git.kernel.org/stable/c/c646ebff3fa571e7ea974235286fb9ed3edc260c"
},
{
"url": "https://git.kernel.org/stable/c/eec7e23d848d2194dd8791fcd0f4a54d4378eecd"
}
],
"title": "drm/panthor: Prevent potential UAF in group creation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68735",
"datePublished": "2025-12-24T12:09:34.364Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-02-09T08:32:30.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68304 (GCVE-0-2025-68304)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
Bluetooth: hci_core: lookup hci_conn on RX path on protocol side
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_core: lookup hci_conn on RX path on protocol side
The hdev lock/lookup/unlock/use pattern in the packet RX path doesn't
ensure hci_conn* is not concurrently modified/deleted. This locking
appears to be leftover from before conn_hash started using RCU
commit bf4c63252490b ("Bluetooth: convert conn hash to RCU")
and not clear if it had purpose since then.
Currently, there are code paths that delete hci_conn* from elsewhere
than the ordered hdev->workqueue where the RX work runs in. E.g.
commit 5af1f84ed13a ("Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync")
introduced some of these, and there probably were a few others before
it. It's better to do the locking so that even if these run
concurrently no UAF is possible.
Move the lookup of hci_conn and associated socket-specific conn to
protocol recv handlers, and do them within a single critical section
to cover hci_conn* usage and lookup.
syzkaller has reported a crash that appears to be this issue:
[Task hdev->workqueue] [Task 2]
hci_disconnect_all_sync
l2cap_recv_acldata(hcon)
hci_conn_get(hcon)
hci_abort_conn_sync(hcon)
hci_dev_lock
hci_dev_lock
hci_conn_del(hcon)
v-------------------------------- hci_dev_unlock
hci_conn_put(hcon)
conn = hcon->l2cap_data (UAF)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5af1f84ed13a416297ab9ced7537f4d5ae7f329a , < ec74cdf77310c43b01b83ee898a9bd4b4b0b8e93
(git)
Affected: 5af1f84ed13a416297ab9ced7537f4d5ae7f329a , < 79a2d4678ba90bdba577dc3af88cc900d6dcd5ee (git) Affected: cd55c13bbb3d093ae601aa97e588ed4c1390ebb1 (git) Affected: 4d3ca4a9aaf0aa798a6be372dc0fc3a29e37dd57 (git) Affected: 80265dd1d944c3f33e52375b5dbe654980bd2688 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_core.c",
"net/bluetooth/iso.c",
"net/bluetooth/l2cap_core.c",
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ec74cdf77310c43b01b83ee898a9bd4b4b0b8e93",
"status": "affected",
"version": "5af1f84ed13a416297ab9ced7537f4d5ae7f329a",
"versionType": "git"
},
{
"lessThan": "79a2d4678ba90bdba577dc3af88cc900d6dcd5ee",
"status": "affected",
"version": "5af1f84ed13a416297ab9ced7537f4d5ae7f329a",
"versionType": "git"
},
{
"status": "affected",
"version": "cd55c13bbb3d093ae601aa97e588ed4c1390ebb1",
"versionType": "git"
},
{
"status": "affected",
"version": "4d3ca4a9aaf0aa798a6be372dc0fc3a29e37dd57",
"versionType": "git"
},
{
"status": "affected",
"version": "80265dd1d944c3f33e52375b5dbe654980bd2688",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_core.c",
"net/bluetooth/iso.c",
"net/bluetooth/l2cap_core.c",
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: lookup hci_conn on RX path on protocol side\n\nThe hdev lock/lookup/unlock/use pattern in the packet RX path doesn\u0027t\nensure hci_conn* is not concurrently modified/deleted. This locking\nappears to be leftover from before conn_hash started using RCU\ncommit bf4c63252490b (\"Bluetooth: convert conn hash to RCU\")\nand not clear if it had purpose since then.\n\nCurrently, there are code paths that delete hci_conn* from elsewhere\nthan the ordered hdev-\u003eworkqueue where the RX work runs in. E.g.\ncommit 5af1f84ed13a (\"Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync\")\nintroduced some of these, and there probably were a few others before\nit. It\u0027s better to do the locking so that even if these run\nconcurrently no UAF is possible.\n\nMove the lookup of hci_conn and associated socket-specific conn to\nprotocol recv handlers, and do them within a single critical section\nto cover hci_conn* usage and lookup.\n\nsyzkaller has reported a crash that appears to be this issue:\n\n [Task hdev-\u003eworkqueue] [Task 2]\n hci_disconnect_all_sync\n l2cap_recv_acldata(hcon)\n hci_conn_get(hcon)\n hci_abort_conn_sync(hcon)\n hci_dev_lock\n hci_dev_lock\n hci_conn_del(hcon)\n v-------------------------------- hci_dev_unlock\n hci_conn_put(hcon)\n conn = hcon-\u003el2cap_data (UAF)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:21.887Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ec74cdf77310c43b01b83ee898a9bd4b4b0b8e93"
},
{
"url": "https://git.kernel.org/stable/c/79a2d4678ba90bdba577dc3af88cc900d6dcd5ee"
}
],
"title": "Bluetooth: hci_core: lookup hci_conn on RX path on protocol side",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68304",
"datePublished": "2025-12-16T15:06:21.887Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:21.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71098 (GCVE-0-2025-71098)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
ip6_gre: make ip6gre_header() robust
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6_gre: make ip6gre_header() robust
Over the years, syzbot found many ways to crash the kernel
in ip6gre_header() [1].
This involves team or bonding drivers ability to dynamically
change their dev->needed_headroom and/or dev->hard_header_len
In this particular crash mld_newpack() allocated an skb
with a too small reserve/headroom, and by the time mld_sendpack()
was called, syzbot managed to attach an ip6gre device.
[1]
skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:213 !
<TASK>
skb_under_panic net/core/skbuff.c:223 [inline]
skb_push+0xc3/0xe0 net/core/skbuff.c:2641
ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371
dev_hard_header include/linux/netdevice.h:3436 [inline]
neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
neigh_output include/net/neighbour.h:556 [inline]
ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
__ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c12b395a46646bab69089ce7016ac78177f6001f , < 17e7386234f740f3e7d5e58a47b5847ea34c3bc2
(git)
Affected: c12b395a46646bab69089ce7016ac78177f6001f , < 41a1a3140aff295dee8063906f70a514548105e8 (git) Affected: c12b395a46646bab69089ce7016ac78177f6001f , < adee129db814474f2f81207bd182bf343832a52e (git) Affected: c12b395a46646bab69089ce7016ac78177f6001f , < 1717357007db150c2d703f13f5695460e960f26c (git) Affected: c12b395a46646bab69089ce7016ac78177f6001f , < 5fe210533e3459197eabfdbf97327dacbdc04d60 (git) Affected: c12b395a46646bab69089ce7016ac78177f6001f , < 91a2b25be07ce1a7549ceebbe82017551d2eec92 (git) Affected: c12b395a46646bab69089ce7016ac78177f6001f , < db5b4e39c4e63700c68a7e65fc4e1f1375273476 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "17e7386234f740f3e7d5e58a47b5847ea34c3bc2",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "41a1a3140aff295dee8063906f70a514548105e8",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "adee129db814474f2f81207bd182bf343832a52e",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "1717357007db150c2d703f13f5695460e960f26c",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "5fe210533e3459197eabfdbf97327dacbdc04d60",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "91a2b25be07ce1a7549ceebbe82017551d2eec92",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "db5b4e39c4e63700c68a7e65fc4e1f1375273476",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_gre: make ip6gre_header() robust\n\nOver the years, syzbot found many ways to crash the kernel\nin ip6gre_header() [1].\n\nThis involves team or bonding drivers ability to dynamically\nchange their dev-\u003eneeded_headroom and/or dev-\u003ehard_header_len\n\nIn this particular crash mld_newpack() allocated an skb\nwith a too small reserve/headroom, and by the time mld_sendpack()\nwas called, syzbot managed to attach an ip6gre device.\n\n[1]\nskbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0\n------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:213 !\n \u003cTASK\u003e\n skb_under_panic net/core/skbuff.c:223 [inline]\n skb_push+0xc3/0xe0 net/core/skbuff.c:2641\n ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371\n dev_hard_header include/linux/netdevice.h:3436 [inline]\n neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618\n neigh_output include/net/neighbour.h:556 [inline]\n ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136\n __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]\n ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220\n NF_HOOK_COND include/linux/netfilter.h:307 [inline]\n ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247\n NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318\n mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855\n mld_send_cr net/ipv6/mcast.c:2154 [inline]\n mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:50.957Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/17e7386234f740f3e7d5e58a47b5847ea34c3bc2"
},
{
"url": "https://git.kernel.org/stable/c/41a1a3140aff295dee8063906f70a514548105e8"
},
{
"url": "https://git.kernel.org/stable/c/adee129db814474f2f81207bd182bf343832a52e"
},
{
"url": "https://git.kernel.org/stable/c/1717357007db150c2d703f13f5695460e960f26c"
},
{
"url": "https://git.kernel.org/stable/c/5fe210533e3459197eabfdbf97327dacbdc04d60"
},
{
"url": "https://git.kernel.org/stable/c/91a2b25be07ce1a7549ceebbe82017551d2eec92"
},
{
"url": "https://git.kernel.org/stable/c/db5b4e39c4e63700c68a7e65fc4e1f1375273476"
}
],
"title": "ip6_gre: make ip6gre_header() robust",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71098",
"datePublished": "2026-01-13T15:34:57.536Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-02-09T08:34:50.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-49927 (GCVE-0-2024-49927)
Vulnerability from cvelistv5 – Published: 2024-10-21 18:01 – Updated: 2026-01-05 10:54
VLAI?
EPSS
Title
x86/ioapic: Handle allocation failures gracefully
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/ioapic: Handle allocation failures gracefully
Breno observed panics when using failslab under certain conditions during
runtime:
can not alloc irq_pin_list (-1,0,20)
Kernel panic - not syncing: IO-APIC: failed to add irq-pin. Can not proceed
panic+0x4e9/0x590
mp_irqdomain_alloc+0x9ab/0xa80
irq_domain_alloc_irqs_locked+0x25d/0x8d0
__irq_domain_alloc_irqs+0x80/0x110
mp_map_pin_to_irq+0x645/0x890
acpi_register_gsi_ioapic+0xe6/0x150
hpet_open+0x313/0x480
That's a pointless panic which is a leftover of the historic IO/APIC code
which panic'ed during early boot when the interrupt allocation failed.
The only place which might justify panic is the PIT/HPET timer_check() code
which tries to figure out whether the timer interrupt is delivered through
the IO/APIC. But that code does not require to handle interrupt allocation
failures. If the interrupt cannot be allocated then timer delivery fails
and it either panics due to that or falls back to legacy mode.
Cure this by removing the panic wrapper around __add_pin_to_irq_node() and
making mp_irqdomain_alloc() aware of the failure condition and handle it as
any other failure in this function gracefully.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
49c7e60022912d10da88ba67e8eb2927f1143f6a , < e479cb835feeb2abff97f25766e23b96a6eabe28
(git)
Affected: 49c7e60022912d10da88ba67e8eb2927f1143f6a , < ec862cd843faa6f0e84a7a07362f2786446bf697 (git) Affected: 49c7e60022912d10da88ba67e8eb2927f1143f6a , < 077e1b7cd521163ded545987bbbd389519aeed71 (git) Affected: 49c7e60022912d10da88ba67e8eb2927f1143f6a , < 649a5c2ffae797ce792023a70e84c7fe4b6fb8e0 (git) Affected: 49c7e60022912d10da88ba67e8eb2927f1143f6a , < f17efbeb2922327ea01a9efa8829fea9a30e547d (git) Affected: 49c7e60022912d10da88ba67e8eb2927f1143f6a , < 830802a0fea8fb39d3dc9fb7d6b5581e1343eb1f (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49927",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:39:34.506279Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:48:43.819Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:23:14.792Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/apic/io_apic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e479cb835feeb2abff97f25766e23b96a6eabe28",
"status": "affected",
"version": "49c7e60022912d10da88ba67e8eb2927f1143f6a",
"versionType": "git"
},
{
"lessThan": "ec862cd843faa6f0e84a7a07362f2786446bf697",
"status": "affected",
"version": "49c7e60022912d10da88ba67e8eb2927f1143f6a",
"versionType": "git"
},
{
"lessThan": "077e1b7cd521163ded545987bbbd389519aeed71",
"status": "affected",
"version": "49c7e60022912d10da88ba67e8eb2927f1143f6a",
"versionType": "git"
},
{
"lessThan": "649a5c2ffae797ce792023a70e84c7fe4b6fb8e0",
"status": "affected",
"version": "49c7e60022912d10da88ba67e8eb2927f1143f6a",
"versionType": "git"
},
{
"lessThan": "f17efbeb2922327ea01a9efa8829fea9a30e547d",
"status": "affected",
"version": "49c7e60022912d10da88ba67e8eb2927f1143f6a",
"versionType": "git"
},
{
"lessThan": "830802a0fea8fb39d3dc9fb7d6b5581e1343eb1f",
"status": "affected",
"version": "49c7e60022912d10da88ba67e8eb2927f1143f6a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/apic/io_apic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.168",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.113",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.55",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.14",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.3",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/ioapic: Handle allocation failures gracefully\n\nBreno observed panics when using failslab under certain conditions during\nruntime:\n\n can not alloc irq_pin_list (-1,0,20)\n Kernel panic - not syncing: IO-APIC: failed to add irq-pin. Can not proceed\n\n panic+0x4e9/0x590\n mp_irqdomain_alloc+0x9ab/0xa80\n irq_domain_alloc_irqs_locked+0x25d/0x8d0\n __irq_domain_alloc_irqs+0x80/0x110\n mp_map_pin_to_irq+0x645/0x890\n acpi_register_gsi_ioapic+0xe6/0x150\n hpet_open+0x313/0x480\n\nThat\u0027s a pointless panic which is a leftover of the historic IO/APIC code\nwhich panic\u0027ed during early boot when the interrupt allocation failed.\n\nThe only place which might justify panic is the PIT/HPET timer_check() code\nwhich tries to figure out whether the timer interrupt is delivered through\nthe IO/APIC. But that code does not require to handle interrupt allocation\nfailures. If the interrupt cannot be allocated then timer delivery fails\nand it either panics due to that or falls back to legacy mode.\n\nCure this by removing the panic wrapper around __add_pin_to_irq_node() and\nmaking mp_irqdomain_alloc() aware of the failure condition and handle it as\nany other failure in this function gracefully."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:54:24.376Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e479cb835feeb2abff97f25766e23b96a6eabe28"
},
{
"url": "https://git.kernel.org/stable/c/ec862cd843faa6f0e84a7a07362f2786446bf697"
},
{
"url": "https://git.kernel.org/stable/c/077e1b7cd521163ded545987bbbd389519aeed71"
},
{
"url": "https://git.kernel.org/stable/c/649a5c2ffae797ce792023a70e84c7fe4b6fb8e0"
},
{
"url": "https://git.kernel.org/stable/c/f17efbeb2922327ea01a9efa8829fea9a30e547d"
},
{
"url": "https://git.kernel.org/stable/c/830802a0fea8fb39d3dc9fb7d6b5581e1343eb1f"
}
],
"title": "x86/ioapic: Handle allocation failures gracefully",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-49927",
"datePublished": "2024-10-21T18:01:51.110Z",
"dateReserved": "2024-10-21T12:17:06.038Z",
"dateUpdated": "2026-01-05T10:54:24.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40083 (GCVE-0-2025-40083)
Vulnerability from cvelistv5 – Published: 2025-10-29 13:37 – Updated: 2026-01-02 15:32
VLAI?
EPSS
Title
net/sched: sch_qfq: Fix null-deref in agg_dequeue
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: Fix null-deref in agg_dequeue
To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c)
when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return
value before using it, similar to the existing approach in sch_hfsc.c.
To avoid code duplication, the following changes are made:
1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static
inline function.
2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to
include/net/pkt_sched.h so that sch_qfq can reuse it.
3. Applied qdisc_peek_len in agg_dequeue to avoid crashing.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
462dbc9101acd38e92eda93c0726857517a24bbd , < 71d84658a61322e5630c85c5388fc25e4a2d08b2
(git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 99fc137f178797204d36ac860dd8b31e35baa2df (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 1bed56f089f09b465420bf23bb32985c305cfc28 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 3c2a8994807623c7655ece205667ae2cf74940aa (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 6ffa9d66187188e3068b5a3895e6ae1ee34f9199 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 6ff8e74c8f8a68ec07ef837b95425dfe900d060f (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < dd831ac8221e691e9e918585b1003c7071df0379 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/pkt_sched.h",
"net/sched/sch_api.c",
"net/sched/sch_hfsc.c",
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71d84658a61322e5630c85c5388fc25e4a2d08b2",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "99fc137f178797204d36ac860dd8b31e35baa2df",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "1bed56f089f09b465420bf23bb32985c305cfc28",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "3c2a8994807623c7655ece205667ae2cf74940aa",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "6ffa9d66187188e3068b5a3895e6ae1ee34f9199",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "6ff8e74c8f8a68ec07ef837b95425dfe900d060f",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "dd831ac8221e691e9e918585b1003c7071df0379",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/pkt_sched.h",
"net/sched/sch_api.c",
"net/sched/sch_hfsc.c",
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.116",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.57",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.116",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.57",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix null-deref in agg_dequeue\n\nTo prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c)\nwhen cl-\u003eqdisc-\u003eops-\u003epeek(cl-\u003eqdisc) returns NULL, we check the return\nvalue before using it, similar to the existing approach in sch_hfsc.c.\n\nTo avoid code duplication, the following changes are made:\n\n1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static\ninline function.\n\n2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to\ninclude/net/pkt_sched.h so that sch_qfq can reuse it.\n\n3. Applied qdisc_peek_len in agg_dequeue to avoid crashing."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:57.767Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71d84658a61322e5630c85c5388fc25e4a2d08b2"
},
{
"url": "https://git.kernel.org/stable/c/99fc137f178797204d36ac860dd8b31e35baa2df"
},
{
"url": "https://git.kernel.org/stable/c/1bed56f089f09b465420bf23bb32985c305cfc28"
},
{
"url": "https://git.kernel.org/stable/c/3c2a8994807623c7655ece205667ae2cf74940aa"
},
{
"url": "https://git.kernel.org/stable/c/6ffa9d66187188e3068b5a3895e6ae1ee34f9199"
},
{
"url": "https://git.kernel.org/stable/c/6ff8e74c8f8a68ec07ef837b95425dfe900d060f"
},
{
"url": "https://git.kernel.org/stable/c/dd831ac8221e691e9e918585b1003c7071df0379"
}
],
"title": "net/sched: sch_qfq: Fix null-deref in agg_dequeue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40083",
"datePublished": "2025-10-29T13:37:01.868Z",
"dateReserved": "2025-04-16T07:20:57.161Z",
"dateUpdated": "2026-01-02T15:32:57.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56640 (GCVE-0-2024-56640)
Vulnerability from cvelistv5 – Published: 2024-12-27 15:02 – Updated: 2025-11-03 20:51
VLAI?
EPSS
Title
net/smc: fix LGR and link use-after-free issue
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix LGR and link use-after-free issue
We encountered a LGR/link use-after-free issue, which manifested as
the LGR/link refcnt reaching 0 early and entering the clear process,
making resource access unsafe.
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140
Workqueue: events smc_lgr_terminate_work [smc]
Call trace:
refcount_warn_saturate+0x9c/0x140
__smc_lgr_terminate.part.45+0x2a8/0x370 [smc]
smc_lgr_terminate_work+0x28/0x30 [smc]
process_one_work+0x1b8/0x420
worker_thread+0x158/0x510
kthread+0x114/0x118
or
refcount_t: underflow; use-after-free.
WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140
Workqueue: smc_hs_wq smc_listen_work [smc]
Call trace:
refcount_warn_saturate+0xf0/0x140
smcr_link_put+0x1cc/0x1d8 [smc]
smc_conn_free+0x110/0x1b0 [smc]
smc_conn_abort+0x50/0x60 [smc]
smc_listen_find_device+0x75c/0x790 [smc]
smc_listen_work+0x368/0x8a0 [smc]
process_one_work+0x1b8/0x420
worker_thread+0x158/0x510
kthread+0x114/0x118
It is caused by repeated release of LGR/link refcnt. One suspect is that
smc_conn_free() is called repeatedly because some smc_conn_free() from
server listening path are not protected by sock lock.
e.g.
Calls under socklock | smc_listen_work
-------------------------------------------------------
lock_sock(sk) | smc_conn_abort
smc_conn_free | \- smc_conn_free
\- smcr_link_put | \- smcr_link_put (duplicated)
release_sock(sk)
So here add sock lock protection in smc_listen_work() path, making it
exclusive with other connection operations.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 , < f502a88fdd415647a1f2dc45fac71b9c522a052b
(git)
Affected: 3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 , < 0cf598548a6c36d90681d53c6b77d52363f2f295 (git) Affected: 3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 , < 673d606683ac70bc074ca6676b938bff18635226 (git) Affected: 3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 , < 6f0ae06a234a78ae137064f2c89135ac078a00eb (git) Affected: 3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 , < 2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56640",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:41:51.231757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:45:22.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:51:40.000Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f502a88fdd415647a1f2dc45fac71b9c522a052b",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
},
{
"lessThan": "0cf598548a6c36d90681d53c6b77d52363f2f295",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
},
{
"lessThan": "673d606683ac70bc074ca6676b938bff18635226",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
},
{
"lessThan": "6f0ae06a234a78ae137064f2c89135ac078a00eb",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
},
{
"lessThan": "2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.66",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.5",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix LGR and link use-after-free issue\n\nWe encountered a LGR/link use-after-free issue, which manifested as\nthe LGR/link refcnt reaching 0 early and entering the clear process,\nmaking resource access unsafe.\n\n refcount_t: addition on 0; use-after-free.\n WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140\n Workqueue: events smc_lgr_terminate_work [smc]\n Call trace:\n refcount_warn_saturate+0x9c/0x140\n __smc_lgr_terminate.part.45+0x2a8/0x370 [smc]\n smc_lgr_terminate_work+0x28/0x30 [smc]\n process_one_work+0x1b8/0x420\n worker_thread+0x158/0x510\n kthread+0x114/0x118\n\nor\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140\n Workqueue: smc_hs_wq smc_listen_work [smc]\n Call trace:\n refcount_warn_saturate+0xf0/0x140\n smcr_link_put+0x1cc/0x1d8 [smc]\n smc_conn_free+0x110/0x1b0 [smc]\n smc_conn_abort+0x50/0x60 [smc]\n smc_listen_find_device+0x75c/0x790 [smc]\n smc_listen_work+0x368/0x8a0 [smc]\n process_one_work+0x1b8/0x420\n worker_thread+0x158/0x510\n kthread+0x114/0x118\n\nIt is caused by repeated release of LGR/link refcnt. One suspect is that\nsmc_conn_free() is called repeatedly because some smc_conn_free() from\nserver listening path are not protected by sock lock.\n\ne.g.\n\nCalls under socklock | smc_listen_work\n-------------------------------------------------------\nlock_sock(sk) | smc_conn_abort\nsmc_conn_free | \\- smc_conn_free\n\\- smcr_link_put | \\- smcr_link_put (duplicated)\nrelease_sock(sk)\n\nSo here add sock lock protection in smc_listen_work() path, making it\nexclusive with other connection operations."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:00:47.260Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f502a88fdd415647a1f2dc45fac71b9c522a052b"
},
{
"url": "https://git.kernel.org/stable/c/0cf598548a6c36d90681d53c6b77d52363f2f295"
},
{
"url": "https://git.kernel.org/stable/c/673d606683ac70bc074ca6676b938bff18635226"
},
{
"url": "https://git.kernel.org/stable/c/6f0ae06a234a78ae137064f2c89135ac078a00eb"
},
{
"url": "https://git.kernel.org/stable/c/2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7"
}
],
"title": "net/smc: fix LGR and link use-after-free issue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56640",
"datePublished": "2024-12-27T15:02:42.253Z",
"dateReserved": "2024-12-27T15:00:39.839Z",
"dateUpdated": "2025-11-03T20:51:40.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39807 (GCVE-0-2025-39807)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2026-01-14 18:22
VLAI?
EPSS
Title
drm/mediatek: Add error handling for old state CRTC in atomic_disable
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: Add error handling for old state CRTC in atomic_disable
Introduce error handling to address an issue where, after a hotplug
event, the cursor continues to update. This situation can lead to a
kernel panic due to accessing the NULL `old_state->crtc`.
E,g.
Unable to handle kernel NULL pointer dereference at virtual address
Call trace:
mtk_crtc_plane_disable+0x24/0x140
mtk_plane_atomic_update+0x8c/0xa8
drm_atomic_helper_commit_planes+0x114/0x2c8
drm_atomic_helper_commit_tail_rpm+0x4c/0x158
commit_tail+0xa0/0x168
drm_atomic_helper_commit+0x110/0x120
drm_atomic_commit+0x8c/0xe0
drm_atomic_helper_update_plane+0xd4/0x128
__setplane_atomic+0xcc/0x110
drm_mode_cursor_common+0x250/0x440
drm_mode_cursor_ioctl+0x44/0x70
drm_ioctl+0x264/0x5d8
__arm64_sys_ioctl+0xd8/0x510
invoke_syscall+0x6c/0xe0
do_el0_svc+0x68/0xe8
el0_svc+0x34/0x60
el0t_64_sync_handler+0x1c/0xf8
el0t_64_sync+0x180/0x188
Adding NULL pointer checks to ensure stability by preventing operations
on an invalid CRTC state.
Severity ?
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
40b5b4ba8ed87c0bfb6268c10589777652ebde4c , < 7d5cc22efa44e0fe321ce195c71c3d7da211fbb2
(git)
Affected: d208261e9f7c66960587b10473081dc1cecbe50b , < 9a94e9d8b50bcfe89693bc899a54d3866d86e973 (git) Affected: d208261e9f7c66960587b10473081dc1cecbe50b , < 0c6b24d70da21201ed009a2aca740d2dfddc7ab5 (git) Affected: a9c482689051ca96f4a4630fe49fd6919694caaa (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39807",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:14:18.395954Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:22:54.720Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7d5cc22efa44e0fe321ce195c71c3d7da211fbb2",
"status": "affected",
"version": "40b5b4ba8ed87c0bfb6268c10589777652ebde4c",
"versionType": "git"
},
{
"lessThan": "9a94e9d8b50bcfe89693bc899a54d3866d86e973",
"status": "affected",
"version": "d208261e9f7c66960587b10473081dc1cecbe50b",
"versionType": "git"
},
{
"lessThan": "0c6b24d70da21201ed009a2aca740d2dfddc7ab5",
"status": "affected",
"version": "d208261e9f7c66960587b10473081dc1cecbe50b",
"versionType": "git"
},
{
"status": "affected",
"version": "a9c482689051ca96f4a4630fe49fd6919694caaa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "6.12.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Add error handling for old state CRTC in atomic_disable\n\nIntroduce error handling to address an issue where, after a hotplug\nevent, the cursor continues to update. This situation can lead to a\nkernel panic due to accessing the NULL `old_state-\u003ecrtc`.\n\nE,g.\nUnable to handle kernel NULL pointer dereference at virtual address\nCall trace:\n mtk_crtc_plane_disable+0x24/0x140\n mtk_plane_atomic_update+0x8c/0xa8\n drm_atomic_helper_commit_planes+0x114/0x2c8\n drm_atomic_helper_commit_tail_rpm+0x4c/0x158\n commit_tail+0xa0/0x168\n drm_atomic_helper_commit+0x110/0x120\n drm_atomic_commit+0x8c/0xe0\n drm_atomic_helper_update_plane+0xd4/0x128\n __setplane_atomic+0xcc/0x110\n drm_mode_cursor_common+0x250/0x440\n drm_mode_cursor_ioctl+0x44/0x70\n drm_ioctl+0x264/0x5d8\n __arm64_sys_ioctl+0xd8/0x510\n invoke_syscall+0x6c/0xe0\n do_el0_svc+0x68/0xe8\n el0_svc+0x34/0x60\n el0t_64_sync_handler+0x1c/0xf8\n el0t_64_sync+0x180/0x188\n\nAdding NULL pointer checks to ensure stability by preventing operations\non an invalid CRTC state."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:49.845Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7d5cc22efa44e0fe321ce195c71c3d7da211fbb2"
},
{
"url": "https://git.kernel.org/stable/c/9a94e9d8b50bcfe89693bc899a54d3866d86e973"
},
{
"url": "https://git.kernel.org/stable/c/0c6b24d70da21201ed009a2aca740d2dfddc7ab5"
}
],
"title": "drm/mediatek: Add error handling for old state CRTC in atomic_disable",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39807",
"datePublished": "2025-09-16T13:00:10.408Z",
"dateReserved": "2025-04-16T07:20:57.137Z",
"dateUpdated": "2026-01-14T18:22:54.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40250 (GCVE-0-2025-40250)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-04 16:08
VLAI?
EPSS
Title
net/mlx5: Clean up only new IRQ glue on request_irq() failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Clean up only new IRQ glue on request_irq() failure
The mlx5_irq_alloc() function can inadvertently free the entire rmap
and end up in a crash[1] when the other threads tries to access this,
when request_irq() fails due to exhausted IRQ vectors. This commit
modifies the cleanup to remove only the specific IRQ mapping that was
just added.
This prevents removal of other valid mappings and ensures precise
cleanup of the failed IRQ allocation's associated glue object.
Note: This error is observed when both fwctl and rds configs are enabled.
[1]
mlx5_core 0000:05:00.0: Successfully registered panic handler for port 1
mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to
request irq. err = -28
infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while
trying to test write-combining support
mlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1
mlx5_core 0000:06:00.0: Successfully registered panic handler for port 1
mlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to
request irq. err = -28
infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while
trying to test write-combining support
mlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1
mlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to
request irq. err = -28
mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to
request irq. err = -28
general protection fault, probably for non-canonical address
0xe277a58fde16f291: 0000 [#1] SMP NOPTI
RIP: 0010:free_irq_cpu_rmap+0x23/0x7d
Call Trace:
<TASK>
? show_trace_log_lvl+0x1d6/0x2f9
? show_trace_log_lvl+0x1d6/0x2f9
? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]
? __die_body.cold+0x8/0xa
? die_addr+0x39/0x53
? exc_general_protection+0x1c4/0x3e9
? dev_vprintk_emit+0x5f/0x90
? asm_exc_general_protection+0x22/0x27
? free_irq_cpu_rmap+0x23/0x7d
mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]
irq_pool_request_vector+0x7d/0x90 [mlx5_core]
mlx5_irq_request+0x2e/0xe0 [mlx5_core]
mlx5_irq_request_vector+0xad/0xf7 [mlx5_core]
comp_irq_request_pci+0x64/0xf0 [mlx5_core]
create_comp_eq+0x71/0x385 [mlx5_core]
? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core]
mlx5_comp_eqn_get+0x72/0x90 [mlx5_core]
? xas_load+0x8/0x91
mlx5_comp_irqn_get+0x40/0x90 [mlx5_core]
mlx5e_open_channel+0x7d/0x3c7 [mlx5_core]
mlx5e_open_channels+0xad/0x250 [mlx5_core]
mlx5e_open_locked+0x3e/0x110 [mlx5_core]
mlx5e_open+0x23/0x70 [mlx5_core]
__dev_open+0xf1/0x1a5
__dev_change_flags+0x1e1/0x249
dev_change_flags+0x21/0x5c
do_setlink+0x28b/0xcc4
? __nla_parse+0x22/0x3d
? inet6_validate_link_af+0x6b/0x108
? cpumask_next+0x1f/0x35
? __snmp6_fill_stats64.constprop.0+0x66/0x107
? __nla_validate_parse+0x48/0x1e6
__rtnl_newlink+0x5ff/0xa57
? kmem_cache_alloc_trace+0x164/0x2ce
rtnl_newlink+0x44/0x6e
rtnetlink_rcv_msg+0x2bb/0x362
? __netlink_sendskb+0x4c/0x6c
? netlink_unicast+0x28f/0x2ce
? rtnl_calcit.isra.0+0x150/0x146
netlink_rcv_skb+0x5f/0x112
netlink_unicast+0x213/0x2ce
netlink_sendmsg+0x24f/0x4d9
__sock_sendmsg+0x65/0x6a
____sys_sendmsg+0x28f/0x2c9
? import_iovec+0x17/0x2b
___sys_sendmsg+0x97/0xe0
__sys_sendmsg+0x81/0xd8
do_syscall_64+0x35/0x87
entry_SYSCALL_64_after_hwframe+0x6e/0x0
RIP: 0033:0x7fc328603727
Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed
ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00
f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48
RSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727
RDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d
RBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 00000000000
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3354822cde5a9f72aa725b3c619188b149a71a33 , < 69e043bce09c9a77e5f55b9ac7505874a2a1a9f0
(git)
Affected: 3354822cde5a9f72aa725b3c619188b149a71a33 , < 6ebd02cf2dde11b86f89ea4c9f55179eab30d4ee (git) Affected: 3354822cde5a9f72aa725b3c619188b149a71a33 , < 4d6b4bea8b80bfa13c903ba547538249e7c5e977 (git) Affected: 3354822cde5a9f72aa725b3c619188b149a71a33 , < d47515af6cccd7484d8b0870376858c9848a18ec (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69e043bce09c9a77e5f55b9ac7505874a2a1a9f0",
"status": "affected",
"version": "3354822cde5a9f72aa725b3c619188b149a71a33",
"versionType": "git"
},
{
"lessThan": "6ebd02cf2dde11b86f89ea4c9f55179eab30d4ee",
"status": "affected",
"version": "3354822cde5a9f72aa725b3c619188b149a71a33",
"versionType": "git"
},
{
"lessThan": "4d6b4bea8b80bfa13c903ba547538249e7c5e977",
"status": "affected",
"version": "3354822cde5a9f72aa725b3c619188b149a71a33",
"versionType": "git"
},
{
"lessThan": "d47515af6cccd7484d8b0870376858c9848a18ec",
"status": "affected",
"version": "3354822cde5a9f72aa725b3c619188b149a71a33",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Clean up only new IRQ glue on request_irq() failure\n\nThe mlx5_irq_alloc() function can inadvertently free the entire rmap\nand end up in a crash[1] when the other threads tries to access this,\nwhen request_irq() fails due to exhausted IRQ vectors. This commit\nmodifies the cleanup to remove only the specific IRQ mapping that was\njust added.\n\nThis prevents removal of other valid mappings and ensures precise\ncleanup of the failed IRQ allocation\u0027s associated glue object.\n\nNote: This error is observed when both fwctl and rds configs are enabled.\n\n[1]\nmlx5_core 0000:05:00.0: Successfully registered panic handler for port 1\nmlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to\nrequest irq. err = -28\ninfiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while\ntrying to test write-combining support\nmlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1\nmlx5_core 0000:06:00.0: Successfully registered panic handler for port 1\nmlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to\nrequest irq. err = -28\ninfiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while\ntrying to test write-combining support\nmlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1\nmlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to\nrequest irq. err = -28\nmlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to\nrequest irq. err = -28\ngeneral protection fault, probably for non-canonical address\n0xe277a58fde16f291: 0000 [#1] SMP NOPTI\n\nRIP: 0010:free_irq_cpu_rmap+0x23/0x7d\nCall Trace:\n \u003cTASK\u003e\n ? show_trace_log_lvl+0x1d6/0x2f9\n ? show_trace_log_lvl+0x1d6/0x2f9\n ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]\n ? __die_body.cold+0x8/0xa\n ? die_addr+0x39/0x53\n ? exc_general_protection+0x1c4/0x3e9\n ? dev_vprintk_emit+0x5f/0x90\n ? asm_exc_general_protection+0x22/0x27\n ? free_irq_cpu_rmap+0x23/0x7d\n mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]\n irq_pool_request_vector+0x7d/0x90 [mlx5_core]\n mlx5_irq_request+0x2e/0xe0 [mlx5_core]\n mlx5_irq_request_vector+0xad/0xf7 [mlx5_core]\n comp_irq_request_pci+0x64/0xf0 [mlx5_core]\n create_comp_eq+0x71/0x385 [mlx5_core]\n ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core]\n mlx5_comp_eqn_get+0x72/0x90 [mlx5_core]\n ? xas_load+0x8/0x91\n mlx5_comp_irqn_get+0x40/0x90 [mlx5_core]\n mlx5e_open_channel+0x7d/0x3c7 [mlx5_core]\n mlx5e_open_channels+0xad/0x250 [mlx5_core]\n mlx5e_open_locked+0x3e/0x110 [mlx5_core]\n mlx5e_open+0x23/0x70 [mlx5_core]\n __dev_open+0xf1/0x1a5\n __dev_change_flags+0x1e1/0x249\n dev_change_flags+0x21/0x5c\n do_setlink+0x28b/0xcc4\n ? __nla_parse+0x22/0x3d\n ? inet6_validate_link_af+0x6b/0x108\n ? cpumask_next+0x1f/0x35\n ? __snmp6_fill_stats64.constprop.0+0x66/0x107\n ? __nla_validate_parse+0x48/0x1e6\n __rtnl_newlink+0x5ff/0xa57\n ? kmem_cache_alloc_trace+0x164/0x2ce\n rtnl_newlink+0x44/0x6e\n rtnetlink_rcv_msg+0x2bb/0x362\n ? __netlink_sendskb+0x4c/0x6c\n ? netlink_unicast+0x28f/0x2ce\n ? rtnl_calcit.isra.0+0x150/0x146\n netlink_rcv_skb+0x5f/0x112\n netlink_unicast+0x213/0x2ce\n netlink_sendmsg+0x24f/0x4d9\n __sock_sendmsg+0x65/0x6a\n ____sys_sendmsg+0x28f/0x2c9\n ? import_iovec+0x17/0x2b\n ___sys_sendmsg+0x97/0xe0\n __sys_sendmsg+0x81/0xd8\n do_syscall_64+0x35/0x87\n entry_SYSCALL_64_after_hwframe+0x6e/0x0\nRIP: 0033:0x7fc328603727\nCode: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed\nff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00\nf0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48\nRSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727\nRDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d\nRBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\nR13: 00000000000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T16:08:12.984Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69e043bce09c9a77e5f55b9ac7505874a2a1a9f0"
},
{
"url": "https://git.kernel.org/stable/c/6ebd02cf2dde11b86f89ea4c9f55179eab30d4ee"
},
{
"url": "https://git.kernel.org/stable/c/4d6b4bea8b80bfa13c903ba547538249e7c5e977"
},
{
"url": "https://git.kernel.org/stable/c/d47515af6cccd7484d8b0870376858c9848a18ec"
}
],
"title": "net/mlx5: Clean up only new IRQ glue on request_irq() failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40250",
"datePublished": "2025-12-04T16:08:12.984Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-04T16:08:12.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68800 (GCVE-0-2025-68800)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
Cited commit added a dedicated mutex (instead of RTNL) to protect the
multicast route list, so that it will not change while the driver
periodically traverses it in order to update the kernel about multicast
route stats that were queried from the device.
One instance of list entry deletion (during route replace) was missed
and it can result in a use-after-free [1].
Fix by acquiring the mutex before deleting the entry from the list and
releasing it afterwards.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043
CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)
Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017
Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]
Call Trace:
<TASK>
dump_stack_lvl+0xba/0x110
print_report+0x174/0x4f5
kasan_report+0xdf/0x110
mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Freed by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x70
__kasan_slab_free+0x43/0x70
kfree+0x14e/0x700
mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f38656d067257cc43b652958dd154e1ab0773701 , < b957366f5611bbaba03dd10ef861283347ddcc88
(git)
Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 6e367c361a523a4b54fe618215c64a0ee189caf0 (git) Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73 (git) Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 5f2831fc593c2b2efbff7dd0dd7441cec76adcd5 (git) Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 216afc198484fde110ebeafc017992266f4596ce (git) Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 4049a6ace209f4ed150429f86ae796d7d6a4c22b (git) Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 8ac1dacec458f55f871f7153242ed6ab60373b90 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b957366f5611bbaba03dd10ef861283347ddcc88",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "6e367c361a523a4b54fe618215c64a0ee189caf0",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "5f2831fc593c2b2efbff7dd0dd7441cec76adcd5",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "216afc198484fde110ebeafc017992266f4596ce",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "4049a6ace209f4ed150429f86ae796d7d6a4c22b",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "8ac1dacec458f55f871f7153242ed6ab60373b90",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats\n\nCited commit added a dedicated mutex (instead of RTNL) to protect the\nmulticast route list, so that it will not change while the driver\nperiodically traverses it in order to update the kernel about multicast\nroute stats that were queried from the device.\n\nOne instance of list entry deletion (during route replace) was missed\nand it can result in a use-after-free [1].\n\nFix by acquiring the mutex before deleting the entry from the list and\nreleasing it afterwards.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]\nRead of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043\n\nCPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)\nHardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017\nWorkqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xba/0x110\n print_report+0x174/0x4f5\n kasan_report+0xdf/0x110\n mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nAllocated by task 29933:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]\n mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 29933:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_save_free_info+0x3b/0x70\n __kasan_slab_free+0x43/0x70\n kfree+0x14e/0x700\n mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]\n mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:48.526Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b957366f5611bbaba03dd10ef861283347ddcc88"
},
{
"url": "https://git.kernel.org/stable/c/6e367c361a523a4b54fe618215c64a0ee189caf0"
},
{
"url": "https://git.kernel.org/stable/c/37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73"
},
{
"url": "https://git.kernel.org/stable/c/5f2831fc593c2b2efbff7dd0dd7441cec76adcd5"
},
{
"url": "https://git.kernel.org/stable/c/216afc198484fde110ebeafc017992266f4596ce"
},
{
"url": "https://git.kernel.org/stable/c/4049a6ace209f4ed150429f86ae796d7d6a4c22b"
},
{
"url": "https://git.kernel.org/stable/c/8ac1dacec458f55f871f7153242ed6ab60373b90"
}
],
"title": "mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68800",
"datePublished": "2026-01-13T15:29:09.688Z",
"dateReserved": "2025-12-24T10:30:51.044Z",
"dateUpdated": "2026-02-09T08:33:48.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39942 (GCVE-0-2025-39942)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:31 – Updated: 2025-10-04 07:31
VLAI?
EPSS
Title
ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size
This is inspired by the check for data_offset + data_length.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2ea086e35c3d726a3bacd0a971c1f02a50e98206 , < 196a3a7676d726ee67621ea2bf3b7815ac2685b4
(git)
Affected: 2ea086e35c3d726a3bacd0a971c1f02a50e98206 , < d3cb3f209d35c44b7ee74f77ed27ebb28995b9ce (git) Affected: 2ea086e35c3d726a3bacd0a971c1f02a50e98206 , < 9644798294c7287e65a7b26e35aa6d2ce3345bcc (git) Affected: 2ea086e35c3d726a3bacd0a971c1f02a50e98206 , < c64b915bb3d9339adcae5db4be2c35ffbef5e615 (git) Affected: 2ea086e35c3d726a3bacd0a971c1f02a50e98206 , < e1868ba37fd27c6a68e31565402b154beaa65df0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "196a3a7676d726ee67621ea2bf3b7815ac2685b4",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
},
{
"lessThan": "d3cb3f209d35c44b7ee74f77ed27ebb28995b9ce",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
},
{
"lessThan": "9644798294c7287e65a7b26e35aa6d2ce3345bcc",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
},
{
"lessThan": "c64b915bb3d9339adcae5db4be2c35ffbef5e615",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
},
{
"lessThan": "e1868ba37fd27c6a68e31565402b154beaa65df0",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size\n\nThis is inspired by the check for data_offset + data_length."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:31:04.810Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/196a3a7676d726ee67621ea2bf3b7815ac2685b4"
},
{
"url": "https://git.kernel.org/stable/c/d3cb3f209d35c44b7ee74f77ed27ebb28995b9ce"
},
{
"url": "https://git.kernel.org/stable/c/9644798294c7287e65a7b26e35aa6d2ce3345bcc"
},
{
"url": "https://git.kernel.org/stable/c/c64b915bb3d9339adcae5db4be2c35ffbef5e615"
},
{
"url": "https://git.kernel.org/stable/c/e1868ba37fd27c6a68e31565402b154beaa65df0"
}
],
"title": "ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39942",
"datePublished": "2025-10-04T07:31:04.810Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:31:04.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68359 (GCVE-0-2025-68359)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
btrfs: fix double free of qgroup record after failure to add delayed ref head
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix double free of qgroup record after failure to add delayed ref head
In the previous code it was possible to incur into a double kfree()
scenario when calling add_delayed_ref_head(). This could happen if the
record was reported to already exist in the
btrfs_qgroup_trace_extent_nolock() call, but then there was an error
later on add_delayed_ref_head(). In this case, since
add_delayed_ref_head() returned an error, the caller went to free the
record. Since add_delayed_ref_head() couldn't set this kfree'd pointer
to NULL, then kfree() would have acted on a non-NULL 'record' object
which was pointing to memory already freed by the callee.
The problem comes from the fact that the responsibility to kfree the
object is on both the caller and the callee at the same time. Hence, the
fix for this is to shift the ownership of the 'qrecord' object out of
the add_delayed_ref_head(). That is, we will never attempt to kfree()
the given object inside of this function, and will expect the caller to
act on the 'qrecord' object on its own. The only exception where the
'qrecord' object cannot be kfree'd is if it was inserted into the
tracing logic, for which we already have the 'qrecord_inserted_ret'
boolean to account for this. Hence, the caller has to kfree the object
only if add_delayed_ref_head() reports not to have inserted it on the
tracing logic.
As a side-effect of the above, we must guarantee that
'qrecord_inserted_ret' is properly initialized at the start of the
function, not at the end, and then set when an actual insert
happens. This way we avoid 'qrecord_inserted_ret' having an invalid
value on an early exit.
The documentation from the add_delayed_ref_head() has also been updated
to reflect on the exact ownership of the 'qrecord' object.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6ef8fbce010421bf742b12b8f8f2b2d2ff154845 , < 7617680769e3119dfb3b43a2b7c287ce2242211c
(git)
Affected: 6ef8fbce010421bf742b12b8f8f2b2d2ff154845 , < 364685c4c2d9c9f4408d95451bcf42fdeebc3ebb (git) Affected: 6ef8fbce010421bf742b12b8f8f2b2d2ff154845 , < 725e46298876a2cc1f1c3fb22ba69d29102c3ddf (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/delayed-ref.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7617680769e3119dfb3b43a2b7c287ce2242211c",
"status": "affected",
"version": "6ef8fbce010421bf742b12b8f8f2b2d2ff154845",
"versionType": "git"
},
{
"lessThan": "364685c4c2d9c9f4408d95451bcf42fdeebc3ebb",
"status": "affected",
"version": "6ef8fbce010421bf742b12b8f8f2b2d2ff154845",
"versionType": "git"
},
{
"lessThan": "725e46298876a2cc1f1c3fb22ba69d29102c3ddf",
"status": "affected",
"version": "6ef8fbce010421bf742b12b8f8f2b2d2ff154845",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/delayed-ref.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free of qgroup record after failure to add delayed ref head\n\nIn the previous code it was possible to incur into a double kfree()\nscenario when calling add_delayed_ref_head(). This could happen if the\nrecord was reported to already exist in the\nbtrfs_qgroup_trace_extent_nolock() call, but then there was an error\nlater on add_delayed_ref_head(). In this case, since\nadd_delayed_ref_head() returned an error, the caller went to free the\nrecord. Since add_delayed_ref_head() couldn\u0027t set this kfree\u0027d pointer\nto NULL, then kfree() would have acted on a non-NULL \u0027record\u0027 object\nwhich was pointing to memory already freed by the callee.\n\nThe problem comes from the fact that the responsibility to kfree the\nobject is on both the caller and the callee at the same time. Hence, the\nfix for this is to shift the ownership of the \u0027qrecord\u0027 object out of\nthe add_delayed_ref_head(). That is, we will never attempt to kfree()\nthe given object inside of this function, and will expect the caller to\nact on the \u0027qrecord\u0027 object on its own. The only exception where the\n\u0027qrecord\u0027 object cannot be kfree\u0027d is if it was inserted into the\ntracing logic, for which we already have the \u0027qrecord_inserted_ret\u0027\nboolean to account for this. Hence, the caller has to kfree the object\nonly if add_delayed_ref_head() reports not to have inserted it on the\ntracing logic.\n\nAs a side-effect of the above, we must guarantee that\n\u0027qrecord_inserted_ret\u0027 is properly initialized at the start of the\nfunction, not at the end, and then set when an actual insert\nhappens. This way we avoid \u0027qrecord_inserted_ret\u0027 having an invalid\nvalue on an early exit.\n\nThe documentation from the add_delayed_ref_head() has also been updated\nto reflect on the exact ownership of the \u0027qrecord\u0027 object."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:54.423Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7617680769e3119dfb3b43a2b7c287ce2242211c"
},
{
"url": "https://git.kernel.org/stable/c/364685c4c2d9c9f4408d95451bcf42fdeebc3ebb"
},
{
"url": "https://git.kernel.org/stable/c/725e46298876a2cc1f1c3fb22ba69d29102c3ddf"
}
],
"title": "btrfs: fix double free of qgroup record after failure to add delayed ref head",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68359",
"datePublished": "2025-12-24T10:32:48.456Z",
"dateReserved": "2025-12-16T14:48:05.305Z",
"dateUpdated": "2026-02-09T08:31:54.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40155 (GCVE-0-2025-40155)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
iommu/vt-d: debugfs: Fix legacy mode page table dump logic
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: debugfs: Fix legacy mode page table dump logic
In legacy mode, SSPTPTR is ignored if TT is not 00b or 01b. SSPTPTR
maybe uninitialized or zero in that case and may cause oops like:
Oops: general protection fault, probably for non-canonical address
0xf00087d3f000f000: 0000 [#1] SMP NOPTI
CPU: 2 UID: 0 PID: 786 Comm: cat Not tainted 6.16.0 #191 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014
RIP: 0010:pgtable_walk_level+0x98/0x150
RSP: 0018:ffffc90000f279c0 EFLAGS: 00010206
RAX: 0000000040000000 RBX: ffffc90000f27ab0 RCX: 000000000000001e
RDX: 0000000000000003 RSI: f00087d3f000f000 RDI: f00087d3f0010000
RBP: ffffc90000f27a00 R08: ffffc90000f27a98 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000000 R12: f00087d3f000f000
R13: 0000000000000000 R14: 0000000040000000 R15: ffffc90000f27a98
FS: 0000764566dcb740(0000) GS:ffff8881f812c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000764566d44000 CR3: 0000000109d81003 CR4: 0000000000772ef0
PKRU: 55555554
Call Trace:
<TASK>
pgtable_walk_level+0x88/0x150
domain_translation_struct_show.isra.0+0x2d9/0x300
dev_domain_translation_struct_show+0x20/0x40
seq_read_iter+0x12d/0x490
...
Avoid walking the page table if TT is not 00b or 01b.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2b437e80456654df3980706384065d444f4bb54d , < d8cf7b59c49f9118fa875462e18686cb6b131bb5
(git)
Affected: 2b437e80456654df3980706384065d444f4bb54d , < df2bf759a0bdb71f13e327d7527260d09facc055 (git) Affected: 2b437e80456654df3980706384065d444f4bb54d , < fbe6070c73badca726e4ff7877320e6c62339917 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/intel/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d8cf7b59c49f9118fa875462e18686cb6b131bb5",
"status": "affected",
"version": "2b437e80456654df3980706384065d444f4bb54d",
"versionType": "git"
},
{
"lessThan": "df2bf759a0bdb71f13e327d7527260d09facc055",
"status": "affected",
"version": "2b437e80456654df3980706384065d444f4bb54d",
"versionType": "git"
},
{
"lessThan": "fbe6070c73badca726e4ff7877320e6c62339917",
"status": "affected",
"version": "2b437e80456654df3980706384065d444f4bb54d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/intel/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: debugfs: Fix legacy mode page table dump logic\n\nIn legacy mode, SSPTPTR is ignored if TT is not 00b or 01b. SSPTPTR\nmaybe uninitialized or zero in that case and may cause oops like:\n\n Oops: general protection fault, probably for non-canonical address\n 0xf00087d3f000f000: 0000 [#1] SMP NOPTI\n CPU: 2 UID: 0 PID: 786 Comm: cat Not tainted 6.16.0 #191 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014\n RIP: 0010:pgtable_walk_level+0x98/0x150\n RSP: 0018:ffffc90000f279c0 EFLAGS: 00010206\n RAX: 0000000040000000 RBX: ffffc90000f27ab0 RCX: 000000000000001e\n RDX: 0000000000000003 RSI: f00087d3f000f000 RDI: f00087d3f0010000\n RBP: ffffc90000f27a00 R08: ffffc90000f27a98 R09: 0000000000000002\n R10: 0000000000000000 R11: 0000000000000000 R12: f00087d3f000f000\n R13: 0000000000000000 R14: 0000000040000000 R15: ffffc90000f27a98\n FS: 0000764566dcb740(0000) GS:ffff8881f812c000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000764566d44000 CR3: 0000000109d81003 CR4: 0000000000772ef0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n pgtable_walk_level+0x88/0x150\n domain_translation_struct_show.isra.0+0x2d9/0x300\n dev_domain_translation_struct_show+0x20/0x40\n seq_read_iter+0x12d/0x490\n...\n\nAvoid walking the page table if TT is not 00b or 01b."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:05.799Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d8cf7b59c49f9118fa875462e18686cb6b131bb5"
},
{
"url": "https://git.kernel.org/stable/c/df2bf759a0bdb71f13e327d7527260d09facc055"
},
{
"url": "https://git.kernel.org/stable/c/fbe6070c73badca726e4ff7877320e6c62339917"
}
],
"title": "iommu/vt-d: debugfs: Fix legacy mode page table dump logic",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40155",
"datePublished": "2025-11-12T10:23:28.718Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:05.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38627 (GCVE-0-2025-38627)
Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-12-01 10:52
VLAI?
EPSS
Title
f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic
The decompress_io_ctx may be released asynchronously after
I/O completion. If this file is deleted immediately after read,
and the kworker of processing post_read_wq has not been executed yet
due to high workloads, It is possible that the inode(f2fs_inode_info)
is evicted and freed before it is used f2fs_free_dic.
The UAF case as below:
Thread A Thread B
- f2fs_decompress_end_io
- f2fs_put_dic
- queue_work
add free_dic work to post_read_wq
- do_unlink
- iput
- evict
- call_rcu
This file is deleted after read.
Thread C kworker to process post_read_wq
- rcu_do_batch
- f2fs_free_inode
- kmem_cache_free
inode is freed by rcu
- process_scheduled_works
- f2fs_late_free_dic
- f2fs_free_dic
- f2fs_release_decomp_mem
read (dic->inode)->i_compress_algorithm
This patch store compress_algorithm and sbi in dic to avoid inode UAF.
In addition, the previous solution is deprecated in [1] may cause system hang.
[1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bff139b49d9f70c1ac5384aac94554846aa834de , < 5d604d40cd3232b09cb339941ef958e49283ed0a
(git)
Affected: bff139b49d9f70c1ac5384aac94554846aa834de , < 8fae5b6addd5f6895e03797b56e3c7b9f9cd15c9 (git) Affected: bff139b49d9f70c1ac5384aac94554846aa834de , < 39868685c2a94a70762bc6d77dc81d781d05bff5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/compress.c",
"fs/f2fs/f2fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d604d40cd3232b09cb339941ef958e49283ed0a",
"status": "affected",
"version": "bff139b49d9f70c1ac5384aac94554846aa834de",
"versionType": "git"
},
{
"lessThan": "8fae5b6addd5f6895e03797b56e3c7b9f9cd15c9",
"status": "affected",
"version": "bff139b49d9f70c1ac5384aac94554846aa834de",
"versionType": "git"
},
{
"lessThan": "39868685c2a94a70762bc6d77dc81d781d05bff5",
"status": "affected",
"version": "bff139b49d9f70c1ac5384aac94554846aa834de",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/compress.c",
"fs/f2fs/f2fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic\n\nThe decompress_io_ctx may be released asynchronously after\nI/O completion. If this file is deleted immediately after read,\nand the kworker of processing post_read_wq has not been executed yet\ndue to high workloads, It is possible that the inode(f2fs_inode_info)\nis evicted and freed before it is used f2fs_free_dic.\n\n The UAF case as below:\n Thread A Thread B\n - f2fs_decompress_end_io\n - f2fs_put_dic\n - queue_work\n add free_dic work to post_read_wq\n - do_unlink\n - iput\n - evict\n - call_rcu\n This file is deleted after read.\n\n Thread C kworker to process post_read_wq\n - rcu_do_batch\n - f2fs_free_inode\n - kmem_cache_free\n inode is freed by rcu\n - process_scheduled_works\n - f2fs_late_free_dic\n - f2fs_free_dic\n - f2fs_release_decomp_mem\n read (dic-\u003einode)-\u003ei_compress_algorithm\n\nThis patch store compress_algorithm and sbi in dic to avoid inode UAF.\n\nIn addition, the previous solution is deprecated in [1] may cause system hang.\n[1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T10:52:48.194Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d604d40cd3232b09cb339941ef958e49283ed0a"
},
{
"url": "https://git.kernel.org/stable/c/8fae5b6addd5f6895e03797b56e3c7b9f9cd15c9"
},
{
"url": "https://git.kernel.org/stable/c/39868685c2a94a70762bc6d77dc81d781d05bff5"
}
],
"title": "f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38627",
"datePublished": "2025-08-22T16:00:35.856Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-12-01T10:52:48.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40153 (GCVE-0-2025-40153)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
mm: hugetlb: avoid soft lockup when mprotect to large memory area
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: hugetlb: avoid soft lockup when mprotect to large memory area
When calling mprotect() to a large hugetlb memory area in our customer's
workload (~300GB hugetlb memory), soft lockup was observed:
watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]
CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7
Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025
pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mte_clear_page_tags+0x14/0x24
lr : mte_sync_tags+0x1c0/0x240
sp : ffff80003150bb80
x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000
x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458
x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000
x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000
x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000
Call trace:
mte_clear_page_tags+0x14/0x24
set_huge_pte_at+0x25c/0x280
hugetlb_change_protection+0x220/0x430
change_protection+0x5c/0x8c
mprotect_fixup+0x10c/0x294
do_mprotect_pkey.constprop.0+0x2e0/0x3d4
__arm64_sys_mprotect+0x24/0x44
invoke_syscall+0x50/0x160
el0_svc_common+0x48/0x144
do_el0_svc+0x30/0xe0
el0_svc+0x30/0xf0
el0t_64_sync_handler+0xc4/0x148
el0t_64_sync+0x1a4/0x1a8
Soft lockup is not triggered with THP or base page because there is
cond_resched() called for each PMD size.
Although the soft lockup was triggered by MTE, it should be not MTE
specific. The other processing which takes long time in the loop may
trigger soft lockup too.
So add cond_resched() for hugetlb to avoid soft lockup.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8f860591ffb29738cf5539b6fbf27f50dcdeb380 , < 30498c44c2a0b20f6833ed7d8fc3df901507f760
(git)
Affected: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 , < 5783485ab2be06be5312b26c8793526edc09123d (git) Affected: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 , < 547e123e9d342a44c756446640ed847a8aeec611 (git) Affected: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 , < 957faf9582f92bb2be8ebe4ab6aa1c2bc71d9859 (git) Affected: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 , < 964598e6f70a1be9fe675280bf16b4f96b0a6809 (git) Affected: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 , < 4975c975ed9457a77953a26aeef85fdba7cf5498 (git) Affected: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 , < c6096f3947f68f96defedb8764b3b1ca4cf3469f (git) Affected: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 , < f52ce0ea90c83a28904c7cc203a70e6434adfecb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "30498c44c2a0b20f6833ed7d8fc3df901507f760",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "5783485ab2be06be5312b26c8793526edc09123d",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "547e123e9d342a44c756446640ed847a8aeec611",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "957faf9582f92bb2be8ebe4ab6aa1c2bc71d9859",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "964598e6f70a1be9fe675280bf16b4f96b0a6809",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "4975c975ed9457a77953a26aeef85fdba7cf5498",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "c6096f3947f68f96defedb8764b3b1ca4cf3469f",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "f52ce0ea90c83a28904c7cc203a70e6434adfecb",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: hugetlb: avoid soft lockup when mprotect to large memory area\n\nWhen calling mprotect() to a large hugetlb memory area in our customer\u0027s\nworkload (~300GB hugetlb memory), soft lockup was observed:\n\nwatchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]\n\nCPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7\nHardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025\npstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc\u00a0: mte_clear_page_tags+0x14/0x24\nlr\u00a0: mte_sync_tags+0x1c0/0x240\nsp\u00a0: ffff80003150bb80\nx29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000\nx26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458\nx23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000\nx20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c\nx8\u00a0: 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\nx5\u00a0: fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000\nx2\u00a0: 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000\n\nCall trace:\n\u00a0\u00a0mte_clear_page_tags+0x14/0x24\n\u00a0\u00a0set_huge_pte_at+0x25c/0x280\n\u00a0\u00a0hugetlb_change_protection+0x220/0x430\n\u00a0\u00a0change_protection+0x5c/0x8c\n\u00a0\u00a0mprotect_fixup+0x10c/0x294\n\u00a0\u00a0do_mprotect_pkey.constprop.0+0x2e0/0x3d4\n\u00a0\u00a0__arm64_sys_mprotect+0x24/0x44\n\u00a0\u00a0invoke_syscall+0x50/0x160\n\u00a0\u00a0el0_svc_common+0x48/0x144\n\u00a0\u00a0do_el0_svc+0x30/0xe0\n\u00a0\u00a0el0_svc+0x30/0xf0\n\u00a0\u00a0el0t_64_sync_handler+0xc4/0x148\n\u00a0\u00a0el0t_64_sync+0x1a4/0x1a8\n\nSoft lockup is not triggered with THP or base page because there is\ncond_resched() called for each PMD size.\n\nAlthough the soft lockup was triggered by MTE, it should be not MTE\nspecific. The other processing which takes long time in the loop may\ntrigger soft lockup too.\n\nSo add cond_resched() for hugetlb to avoid soft lockup."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:03.365Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/30498c44c2a0b20f6833ed7d8fc3df901507f760"
},
{
"url": "https://git.kernel.org/stable/c/5783485ab2be06be5312b26c8793526edc09123d"
},
{
"url": "https://git.kernel.org/stable/c/547e123e9d342a44c756446640ed847a8aeec611"
},
{
"url": "https://git.kernel.org/stable/c/957faf9582f92bb2be8ebe4ab6aa1c2bc71d9859"
},
{
"url": "https://git.kernel.org/stable/c/964598e6f70a1be9fe675280bf16b4f96b0a6809"
},
{
"url": "https://git.kernel.org/stable/c/4975c975ed9457a77953a26aeef85fdba7cf5498"
},
{
"url": "https://git.kernel.org/stable/c/c6096f3947f68f96defedb8764b3b1ca4cf3469f"
},
{
"url": "https://git.kernel.org/stable/c/f52ce0ea90c83a28904c7cc203a70e6434adfecb"
}
],
"title": "mm: hugetlb: avoid soft lockup when mprotect to large memory area",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40153",
"datePublished": "2025-11-12T10:23:28.201Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:03.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68785 (GCVE-0-2025-68785)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
net: openvswitch: fix middle attribute validation in push_nsh() action
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: fix middle attribute validation in push_nsh() action
The push_nsh() action structure looks like this:
OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))
The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the
nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost
OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested()
inside nsh_key_put_from_nlattr(). But nothing checks if the attribute
in the middle is OK. We don't even check that this attribute is the
OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data()
calls - first time directly while calling validate_push_nsh() and the
second time as part of the nla_for_each_nested() macro, which isn't
safe, potentially causing invalid memory access if the size of this
attribute is incorrect. The failure may not be noticed during
validation due to larger netlink buffer, but cause trouble later during
action execution where the buffer is allocated exactly to the size:
BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
Read of size 184 at addr ffff88816459a634 by task a.out/22624
CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x70
print_address_description.constprop.0+0x2c/0x390
kasan_report+0xdd/0x110
kasan_check_range+0x35/0x1b0
__asan_memcpy+0x20/0x60
nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
push_nsh+0x82/0x120 [openvswitch]
do_execute_actions+0x1405/0x2840 [openvswitch]
ovs_execute_actions+0xd5/0x3b0 [openvswitch]
ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]
genl_family_rcv_msg_doit+0x1d6/0x2b0
genl_family_rcv_msg+0x336/0x580
genl_rcv_msg+0x9f/0x130
netlink_rcv_skb+0x11f/0x370
genl_rcv+0x24/0x40
netlink_unicast+0x73e/0xaa0
netlink_sendmsg+0x744/0xbf0
__sys_sendto+0x3d6/0x450
do_syscall_64+0x79/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
Let's add some checks that the attribute is properly sized and it's
the only one attribute inside the action. Technically, there is no
real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're
pushing an NSH header already, it just creates extra nesting, but
that's how uAPI works today. So, keeping as it is.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < d0c135b8bbbcf92836068fd395bebeb7ae6c7bef
(git)
Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 3bc2efff20a38b2c7ca18317649715df0dd62ced (git) Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 1b569db9c2f28b599e40050524aae5f7332bc294 (git) Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 10ffc558246f2c75619aedda0921906095e46702 (git) Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 2ecfc4433acdb149eafd7fb22d7fd4adf90b25e9 (git) Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < c999153bfb2d1d9b295b7010d920f2a7c6d7595f (git) Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 5ace7ef87f059d68b5f50837ef3e8a1a4870c36e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/flow_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0c135b8bbbcf92836068fd395bebeb7ae6c7bef",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "3bc2efff20a38b2c7ca18317649715df0dd62ced",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "1b569db9c2f28b599e40050524aae5f7332bc294",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "10ffc558246f2c75619aedda0921906095e46702",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "2ecfc4433acdb149eafd7fb22d7fd4adf90b25e9",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "c999153bfb2d1d9b295b7010d920f2a7c6d7595f",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "5ace7ef87f059d68b5f50837ef3e8a1a4870c36e",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/flow_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix middle attribute validation in push_nsh() action\n\nThe push_nsh() action structure looks like this:\n\n OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))\n\nThe outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK\u0027ed by the\nnla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost\nOVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK\u0027ed by the nla_for_each_nested()\ninside nsh_key_put_from_nlattr(). But nothing checks if the attribute\nin the middle is OK. We don\u0027t even check that this attribute is the\nOVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data()\ncalls - first time directly while calling validate_push_nsh() and the\nsecond time as part of the nla_for_each_nested() macro, which isn\u0027t\nsafe, potentially causing invalid memory access if the size of this\nattribute is incorrect. The failure may not be noticed during\nvalidation due to larger netlink buffer, but cause trouble later during\naction execution where the buffer is allocated exactly to the size:\n\n BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]\n Read of size 184 at addr ffff88816459a634 by task a.out/22624\n\n CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x51/0x70\n print_address_description.constprop.0+0x2c/0x390\n kasan_report+0xdd/0x110\n kasan_check_range+0x35/0x1b0\n __asan_memcpy+0x20/0x60\n nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]\n push_nsh+0x82/0x120 [openvswitch]\n do_execute_actions+0x1405/0x2840 [openvswitch]\n ovs_execute_actions+0xd5/0x3b0 [openvswitch]\n ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]\n genl_family_rcv_msg_doit+0x1d6/0x2b0\n genl_family_rcv_msg+0x336/0x580\n genl_rcv_msg+0x9f/0x130\n netlink_rcv_skb+0x11f/0x370\n genl_rcv+0x24/0x40\n netlink_unicast+0x73e/0xaa0\n netlink_sendmsg+0x744/0xbf0\n __sys_sendto+0x3d6/0x450\n do_syscall_64+0x79/0x2c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\nLet\u0027s add some checks that the attribute is properly sized and it\u0027s\nthe only one attribute inside the action. Technically, there is no\nreal reason for OVS_KEY_ATTR_NSH to be there, as we know that we\u0027re\npushing an NSH header already, it just creates extra nesting, but\nthat\u0027s how uAPI works today. So, keeping as it is."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:31.795Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0c135b8bbbcf92836068fd395bebeb7ae6c7bef"
},
{
"url": "https://git.kernel.org/stable/c/3bc2efff20a38b2c7ca18317649715df0dd62ced"
},
{
"url": "https://git.kernel.org/stable/c/1b569db9c2f28b599e40050524aae5f7332bc294"
},
{
"url": "https://git.kernel.org/stable/c/10ffc558246f2c75619aedda0921906095e46702"
},
{
"url": "https://git.kernel.org/stable/c/2ecfc4433acdb149eafd7fb22d7fd4adf90b25e9"
},
{
"url": "https://git.kernel.org/stable/c/c999153bfb2d1d9b295b7010d920f2a7c6d7595f"
},
{
"url": "https://git.kernel.org/stable/c/5ace7ef87f059d68b5f50837ef3e8a1a4870c36e"
}
],
"title": "net: openvswitch: fix middle attribute validation in push_nsh() action",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68785",
"datePublished": "2026-01-13T15:28:58.930Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-02-09T08:33:31.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71112 (GCVE-0-2025-71112)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
net: hns3: add VLAN id validation before using
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hns3: add VLAN id validation before using
Currently, the VLAN id may be used without validation when
receive a VLAN configuration mailbox from VF. The length of
vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause
out-of-bounds memory access once the VLAN id is bigger than
or equal to VLAN_N_VID.
Therefore, VLAN id needs to be checked to ensure it is within
the range of VLAN_N_VID.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8
(git)
Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 42c91dfa772c57de141e5a55a187ac760c0fd7e1 (git) Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 00e56a7706e10b3d00a258d81fcb85a7e96372d6 (git) Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < b7b4f3bf118f51b67691a55b464f04452e5dc6fc (git) Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 95cca255a7a5ad782639ff0298c2a486707d1046 (git) Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 91a51d01be5c9f82c12c2921ca5cceaa31b67128 (git) Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 6ef935e65902bfed53980ad2754b06a284ea8ac1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "42c91dfa772c57de141e5a55a187ac760c0fd7e1",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "00e56a7706e10b3d00a258d81fcb85a7e96372d6",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "b7b4f3bf118f51b67691a55b464f04452e5dc6fc",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "95cca255a7a5ad782639ff0298c2a486707d1046",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "91a51d01be5c9f82c12c2921ca5cceaa31b67128",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "6ef935e65902bfed53980ad2754b06a284ea8ac1",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: add VLAN id validation before using\n\nCurrently, the VLAN id may be used without validation when\nreceive a VLAN configuration mailbox from VF. The length of\nvlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause\nout-of-bounds memory access once the VLAN id is bigger than\nor equal to VLAN_N_VID.\n\nTherefore, VLAN id needs to be checked to ensure it is within\nthe range of VLAN_N_VID."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:06.680Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8"
},
{
"url": "https://git.kernel.org/stable/c/42c91dfa772c57de141e5a55a187ac760c0fd7e1"
},
{
"url": "https://git.kernel.org/stable/c/00e56a7706e10b3d00a258d81fcb85a7e96372d6"
},
{
"url": "https://git.kernel.org/stable/c/b7b4f3bf118f51b67691a55b464f04452e5dc6fc"
},
{
"url": "https://git.kernel.org/stable/c/95cca255a7a5ad782639ff0298c2a486707d1046"
},
{
"url": "https://git.kernel.org/stable/c/91a51d01be5c9f82c12c2921ca5cceaa31b67128"
},
{
"url": "https://git.kernel.org/stable/c/6ef935e65902bfed53980ad2754b06a284ea8ac1"
}
],
"title": "net: hns3: add VLAN id validation before using",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71112",
"datePublished": "2026-01-14T15:05:59.308Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-02-09T08:35:06.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22106 (GCVE-0-2025-22106)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-09-25 09:49
VLAI?
EPSS
Title
vmxnet3: unregister xdp rxq info in the reset path
Summary
In the Linux kernel, the following vulnerability has been resolved:
vmxnet3: unregister xdp rxq info in the reset path
vmxnet3 does not unregister xdp rxq info in the
vmxnet3_reset_work() code path as vmxnet3_rq_destroy()
is not invoked in this code path. So, we get below message with a
backtrace.
Missing unregister, handled but fix driver
WARNING: CPU:48 PID: 500 at net/core/xdp.c:182
__xdp_rxq_info_reg+0x93/0xf0
This patch fixes the problem by moving the unregister
code of XDP from vmxnet3_rq_destroy() to vmxnet3_rq_cleanup().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
54f00cce11786742bd11e5e68c3bf85e6dc048c9 , < a6157484bee3385a425d288a69e1eaf03232f5fc
(git)
Affected: 54f00cce11786742bd11e5e68c3bf85e6dc048c9 , < 23da4e0bb2a38966d29db0ff90a8fe68fdfa1744 (git) Affected: 54f00cce11786742bd11e5e68c3bf85e6dc048c9 , < 9908541a9e235b7c5e2fbdd59910eaf9c32c3075 (git) Affected: 54f00cce11786742bd11e5e68c3bf85e6dc048c9 , < 0dd765fae295832934bf28e45dd5a355e0891ed4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/vmxnet3/vmxnet3_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6157484bee3385a425d288a69e1eaf03232f5fc",
"status": "affected",
"version": "54f00cce11786742bd11e5e68c3bf85e6dc048c9",
"versionType": "git"
},
{
"lessThan": "23da4e0bb2a38966d29db0ff90a8fe68fdfa1744",
"status": "affected",
"version": "54f00cce11786742bd11e5e68c3bf85e6dc048c9",
"versionType": "git"
},
{
"lessThan": "9908541a9e235b7c5e2fbdd59910eaf9c32c3075",
"status": "affected",
"version": "54f00cce11786742bd11e5e68c3bf85e6dc048c9",
"versionType": "git"
},
{
"lessThan": "0dd765fae295832934bf28e45dd5a355e0891ed4",
"status": "affected",
"version": "54f00cce11786742bd11e5e68c3bf85e6dc048c9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/vmxnet3/vmxnet3_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmxnet3: unregister xdp rxq info in the reset path\n\nvmxnet3 does not unregister xdp rxq info in the\nvmxnet3_reset_work() code path as vmxnet3_rq_destroy()\nis not invoked in this code path. So, we get below message with a\nbacktrace.\n\nMissing unregister, handled but fix driver\nWARNING: CPU:48 PID: 500 at net/core/xdp.c:182\n__xdp_rxq_info_reg+0x93/0xf0\n\nThis patch fixes the problem by moving the unregister\ncode of XDP from vmxnet3_rq_destroy() to vmxnet3_rq_cleanup()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-25T09:49:08.249Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6157484bee3385a425d288a69e1eaf03232f5fc"
},
{
"url": "https://git.kernel.org/stable/c/23da4e0bb2a38966d29db0ff90a8fe68fdfa1744"
},
{
"url": "https://git.kernel.org/stable/c/9908541a9e235b7c5e2fbdd59910eaf9c32c3075"
},
{
"url": "https://git.kernel.org/stable/c/0dd765fae295832934bf28e45dd5a355e0891ed4"
}
],
"title": "vmxnet3: unregister xdp rxq info in the reset path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22106",
"datePublished": "2025-04-16T14:12:54.461Z",
"dateReserved": "2024-12-29T08:45:45.820Z",
"dateUpdated": "2025-09-25T09:49:08.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40201 (GCVE-0-2025-40201)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:20
VLAI?
EPSS
Title
kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths
Summary
In the Linux kernel, the following vulnerability has been resolved:
kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths
The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit()
path is very broken.
sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct
itself. If tsk != current and tsk is not a leader, this process can exit/exec
and task_lock(tsk->group_leader) may use the already freed task_struct.
Another problem is that sys_prlimit64() can race with mt-exec which changes
->group_leader. In this case do_prlimit() may take the wrong lock, or (worse)
->group_leader may change between task_lock() and task_unlock().
Change sys_prlimit64() to take tasklist_lock when necessary. This is not
nice, but I don't see a better fix for -stable.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
18c91bb2d87268d23868bf13508f5bc9cf04e89a , < 1bc0d9315ef5296abb2c9fd840336255850ded18
(git)
Affected: 18c91bb2d87268d23868bf13508f5bc9cf04e89a , < 132f827e7bac7373e1522e89709d70b43cae5342 (git) Affected: 18c91bb2d87268d23868bf13508f5bc9cf04e89a , < 19b45c84bd9fd42fa97ff80c6350d604cb871c75 (git) Affected: 18c91bb2d87268d23868bf13508f5bc9cf04e89a , < 6796412decd2d8de8ec708213bbc958fab72f143 (git) Affected: 18c91bb2d87268d23868bf13508f5bc9cf04e89a , < a15f37a40145c986cdf289a4b88390f35efdecc4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sys.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1bc0d9315ef5296abb2c9fd840336255850ded18",
"status": "affected",
"version": "18c91bb2d87268d23868bf13508f5bc9cf04e89a",
"versionType": "git"
},
{
"lessThan": "132f827e7bac7373e1522e89709d70b43cae5342",
"status": "affected",
"version": "18c91bb2d87268d23868bf13508f5bc9cf04e89a",
"versionType": "git"
},
{
"lessThan": "19b45c84bd9fd42fa97ff80c6350d604cb871c75",
"status": "affected",
"version": "18c91bb2d87268d23868bf13508f5bc9cf04e89a",
"versionType": "git"
},
{
"lessThan": "6796412decd2d8de8ec708213bbc958fab72f143",
"status": "affected",
"version": "18c91bb2d87268d23868bf13508f5bc9cf04e89a",
"versionType": "git"
},
{
"lessThan": "a15f37a40145c986cdf289a4b88390f35efdecc4",
"status": "affected",
"version": "18c91bb2d87268d23868bf13508f5bc9cf04e89a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sys.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernel/sys.c: fix the racy usage of task_lock(tsk-\u003egroup_leader) in sys_prlimit64() paths\n\nThe usage of task_lock(tsk-\u003egroup_leader) in sys_prlimit64()-\u003edo_prlimit()\npath is very broken.\n\nsys_prlimit64() does get_task_struct(tsk) but this only protects task_struct\nitself. If tsk != current and tsk is not a leader, this process can exit/exec\nand task_lock(tsk-\u003egroup_leader) may use the already freed task_struct.\n\nAnother problem is that sys_prlimit64() can race with mt-exec which changes\n-\u003egroup_leader. In this case do_prlimit() may take the wrong lock, or (worse)\n-\u003egroup_leader may change between task_lock() and task_unlock().\n\nChange sys_prlimit64() to take tasklist_lock when necessary. This is not\nnice, but I don\u0027t see a better fix for -stable."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:03.758Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1bc0d9315ef5296abb2c9fd840336255850ded18"
},
{
"url": "https://git.kernel.org/stable/c/132f827e7bac7373e1522e89709d70b43cae5342"
},
{
"url": "https://git.kernel.org/stable/c/19b45c84bd9fd42fa97ff80c6350d604cb871c75"
},
{
"url": "https://git.kernel.org/stable/c/6796412decd2d8de8ec708213bbc958fab72f143"
},
{
"url": "https://git.kernel.org/stable/c/a15f37a40145c986cdf289a4b88390f35efdecc4"
}
],
"title": "kernel/sys.c: fix the racy usage of task_lock(tsk-\u003egroup_leader) in sys_prlimit64() paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40201",
"datePublished": "2025-11-12T21:56:34.063Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-12-01T06:20:03.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68323 (GCVE-0-2025-68323)
Vulnerability from cvelistv5 – Published: 2025-12-18 15:02 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
usb: typec: ucsi: fix use-after-free caused by uec->work
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ucsi: fix use-after-free caused by uec->work
The delayed work uec->work is scheduled in gaokun_ucsi_probe()
but never properly canceled in gaokun_ucsi_remove(). This creates
use-after-free scenarios where the ucsi and gaokun_ucsi structure
are freed after ucsi_destroy() completes execution, while the
gaokun_ucsi_register_worker() might be either currently executing
or still pending in the work queue. The already-freed gaokun_ucsi
or ucsi structure may then be accessed.
Furthermore, the race window is 3 seconds, which is sufficiently
long to make this bug easily reproducible. The following is the
trace captured by KASAN:
==================================================================
BUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630
Write of size 8 at addr ffff00000ec28cc8 by task swapper/0/0
...
Call trace:
show_stack+0x18/0x24 (C)
dump_stack_lvl+0x78/0x90
print_report+0x114/0x580
kasan_report+0xa4/0xf0
__asan_report_store8_noabort+0x20/0x2c
__run_timers+0x5ec/0x630
run_timer_softirq+0xe8/0x1cc
handle_softirqs+0x294/0x720
__do_softirq+0x14/0x20
____do_softirq+0x10/0x1c
call_on_irq_stack+0x30/0x48
do_softirq_own_stack+0x1c/0x28
__irq_exit_rcu+0x27c/0x364
irq_exit_rcu+0x10/0x1c
el1_interrupt+0x40/0x60
el1h_64_irq_handler+0x18/0x24
el1h_64_irq+0x6c/0x70
arch_local_irq_enable+0x4/0x8 (P)
do_idle+0x334/0x458
cpu_startup_entry+0x60/0x70
rest_init+0x158/0x174
start_kernel+0x2f8/0x394
__primary_switched+0x8c/0x94
Allocated by task 72 on cpu 0 at 27.510341s:
kasan_save_stack+0x2c/0x54
kasan_save_track+0x24/0x5c
kasan_save_alloc_info+0x40/0x54
__kasan_kmalloc+0xa0/0xb8
__kmalloc_node_track_caller_noprof+0x1c0/0x588
devm_kmalloc+0x7c/0x1c8
gaokun_ucsi_probe+0xa0/0x840 auxiliary_bus_probe+0x94/0xf8
really_probe+0x17c/0x5b8
__driver_probe_device+0x158/0x2c4
driver_probe_device+0x10c/0x264
__device_attach_driver+0x168/0x2d0
bus_for_each_drv+0x100/0x188
__device_attach+0x174/0x368
device_initial_probe+0x14/0x20
bus_probe_device+0x120/0x150
device_add+0xb3c/0x10fc
__auxiliary_device_add+0x88/0x130
...
Freed by task 73 on cpu 1 at 28.910627s:
kasan_save_stack+0x2c/0x54
kasan_save_track+0x24/0x5c
__kasan_save_free_info+0x4c/0x74
__kasan_slab_free+0x60/0x8c
kfree+0xd4/0x410
devres_release_all+0x140/0x1f0
device_unbind_cleanup+0x20/0x190
device_release_driver_internal+0x344/0x460
device_release_driver+0x18/0x24
bus_remove_device+0x198/0x274
device_del+0x310/0xa84
...
The buggy address belongs to the object at ffff00000ec28c00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 200 bytes inside of
freed 512-byte region
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
page_type: f5(slab)
raw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000
head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
================================================================
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
00327d7f2c8c512c9b168daae02c8b989f79ec71 , < d8ac85c76a4279979b917d4b2f9c6b07d9783003
(git)
Affected: 00327d7f2c8c512c9b168daae02c8b989f79ec71 , < a880ef71a1c8da266b88491213c37893e2126489 (git) Affected: 00327d7f2c8c512c9b168daae02c8b989f79ec71 , < 2b7a0f47aaf2439d517ba0a6b29c66a535302154 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d8ac85c76a4279979b917d4b2f9c6b07d9783003",
"status": "affected",
"version": "00327d7f2c8c512c9b168daae02c8b989f79ec71",
"versionType": "git"
},
{
"lessThan": "a880ef71a1c8da266b88491213c37893e2126489",
"status": "affected",
"version": "00327d7f2c8c512c9b168daae02c8b989f79ec71",
"versionType": "git"
},
{
"lessThan": "2b7a0f47aaf2439d517ba0a6b29c66a535302154",
"status": "affected",
"version": "00327d7f2c8c512c9b168daae02c8b989f79ec71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: fix use-after-free caused by uec-\u003ework\n\nThe delayed work uec-\u003ework is scheduled in gaokun_ucsi_probe()\nbut never properly canceled in gaokun_ucsi_remove(). This creates\nuse-after-free scenarios where the ucsi and gaokun_ucsi structure\nare freed after ucsi_destroy() completes execution, while the\ngaokun_ucsi_register_worker() might be either currently executing\nor still pending in the work queue. The already-freed gaokun_ucsi\nor ucsi structure may then be accessed.\n\nFurthermore, the race window is 3 seconds, which is sufficiently\nlong to make this bug easily reproducible. The following is the\ntrace captured by KASAN:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630\nWrite of size 8 at addr ffff00000ec28cc8 by task swapper/0/0\n...\nCall trace:\n show_stack+0x18/0x24 (C)\n dump_stack_lvl+0x78/0x90\n print_report+0x114/0x580\n kasan_report+0xa4/0xf0\n __asan_report_store8_noabort+0x20/0x2c\n __run_timers+0x5ec/0x630\n run_timer_softirq+0xe8/0x1cc\n handle_softirqs+0x294/0x720\n __do_softirq+0x14/0x20\n ____do_softirq+0x10/0x1c\n call_on_irq_stack+0x30/0x48\n do_softirq_own_stack+0x1c/0x28\n __irq_exit_rcu+0x27c/0x364\n irq_exit_rcu+0x10/0x1c\n el1_interrupt+0x40/0x60\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x6c/0x70\n arch_local_irq_enable+0x4/0x8 (P)\n do_idle+0x334/0x458\n cpu_startup_entry+0x60/0x70\n rest_init+0x158/0x174\n start_kernel+0x2f8/0x394\n __primary_switched+0x8c/0x94\n\nAllocated by task 72 on cpu 0 at 27.510341s:\n kasan_save_stack+0x2c/0x54\n kasan_save_track+0x24/0x5c\n kasan_save_alloc_info+0x40/0x54\n __kasan_kmalloc+0xa0/0xb8\n __kmalloc_node_track_caller_noprof+0x1c0/0x588\n devm_kmalloc+0x7c/0x1c8\n gaokun_ucsi_probe+0xa0/0x840 auxiliary_bus_probe+0x94/0xf8\n really_probe+0x17c/0x5b8\n __driver_probe_device+0x158/0x2c4\n driver_probe_device+0x10c/0x264\n __device_attach_driver+0x168/0x2d0\n bus_for_each_drv+0x100/0x188\n __device_attach+0x174/0x368\n device_initial_probe+0x14/0x20\n bus_probe_device+0x120/0x150\n device_add+0xb3c/0x10fc\n __auxiliary_device_add+0x88/0x130\n...\n\nFreed by task 73 on cpu 1 at 28.910627s:\n kasan_save_stack+0x2c/0x54\n kasan_save_track+0x24/0x5c\n __kasan_save_free_info+0x4c/0x74\n __kasan_slab_free+0x60/0x8c\n kfree+0xd4/0x410\n devres_release_all+0x140/0x1f0\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x344/0x460\n device_release_driver+0x18/0x24\n bus_remove_device+0x198/0x274\n device_del+0x310/0xa84\n...\n\nThe buggy address belongs to the object at ffff00000ec28c00\n which belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 200 bytes inside of\n freed 512-byte region\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28\nhead: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nflags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)\npage_type: f5(slab)\nraw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\nhead: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000\nhead: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\nhead: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff\nhead: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003effff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n================================================================\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:24.714Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d8ac85c76a4279979b917d4b2f9c6b07d9783003"
},
{
"url": "https://git.kernel.org/stable/c/a880ef71a1c8da266b88491213c37893e2126489"
},
{
"url": "https://git.kernel.org/stable/c/2b7a0f47aaf2439d517ba0a6b29c66a535302154"
}
],
"title": "usb: typec: ucsi: fix use-after-free caused by uec-\u003ework",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68323",
"datePublished": "2025-12-18T15:02:48.403Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2026-02-09T08:31:24.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68339 (GCVE-0-2025-68339)
Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58
VLAI?
EPSS
Title
atm/fore200e: Fix possible data race in fore200e_open()
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm/fore200e: Fix possible data race in fore200e_open()
Protect access to fore200e->available_cell_rate with rate_mtx lock in the
error handling path of fore200e_open() to prevent a data race.
The field fore200e->available_cell_rate is a shared resource used to track
available bandwidth. It is concurrently accessed by fore200e_open(),
fore200e_close(), and fore200e_change_qos().
In fore200e_open(), the lock rate_mtx is correctly held when subtracting
vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth.
However, if the subsequent call to fore200e_activate_vcin() fails, the
function restores the reserved bandwidth by adding back to
available_cell_rate without holding the lock.
This introduces a race condition because available_cell_rate is a global
device resource shared across all VCCs. If the error path in
fore200e_open() executes concurrently with operations like
fore200e_close() or fore200e_change_qos() on other VCCs, a
read-modify-write race occurs.
Specifically, the error path reads the rate without the lock. If another
CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in
fore200e_close()) between this read and the subsequent write, the error
path will overwrite the concurrent update with a stale value. This results
in incorrect bandwidth accounting.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bd1415efbab507b9b995918105eef953013449dd (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9917ba597cf95f307778e495f71ff25a5064d167 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 667ac868823224374f819500adc5baa2889c7bc5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6610361458e7eb6502dd3182f586f91fcc218039 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 82fca3d8a4a34667f01ec2351a607135249c9cff (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/atm/fore200e.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bd1415efbab507b9b995918105eef953013449dd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9917ba597cf95f307778e495f71ff25a5064d167",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "667ac868823224374f819500adc5baa2889c7bc5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6610361458e7eb6502dd3182f586f91fcc218039",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82fca3d8a4a34667f01ec2351a607135249c9cff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/atm/fore200e.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm/fore200e: Fix possible data race in fore200e_open()\n\nProtect access to fore200e-\u003eavailable_cell_rate with rate_mtx lock in the\nerror handling path of fore200e_open() to prevent a data race.\n\nThe field fore200e-\u003eavailable_cell_rate is a shared resource used to track\navailable bandwidth. It is concurrently accessed by fore200e_open(),\nfore200e_close(), and fore200e_change_qos().\n\nIn fore200e_open(), the lock rate_mtx is correctly held when subtracting\nvcc-\u003eqos.txtp.max_pcr from available_cell_rate to reserve bandwidth.\nHowever, if the subsequent call to fore200e_activate_vcin() fails, the\nfunction restores the reserved bandwidth by adding back to\navailable_cell_rate without holding the lock.\n\nThis introduces a race condition because available_cell_rate is a global\ndevice resource shared across all VCCs. If the error path in\nfore200e_open() executes concurrently with operations like\nfore200e_close() or fore200e_change_qos() on other VCCs, a\nread-modify-write race occurs.\n\nSpecifically, the error path reads the rate without the lock. If another\nCPU acquires the lock and modifies the rate (e.g., releasing bandwidth in\nfore200e_close()) between this read and the subsequent write, the error\npath will overwrite the concurrent update with a stale value. This results\nin incorrect bandwidth accounting."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:58:24.955Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d"
},
{
"url": "https://git.kernel.org/stable/c/bd1415efbab507b9b995918105eef953013449dd"
},
{
"url": "https://git.kernel.org/stable/c/ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1"
},
{
"url": "https://git.kernel.org/stable/c/9917ba597cf95f307778e495f71ff25a5064d167"
},
{
"url": "https://git.kernel.org/stable/c/667ac868823224374f819500adc5baa2889c7bc5"
},
{
"url": "https://git.kernel.org/stable/c/6610361458e7eb6502dd3182f586f91fcc218039"
},
{
"url": "https://git.kernel.org/stable/c/82fca3d8a4a34667f01ec2351a607135249c9cff"
}
],
"title": "atm/fore200e: Fix possible data race in fore200e_open()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68339",
"datePublished": "2025-12-23T13:58:24.955Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2025-12-23T13:58:24.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40293 (GCVE-0-2025-40293)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
iommufd: Don't overflow during division for dirty tracking
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommufd: Don't overflow during division for dirty tracking
If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow
to 0 and this triggers divide by 0.
In this case the index should just be 0, so reorganize things to divide
by shift and avoid hitting any overflows.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 , < 07105e61882ff4a7d58db63cc5f9e90c6c60506c
(git)
Affected: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 , < 4c8a4f1d34eced168cc0b3a3dfe7b6dcc2090f69 (git) Affected: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 , < de7f2c67ceb1941b05b04ac35458a03e93cc57b1 (git) Affected: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 , < dbf316fc90aa954dcd5440817f4b944627ed63e0 (git) Affected: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 , < cb30dfa75d55eced379a42fd67bd5fb7ec38555e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/iova_bitmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07105e61882ff4a7d58db63cc5f9e90c6c60506c",
"status": "affected",
"version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
"versionType": "git"
},
{
"lessThan": "4c8a4f1d34eced168cc0b3a3dfe7b6dcc2090f69",
"status": "affected",
"version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
"versionType": "git"
},
{
"lessThan": "de7f2c67ceb1941b05b04ac35458a03e93cc57b1",
"status": "affected",
"version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
"versionType": "git"
},
{
"lessThan": "dbf316fc90aa954dcd5440817f4b944627ed63e0",
"status": "affected",
"version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
"versionType": "git"
},
{
"lessThan": "cb30dfa75d55eced379a42fd67bd5fb7ec38555e",
"status": "affected",
"version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/iova_bitmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Don\u0027t overflow during division for dirty tracking\n\nIf pgshift is 63 then BITS_PER_TYPE(*bitmap-\u003ebitmap) * pgsize will overflow\nto 0 and this triggers divide by 0.\n\nIn this case the index should just be 0, so reorganize things to divide\nby shift and avoid hitting any overflows."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:16.850Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07105e61882ff4a7d58db63cc5f9e90c6c60506c"
},
{
"url": "https://git.kernel.org/stable/c/4c8a4f1d34eced168cc0b3a3dfe7b6dcc2090f69"
},
{
"url": "https://git.kernel.org/stable/c/de7f2c67ceb1941b05b04ac35458a03e93cc57b1"
},
{
"url": "https://git.kernel.org/stable/c/dbf316fc90aa954dcd5440817f4b944627ed63e0"
},
{
"url": "https://git.kernel.org/stable/c/cb30dfa75d55eced379a42fd67bd5fb7ec38555e"
}
],
"title": "iommufd: Don\u0027t overflow during division for dirty tracking",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40293",
"datePublished": "2025-12-08T00:46:16.850Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-08T00:46:16.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40353 (GCVE-0-2025-40353)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
arm64: mte: Do not warn if the page is already tagged in copy_highpage()
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: mte: Do not warn if the page is already tagged in copy_highpage()
The arm64 copy_highpage() assumes that the destination page is newly
allocated and not MTE-tagged (PG_mte_tagged unset) and warns
accordingly. However, following commit 060913999d7a ("mm: migrate:
support poisoned recover from migrate folio"), folio_mc_copy() is called
before __folio_migrate_mapping(). If the latter fails (-EAGAIN), the
copy will be done again to the same destination page. Since
copy_highpage() already set the PG_mte_tagged flag, this second copy
will warn.
Replace the WARN_ON_ONCE(page already tagged) in the arm64
copy_highpage() with a comment.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
060913999d7a9e50c283fdb15253fc27974ddadc , < 5ff5765a1fc526f07d3bbaedb061d970eb13bcf4
(git)
Affected: 060913999d7a9e50c283fdb15253fc27974ddadc , < 0bbf3fc6e9211fce9889fe8efbb89c220504d617 (git) Affected: 060913999d7a9e50c283fdb15253fc27974ddadc , < b98c94eed4a975e0c80b7e90a649a46967376f58 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/mm/copypage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ff5765a1fc526f07d3bbaedb061d970eb13bcf4",
"status": "affected",
"version": "060913999d7a9e50c283fdb15253fc27974ddadc",
"versionType": "git"
},
{
"lessThan": "0bbf3fc6e9211fce9889fe8efbb89c220504d617",
"status": "affected",
"version": "060913999d7a9e50c283fdb15253fc27974ddadc",
"versionType": "git"
},
{
"lessThan": "b98c94eed4a975e0c80b7e90a649a46967376f58",
"status": "affected",
"version": "060913999d7a9e50c283fdb15253fc27974ddadc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/mm/copypage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mte: Do not warn if the page is already tagged in copy_highpage()\n\nThe arm64 copy_highpage() assumes that the destination page is newly\nallocated and not MTE-tagged (PG_mte_tagged unset) and warns\naccordingly. However, following commit 060913999d7a (\"mm: migrate:\nsupport poisoned recover from migrate folio\"), folio_mc_copy() is called\nbefore __folio_migrate_mapping(). If the latter fails (-EAGAIN), the\ncopy will be done again to the same destination page. Since\ncopy_highpage() already set the PG_mte_tagged flag, this second copy\nwill warn.\n\nReplace the WARN_ON_ONCE(page already tagged) in the arm64\ncopy_highpage() with a comment."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:52.663Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ff5765a1fc526f07d3bbaedb061d970eb13bcf4"
},
{
"url": "https://git.kernel.org/stable/c/0bbf3fc6e9211fce9889fe8efbb89c220504d617"
},
{
"url": "https://git.kernel.org/stable/c/b98c94eed4a975e0c80b7e90a649a46967376f58"
}
],
"title": "arm64: mte: Do not warn if the page is already tagged in copy_highpage()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40353",
"datePublished": "2025-12-16T13:30:26.273Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-01-02T15:33:52.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68788 (GCVE-0-2025-68788)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
fsnotify: do not generate ACCESS/MODIFY events on child for special files
Summary
In the Linux kernel, the following vulnerability has been resolved:
fsnotify: do not generate ACCESS/MODIFY events on child for special files
inotify/fanotify do not allow users with no read access to a file to
subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the
same user to subscribe for watching events on children when the user
has access to the parent directory (e.g. /dev).
Users with no read access to a file but with read access to its parent
directory can still stat the file and see if it was accessed/modified
via atime/mtime change.
The same is not true for special files (e.g. /dev/null). Users will not
generally observe atime/mtime changes when other users read/write to
special files, only when someone sets atime/mtime via utimensat().
Align fsnotify events with this stat behavior and do not generate
ACCESS/MODIFY events to parent watchers on read/write of special files.
The events are still generated to parent watchers on utimensat(). This
closes some side-channels that could be possibly used for information
exfiltration [1].
[1] https://snee.la/pdf/pubs/file-notification-attacks.pdf
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
72acc854427948efed7a83da27f7dc3239ac9afc , < df2711544b050aba703e6da418c53c7dc5d443ca
(git)
Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < 859bdf438f01d9aa7f84b09c1202d548c7cad9e8 (git) Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < 6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91 (git) Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < e0643d46759db8b84c0504a676043e5e341b6c81 (git) Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < 82f7416bcbd951549e758d15fc1a96a5afc2e900 (git) Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < 7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6 (git) Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < 635bc4def026a24e071436f4f356ea08c0eed6ff (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/notify/fsnotify.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df2711544b050aba703e6da418c53c7dc5d443ca",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "859bdf438f01d9aa7f84b09c1202d548c7cad9e8",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "e0643d46759db8b84c0504a676043e5e341b6c81",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "82f7416bcbd951549e758d15fc1a96a5afc2e900",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "635bc4def026a24e071436f4f356ea08c0eed6ff",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/notify/fsnotify.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsnotify: do not generate ACCESS/MODIFY events on child for special files\n\ninotify/fanotify do not allow users with no read access to a file to\nsubscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the\nsame user to subscribe for watching events on children when the user\nhas access to the parent directory (e.g. /dev).\n\nUsers with no read access to a file but with read access to its parent\ndirectory can still stat the file and see if it was accessed/modified\nvia atime/mtime change.\n\nThe same is not true for special files (e.g. /dev/null). Users will not\ngenerally observe atime/mtime changes when other users read/write to\nspecial files, only when someone sets atime/mtime via utimensat().\n\nAlign fsnotify events with this stat behavior and do not generate\nACCESS/MODIFY events to parent watchers on read/write of special files.\nThe events are still generated to parent watchers on utimensat(). This\ncloses some side-channels that could be possibly used for information\nexfiltration [1].\n\n[1] https://snee.la/pdf/pubs/file-notification-attacks.pdf"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:35.171Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df2711544b050aba703e6da418c53c7dc5d443ca"
},
{
"url": "https://git.kernel.org/stable/c/859bdf438f01d9aa7f84b09c1202d548c7cad9e8"
},
{
"url": "https://git.kernel.org/stable/c/6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91"
},
{
"url": "https://git.kernel.org/stable/c/e0643d46759db8b84c0504a676043e5e341b6c81"
},
{
"url": "https://git.kernel.org/stable/c/82f7416bcbd951549e758d15fc1a96a5afc2e900"
},
{
"url": "https://git.kernel.org/stable/c/7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6"
},
{
"url": "https://git.kernel.org/stable/c/635bc4def026a24e071436f4f356ea08c0eed6ff"
}
],
"title": "fsnotify: do not generate ACCESS/MODIFY events on child for special files",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68788",
"datePublished": "2026-01-13T15:29:01.270Z",
"dateReserved": "2025-12-24T10:30:51.037Z",
"dateUpdated": "2026-02-09T08:33:35.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40304 (GCVE-0-2025-40304)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds
Add bounds checking to prevent writes past framebuffer boundaries when
rendering text near screen edges. Return early if the Y position is off-screen
and clip image height to screen boundary. Break from the rendering loop if the
X position is off-screen. When clipping image width to fit the screen, update
the character count to match the clipped width to prevent buffer size
mismatches.
Without the character count update, bit_putcs_aligned and bit_putcs_unaligned
receive mismatched parameters where the buffer is allocated for the clipped
width but cnt reflects the original larger count, causing out-of-bounds writes.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 996bfaa7372d6718b6d860bdf78f6618e850c702
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f0982400648a3e00580253e0c48e991f34d2684c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ebc0730b490c7f27340b1222e01dd106e820320d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 86df8ade88d290725554cefd03101ecd0fbd3752 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 15ba9acafb0517f8359ca30002c189a68ddbb939 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2d1359e11674ed4274934eac8a71877ae5ae7bbb (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3637d34b35b287ab830e66048841ace404382b67 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/bitblit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "996bfaa7372d6718b6d860bdf78f6618e850c702",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f0982400648a3e00580253e0c48e991f34d2684c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ebc0730b490c7f27340b1222e01dd106e820320d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "86df8ade88d290725554cefd03101ecd0fbd3752",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "15ba9acafb0517f8359ca30002c189a68ddbb939",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2d1359e11674ed4274934eac8a71877ae5ae7bbb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3637d34b35b287ab830e66048841ace404382b67",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/bitblit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds\n\nAdd bounds checking to prevent writes past framebuffer boundaries when\nrendering text near screen edges. Return early if the Y position is off-screen\nand clip image height to screen boundary. Break from the rendering loop if the\nX position is off-screen. When clipping image width to fit the screen, update\nthe character count to match the clipped width to prevent buffer size\nmismatches.\n\nWithout the character count update, bit_putcs_aligned and bit_putcs_unaligned\nreceive mismatched parameters where the buffer is allocated for the clipped\nwidth but cnt reflects the original larger count, causing out-of-bounds writes."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:26.347Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/996bfaa7372d6718b6d860bdf78f6618e850c702"
},
{
"url": "https://git.kernel.org/stable/c/f0982400648a3e00580253e0c48e991f34d2684c"
},
{
"url": "https://git.kernel.org/stable/c/1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1"
},
{
"url": "https://git.kernel.org/stable/c/ebc0730b490c7f27340b1222e01dd106e820320d"
},
{
"url": "https://git.kernel.org/stable/c/86df8ade88d290725554cefd03101ecd0fbd3752"
},
{
"url": "https://git.kernel.org/stable/c/15ba9acafb0517f8359ca30002c189a68ddbb939"
},
{
"url": "https://git.kernel.org/stable/c/2d1359e11674ed4274934eac8a71877ae5ae7bbb"
},
{
"url": "https://git.kernel.org/stable/c/3637d34b35b287ab830e66048841ace404382b67"
}
],
"title": "fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40304",
"datePublished": "2025-12-08T00:46:29.013Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-02T15:33:26.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40360 (GCVE-0-2025-40360)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:39 – Updated: 2025-12-16 13:39
VLAI?
EPSS
Title
drm/sysfb: Do not dereference NULL pointer in plane reset
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/sysfb: Do not dereference NULL pointer in plane reset
The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not
deref that pointer, but forward NULL to the other plane-reset helpers.
Clears plane->state to NULL.
v2:
- fix typo in commit description (Javier)
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b715650220311e50448cb499c71084ca8aeeeece , < 6abeff03cb79a2c7f4554a8e8738acd35bb37152
(git)
Affected: b715650220311e50448cb499c71084ca8aeeeece , < c4faf7f417eea8b8d5cc570a1015736f307aa2d5 (git) Affected: b715650220311e50448cb499c71084ca8aeeeece , < b61ed8005bd3102510fab5015ac6a275c9c5ea16 (git) Affected: b715650220311e50448cb499c71084ca8aeeeece , < 6bdef5648a60e49d4a3b02461ab7ae3776877e77 (git) Affected: b715650220311e50448cb499c71084ca8aeeeece , < c7d5e69866bbe95c1e4ab4c10a81e0a02d9ea232 (git) Affected: b715650220311e50448cb499c71084ca8aeeeece , < 14e02ed3876f4ab0ed6d3f41972175f8b8df3d70 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gem_atomic_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6abeff03cb79a2c7f4554a8e8738acd35bb37152",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
},
{
"lessThan": "c4faf7f417eea8b8d5cc570a1015736f307aa2d5",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
},
{
"lessThan": "b61ed8005bd3102510fab5015ac6a275c9c5ea16",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
},
{
"lessThan": "6bdef5648a60e49d4a3b02461ab7ae3776877e77",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
},
{
"lessThan": "c7d5e69866bbe95c1e4ab4c10a81e0a02d9ea232",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
},
{
"lessThan": "14e02ed3876f4ab0ed6d3f41972175f8b8df3d70",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gem_atomic_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sysfb: Do not dereference NULL pointer in plane reset\n\nThe plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not\nderef that pointer, but forward NULL to the other plane-reset helpers.\nClears plane-\u003estate to NULL.\n\nv2:\n- fix typo in commit description (Javier)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:39:59.490Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6abeff03cb79a2c7f4554a8e8738acd35bb37152"
},
{
"url": "https://git.kernel.org/stable/c/c4faf7f417eea8b8d5cc570a1015736f307aa2d5"
},
{
"url": "https://git.kernel.org/stable/c/b61ed8005bd3102510fab5015ac6a275c9c5ea16"
},
{
"url": "https://git.kernel.org/stable/c/6bdef5648a60e49d4a3b02461ab7ae3776877e77"
},
{
"url": "https://git.kernel.org/stable/c/c7d5e69866bbe95c1e4ab4c10a81e0a02d9ea232"
},
{
"url": "https://git.kernel.org/stable/c/14e02ed3876f4ab0ed6d3f41972175f8b8df3d70"
}
],
"title": "drm/sysfb: Do not dereference NULL pointer in plane reset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40360",
"datePublished": "2025-12-16T13:39:59.490Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-16T13:39:59.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40223 (GCVE-0-2025-40223)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31
VLAI?
EPSS
Title
most: usb: Fix use-after-free in hdm_disconnect
Summary
In the Linux kernel, the following vulnerability has been resolved:
most: usb: Fix use-after-free in hdm_disconnect
hdm_disconnect() calls most_deregister_interface(), which eventually
unregisters the MOST interface device with device_unregister(iface->dev).
If that drops the last reference, the device core may call release_mdev()
immediately while hdm_disconnect() is still executing.
The old code also freed several mdev-owned allocations in
hdm_disconnect() and then performed additional put_device() calls.
Depending on refcount order, this could lead to use-after-free or
double-free when release_mdev() ran (or when unregister paths also
performed puts).
Fix by moving the frees of mdev-owned allocations into release_mdev(),
so they happen exactly once when the device is truly released, and by
dropping the extra put_device() calls in hdm_disconnect() that are
redundant after device_unregister() and most_deregister_interface().
This addresses the KASAN slab-use-after-free reported by syzbot in
hdm_disconnect(). See report and stack traces in the bug link below.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831
(git)
Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 578eb18cd111addec94c43f61cd4b4429e454809 (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 33daf469f5294b9d07c4fc98216cace9f4f34cc6 (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 72427dc6f87523995f4e6ae35a948bb2992cabce (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < f93a84ffb884d761a9d4e869ba29c238711e81f1 (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6 (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 4b1270902609ef0d935ed2faa2ea6d122bd148f5 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "578eb18cd111addec94c43f61cd4b4429e454809",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "33daf469f5294b9d07c4fc98216cace9f4f34cc6",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "72427dc6f87523995f4e6ae35a948bb2992cabce",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "f93a84ffb884d761a9d4e869ba29c238711e81f1",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "4b1270902609ef0d935ed2faa2ea6d122bd148f5",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: usb: Fix use-after-free in hdm_disconnect\n\nhdm_disconnect() calls most_deregister_interface(), which eventually\nunregisters the MOST interface device with device_unregister(iface-\u003edev).\nIf that drops the last reference, the device core may call release_mdev()\nimmediately while hdm_disconnect() is still executing.\n\nThe old code also freed several mdev-owned allocations in\nhdm_disconnect() and then performed additional put_device() calls.\nDepending on refcount order, this could lead to use-after-free or\ndouble-free when release_mdev() ran (or when unregister paths also\nperformed puts).\n\nFix by moving the frees of mdev-owned allocations into release_mdev(),\nso they happen exactly once when the device is truly released, and by\ndropping the extra put_device() calls in hdm_disconnect() that are\nredundant after device_unregister() and most_deregister_interface().\n\nThis addresses the KASAN slab-use-after-free reported by syzbot in\nhdm_disconnect(). See report and stack traces in the bug link below."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:15.158Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831"
},
{
"url": "https://git.kernel.org/stable/c/578eb18cd111addec94c43f61cd4b4429e454809"
},
{
"url": "https://git.kernel.org/stable/c/33daf469f5294b9d07c4fc98216cace9f4f34cc6"
},
{
"url": "https://git.kernel.org/stable/c/72427dc6f87523995f4e6ae35a948bb2992cabce"
},
{
"url": "https://git.kernel.org/stable/c/f93a84ffb884d761a9d4e869ba29c238711e81f1"
},
{
"url": "https://git.kernel.org/stable/c/3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6"
},
{
"url": "https://git.kernel.org/stable/c/4b1270902609ef0d935ed2faa2ea6d122bd148f5"
}
],
"title": "most: usb: Fix use-after-free in hdm_disconnect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40223",
"datePublished": "2025-12-04T15:31:15.158Z",
"dateReserved": "2025-04-16T07:20:57.180Z",
"dateUpdated": "2025-12-04T15:31:15.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68217 (GCVE-0-2025-68217)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57
VLAI?
EPSS
Title
Input: pegasus-notetaker - fix potential out-of-bounds access
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: pegasus-notetaker - fix potential out-of-bounds access
In the pegasus_notetaker driver, the pegasus_probe() function allocates
the URB transfer buffer using the wMaxPacketSize value from
the endpoint descriptor. An attacker can use a malicious USB descriptor
to force the allocation of a very small buffer.
Subsequently, if the device sends an interrupt packet with a specific
pattern (e.g., where the first byte is 0x80 or 0x42),
the pegasus_parse_packet() function parses the packet without checking
the allocated buffer size. This leads to an out-of-bounds memory access.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1afca2b66aac7ac262d3511c68725e9e7053b40f , < c4e746651bd74c38f581e1cf31651119a94de8cd
(git)
Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 36bc92b838ff72f62f2c17751a9013b29ead2513 (git) Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 015b719962696b793997e8deefac019f816aca77 (git) Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 084264e10e2ae8938a54355123ad977eb9df56d6 (git) Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < d344ea1baf1946c90f0cd6f9daeb5f3e0a0ca479 (git) Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 9ab67eff6d654e34ba6da07c64761aa87c2a3c26 (git) Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 763c3f4d2394a697d14af1335d3bb42f05c9409f (git) Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 69aeb507312306f73495598a055293fa749d454e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/tablet/pegasus_notetaker.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c4e746651bd74c38f581e1cf31651119a94de8cd",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "36bc92b838ff72f62f2c17751a9013b29ead2513",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "015b719962696b793997e8deefac019f816aca77",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "084264e10e2ae8938a54355123ad977eb9df56d6",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "d344ea1baf1946c90f0cd6f9daeb5f3e0a0ca479",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "9ab67eff6d654e34ba6da07c64761aa87c2a3c26",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "763c3f4d2394a697d14af1335d3bb42f05c9409f",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "69aeb507312306f73495598a055293fa749d454e",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/tablet/pegasus_notetaker.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: pegasus-notetaker - fix potential out-of-bounds access\n\nIn the pegasus_notetaker driver, the pegasus_probe() function allocates\nthe URB transfer buffer using the wMaxPacketSize value from\nthe endpoint descriptor. An attacker can use a malicious USB descriptor\nto force the allocation of a very small buffer.\n\nSubsequently, if the device sends an interrupt packet with a specific\npattern (e.g., where the first byte is 0x80 or 0x42),\nthe pegasus_parse_packet() function parses the packet without checking\nthe allocated buffer size. This leads to an out-of-bounds memory access."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:12.011Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c4e746651bd74c38f581e1cf31651119a94de8cd"
},
{
"url": "https://git.kernel.org/stable/c/36bc92b838ff72f62f2c17751a9013b29ead2513"
},
{
"url": "https://git.kernel.org/stable/c/015b719962696b793997e8deefac019f816aca77"
},
{
"url": "https://git.kernel.org/stable/c/084264e10e2ae8938a54355123ad977eb9df56d6"
},
{
"url": "https://git.kernel.org/stable/c/d344ea1baf1946c90f0cd6f9daeb5f3e0a0ca479"
},
{
"url": "https://git.kernel.org/stable/c/9ab67eff6d654e34ba6da07c64761aa87c2a3c26"
},
{
"url": "https://git.kernel.org/stable/c/763c3f4d2394a697d14af1335d3bb42f05c9409f"
},
{
"url": "https://git.kernel.org/stable/c/69aeb507312306f73495598a055293fa749d454e"
}
],
"title": "Input: pegasus-notetaker - fix potential out-of-bounds access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68217",
"datePublished": "2025-12-16T13:57:12.011Z",
"dateReserved": "2025-12-16T13:41:40.256Z",
"dateUpdated": "2025-12-16T13:57:12.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40318 (GCVE-0-2025-40318)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
hci_cmd_sync_dequeue_once() does lookup and then cancel
the entry under two separate lock sections. Meanwhile,
hci_cmd_sync_work() can also delete the same entry,
leading to double list_del() and "UAF".
Fix this by holding cmd_sync_work_lock across both
lookup and cancel, so that the entry cannot be removed
concurrently.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f00f36db76eb8fd10d13e80e2590f23b5beaa54d , < 0a94f7e017438935c09ef833a1aa908ad9875213
(git)
Affected: 1499f79995c7ee58e3bfeeff75f6d1b37dcda881 , < 932c0a4f77ac13e526fdd5b42914d29c9821d389 (git) Affected: 505ea2b295929e7be2b4e1bc86ee31cb7862fb01 , < ae76cf6c2c842944c6514c57df54d728f1916553 (git) Affected: 505ea2b295929e7be2b4e1bc86ee31cb7862fb01 , < 9cd536970192b72257afcdfba0bfc09993e6f19c (git) Affected: 505ea2b295929e7be2b4e1bc86ee31cb7862fb01 , < 09b0cd1297b4dbfe736aeaa0ceeab2265f47f772 (git) Affected: 357603f4d396d85fbf0045512efaf1d7f7394ed7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sync.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0a94f7e017438935c09ef833a1aa908ad9875213",
"status": "affected",
"version": "f00f36db76eb8fd10d13e80e2590f23b5beaa54d",
"versionType": "git"
},
{
"lessThan": "932c0a4f77ac13e526fdd5b42914d29c9821d389",
"status": "affected",
"version": "1499f79995c7ee58e3bfeeff75f6d1b37dcda881",
"versionType": "git"
},
{
"lessThan": "ae76cf6c2c842944c6514c57df54d728f1916553",
"status": "affected",
"version": "505ea2b295929e7be2b4e1bc86ee31cb7862fb01",
"versionType": "git"
},
{
"lessThan": "9cd536970192b72257afcdfba0bfc09993e6f19c",
"status": "affected",
"version": "505ea2b295929e7be2b4e1bc86ee31cb7862fb01",
"versionType": "git"
},
{
"lessThan": "09b0cd1297b4dbfe736aeaa0ceeab2265f47f772",
"status": "affected",
"version": "505ea2b295929e7be2b4e1bc86ee31cb7862fb01",
"versionType": "git"
},
{
"status": "affected",
"version": "357603f4d396d85fbf0045512efaf1d7f7394ed7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sync.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.6.51",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once\n\nhci_cmd_sync_dequeue_once() does lookup and then cancel\nthe entry under two separate lock sections. Meanwhile,\nhci_cmd_sync_work() can also delete the same entry,\nleading to double list_del() and \"UAF\".\n\nFix this by holding cmd_sync_work_lock across both\nlookup and cancel, so that the entry cannot be removed\nconcurrently."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:45.382Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a94f7e017438935c09ef833a1aa908ad9875213"
},
{
"url": "https://git.kernel.org/stable/c/932c0a4f77ac13e526fdd5b42914d29c9821d389"
},
{
"url": "https://git.kernel.org/stable/c/ae76cf6c2c842944c6514c57df54d728f1916553"
},
{
"url": "https://git.kernel.org/stable/c/9cd536970192b72257afcdfba0bfc09993e6f19c"
},
{
"url": "https://git.kernel.org/stable/c/09b0cd1297b4dbfe736aeaa0ceeab2265f47f772"
}
],
"title": "Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40318",
"datePublished": "2025-12-08T00:46:45.382Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:45.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68228 (GCVE-0-2025-68228)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57
VLAI?
EPSS
Title
drm/plane: Fix create_in_format_blob() return value
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/plane: Fix create_in_format_blob() return value
create_in_format_blob() is either supposed to return a valid
pointer or an error, but never NULL. The caller will dereference
the blob when it is not an error, and thus will oops if NULL
returned. Return proper error values in the failure cases.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "860f93f4fce1e733b8a2474f6bfa153243d775f3",
"status": "affected",
"version": "0d6dcd741c266389bbf0a8758f537b3a171ac32a",
"versionType": "git"
},
{
"lessThan": "cead55e24cf9e092890cf51c0548eccd7569defa",
"status": "affected",
"version": "0d6dcd741c266389bbf0a8758f537b3a171ac32a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/plane: Fix create_in_format_blob() return value\n\ncreate_in_format_blob() is either supposed to return a valid\npointer or an error, but never NULL. The caller will dereference\nthe blob when it is not an error, and thus will oops if NULL\nreturned. Return proper error values in the failure cases."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:21.011Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/860f93f4fce1e733b8a2474f6bfa153243d775f3"
},
{
"url": "https://git.kernel.org/stable/c/cead55e24cf9e092890cf51c0548eccd7569defa"
}
],
"title": "drm/plane: Fix create_in_format_blob() return value",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68228",
"datePublished": "2025-12-16T13:57:21.011Z",
"dateReserved": "2025-12-16T13:41:40.257Z",
"dateUpdated": "2025-12-16T13:57:21.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39828 (GCVE-0-2025-39828)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().
syzbot reported the splat below. [0]
When atmtcp_v_open() or atmtcp_v_close() is called via connect()
or close(), atmtcp_send_control() is called to send an in-kernel
special message.
The message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length.
Also, a pointer of struct atm_vcc is set to atmtcp_control.vcc.
The notable thing is struct atmtcp_control is uAPI but has a
space for an in-kernel pointer.
struct atmtcp_control {
struct atmtcp_hdr hdr; /* must be first */
...
atm_kptr_t vcc; /* both directions */
...
} __ATM_API_ALIGN;
typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t;
The special message is processed in atmtcp_recv_control() called
from atmtcp_c_send().
atmtcp_c_send() is vcc->dev->ops->send() and called from 2 paths:
1. .ndo_start_xmit() (vcc->send() == atm_send_aal0())
2. vcc_sendmsg()
The problem is sendmsg() does not validate the message length and
userspace can abuse atmtcp_recv_control() to overwrite any kptr
by atmtcp_control.
Let's add a new ->pre_send() hook to validate messages from sendmsg().
[0]:
Oops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f]
CPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline]
RIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297
Code: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c
RSP: 0018:ffffc90003f5f810 EFLAGS: 00010203
RAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c
RBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd
R10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000
R13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff
FS: 00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0
Call Trace:
<TASK>
vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:729
____sys_sendmsg+0x505/0x830 net/socket.c:2614
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
__sys_sendmsg net/socket.c:2700 [inline]
__do_sys_sendmsg net/socket.c:2705 [inline]
__se_sys_sendmsg net/socket.c:2703 [inline]
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8d7e96a4a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9
RDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005
RBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f
R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac
R13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250
</TASK>
Modules linked in:
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b502f16bad8f0a4cfbd023452766f21bfda39dde
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0a6a6d4fb333f7afe22e59ffed18511a7a98efc8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 62f368472b0aa4b5d91d9b983152855c6b6d8925 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 51872b26429077be611b0a1816e0e722278015c3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3c80c230d6e3e6f63d43f4c3f0bb344e3e8b119b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 33f9e6dc66b32202b95fc861e6b3ea4b0c185b0b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3ab9f5ad9baefe6d3d4c37053cdfca2761001dfe (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ec79003c5f9d2c7f9576fc69b8dbda80305cbe3a (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:50.044Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/atm/atmtcp.c",
"include/linux/atmdev.h",
"net/atm/common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b502f16bad8f0a4cfbd023452766f21bfda39dde",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0a6a6d4fb333f7afe22e59ffed18511a7a98efc8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "62f368472b0aa4b5d91d9b983152855c6b6d8925",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "51872b26429077be611b0a1816e0e722278015c3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3c80c230d6e3e6f63d43f4c3f0bb344e3e8b119b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "33f9e6dc66b32202b95fc861e6b3ea4b0c185b0b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3ab9f5ad9baefe6d3d4c37053cdfca2761001dfe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ec79003c5f9d2c7f9576fc69b8dbda80305cbe3a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/atm/atmtcp.c",
"include/linux/atmdev.h",
"net/atm/common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.298",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().\n\nsyzbot reported the splat below. [0]\n\nWhen atmtcp_v_open() or atmtcp_v_close() is called via connect()\nor close(), atmtcp_send_control() is called to send an in-kernel\nspecial message.\n\nThe message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length.\nAlso, a pointer of struct atm_vcc is set to atmtcp_control.vcc.\n\nThe notable thing is struct atmtcp_control is uAPI but has a\nspace for an in-kernel pointer.\n\n struct atmtcp_control {\n \tstruct atmtcp_hdr hdr;\t/* must be first */\n ...\n \tatm_kptr_t vcc;\t\t/* both directions */\n ...\n } __ATM_API_ALIGN;\n\n typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t;\n\nThe special message is processed in atmtcp_recv_control() called\nfrom atmtcp_c_send().\n\natmtcp_c_send() is vcc-\u003edev-\u003eops-\u003esend() and called from 2 paths:\n\n 1. .ndo_start_xmit() (vcc-\u003esend() == atm_send_aal0())\n 2. vcc_sendmsg()\n\nThe problem is sendmsg() does not validate the message length and\nuserspace can abuse atmtcp_recv_control() to overwrite any kptr\nby atmtcp_control.\n\nLet\u0027s add a new -\u003epre_send() hook to validate messages from sendmsg().\n\n[0]:\nOops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI\nKASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f]\nCPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline]\nRIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297\nCode: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 \u003c42\u003e 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c\nRSP: 0018:ffffc90003f5f810 EFLAGS: 00010203\nRAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000\nRDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c\nRBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd\nR10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000\nR13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff\nFS: 00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:729\n ____sys_sendmsg+0x505/0x830 net/socket.c:2614\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668\n __sys_sendmsg net/socket.c:2700 [inline]\n __do_sys_sendmsg net/socket.c:2705 [inline]\n __se_sys_sendmsg net/socket.c:2703 [inline]\n __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f8d7e96a4a9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9\nRDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005\nRBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f\nR10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac\nR13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250\n \u003c/TASK\u003e\nModules linked in:"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:30.190Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b502f16bad8f0a4cfbd023452766f21bfda39dde"
},
{
"url": "https://git.kernel.org/stable/c/0a6a6d4fb333f7afe22e59ffed18511a7a98efc8"
},
{
"url": "https://git.kernel.org/stable/c/62f368472b0aa4b5d91d9b983152855c6b6d8925"
},
{
"url": "https://git.kernel.org/stable/c/51872b26429077be611b0a1816e0e722278015c3"
},
{
"url": "https://git.kernel.org/stable/c/3c80c230d6e3e6f63d43f4c3f0bb344e3e8b119b"
},
{
"url": "https://git.kernel.org/stable/c/33f9e6dc66b32202b95fc861e6b3ea4b0c185b0b"
},
{
"url": "https://git.kernel.org/stable/c/3ab9f5ad9baefe6d3d4c37053cdfca2761001dfe"
},
{
"url": "https://git.kernel.org/stable/c/ec79003c5f9d2c7f9576fc69b8dbda80305cbe3a"
}
],
"title": "atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39828",
"datePublished": "2025-09-16T13:00:26.433Z",
"dateReserved": "2025-04-16T07:20:57.140Z",
"dateUpdated": "2025-11-03T17:43:50.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39827 (GCVE-0-2025-39827)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
net: rose: include node references in rose_neigh refcount
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rose: include node references in rose_neigh refcount
Current implementation maintains two separate reference counting
mechanisms: the 'count' field in struct rose_neigh tracks references from
rose_node structures, while the 'use' field (now refcount_t) tracks
references from rose_sock.
This patch merges these two reference counting systems using 'use' field
for proper reference management. Specifically, this patch adds incrementing
and decrementing of rose_neigh->use when rose_neigh->count is incremented
or decremented.
This patch also modifies rose_rt_free(), rose_rt_device_down() and
rose_clear_route() to properly release references to rose_neigh objects
before freeing a rose_node through rose_remove_node().
These changes ensure rose_neigh structures are properly freed only when
all references, including those from rose_node structures, are released.
As a result, this resolves a slab-use-after-free issue reported by Syzbot.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4cce478c3e82a5fc788d72adb2f4c4e983997639
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9c547c8eee9d1cf6e744611d688b9f725cf9a115 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d7563b456ed44151e1a82091d96f60166daea89b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 384210cceb1873a4c8218b27ba0745444436b728 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < da9c9c877597170b929a6121a68dcd3dd9a80f45 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:48.138Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rose/rose_route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4cce478c3e82a5fc788d72adb2f4c4e983997639",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9c547c8eee9d1cf6e744611d688b9f725cf9a115",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d7563b456ed44151e1a82091d96f60166daea89b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "384210cceb1873a4c8218b27ba0745444436b728",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "da9c9c877597170b929a6121a68dcd3dd9a80f45",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rose/rose_route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: include node references in rose_neigh refcount\n\nCurrent implementation maintains two separate reference counting\nmechanisms: the \u0027count\u0027 field in struct rose_neigh tracks references from\nrose_node structures, while the \u0027use\u0027 field (now refcount_t) tracks\nreferences from rose_sock.\n\nThis patch merges these two reference counting systems using \u0027use\u0027 field\nfor proper reference management. Specifically, this patch adds incrementing\nand decrementing of rose_neigh-\u003euse when rose_neigh-\u003ecount is incremented\nor decremented.\n\nThis patch also modifies rose_rt_free(), rose_rt_device_down() and\nrose_clear_route() to properly release references to rose_neigh objects\nbefore freeing a rose_node through rose_remove_node().\n\nThese changes ensure rose_neigh structures are properly freed only when\nall references, including those from rose_node structures, are released.\nAs a result, this resolves a slab-use-after-free issue reported by Syzbot."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:28.915Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4cce478c3e82a5fc788d72adb2f4c4e983997639"
},
{
"url": "https://git.kernel.org/stable/c/9c547c8eee9d1cf6e744611d688b9f725cf9a115"
},
{
"url": "https://git.kernel.org/stable/c/d7563b456ed44151e1a82091d96f60166daea89b"
},
{
"url": "https://git.kernel.org/stable/c/384210cceb1873a4c8218b27ba0745444436b728"
},
{
"url": "https://git.kernel.org/stable/c/da9c9c877597170b929a6121a68dcd3dd9a80f45"
}
],
"title": "net: rose: include node references in rose_neigh refcount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39827",
"datePublished": "2025-09-16T13:00:25.555Z",
"dateReserved": "2025-04-16T07:20:57.140Z",
"dateUpdated": "2025-11-03T17:43:48.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68335 (GCVE-0-2025-68335)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from
the fact that in case of early device detach via pcl818_detach(),
subdevice dev->read_subdev may not have initialized its pointer to
&struct comedi_async as intended. Thus, any such dereferencing of
&s->async->cmd will lead to general protection fault and kernel crash.
Mitigate this problem by removing a call to pcl818_ai_cancel() from
pcl818_detach() altogether. This way, if the subdevice setups its
support for async commands, everything async-related will be
handled via subdevice's own ->cancel() function in
comedi_device_detach_locked() even before pcl818_detach(). If no
support for asynchronous commands is provided, there is no need
to cancel anything either.
[1] Syzbot crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
...
Call Trace:
<TASK>
pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207
do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]
comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
...
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
00aba6e7b5653a6607238ecdab7172318059d984 , < b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16
(git)
Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 935ad4b3c325c24fff2c702da403283025ffc722 (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 88d99ca5adbd01ff088f5fb2ddeba5755e085e52 (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 5caa40e7c6a43e08e3574f990865127705c22861 (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < d948c53dec36dafe182631457597c49c1f1df5ea (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 877adccfacb32687b90714a27cfb09f444fdfa16 (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < a51f025b5038abd3d22eed2ede4cd46793d89565 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/pcl818.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "935ad4b3c325c24fff2c702da403283025ffc722",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "88d99ca5adbd01ff088f5fb2ddeba5755e085e52",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "5caa40e7c6a43e08e3574f990865127705c22861",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "d948c53dec36dafe182631457597c49c1f1df5ea",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "877adccfacb32687b90714a27cfb09f444fdfa16",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "a51f025b5038abd3d22eed2ede4cd46793d89565",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/pcl818.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()\n\nSyzbot identified an issue [1] in pcl818_ai_cancel(), which stems from\nthe fact that in case of early device detach via pcl818_detach(),\nsubdevice dev-\u003eread_subdev may not have initialized its pointer to\n\u0026struct comedi_async as intended. Thus, any such dereferencing of\n\u0026s-\u003easync-\u003ecmd will lead to general protection fault and kernel crash.\n\nMitigate this problem by removing a call to pcl818_ai_cancel() from\npcl818_detach() altogether. This way, if the subdevice setups its\nsupport for async commands, everything async-related will be\nhandled via subdevice\u0027s own -\u003ecancel() function in\ncomedi_device_detach_locked() even before pcl818_detach(). If no\nsupport for asynchronous commands is provided, there is no need\nto cancel anything either.\n\n[1] Syzbot crash:\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\nCPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nRIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762\n...\nCall Trace:\n \u003cTASK\u003e\n pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115\n comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207\n do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]\n comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n..."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:29.256Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16"
},
{
"url": "https://git.kernel.org/stable/c/935ad4b3c325c24fff2c702da403283025ffc722"
},
{
"url": "https://git.kernel.org/stable/c/88d99ca5adbd01ff088f5fb2ddeba5755e085e52"
},
{
"url": "https://git.kernel.org/stable/c/5caa40e7c6a43e08e3574f990865127705c22861"
},
{
"url": "https://git.kernel.org/stable/c/d948c53dec36dafe182631457597c49c1f1df5ea"
},
{
"url": "https://git.kernel.org/stable/c/877adccfacb32687b90714a27cfb09f444fdfa16"
},
{
"url": "https://git.kernel.org/stable/c/a51f025b5038abd3d22eed2ede4cd46793d89565"
}
],
"title": "comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68335",
"datePublished": "2025-12-22T16:14:12.614Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-02-09T08:31:29.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40180 (GCVE-0-2025-40180)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop
Summary
In the Linux kernel, the following vulnerability has been resolved:
mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop
The cleanup loop was starting at the wrong array index, causing
out-of-bounds access.
Start the loop at the correct index for zero-indexed arrays to prevent
accessing memory beyond the allocated array bounds.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < cd0cbf2713f6e027ebba867cb7409ae345a31312
(git)
Affected: 4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < ab96f08ecedd263ecaab9df8455bfb23b07fdcc2 (git) Affected: 4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < 0aead8197fc1a85b0a89646e418feb49a564b029 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mailbox/zynqmp-ipi-mailbox.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd0cbf2713f6e027ebba867cb7409ae345a31312",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
},
{
"lessThan": "ab96f08ecedd263ecaab9df8455bfb23b07fdcc2",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
},
{
"lessThan": "0aead8197fc1a85b0a89646e418feb49a564b029",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mailbox/zynqmp-ipi-mailbox.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop\n\nThe cleanup loop was starting at the wrong array index, causing\nout-of-bounds access.\nStart the loop at the correct index for zero-indexed arrays to prevent\naccessing memory beyond the allocated array bounds."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:37.077Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd0cbf2713f6e027ebba867cb7409ae345a31312"
},
{
"url": "https://git.kernel.org/stable/c/ab96f08ecedd263ecaab9df8455bfb23b07fdcc2"
},
{
"url": "https://git.kernel.org/stable/c/0aead8197fc1a85b0a89646e418feb49a564b029"
}
],
"title": "mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40180",
"datePublished": "2025-11-12T21:56:25.395Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:37.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23047 (GCVE-0-2026-23047)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:00 – Updated: 2026-02-09 08:37
VLAI?
EPSS
Title
libceph: make calc_target() set t->paused, not just clear it
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: make calc_target() set t->paused, not just clear it
Currently calc_target() clears t->paused if the request shouldn't be
paused anymore, but doesn't ever set t->paused even though it's able to
determine when the request should be paused. Setting t->paused is left
to __submit_request() which is fine for regular requests but doesn't
work for linger requests -- since __submit_request() doesn't operate
on linger requests, there is nowhere for lreq->t.paused to be set.
One consequence of this is that watches don't get reestablished on
paused -> unpaused transitions in cases where requests have been paused
long enough for the (paused) unwatch request to time out and for the
subsequent (re)watch request to enter the paused state. On top of the
watch not getting reestablished, rbd_reregister_watch() gets stuck with
rbd_dev->watch_mutex held:
rbd_register_watch
__rbd_register_watch
ceph_osdc_watch
linger_reg_commit_wait
It's waiting for lreq->reg_commit_wait to be completed, but for that to
happen the respective request needs to end up on need_resend_linger list
and be kicked when requests are unpaused. There is no chance for that
if the request in question is never marked paused in the first place.
The fact that rbd_dev->watch_mutex remains taken out forever then
prevents the image from getting unmapped -- "rbd unmap" would inevitably
hang in D state on an attempt to grab the mutex.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
922dab6134178cae317ae00de86376cba59f3147 , < 2b3329b3c29d9e188e40d902d5230c2d5989b940
(git)
Affected: 922dab6134178cae317ae00de86376cba59f3147 , < 5d0dc83cb9a69c1d0bea58f1c430199b05f6b021 (git) Affected: 922dab6134178cae317ae00de86376cba59f3147 , < 4d3399c52e0e61720ae898f5a0b5b75d4460ae24 (git) Affected: 922dab6134178cae317ae00de86376cba59f3147 , < 4ebc711b738d139cabe2fc9e7e7749847676a342 (git) Affected: 922dab6134178cae317ae00de86376cba59f3147 , < 6f468f6ff233c6a81e0e761d9124e982903fe9a5 (git) Affected: 922dab6134178cae317ae00de86376cba59f3147 , < 5647d42c47b535573b63e073e91164d6a5bb058c (git) Affected: 922dab6134178cae317ae00de86376cba59f3147 , < c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osd_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b3329b3c29d9e188e40d902d5230c2d5989b940",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "5d0dc83cb9a69c1d0bea58f1c430199b05f6b021",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "4d3399c52e0e61720ae898f5a0b5b75d4460ae24",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "4ebc711b738d139cabe2fc9e7e7749847676a342",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "6f468f6ff233c6a81e0e761d9124e982903fe9a5",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "5647d42c47b535573b63e073e91164d6a5bb058c",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osd_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make calc_target() set t-\u003epaused, not just clear it\n\nCurrently calc_target() clears t-\u003epaused if the request shouldn\u0027t be\npaused anymore, but doesn\u0027t ever set t-\u003epaused even though it\u0027s able to\ndetermine when the request should be paused. Setting t-\u003epaused is left\nto __submit_request() which is fine for regular requests but doesn\u0027t\nwork for linger requests -- since __submit_request() doesn\u0027t operate\non linger requests, there is nowhere for lreq-\u003et.paused to be set.\nOne consequence of this is that watches don\u0027t get reestablished on\npaused -\u003e unpaused transitions in cases where requests have been paused\nlong enough for the (paused) unwatch request to time out and for the\nsubsequent (re)watch request to enter the paused state. On top of the\nwatch not getting reestablished, rbd_reregister_watch() gets stuck with\nrbd_dev-\u003ewatch_mutex held:\n\n rbd_register_watch\n __rbd_register_watch\n ceph_osdc_watch\n linger_reg_commit_wait\n\nIt\u0027s waiting for lreq-\u003ereg_commit_wait to be completed, but for that to\nhappen the respective request needs to end up on need_resend_linger list\nand be kicked when requests are unpaused. There is no chance for that\nif the request in question is never marked paused in the first place.\n\nThe fact that rbd_dev-\u003ewatch_mutex remains taken out forever then\nprevents the image from getting unmapped -- \"rbd unmap\" would inevitably\nhang in D state on an attempt to grab the mutex."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:42.355Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b3329b3c29d9e188e40d902d5230c2d5989b940"
},
{
"url": "https://git.kernel.org/stable/c/5d0dc83cb9a69c1d0bea58f1c430199b05f6b021"
},
{
"url": "https://git.kernel.org/stable/c/4d3399c52e0e61720ae898f5a0b5b75d4460ae24"
},
{
"url": "https://git.kernel.org/stable/c/4ebc711b738d139cabe2fc9e7e7749847676a342"
},
{
"url": "https://git.kernel.org/stable/c/6f468f6ff233c6a81e0e761d9124e982903fe9a5"
},
{
"url": "https://git.kernel.org/stable/c/5647d42c47b535573b63e073e91164d6a5bb058c"
},
{
"url": "https://git.kernel.org/stable/c/c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176"
}
],
"title": "libceph: make calc_target() set t-\u003epaused, not just clear it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23047",
"datePublished": "2026-02-04T16:00:29.475Z",
"dateReserved": "2026-01-13T15:37:45.944Z",
"dateUpdated": "2026-02-09T08:37:42.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-37354 (GCVE-0-2024-37354)
Vulnerability from cvelistv5 – Published: 2024-06-25 14:22 – Updated: 2026-01-05 10:36
VLAI?
EPSS
Title
btrfs: fix crash on racing fsync and size-extending write into prealloc
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix crash on racing fsync and size-extending write into prealloc
We have been seeing crashes on duplicate keys in
btrfs_set_item_key_safe():
BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)
------------[ cut here ]------------
kernel BUG at fs/btrfs/ctree.c:2620!
invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]
With the following stack trace:
#0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)
#1 btrfs_drop_extents (fs/btrfs/file.c:411:4)
#2 log_one_extent (fs/btrfs/tree-log.c:4732:9)
#3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)
#4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)
#5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)
#6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)
#7 btrfs_sync_file (fs/btrfs/file.c:1933:8)
#8 vfs_fsync_range (fs/sync.c:188:9)
#9 vfs_fsync (fs/sync.c:202:9)
#10 do_fsync (fs/sync.c:212:9)
#11 __do_sys_fdatasync (fs/sync.c:225:9)
#12 __se_sys_fdatasync (fs/sync.c:223:1)
#13 __x64_sys_fdatasync (fs/sync.c:223:1)
#14 do_syscall_x64 (arch/x86/entry/common.c:52:14)
#15 do_syscall_64 (arch/x86/entry/common.c:83:7)
#16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)
So we're logging a changed extent from fsync, which is splitting an
extent in the log tree. But this split part already exists in the tree,
triggering the BUG().
This is the state of the log tree at the time of the crash, dumped with
drgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)
to get more details than btrfs_print_leaf() gives us:
>>> print_extent_buffer(prog.crashed_thread().stack_trace()[0]["eb"])
leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610
leaf 33439744 flags 0x100000000000000
fs uuid e5bd3946-400c-4223-8923-190ef1f18677
chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da
item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160
generation 7 transid 9 size 8192 nbytes 8473563889606862198
block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0
sequence 204 flags 0x10(PREALLOC)
atime 1716417703.220000000 (2024-05-22 15:41:43)
ctime 1716417704.983333333 (2024-05-22 15:41:44)
mtime 1716417704.983333333 (2024-05-22 15:41:44)
otime 17592186044416.000000000 (559444-03-08 01:40:16)
item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13
index 195 namelen 3 name: 193
item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37
location key (0 UNKNOWN.0 0) type XATTR
transid 7 data_len 1 name_len 6
name: user.a
data a
item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53
generation 9 type 1 (regular)
extent data disk byte 303144960 nr 12288
extent data offset 0 nr 4096 ram 12288
extent compression 0 (none)
item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53
generation 9 type 2 (prealloc)
prealloc data disk byte 303144960 nr 12288
prealloc data offset 4096 nr 8192
item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53
generation 9 type 2 (prealloc)
prealloc data disk byte 303144960 nr 12288
prealloc data offset 8192 nr 4096
...
So the real problem happened earlier: notice that items 4 (4k-12k) and 5
(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and
item 5 starts at i_size.
Here is the state of
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
31d11b83b96faaee4bb514d375a09489117c3e8d , < c993fd02ba471e296ca1996f13626fc917120158
(git)
Affected: 31d11b83b96faaee4bb514d375a09489117c3e8d , < 1ff2bd566fbcefcb892be85c493bdb92b911c428 (git) Affected: 31d11b83b96faaee4bb514d375a09489117c3e8d , < 3d08c52ba1887a1ff9c179d4b6a18b427bcb2097 (git) Affected: 31d11b83b96faaee4bb514d375a09489117c3e8d , < f4e5ed974876c14d3623e04dc43d3e3281bc6011 (git) Affected: 31d11b83b96faaee4bb514d375a09489117c3e8d , < 9d274c19a71b3a276949933859610721a453946b (git) Affected: 61a9f6b7fe0ca9706b49a23cecf5f9a9c802b6ce (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37354",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-25T15:43:24.537360Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T15:43:32.621Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:56.095Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1ff2bd566fbcefcb892be85c493bdb92b911c428"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3d08c52ba1887a1ff9c179d4b6a18b427bcb2097"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f4e5ed974876c14d3623e04dc43d3e3281bc6011"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9d274c19a71b3a276949933859610721a453946b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/tree-log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c993fd02ba471e296ca1996f13626fc917120158",
"status": "affected",
"version": "31d11b83b96faaee4bb514d375a09489117c3e8d",
"versionType": "git"
},
{
"lessThan": "1ff2bd566fbcefcb892be85c493bdb92b911c428",
"status": "affected",
"version": "31d11b83b96faaee4bb514d375a09489117c3e8d",
"versionType": "git"
},
{
"lessThan": "3d08c52ba1887a1ff9c179d4b6a18b427bcb2097",
"status": "affected",
"version": "31d11b83b96faaee4bb514d375a09489117c3e8d",
"versionType": "git"
},
{
"lessThan": "f4e5ed974876c14d3623e04dc43d3e3281bc6011",
"status": "affected",
"version": "31d11b83b96faaee4bb514d375a09489117c3e8d",
"versionType": "git"
},
{
"lessThan": "9d274c19a71b3a276949933859610721a453946b",
"status": "affected",
"version": "31d11b83b96faaee4bb514d375a09489117c3e8d",
"versionType": "git"
},
{
"status": "affected",
"version": "61a9f6b7fe0ca9706b49a23cecf5f9a9c802b6ce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/tree-log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.94",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.34",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.5",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.57",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix crash on racing fsync and size-extending write into prealloc\n\nWe have been seeing crashes on duplicate keys in\nbtrfs_set_item_key_safe():\n\n BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/ctree.c:2620!\n invalid opcode: 0000 [#1] PREEMPT SMP PTI\n CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\n RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]\n\nWith the following stack trace:\n\n #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)\n #1 btrfs_drop_extents (fs/btrfs/file.c:411:4)\n #2 log_one_extent (fs/btrfs/tree-log.c:4732:9)\n #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)\n #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)\n #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)\n #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)\n #7 btrfs_sync_file (fs/btrfs/file.c:1933:8)\n #8 vfs_fsync_range (fs/sync.c:188:9)\n #9 vfs_fsync (fs/sync.c:202:9)\n #10 do_fsync (fs/sync.c:212:9)\n #11 __do_sys_fdatasync (fs/sync.c:225:9)\n #12 __se_sys_fdatasync (fs/sync.c:223:1)\n #13 __x64_sys_fdatasync (fs/sync.c:223:1)\n #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)\n #15 do_syscall_64 (arch/x86/entry/common.c:83:7)\n #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)\n\nSo we\u0027re logging a changed extent from fsync, which is splitting an\nextent in the log tree. But this split part already exists in the tree,\ntriggering the BUG().\n\nThis is the state of the log tree at the time of the crash, dumped with\ndrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)\nto get more details than btrfs_print_leaf() gives us:\n\n \u003e\u003e\u003e print_extent_buffer(prog.crashed_thread().stack_trace()[0][\"eb\"])\n leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610\n leaf 33439744 flags 0x100000000000000\n fs uuid e5bd3946-400c-4223-8923-190ef1f18677\n chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da\n item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160\n generation 7 transid 9 size 8192 nbytes 8473563889606862198\n block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0\n sequence 204 flags 0x10(PREALLOC)\n atime 1716417703.220000000 (2024-05-22 15:41:43)\n ctime 1716417704.983333333 (2024-05-22 15:41:44)\n mtime 1716417704.983333333 (2024-05-22 15:41:44)\n otime 17592186044416.000000000 (559444-03-08 01:40:16)\n item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13\n index 195 namelen 3 name: 193\n item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37\n location key (0 UNKNOWN.0 0) type XATTR\n transid 7 data_len 1 name_len 6\n name: user.a\n data a\n item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53\n generation 9 type 1 (regular)\n extent data disk byte 303144960 nr 12288\n extent data offset 0 nr 4096 ram 12288\n extent compression 0 (none)\n item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 4096 nr 8192\n item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 8192 nr 4096\n ...\n\nSo the real problem happened earlier: notice that items 4 (4k-12k) and 5\n(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and\nitem 5 starts at i_size.\n\nHere is the state of \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:36:37.760Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c993fd02ba471e296ca1996f13626fc917120158"
},
{
"url": "https://git.kernel.org/stable/c/1ff2bd566fbcefcb892be85c493bdb92b911c428"
},
{
"url": "https://git.kernel.org/stable/c/3d08c52ba1887a1ff9c179d4b6a18b427bcb2097"
},
{
"url": "https://git.kernel.org/stable/c/f4e5ed974876c14d3623e04dc43d3e3281bc6011"
},
{
"url": "https://git.kernel.org/stable/c/9d274c19a71b3a276949933859610721a453946b"
}
],
"title": "btrfs: fix crash on racing fsync and size-extending write into prealloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-37354",
"datePublished": "2024-06-25T14:22:36.228Z",
"dateReserved": "2024-06-24T13:53:25.569Z",
"dateUpdated": "2026-01-05T10:36:37.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68344 (GCVE-0-2025-68344)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
ALSA: wavefront: Fix integer overflow in sample size validation
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: wavefront: Fix integer overflow in sample size validation
The wavefront_send_sample() function has an integer overflow issue
when validating sample size. The header->size field is u32 but gets
cast to int for comparison with dev->freemem
Fix by using unsigned comparison to avoid integer overflow.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 488bf86d60077f52810c60dbdf7468c277880167
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d2f5d8cf1eadb7b33e476f59aa9c6653e4f2b937 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4f811071e702fbb74933526e2fbadf8c4ed0c0c4 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 02b63f3bc29265bd9e83191792d200ed563acacf (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5588b7c86effffa9bb55383a38800649d7b40778 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bca11de0a277b8baeb7d006f93b543c907b6e782 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1823e08f76c68b9e1d26f6d5ef831b96f61a62a0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0c4a13ba88594fd4a27292853e736c6b4349823d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/isa/wavefront/wavefront_synth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "488bf86d60077f52810c60dbdf7468c277880167",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d2f5d8cf1eadb7b33e476f59aa9c6653e4f2b937",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4f811071e702fbb74933526e2fbadf8c4ed0c0c4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "02b63f3bc29265bd9e83191792d200ed563acacf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5588b7c86effffa9bb55383a38800649d7b40778",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bca11de0a277b8baeb7d006f93b543c907b6e782",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1823e08f76c68b9e1d26f6d5ef831b96f61a62a0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0c4a13ba88594fd4a27292853e736c6b4349823d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/isa/wavefront/wavefront_synth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: wavefront: Fix integer overflow in sample size validation\n\nThe wavefront_send_sample() function has an integer overflow issue\nwhen validating sample size. The header-\u003esize field is u32 but gets\ncast to int for comparison with dev-\u003efreemem\n\nFix by using unsigned comparison to avoid integer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:32.875Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/488bf86d60077f52810c60dbdf7468c277880167"
},
{
"url": "https://git.kernel.org/stable/c/d2f5d8cf1eadb7b33e476f59aa9c6653e4f2b937"
},
{
"url": "https://git.kernel.org/stable/c/4f811071e702fbb74933526e2fbadf8c4ed0c0c4"
},
{
"url": "https://git.kernel.org/stable/c/02b63f3bc29265bd9e83191792d200ed563acacf"
},
{
"url": "https://git.kernel.org/stable/c/5588b7c86effffa9bb55383a38800649d7b40778"
},
{
"url": "https://git.kernel.org/stable/c/bca11de0a277b8baeb7d006f93b543c907b6e782"
},
{
"url": "https://git.kernel.org/stable/c/1823e08f76c68b9e1d26f6d5ef831b96f61a62a0"
},
{
"url": "https://git.kernel.org/stable/c/0c4a13ba88594fd4a27292853e736c6b4349823d"
}
],
"title": "ALSA: wavefront: Fix integer overflow in sample size validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68344",
"datePublished": "2025-12-24T10:32:37.615Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-02-09T08:31:32.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40312 (GCVE-0-2025-40312)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
jfs: Verify inode mode when loading from disk
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: Verify inode mode when loading from disk
The inode mode loaded from corrupted disk can be invalid. Do like what
commit 0a9e74051313 ("isofs: Verify inode mode when loading from disk")
does.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 19cce65709a8a2966203653028d9004e28e85bd5
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fabc1348bb8fe6bc80850014ee94bd89945f7f4d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 46c76cfa17d1828c1a889cb54cb11d5ef3dfbc0f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2870a7dec49ccdc3f6ae35da8f5d6737f21133a8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ce054a366c54992185c9514e489a14f145b10c29 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1795277a4e98d82e6451544d43695540cee042ea (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8d6a9cbd276b3b85da0e7e98208f89416fed9265 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7a5aa54fba2bd591b22b9b624e6baa9037276986 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "19cce65709a8a2966203653028d9004e28e85bd5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fabc1348bb8fe6bc80850014ee94bd89945f7f4d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "46c76cfa17d1828c1a889cb54cb11d5ef3dfbc0f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2870a7dec49ccdc3f6ae35da8f5d6737f21133a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ce054a366c54992185c9514e489a14f145b10c29",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1795277a4e98d82e6451544d43695540cee042ea",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8d6a9cbd276b3b85da0e7e98208f89416fed9265",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7a5aa54fba2bd591b22b9b624e6baa9037276986",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Verify inode mode when loading from disk\n\nThe inode mode loaded from corrupted disk can be invalid. Do like what\ncommit 0a9e74051313 (\"isofs: Verify inode mode when loading from disk\")\ndoes."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:32.079Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/19cce65709a8a2966203653028d9004e28e85bd5"
},
{
"url": "https://git.kernel.org/stable/c/fabc1348bb8fe6bc80850014ee94bd89945f7f4d"
},
{
"url": "https://git.kernel.org/stable/c/46c76cfa17d1828c1a889cb54cb11d5ef3dfbc0f"
},
{
"url": "https://git.kernel.org/stable/c/2870a7dec49ccdc3f6ae35da8f5d6737f21133a8"
},
{
"url": "https://git.kernel.org/stable/c/ce054a366c54992185c9514e489a14f145b10c29"
},
{
"url": "https://git.kernel.org/stable/c/1795277a4e98d82e6451544d43695540cee042ea"
},
{
"url": "https://git.kernel.org/stable/c/8d6a9cbd276b3b85da0e7e98208f89416fed9265"
},
{
"url": "https://git.kernel.org/stable/c/7a5aa54fba2bd591b22b9b624e6baa9037276986"
}
],
"title": "jfs: Verify inode mode when loading from disk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40312",
"datePublished": "2025-12-08T00:46:38.147Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-02T15:33:32.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68215 (GCVE-0-2025-68215)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57
VLAI?
EPSS
Title
ice: fix PTP cleanup on driver removal in error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: fix PTP cleanup on driver removal in error path
Improve the cleanup on releasing PTP resources in error path.
The error case might happen either at the driver probe and PTP
feature initialization or on PTP restart (errors in reset handling, NVM
update etc). In both cases, calls to PF PTP cleanup (ice_ptp_cleanup_pf
function) and 'ps_lock' mutex deinitialization were missed.
Additionally, ptp clock was not unregistered in the latter case.
Keep PTP state as 'uninitialized' on init to distinguish between error
scenarios and to avoid resource release duplication at driver removal.
The consequence of missing ice_ptp_cleanup_pf call is the following call
trace dumped when ice_adapter object is freed (port list is not empty,
as it is required at this stage):
[ T93022] ------------[ cut here ]------------
[ T93022] WARNING: CPU: 10 PID: 93022 at
ice/ice_adapter.c:67 ice_adapter_put+0xef/0x100 [ice]
...
[ T93022] RIP: 0010:ice_adapter_put+0xef/0x100 [ice]
...
[ T93022] Call Trace:
[ T93022] <TASK>
[ T93022] ? ice_adapter_put+0xef/0x100 [ice
33d2647ad4f6d866d41eefff1806df37c68aef0c]
[ T93022] ? __warn.cold+0xb0/0x10e
[ T93022] ? ice_adapter_put+0xef/0x100 [ice
33d2647ad4f6d866d41eefff1806df37c68aef0c]
[ T93022] ? report_bug+0xd8/0x150
[ T93022] ? handle_bug+0xe9/0x110
[ T93022] ? exc_invalid_op+0x17/0x70
[ T93022] ? asm_exc_invalid_op+0x1a/0x20
[ T93022] ? ice_adapter_put+0xef/0x100 [ice
33d2647ad4f6d866d41eefff1806df37c68aef0c]
[ T93022] pci_device_remove+0x42/0xb0
[ T93022] device_release_driver_internal+0x19f/0x200
[ T93022] driver_detach+0x48/0x90
[ T93022] bus_remove_driver+0x70/0xf0
[ T93022] pci_unregister_driver+0x42/0xb0
[ T93022] ice_module_exit+0x10/0xdb0 [ice
33d2647ad4f6d866d41eefff1806df37c68aef0c]
...
[ T93022] ---[ end trace 0000000000000000 ]---
[ T93022] ice: module unloaded
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2f59743be4d9568cad2d9cf697d1b897975421ed , < f5eb91f876ebecbcd90f9edcaea98dcb354603b3
(git)
Affected: e800654e85b5b27966fc6493201f5f8cf658beb6 , < 765236f2c4fbba7650436b71a0e350500e9ec15f (git) Affected: e800654e85b5b27966fc6493201f5f8cf658beb6 , < 23a5b9b12de9dcd15ebae4f1abc8814ec1c51ab0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f5eb91f876ebecbcd90f9edcaea98dcb354603b3",
"status": "affected",
"version": "2f59743be4d9568cad2d9cf697d1b897975421ed",
"versionType": "git"
},
{
"lessThan": "765236f2c4fbba7650436b71a0e350500e9ec15f",
"status": "affected",
"version": "e800654e85b5b27966fc6493201f5f8cf658beb6",
"versionType": "git"
},
{
"lessThan": "23a5b9b12de9dcd15ebae4f1abc8814ec1c51ab0",
"status": "affected",
"version": "e800654e85b5b27966fc6493201f5f8cf658beb6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.12.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix PTP cleanup on driver removal in error path\n\nImprove the cleanup on releasing PTP resources in error path.\nThe error case might happen either at the driver probe and PTP\nfeature initialization or on PTP restart (errors in reset handling, NVM\nupdate etc). In both cases, calls to PF PTP cleanup (ice_ptp_cleanup_pf\nfunction) and \u0027ps_lock\u0027 mutex deinitialization were missed.\nAdditionally, ptp clock was not unregistered in the latter case.\n\nKeep PTP state as \u0027uninitialized\u0027 on init to distinguish between error\nscenarios and to avoid resource release duplication at driver removal.\n\nThe consequence of missing ice_ptp_cleanup_pf call is the following call\ntrace dumped when ice_adapter object is freed (port list is not empty,\nas it is required at this stage):\n\n[ T93022] ------------[ cut here ]------------\n[ T93022] WARNING: CPU: 10 PID: 93022 at\nice/ice_adapter.c:67 ice_adapter_put+0xef/0x100 [ice]\n...\n[ T93022] RIP: 0010:ice_adapter_put+0xef/0x100 [ice]\n...\n[ T93022] Call Trace:\n[ T93022] \u003cTASK\u003e\n[ T93022] ? ice_adapter_put+0xef/0x100 [ice\n33d2647ad4f6d866d41eefff1806df37c68aef0c]\n[ T93022] ? __warn.cold+0xb0/0x10e\n[ T93022] ? ice_adapter_put+0xef/0x100 [ice\n33d2647ad4f6d866d41eefff1806df37c68aef0c]\n[ T93022] ? report_bug+0xd8/0x150\n[ T93022] ? handle_bug+0xe9/0x110\n[ T93022] ? exc_invalid_op+0x17/0x70\n[ T93022] ? asm_exc_invalid_op+0x1a/0x20\n[ T93022] ? ice_adapter_put+0xef/0x100 [ice\n33d2647ad4f6d866d41eefff1806df37c68aef0c]\n[ T93022] pci_device_remove+0x42/0xb0\n[ T93022] device_release_driver_internal+0x19f/0x200\n[ T93022] driver_detach+0x48/0x90\n[ T93022] bus_remove_driver+0x70/0xf0\n[ T93022] pci_unregister_driver+0x42/0xb0\n[ T93022] ice_module_exit+0x10/0xdb0 [ice\n33d2647ad4f6d866d41eefff1806df37c68aef0c]\n...\n[ T93022] ---[ end trace 0000000000000000 ]---\n[ T93022] ice: module unloaded"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:10.576Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f5eb91f876ebecbcd90f9edcaea98dcb354603b3"
},
{
"url": "https://git.kernel.org/stable/c/765236f2c4fbba7650436b71a0e350500e9ec15f"
},
{
"url": "https://git.kernel.org/stable/c/23a5b9b12de9dcd15ebae4f1abc8814ec1c51ab0"
}
],
"title": "ice: fix PTP cleanup on driver removal in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68215",
"datePublished": "2025-12-16T13:57:10.576Z",
"dateReserved": "2025-12-16T13:41:40.256Z",
"dateUpdated": "2025-12-16T13:57:10.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68760 (GCVE-0-2025-68760)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
iommu/amd: Fix potential out-of-bounds read in iommu_mmio_show
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd: Fix potential out-of-bounds read in iommu_mmio_show
In iommu_mmio_write(), it validates the user-provided offset with the
check: `iommu->dbg_mmio_offset > iommu->mmio_phys_end - 4`.
This assumes a 4-byte access. However, the corresponding
show handler, iommu_mmio_show(), uses readq() to perform an 8-byte
(64-bit) read.
If a user provides an offset equal to `mmio_phys_end - 4`, the check
passes, and will lead to a 4-byte out-of-bounds read.
Fix this by adjusting the boundary check to use sizeof(u64), which
corresponds to the size of the readq() operation.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7a4ee419e8c144b747a8915856e91a034d7c8f34 , < b959df804c33913dbfdb90750f2d693502b3d126
(git)
Affected: 7a4ee419e8c144b747a8915856e91a034d7c8f34 , < 0ec4aaf5f3f559716a6559f3d6d9616e9470bed6 (git) Affected: 7a4ee419e8c144b747a8915856e91a034d7c8f34 , < a0c7005333f9a968abb058b1d77bbcd7fb7fd1e7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b959df804c33913dbfdb90750f2d693502b3d126",
"status": "affected",
"version": "7a4ee419e8c144b747a8915856e91a034d7c8f34",
"versionType": "git"
},
{
"lessThan": "0ec4aaf5f3f559716a6559f3d6d9616e9470bed6",
"status": "affected",
"version": "7a4ee419e8c144b747a8915856e91a034d7c8f34",
"versionType": "git"
},
{
"lessThan": "a0c7005333f9a968abb058b1d77bbcd7fb7fd1e7",
"status": "affected",
"version": "7a4ee419e8c144b747a8915856e91a034d7c8f34",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Fix potential out-of-bounds read in iommu_mmio_show\n\nIn iommu_mmio_write(), it validates the user-provided offset with the\ncheck: `iommu-\u003edbg_mmio_offset \u003e iommu-\u003emmio_phys_end - 4`.\nThis assumes a 4-byte access. However, the corresponding\nshow handler, iommu_mmio_show(), uses readq() to perform an 8-byte\n(64-bit) read.\n\nIf a user provides an offset equal to `mmio_phys_end - 4`, the check\npasses, and will lead to a 4-byte out-of-bounds read.\n\nFix this by adjusting the boundary check to use sizeof(u64), which\ncorresponds to the size of the readq() operation."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:04.876Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b959df804c33913dbfdb90750f2d693502b3d126"
},
{
"url": "https://git.kernel.org/stable/c/0ec4aaf5f3f559716a6559f3d6d9616e9470bed6"
},
{
"url": "https://git.kernel.org/stable/c/a0c7005333f9a968abb058b1d77bbcd7fb7fd1e7"
}
],
"title": "iommu/amd: Fix potential out-of-bounds read in iommu_mmio_show",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68760",
"datePublished": "2026-01-05T09:32:32.894Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-02-09T08:33:04.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68801 (GCVE-0-2025-68801)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
mlxsw: spectrum_router: Fix neighbour use-after-free
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_router: Fix neighbour use-after-free
We sometimes observe use-after-free when dereferencing a neighbour [1].
The problem seems to be that the driver stores a pointer to the
neighbour, but without holding a reference on it. A reference is only
taken when the neighbour is used by a nexthop.
Fix by simplifying the reference counting scheme. Always take a
reference when storing a neighbour pointer in a neighbour entry. Avoid
taking a referencing when the neighbour is used by a nexthop as the
neighbour entry associated with the nexthop already holds a reference.
Tested by running the test that uncovered the problem over 300 times.
Without this patch the problem was reproduced after a handful of
iterations.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310
Read of size 8 at addr ffff88817f8e3420 by task ip/3929
CPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full)
Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xa0
print_address_description.constprop.0+0x6e/0x300
print_report+0xfc/0x1fb
kasan_report+0xe4/0x110
mlxsw_sp_neigh_entry_update+0x2d4/0x310
mlxsw_sp_router_rif_gone_sync+0x35f/0x510
mlxsw_sp_rif_destroy+0x1ea/0x730
mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0
__mlxsw_sp_inetaddr_lag_event+0xcc/0x130
__mlxsw_sp_inetaddr_event+0xf5/0x3c0
mlxsw_sp_router_netdevice_event+0x1015/0x1580
notifier_call_chain+0xcc/0x150
call_netdevice_notifiers_info+0x7e/0x100
__netdev_upper_dev_unlink+0x10b/0x210
netdev_upper_dev_unlink+0x79/0xa0
vrf_del_slave+0x18/0x50
do_set_master+0x146/0x7d0
do_setlink.isra.0+0x9a0/0x2880
rtnl_newlink+0x637/0xb20
rtnetlink_rcv_msg+0x6fe/0xb90
netlink_rcv_skb+0x123/0x380
netlink_unicast+0x4a3/0x770
netlink_sendmsg+0x75b/0xc90
__sock_sendmsg+0xbe/0x160
____sys_sendmsg+0x5b2/0x7d0
___sys_sendmsg+0xfd/0x180
__sys_sendmsg+0x124/0x1c0
do_syscall_64+0xbb/0xfd0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[...]
Allocated by task 109:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7b/0x90
__kmalloc_noprof+0x2c1/0x790
neigh_alloc+0x6af/0x8f0
___neigh_create+0x63/0xe90
mlxsw_sp_nexthop_neigh_init+0x430/0x7e0
mlxsw_sp_nexthop_type_init+0x212/0x960
mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280
mlxsw_sp_nexthop6_group_get+0x392/0x6a0
mlxsw_sp_fib6_entry_create+0x46a/0xfd0
mlxsw_sp_router_fib6_replace+0x1ed/0x5f0
mlxsw_sp_router_fib6_event_work+0x10a/0x2a0
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Freed by task 154:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x43/0x70
kmem_cache_free_bulk.part.0+0x1eb/0x5e0
kvfree_rcu_bulk+0x1f2/0x260
kfree_rcu_work+0x130/0x1b0
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Last potentially related work creation:
kasan_save_stack+0x30/0x50
kasan_record_aux_stack+0x8c/0xa0
kvfree_call_rcu+0x93/0x5b0
mlxsw_sp_router_neigh_event_work+0x67d/0x860
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6cf3c971dc84cb36579515ddb488919b9e9fb6de , < a2dfe6758fc63e542105bee8b17a3a7485684db0
(git)
Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < 9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc (git) Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < c437fbfd4382412598cdda1f8e2881b523668cc2 (git) Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < 4a3c569005f42ab5e5b2ad637132a33bf102cc08 (git) Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a (git) Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < 675c5aeadf6472672c472dc0f26401e4fcfbf254 (git) Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < 8b0e69763ef948fb872a7767df4be665d18f5fd4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a2dfe6758fc63e542105bee8b17a3a7485684db0",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "c437fbfd4382412598cdda1f8e2881b523668cc2",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "4a3c569005f42ab5e5b2ad637132a33bf102cc08",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "675c5aeadf6472672c472dc0f26401e4fcfbf254",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "8b0e69763ef948fb872a7767df4be665d18f5fd4",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_router: Fix neighbour use-after-free\n\nWe sometimes observe use-after-free when dereferencing a neighbour [1].\nThe problem seems to be that the driver stores a pointer to the\nneighbour, but without holding a reference on it. A reference is only\ntaken when the neighbour is used by a nexthop.\n\nFix by simplifying the reference counting scheme. Always take a\nreference when storing a neighbour pointer in a neighbour entry. Avoid\ntaking a referencing when the neighbour is used by a nexthop as the\nneighbour entry associated with the nexthop already holds a reference.\n\nTested by running the test that uncovered the problem over 300 times.\nWithout this patch the problem was reproduced after a handful of\niterations.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310\nRead of size 8 at addr ffff88817f8e3420 by task ip/3929\n\nCPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full)\nHardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6f/0xa0\n print_address_description.constprop.0+0x6e/0x300\n print_report+0xfc/0x1fb\n kasan_report+0xe4/0x110\n mlxsw_sp_neigh_entry_update+0x2d4/0x310\n mlxsw_sp_router_rif_gone_sync+0x35f/0x510\n mlxsw_sp_rif_destroy+0x1ea/0x730\n mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0\n __mlxsw_sp_inetaddr_lag_event+0xcc/0x130\n __mlxsw_sp_inetaddr_event+0xf5/0x3c0\n mlxsw_sp_router_netdevice_event+0x1015/0x1580\n notifier_call_chain+0xcc/0x150\n call_netdevice_notifiers_info+0x7e/0x100\n __netdev_upper_dev_unlink+0x10b/0x210\n netdev_upper_dev_unlink+0x79/0xa0\n vrf_del_slave+0x18/0x50\n do_set_master+0x146/0x7d0\n do_setlink.isra.0+0x9a0/0x2880\n rtnl_newlink+0x637/0xb20\n rtnetlink_rcv_msg+0x6fe/0xb90\n netlink_rcv_skb+0x123/0x380\n netlink_unicast+0x4a3/0x770\n netlink_sendmsg+0x75b/0xc90\n __sock_sendmsg+0xbe/0x160\n ____sys_sendmsg+0x5b2/0x7d0\n ___sys_sendmsg+0xfd/0x180\n __sys_sendmsg+0x124/0x1c0\n do_syscall_64+0xbb/0xfd0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n[...]\n\nAllocated by task 109:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7b/0x90\n __kmalloc_noprof+0x2c1/0x790\n neigh_alloc+0x6af/0x8f0\n ___neigh_create+0x63/0xe90\n mlxsw_sp_nexthop_neigh_init+0x430/0x7e0\n mlxsw_sp_nexthop_type_init+0x212/0x960\n mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280\n mlxsw_sp_nexthop6_group_get+0x392/0x6a0\n mlxsw_sp_fib6_entry_create+0x46a/0xfd0\n mlxsw_sp_router_fib6_replace+0x1ed/0x5f0\n mlxsw_sp_router_fib6_event_work+0x10a/0x2a0\n process_one_work+0xd57/0x1390\n worker_thread+0x4d6/0xd40\n kthread+0x355/0x5b0\n ret_from_fork+0x1d4/0x270\n ret_from_fork_asm+0x11/0x20\n\nFreed by task 154:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x43/0x70\n kmem_cache_free_bulk.part.0+0x1eb/0x5e0\n kvfree_rcu_bulk+0x1f2/0x260\n kfree_rcu_work+0x130/0x1b0\n process_one_work+0xd57/0x1390\n worker_thread+0x4d6/0xd40\n kthread+0x355/0x5b0\n ret_from_fork+0x1d4/0x270\n ret_from_fork_asm+0x11/0x20\n\nLast potentially related work creation:\n kasan_save_stack+0x30/0x50\n kasan_record_aux_stack+0x8c/0xa0\n kvfree_call_rcu+0x93/0x5b0\n mlxsw_sp_router_neigh_event_work+0x67d/0x860\n process_one_work+0xd57/0x1390\n worker_thread+0x4d6/0xd40\n kthread+0x355/0x5b0\n ret_from_fork+0x1d4/0x270\n ret_from_fork_asm+0x11/0x20"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:49.549Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a2dfe6758fc63e542105bee8b17a3a7485684db0"
},
{
"url": "https://git.kernel.org/stable/c/9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc"
},
{
"url": "https://git.kernel.org/stable/c/c437fbfd4382412598cdda1f8e2881b523668cc2"
},
{
"url": "https://git.kernel.org/stable/c/4a3c569005f42ab5e5b2ad637132a33bf102cc08"
},
{
"url": "https://git.kernel.org/stable/c/ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a"
},
{
"url": "https://git.kernel.org/stable/c/675c5aeadf6472672c472dc0f26401e4fcfbf254"
},
{
"url": "https://git.kernel.org/stable/c/8b0e69763ef948fb872a7767df4be665d18f5fd4"
}
],
"title": "mlxsw: spectrum_router: Fix neighbour use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68801",
"datePublished": "2026-01-13T15:29:10.349Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-02-09T08:33:49.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68208 (GCVE-0-2025-68208)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2025-12-16 13:48
VLAI?
EPSS
Title
bpf: account for current allocated stack depth in widen_imprecise_scalars()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: account for current allocated stack depth in widen_imprecise_scalars()
The usage pattern for widen_imprecise_scalars() looks as follows:
prev_st = find_prev_entry(env, ...);
queued_st = push_stack(...);
widen_imprecise_scalars(env, prev_st, queued_st);
Where prev_st is an ancestor of the queued_st in the explored states
tree. This ancestor is not guaranteed to have same allocated stack
depth as queued_st. E.g. in the following case:
def main():
for i in 1..2:
foo(i) // same callsite, differnt param
def foo(i):
if i == 1:
use 128 bytes of stack
iterator based loop
Here, for a second 'foo' call prev_st->allocated_stack is 128,
while queued_st->allocated_stack is much smaller.
widen_imprecise_scalars() needs to take this into account and avoid
accessing bpf_verifier_state->frame[*]->stack out of bounds.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ab470fefce2837e66b771c60858118d50bb5bb10 , < 64b12dca2b0abcb5fc0542887d18b926ea5cf711
(git)
Affected: 2793a8b015f7f1caadb9bce9c63dc659f7522676 , < 9944c7938cd5b3f37b0afec0481c7c015e4f1c58 (git) Affected: 2793a8b015f7f1caadb9bce9c63dc659f7522676 , < 57e04e2ff56e32f923154f0f7bc476fcb596ffe7 (git) Affected: 2793a8b015f7f1caadb9bce9c63dc659f7522676 , < b0c8e6d3d866b6a7f73877f71968dbffd27b7785 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64b12dca2b0abcb5fc0542887d18b926ea5cf711",
"status": "affected",
"version": "ab470fefce2837e66b771c60858118d50bb5bb10",
"versionType": "git"
},
{
"lessThan": "9944c7938cd5b3f37b0afec0481c7c015e4f1c58",
"status": "affected",
"version": "2793a8b015f7f1caadb9bce9c63dc659f7522676",
"versionType": "git"
},
{
"lessThan": "57e04e2ff56e32f923154f0f7bc476fcb596ffe7",
"status": "affected",
"version": "2793a8b015f7f1caadb9bce9c63dc659f7522676",
"versionType": "git"
},
{
"lessThan": "b0c8e6d3d866b6a7f73877f71968dbffd27b7785",
"status": "affected",
"version": "2793a8b015f7f1caadb9bce9c63dc659f7522676",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: account for current allocated stack depth in widen_imprecise_scalars()\n\nThe usage pattern for widen_imprecise_scalars() looks as follows:\n\n prev_st = find_prev_entry(env, ...);\n queued_st = push_stack(...);\n widen_imprecise_scalars(env, prev_st, queued_st);\n\nWhere prev_st is an ancestor of the queued_st in the explored states\ntree. This ancestor is not guaranteed to have same allocated stack\ndepth as queued_st. E.g. in the following case:\n\n def main():\n for i in 1..2:\n foo(i) // same callsite, differnt param\n\n def foo(i):\n if i == 1:\n use 128 bytes of stack\n iterator based loop\n\nHere, for a second \u0027foo\u0027 call prev_st-\u003eallocated_stack is 128,\nwhile queued_st-\u003eallocated_stack is much smaller.\nwiden_imprecise_scalars() needs to take this into account and avoid\naccessing bpf_verifier_state-\u003eframe[*]-\u003estack out of bounds."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:48:35.298Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64b12dca2b0abcb5fc0542887d18b926ea5cf711"
},
{
"url": "https://git.kernel.org/stable/c/9944c7938cd5b3f37b0afec0481c7c015e4f1c58"
},
{
"url": "https://git.kernel.org/stable/c/57e04e2ff56e32f923154f0f7bc476fcb596ffe7"
},
{
"url": "https://git.kernel.org/stable/c/b0c8e6d3d866b6a7f73877f71968dbffd27b7785"
}
],
"title": "bpf: account for current allocated stack depth in widen_imprecise_scalars()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68208",
"datePublished": "2025-12-16T13:48:35.298Z",
"dateReserved": "2025-12-16T13:41:40.255Z",
"dateUpdated": "2025-12-16T13:48:35.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-48875 (GCVE-0-2022-48875)
Vulnerability from cvelistv5 – Published: 2024-08-21 06:10 – Updated: 2025-12-23 13:20
VLAI?
EPSS
Title
wifi: mac80211: sdata can be NULL during AMPDU start
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: sdata can be NULL during AMPDU start
ieee80211_tx_ba_session_handle_start() may get NULL for sdata when a
deauthentication is ongoing.
Here a trace triggering the race with the hostapd test
multi_ap_fronthaul_on_ap:
(gdb) list *drv_ampdu_action+0x46
0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).
391 int ret = -EOPNOTSUPP;
392
393 might_sleep();
394
395 sdata = get_bss_sdata(sdata);
396 if (!check_sdata_in_driver(sdata))
397 return -EIO;
398
399 trace_drv_ampdu_action(local, sdata, params);
400
wlan0: moving STA 02:00:00:00:03:00 to state 3
wlan0: associated
wlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)
wlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0
wlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)
wlan0: moving STA 02:00:00:00:03:00 to state 2
wlan0: moving STA 02:00:00:00:03:00 to state 1
wlan0: Removed STA 02:00:00:00:03:00
wlan0: Destroyed STA 02:00:00:00:03:00
BUG: unable to handle page fault for address: fffffffffffffb48
PGD 11814067 P4D 11814067 PUD 11816067 PMD 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
Workqueue: phy3 ieee80211_ba_session_work [mac80211]
RIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]
Code: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85
RSP: 0018:ffffc900025ebd20 EFLAGS: 00010287
RAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240
RDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40
RBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0
R13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8
FS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0
Call Trace:
<TASK>
ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]
ieee80211_ba_session_work+0xff/0x2e0 [mac80211]
process_one_work+0x29f/0x620
worker_thread+0x4d/0x3d0
? process_one_work+0x620/0x620
kthread+0xfb/0x120
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0ab337032a0dfcd5f2527d3306d3deeba5f95b59 , < 187523fa7c2d4c780f775cb869216865c4a909ef
(git)
Affected: 0ab337032a0dfcd5f2527d3306d3deeba5f95b59 , < a12fd43bd175fa52c82f9740179d38c34ca1b62e (git) Affected: 0ab337032a0dfcd5f2527d3306d3deeba5f95b59 , < c838df8461a601b20dc1b9fb1834d2aad8e2f949 (git) Affected: 0ab337032a0dfcd5f2527d3306d3deeba5f95b59 , < 69403bad97aa0162e3d7911b27e25abe774093df (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-48875",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:05:16.319547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T17:32:53.565Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/agg-tx.c",
"net/mac80211/driver-ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "187523fa7c2d4c780f775cb869216865c4a909ef",
"status": "affected",
"version": "0ab337032a0dfcd5f2527d3306d3deeba5f95b59",
"versionType": "git"
},
{
"lessThan": "a12fd43bd175fa52c82f9740179d38c34ca1b62e",
"status": "affected",
"version": "0ab337032a0dfcd5f2527d3306d3deeba5f95b59",
"versionType": "git"
},
{
"lessThan": "c838df8461a601b20dc1b9fb1834d2aad8e2f949",
"status": "affected",
"version": "0ab337032a0dfcd5f2527d3306d3deeba5f95b59",
"versionType": "git"
},
{
"lessThan": "69403bad97aa0162e3d7911b27e25abe774093df",
"status": "affected",
"version": "0ab337032a0dfcd5f2527d3306d3deeba5f95b59",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/agg-tx.c",
"net/mac80211/driver-ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.165",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.90",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.8",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: sdata can be NULL during AMPDU start\n\nieee80211_tx_ba_session_handle_start() may get NULL for sdata when a\ndeauthentication is ongoing.\n\nHere a trace triggering the race with the hostapd test\nmulti_ap_fronthaul_on_ap:\n\n(gdb) list *drv_ampdu_action+0x46\n0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).\n391 int ret = -EOPNOTSUPP;\n392\n393 might_sleep();\n394\n395 sdata = get_bss_sdata(sdata);\n396 if (!check_sdata_in_driver(sdata))\n397 return -EIO;\n398\n399 trace_drv_ampdu_action(local, sdata, params);\n400\n\nwlan0: moving STA 02:00:00:00:03:00 to state 3\nwlan0: associated\nwlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)\nwlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0\nwlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)\nwlan0: moving STA 02:00:00:00:03:00 to state 2\nwlan0: moving STA 02:00:00:00:03:00 to state 1\nwlan0: Removed STA 02:00:00:00:03:00\nwlan0: Destroyed STA 02:00:00:00:03:00\nBUG: unable to handle page fault for address: fffffffffffffb48\nPGD 11814067 P4D 11814067 PUD 11816067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014\nWorkqueue: phy3 ieee80211_ba_session_work [mac80211]\nRIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]\nCode: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 \u003c8b\u003e 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85\nRSP: 0018:ffffc900025ebd20 EFLAGS: 00010287\nRAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240\nRDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40\nRBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0\nR13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8\nFS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0\nCall Trace:\n \u003cTASK\u003e\n ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]\n ieee80211_ba_session_work+0xff/0x2e0 [mac80211]\n process_one_work+0x29f/0x620\n worker_thread+0x4d/0x3d0\n ? process_one_work+0x620/0x620\n kthread+0xfb/0x120\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:20:59.868Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/187523fa7c2d4c780f775cb869216865c4a909ef"
},
{
"url": "https://git.kernel.org/stable/c/a12fd43bd175fa52c82f9740179d38c34ca1b62e"
},
{
"url": "https://git.kernel.org/stable/c/c838df8461a601b20dc1b9fb1834d2aad8e2f949"
},
{
"url": "https://git.kernel.org/stable/c/69403bad97aa0162e3d7911b27e25abe774093df"
}
],
"title": "wifi: mac80211: sdata can be NULL during AMPDU start",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-48875",
"datePublished": "2024-08-21T06:10:06.207Z",
"dateReserved": "2024-07-16T11:38:08.922Z",
"dateUpdated": "2025-12-23T13:20:59.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22982 (GCVE-0-2026-22982)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
net: mscc: ocelot: Fix crash when adding interface under a lag
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mscc: ocelot: Fix crash when adding interface under a lag
Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag")
fixed a similar issue in the lan966x driver caused by a NULL pointer dereference.
The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic
and is susceptible to the same crash.
This issue specifically affects the ocelot_vsc7514.c frontend, which leaves
unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as
it uses the DSA framework which registers all ports.
Fix this by checking if the port pointer is valid before accessing it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
528d3f190c98c8f7d9581f68db4af021696727b2 , < 8767f238b0e6c3d0b295ac6dce9fbe6a99bd1b9d
(git)
Affected: 528d3f190c98c8f7d9581f68db4af021696727b2 , < b17818307446c5a8d925a39a792261dbfa930041 (git) Affected: 528d3f190c98c8f7d9581f68db4af021696727b2 , < 2985712dc76dfa670eb7fd607c09d4d48e5f5c6e (git) Affected: 528d3f190c98c8f7d9581f68db4af021696727b2 , < 03fb1708b7d1e76aecebf767ad059c319845039f (git) Affected: 528d3f190c98c8f7d9581f68db4af021696727b2 , < f490af47bbee02441e356a1e0b86e3b3dd5120ff (git) Affected: 528d3f190c98c8f7d9581f68db4af021696727b2 , < 34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mscc/ocelot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8767f238b0e6c3d0b295ac6dce9fbe6a99bd1b9d",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "b17818307446c5a8d925a39a792261dbfa930041",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "2985712dc76dfa670eb7fd607c09d4d48e5f5c6e",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "03fb1708b7d1e76aecebf767ad059c319845039f",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "f490af47bbee02441e356a1e0b86e3b3dd5120ff",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mscc/ocelot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mscc: ocelot: Fix crash when adding interface under a lag\n\nCommit 15faa1f67ab4 (\"lan966x: Fix crash when adding interface under a lag\")\nfixed a similar issue in the lan966x driver caused by a NULL pointer dereference.\nThe ocelot_set_aggr_pgids() function in the ocelot driver has similar logic\nand is susceptible to the same crash.\n\nThis issue specifically affects the ocelot_vsc7514.c frontend, which leaves\nunused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as\nit uses the DSA framework which registers all ports.\n\nFix this by checking if the port pointer is valid before accessing it."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:32.363Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8767f238b0e6c3d0b295ac6dce9fbe6a99bd1b9d"
},
{
"url": "https://git.kernel.org/stable/c/b17818307446c5a8d925a39a792261dbfa930041"
},
{
"url": "https://git.kernel.org/stable/c/2985712dc76dfa670eb7fd607c09d4d48e5f5c6e"
},
{
"url": "https://git.kernel.org/stable/c/03fb1708b7d1e76aecebf767ad059c319845039f"
},
{
"url": "https://git.kernel.org/stable/c/f490af47bbee02441e356a1e0b86e3b3dd5120ff"
},
{
"url": "https://git.kernel.org/stable/c/34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95"
}
],
"title": "net: mscc: ocelot: Fix crash when adding interface under a lag",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22982",
"datePublished": "2026-01-23T15:24:04.556Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-02-09T08:36:32.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39845 (GCVE-0-2025-39845)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()
Define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure
page tables are properly synchronized when calling p*d_populate_kernel().
For 5-level paging, synchronization is performed via
pgd_populate_kernel(). In 4-level paging, pgd_populate() is a no-op, so
synchronization is instead performed at the P4D level via
p4d_populate_kernel().
This fixes intermittent boot failures on systems using 4-level paging and
a large amount of persistent memory:
BUG: unable to handle page fault for address: ffffe70000000034
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] SMP NOPTI
RIP: 0010:__init_single_page+0x9/0x6d
Call Trace:
<TASK>
__init_zone_device_page+0x17/0x5d
memmap_init_zone_device+0x154/0x1bb
pagemap_range+0x2e0/0x40f
memremap_pages+0x10b/0x2f0
devm_memremap_pages+0x1e/0x60
dev_dax_probe+0xce/0x2ec [device_dax]
dax_bus_probe+0x6d/0xc9
[... snip ...]
</TASK>
It also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap
before sync_global_pgds() [1]:
BUG: unable to handle page fault for address: ffffeb3ff1200000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI
Tainted: [W]=WARN
RIP: 0010:vmemmap_set_pmd+0xff/0x230
<TASK>
vmemmap_populate_hugepages+0x176/0x180
vmemmap_populate+0x34/0x80
__populate_section_memmap+0x41/0x90
sparse_add_section+0x121/0x3e0
__add_pages+0xba/0x150
add_pages+0x1d/0x70
memremap_pages+0x3dc/0x810
devm_memremap_pages+0x1c/0x60
xe_devm_add+0x8b/0x100 [xe]
xe_tile_init_noalloc+0x6a/0x70 [xe]
xe_device_probe+0x48c/0x740 [xe]
[... snip ...]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8d400913c231bd1da74067255816453f96cd35b0 , < 744ff519c72de31344a627eaf9b24e9595aae554
(git)
Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 5f761d40ee95d2624f839c90ebeef2d5c55007f5 (git) Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 26ff568f390a531d1bd792e49f1a401849921960 (git) Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < b7f4051dd3388edd30e9a6077c05c486aa31e0d4 (git) Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 6bf9473727569e8283c1e2445c7ac42cf4fc9fa9 (git) Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 6659d027998083fbb6d42a165b0c90dc2e8ba989 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:00.910Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/pgtable_64_types.h",
"arch/x86/mm/init_64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "744ff519c72de31344a627eaf9b24e9595aae554",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "5f761d40ee95d2624f839c90ebeef2d5c55007f5",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "26ff568f390a531d1bd792e49f1a401849921960",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "b7f4051dd3388edd30e9a6077c05c486aa31e0d4",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "6bf9473727569e8283c1e2445c7ac42cf4fc9fa9",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "6659d027998083fbb6d42a165b0c90dc2e8ba989",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/pgtable_64_types.h",
"arch/x86/mm/init_64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()\n\nDefine ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure\npage tables are properly synchronized when calling p*d_populate_kernel().\n\nFor 5-level paging, synchronization is performed via\npgd_populate_kernel(). In 4-level paging, pgd_populate() is a no-op, so\nsynchronization is instead performed at the P4D level via\np4d_populate_kernel().\n\nThis fixes intermittent boot failures on systems using 4-level paging and\na large amount of persistent memory:\n\n BUG: unable to handle page fault for address: ffffe70000000034\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] SMP NOPTI\n RIP: 0010:__init_single_page+0x9/0x6d\n Call Trace:\n \u003cTASK\u003e\n __init_zone_device_page+0x17/0x5d\n memmap_init_zone_device+0x154/0x1bb\n pagemap_range+0x2e0/0x40f\n memremap_pages+0x10b/0x2f0\n devm_memremap_pages+0x1e/0x60\n dev_dax_probe+0xce/0x2ec [device_dax]\n dax_bus_probe+0x6d/0xc9\n [... snip ...]\n \u003c/TASK\u003e\n\nIt also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap\nbefore sync_global_pgds() [1]:\n\n BUG: unable to handle page fault for address: ffffeb3ff1200000\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI\n Tainted: [W]=WARN\n RIP: 0010:vmemmap_set_pmd+0xff/0x230\n \u003cTASK\u003e\n vmemmap_populate_hugepages+0x176/0x180\n vmemmap_populate+0x34/0x80\n __populate_section_memmap+0x41/0x90\n sparse_add_section+0x121/0x3e0\n __add_pages+0xba/0x150\n add_pages+0x1d/0x70\n memremap_pages+0x3dc/0x810\n devm_memremap_pages+0x1c/0x60\n xe_devm_add+0x8b/0x100 [xe]\n xe_tile_init_noalloc+0x6a/0x70 [xe]\n xe_device_probe+0x48c/0x740 [xe]\n [... snip ...]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:54.904Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/744ff519c72de31344a627eaf9b24e9595aae554"
},
{
"url": "https://git.kernel.org/stable/c/5f761d40ee95d2624f839c90ebeef2d5c55007f5"
},
{
"url": "https://git.kernel.org/stable/c/26ff568f390a531d1bd792e49f1a401849921960"
},
{
"url": "https://git.kernel.org/stable/c/b7f4051dd3388edd30e9a6077c05c486aa31e0d4"
},
{
"url": "https://git.kernel.org/stable/c/6bf9473727569e8283c1e2445c7ac42cf4fc9fa9"
},
{
"url": "https://git.kernel.org/stable/c/6659d027998083fbb6d42a165b0c90dc2e8ba989"
}
],
"title": "x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39845",
"datePublished": "2025-09-19T15:26:19.225Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:44:00.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68767 (GCVE-0-2025-68767)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
hfsplus: Verify inode mode when loading from disk
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: Verify inode mode when loading from disk
syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when
the S_IFMT bits of the 16bits "mode" field loaded from disk are corrupted.
According to [1], the permissions field was treated as reserved in Mac OS
8 and 9. According to [2], the reserved field was explicitly initialized
with 0, and that field must remain 0 as long as reserved. Therefore, when
the "mode" field is not 0 (i.e. no longer reserved), the file must be
S_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/
S_IFBLK/S_IFIFO/S_IFSOCK if dir == 0.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6f768724aabd5b321c5b8f15acdca11e4781cf32
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d92333c7a35856e419500e7eed72dac1afa404a5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 001f44982587ad462b3002ee40c75e8df67d597d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 05ec9af3cc430683c97f76027e1c55ac6fd25c59 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < edfb2e602b5ba5ca6bf31cbac20b366efb72b156 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 91f114bffa36ce56d0e1f60a0a44fc09baaefc79 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 005d4b0d33f6b4a23d382b7930f7a96b95b01f39 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6f768724aabd5b321c5b8f15acdca11e4781cf32",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d92333c7a35856e419500e7eed72dac1afa404a5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "001f44982587ad462b3002ee40c75e8df67d597d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "05ec9af3cc430683c97f76027e1c55ac6fd25c59",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "edfb2e602b5ba5ca6bf31cbac20b366efb72b156",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "91f114bffa36ce56d0e1f60a0a44fc09baaefc79",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "005d4b0d33f6b4a23d382b7930f7a96b95b01f39",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: Verify inode mode when loading from disk\n\nsyzbot is reporting that S_IFMT bits of inode-\u003ei_mode can become bogus when\nthe S_IFMT bits of the 16bits \"mode\" field loaded from disk are corrupted.\n\nAccording to [1], the permissions field was treated as reserved in Mac OS\n8 and 9. According to [2], the reserved field was explicitly initialized\nwith 0, and that field must remain 0 as long as reserved. Therefore, when\nthe \"mode\" field is not 0 (i.e. no longer reserved), the file must be\nS_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/\nS_IFBLK/S_IFIFO/S_IFSOCK if dir == 0."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:12.139Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6f768724aabd5b321c5b8f15acdca11e4781cf32"
},
{
"url": "https://git.kernel.org/stable/c/d92333c7a35856e419500e7eed72dac1afa404a5"
},
{
"url": "https://git.kernel.org/stable/c/001f44982587ad462b3002ee40c75e8df67d597d"
},
{
"url": "https://git.kernel.org/stable/c/05ec9af3cc430683c97f76027e1c55ac6fd25c59"
},
{
"url": "https://git.kernel.org/stable/c/edfb2e602b5ba5ca6bf31cbac20b366efb72b156"
},
{
"url": "https://git.kernel.org/stable/c/91f114bffa36ce56d0e1f60a0a44fc09baaefc79"
},
{
"url": "https://git.kernel.org/stable/c/005d4b0d33f6b4a23d382b7930f7a96b95b01f39"
}
],
"title": "hfsplus: Verify inode mode when loading from disk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68767",
"datePublished": "2026-01-13T15:28:46.382Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-02-09T08:33:12.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68244 (GCVE-0-2025-68244)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:21 – Updated: 2025-12-16 14:21
VLAI?
EPSS
Title
drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD
On completion of i915_vma_pin_ww(), a synchronous variant of
dma_fence_work_commit() is called. When pinning a VMA to GGTT address
space on a Cherry View family processor, or on a Broxton generation SoC
with VTD enabled, i.e., when stop_machine() is then called from
intel_ggtt_bind_vma(), that can potentially lead to lock inversion among
reservation_ww and cpu_hotplug locks.
[86.861179] ======================================================
[86.861193] WARNING: possible circular locking dependency detected
[86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G U
[86.861226] ------------------------------------------------------
[86.861238] i915_module_loa/1432 is trying to acquire lock:
[86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50
[86.861290]
but task is already holding lock:
[86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915]
[86.862233]
which lock already depends on the new lock.
[86.862251]
the existing dependency chain (in reverse order) is:
[86.862265]
-> #5 (reservation_ww_class_mutex){+.+.}-{3:3}:
[86.862292] dma_resv_lockdep+0x19a/0x390
[86.862315] do_one_initcall+0x60/0x3f0
[86.862334] kernel_init_freeable+0x3cd/0x680
[86.862353] kernel_init+0x1b/0x200
[86.862369] ret_from_fork+0x47/0x70
[86.862383] ret_from_fork_asm+0x1a/0x30
[86.862399]
-> #4 (reservation_ww_class_acquire){+.+.}-{0:0}:
[86.862425] dma_resv_lockdep+0x178/0x390
[86.862440] do_one_initcall+0x60/0x3f0
[86.862454] kernel_init_freeable+0x3cd/0x680
[86.862470] kernel_init+0x1b/0x200
[86.862482] ret_from_fork+0x47/0x70
[86.862495] ret_from_fork_asm+0x1a/0x30
[86.862509]
-> #3 (&mm->mmap_lock){++++}-{3:3}:
[86.862531] down_read_killable+0x46/0x1e0
[86.862546] lock_mm_and_find_vma+0xa2/0x280
[86.862561] do_user_addr_fault+0x266/0x8e0
[86.862578] exc_page_fault+0x8a/0x2f0
[86.862593] asm_exc_page_fault+0x27/0x30
[86.862607] filldir64+0xeb/0x180
[86.862620] kernfs_fop_readdir+0x118/0x480
[86.862635] iterate_dir+0xcf/0x2b0
[86.862648] __x64_sys_getdents64+0x84/0x140
[86.862661] x64_sys_call+0x1058/0x2660
[86.862675] do_syscall_64+0x91/0xe90
[86.862689] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[86.862703]
-> #2 (&root->kernfs_rwsem){++++}-{3:3}:
[86.862725] down_write+0x3e/0xf0
[86.862738] kernfs_add_one+0x30/0x3c0
[86.862751] kernfs_create_dir_ns+0x53/0xb0
[86.862765] internal_create_group+0x134/0x4c0
[86.862779] sysfs_create_group+0x13/0x20
[86.862792] topology_add_dev+0x1d/0x30
[86.862806] cpuhp_invoke_callback+0x4b5/0x850
[86.862822] cpuhp_issue_call+0xbf/0x1f0
[86.862836] __cpuhp_setup_state_cpuslocked+0x111/0x320
[86.862852] __cpuhp_setup_state+0xb0/0x220
[86.862866] topology_sysfs_init+0x30/0x50
[86.862879] do_one_initcall+0x60/0x3f0
[86.862893] kernel_init_freeable+0x3cd/0x680
[86.862908] kernel_init+0x1b/0x200
[86.862921] ret_from_fork+0x47/0x70
[86.862934] ret_from_fork_asm+0x1a/0x30
[86.862947]
-> #1 (cpuhp_state_mutex){+.+.}-{3:3}:
[86.862969] __mutex_lock+0xaa/0xed0
[86.862982] mutex_lock_nested+0x1b/0x30
[86.862995] __cpuhp_setup_state_cpuslocked+0x67/0x320
[86.863012] __cpuhp_setup_state+0xb0/0x220
[86.863026] page_alloc_init_cpuhp+0x2d/0x60
[86.863041] mm_core_init+0x22/0x2d0
[86.863054] start_kernel+0x576/0xbd0
[86.863068] x86_64_start_reservations+0x18/0x30
[86.863084] x86_64_start_kernel+0xbf/0x110
[86.863098] common_startup_64+0x13e/0x141
[86.863114]
-> #0 (cpu_hotplug_lock){++++}-{0:0}:
[86.863135] __lock_acquire+0x16
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7d1c2618eac590d948eb33b9807d913ddb6e105f , < e988634d7aae7214818b9c86cd7ef9e78c84b02d
(git)
Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 20d94a6117b752fd10a78cefdc1cf2c16706048b (git) Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 3dec22bde207a36f1b8a4b80564cbbe13996a7cd (git) Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 4e73066e3323add260e46eb51f79383d87950281 (git) Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 858a50127be714f55c3bcb25621028d4a323d77e (git) Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/i915_vma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e988634d7aae7214818b9c86cd7ef9e78c84b02d",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "20d94a6117b752fd10a78cefdc1cf2c16706048b",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "3dec22bde207a36f1b8a4b80564cbbe13996a7cd",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "4e73066e3323add260e46eb51f79383d87950281",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "858a50127be714f55c3bcb25621028d4a323d77e",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/i915_vma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD\n\nOn completion of i915_vma_pin_ww(), a synchronous variant of\ndma_fence_work_commit() is called. When pinning a VMA to GGTT address\nspace on a Cherry View family processor, or on a Broxton generation SoC\nwith VTD enabled, i.e., when stop_machine() is then called from\nintel_ggtt_bind_vma(), that can potentially lead to lock inversion among\nreservation_ww and cpu_hotplug locks.\n\n[86.861179] ======================================================\n[86.861193] WARNING: possible circular locking dependency detected\n[86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G U\n[86.861226] ------------------------------------------------------\n[86.861238] i915_module_loa/1432 is trying to acquire lock:\n[86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50\n[86.861290]\nbut task is already holding lock:\n[86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915]\n[86.862233]\nwhich lock already depends on the new lock.\n[86.862251]\nthe existing dependency chain (in reverse order) is:\n[86.862265]\n-\u003e #5 (reservation_ww_class_mutex){+.+.}-{3:3}:\n[86.862292] dma_resv_lockdep+0x19a/0x390\n[86.862315] do_one_initcall+0x60/0x3f0\n[86.862334] kernel_init_freeable+0x3cd/0x680\n[86.862353] kernel_init+0x1b/0x200\n[86.862369] ret_from_fork+0x47/0x70\n[86.862383] ret_from_fork_asm+0x1a/0x30\n[86.862399]\n-\u003e #4 (reservation_ww_class_acquire){+.+.}-{0:0}:\n[86.862425] dma_resv_lockdep+0x178/0x390\n[86.862440] do_one_initcall+0x60/0x3f0\n[86.862454] kernel_init_freeable+0x3cd/0x680\n[86.862470] kernel_init+0x1b/0x200\n[86.862482] ret_from_fork+0x47/0x70\n[86.862495] ret_from_fork_asm+0x1a/0x30\n[86.862509]\n-\u003e #3 (\u0026mm-\u003emmap_lock){++++}-{3:3}:\n[86.862531] down_read_killable+0x46/0x1e0\n[86.862546] lock_mm_and_find_vma+0xa2/0x280\n[86.862561] do_user_addr_fault+0x266/0x8e0\n[86.862578] exc_page_fault+0x8a/0x2f0\n[86.862593] asm_exc_page_fault+0x27/0x30\n[86.862607] filldir64+0xeb/0x180\n[86.862620] kernfs_fop_readdir+0x118/0x480\n[86.862635] iterate_dir+0xcf/0x2b0\n[86.862648] __x64_sys_getdents64+0x84/0x140\n[86.862661] x64_sys_call+0x1058/0x2660\n[86.862675] do_syscall_64+0x91/0xe90\n[86.862689] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[86.862703]\n-\u003e #2 (\u0026root-\u003ekernfs_rwsem){++++}-{3:3}:\n[86.862725] down_write+0x3e/0xf0\n[86.862738] kernfs_add_one+0x30/0x3c0\n[86.862751] kernfs_create_dir_ns+0x53/0xb0\n[86.862765] internal_create_group+0x134/0x4c0\n[86.862779] sysfs_create_group+0x13/0x20\n[86.862792] topology_add_dev+0x1d/0x30\n[86.862806] cpuhp_invoke_callback+0x4b5/0x850\n[86.862822] cpuhp_issue_call+0xbf/0x1f0\n[86.862836] __cpuhp_setup_state_cpuslocked+0x111/0x320\n[86.862852] __cpuhp_setup_state+0xb0/0x220\n[86.862866] topology_sysfs_init+0x30/0x50\n[86.862879] do_one_initcall+0x60/0x3f0\n[86.862893] kernel_init_freeable+0x3cd/0x680\n[86.862908] kernel_init+0x1b/0x200\n[86.862921] ret_from_fork+0x47/0x70\n[86.862934] ret_from_fork_asm+0x1a/0x30\n[86.862947]\n-\u003e #1 (cpuhp_state_mutex){+.+.}-{3:3}:\n[86.862969] __mutex_lock+0xaa/0xed0\n[86.862982] mutex_lock_nested+0x1b/0x30\n[86.862995] __cpuhp_setup_state_cpuslocked+0x67/0x320\n[86.863012] __cpuhp_setup_state+0xb0/0x220\n[86.863026] page_alloc_init_cpuhp+0x2d/0x60\n[86.863041] mm_core_init+0x22/0x2d0\n[86.863054] start_kernel+0x576/0xbd0\n[86.863068] x86_64_start_reservations+0x18/0x30\n[86.863084] x86_64_start_kernel+0xbf/0x110\n[86.863098] common_startup_64+0x13e/0x141\n[86.863114]\n-\u003e #0 (cpu_hotplug_lock){++++}-{0:0}:\n[86.863135] __lock_acquire+0x16\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:21:21.277Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e988634d7aae7214818b9c86cd7ef9e78c84b02d"
},
{
"url": "https://git.kernel.org/stable/c/20d94a6117b752fd10a78cefdc1cf2c16706048b"
},
{
"url": "https://git.kernel.org/stable/c/3dec22bde207a36f1b8a4b80564cbbe13996a7cd"
},
{
"url": "https://git.kernel.org/stable/c/4e73066e3323add260e46eb51f79383d87950281"
},
{
"url": "https://git.kernel.org/stable/c/858a50127be714f55c3bcb25621028d4a323d77e"
},
{
"url": "https://git.kernel.org/stable/c/84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b"
}
],
"title": "drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68244",
"datePublished": "2025-12-16T14:21:21.277Z",
"dateReserved": "2025-12-16T13:41:40.263Z",
"dateUpdated": "2025-12-16T14:21:21.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39824 (GCVE-0-2025-39824)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
HID: asus: fix UAF via HID_CLAIMED_INPUT validation
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: asus: fix UAF via HID_CLAIMED_INPUT validation
After hid_hw_start() is called hidinput_connect() will eventually be
called to set up the device with the input layer since the
HID_CONNECT_DEFAULT connect mask is used. During hidinput_connect()
all input and output reports are processed and corresponding hid_inputs
are allocated and configured via hidinput_configure_usages(). This
process involves slot tagging report fields and configuring usages
by setting relevant bits in the capability bitmaps. However it is possible
that the capability bitmaps are not set at all leading to the subsequent
hidinput_has_been_populated() check to fail leading to the freeing of the
hid_input and the underlying input device.
This becomes problematic because a malicious HID device like a
ASUS ROG N-Key keyboard can trigger the above scenario via a
specially crafted descriptor which then leads to a user-after-free
when the name of the freed input device is written to later on after
hid_hw_start(). Below, report 93 intentionally utilises the
HID_UP_UNDEFINED Usage Page which is skipped during usage
configuration, leading to the frees.
0x05, 0x0D, // Usage Page (Digitizer)
0x09, 0x05, // Usage (Touch Pad)
0xA1, 0x01, // Collection (Application)
0x85, 0x0D, // Report ID (13)
0x06, 0x00, 0xFF, // Usage Page (Vendor Defined 0xFF00)
0x09, 0xC5, // Usage (0xC5)
0x15, 0x00, // Logical Minimum (0)
0x26, 0xFF, 0x00, // Logical Maximum (255)
0x75, 0x08, // Report Size (8)
0x95, 0x04, // Report Count (4)
0xB1, 0x02, // Feature (Data,Var,Abs)
0x85, 0x5D, // Report ID (93)
0x06, 0x00, 0x00, // Usage Page (Undefined)
0x09, 0x01, // Usage (0x01)
0x15, 0x00, // Logical Minimum (0)
0x26, 0xFF, 0x00, // Logical Maximum (255)
0x75, 0x08, // Report Size (8)
0x95, 0x1B, // Report Count (27)
0x81, 0x02, // Input (Data,Var,Abs)
0xC0, // End Collection
Below is the KASAN splat after triggering the UAF:
[ 21.672709] ==================================================================
[ 21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80
[ 21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54
[ 21.673700]
[ 21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary)
[ 21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 21.673700] Call Trace:
[ 21.673700] <TASK>
[ 21.673700] dump_stack_lvl+0x5f/0x80
[ 21.673700] print_report+0xd1/0x660
[ 21.673700] kasan_report+0xe5/0x120
[ 21.673700] __asan_report_store8_noabort+0x1b/0x30
[ 21.673700] asus_probe+0xeeb/0xf80
[ 21.673700] hid_device_probe+0x2ee/0x700
[ 21.673700] really_probe+0x1c6/0x6b0
[ 21.673700] __driver_probe_device+0x24f/0x310
[ 21.673700] driver_probe_device+0x4e/0x220
[...]
[ 21.673700]
[ 21.673700] Allocated by task 54:
[ 21.673700] kasan_save_stack+0x3d/0x60
[ 21.673700] kasan_save_track+0x18/0x40
[ 21.673700] kasan_save_alloc_info+0x3b/0x50
[ 21.673700] __kasan_kmalloc+0x9c/0xa0
[ 21.673700] __kmalloc_cache_noprof+0x139/0x340
[ 21.673700] input_allocate_device+0x44/0x370
[ 21.673700] hidinput_connect+0xcb6/0x2630
[ 21.673700] hid_connect+0xf74/0x1d60
[ 21.673700] hid_hw_start+0x8c/0x110
[ 21.673700] asus_probe+0x5a3/0xf80
[ 21.673700] hid_device_probe+0x2ee/0x700
[ 21.673700] really_probe+0x1c6/0x6b0
[ 21.673700] __driver_probe_device+0x24f/0x310
[ 21.673700] driver_probe_device+0x4e/0x220
[...]
[ 21.673700]
[ 21.673700] Freed by task 54:
[ 21.673700] kasan_save_stack+0x3d/0x60
[ 21.673700] kasan_save_track+0x18/0x40
[ 21.673700] kasan_save_free_info+0x3f/0x60
[ 21.673700] __kasan_slab_free+0x3c/0x50
[ 21.673700] kfre
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9ce12d8be12c94334634dd57050444910415e45f , < 9a9e4a8317437bf944fa017c66e1e23a0368b5c7
(git)
Affected: 9ce12d8be12c94334634dd57050444910415e45f , < 7170122e2ae4ab378c9cdf7cc54dea8b0abbbca5 (git) Affected: 9ce12d8be12c94334634dd57050444910415e45f , < eaae728e7335b5dbad70966e2bd520a731fdf7b2 (git) Affected: 9ce12d8be12c94334634dd57050444910415e45f , < a8ca8fe7f516d27ece3afb995c3bd4d07dcbe62c (git) Affected: 9ce12d8be12c94334634dd57050444910415e45f , < 5f3c0839b173f7f33415eb098331879e547d1d2d (git) Affected: 9ce12d8be12c94334634dd57050444910415e45f , < c0d77e3441a92d0b4958193c9ac1c3f81c6f1d1c (git) Affected: 9ce12d8be12c94334634dd57050444910415e45f , < 72a4ec018c9e9bc52f4f80eb3afb5d6a6b752275 (git) Affected: 9ce12d8be12c94334634dd57050444910415e45f , < d3af6ca9a8c34bbd8cff32b469b84c9021c9e7e4 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:45.289Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-asus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a9e4a8317437bf944fa017c66e1e23a0368b5c7",
"status": "affected",
"version": "9ce12d8be12c94334634dd57050444910415e45f",
"versionType": "git"
},
{
"lessThan": "7170122e2ae4ab378c9cdf7cc54dea8b0abbbca5",
"status": "affected",
"version": "9ce12d8be12c94334634dd57050444910415e45f",
"versionType": "git"
},
{
"lessThan": "eaae728e7335b5dbad70966e2bd520a731fdf7b2",
"status": "affected",
"version": "9ce12d8be12c94334634dd57050444910415e45f",
"versionType": "git"
},
{
"lessThan": "a8ca8fe7f516d27ece3afb995c3bd4d07dcbe62c",
"status": "affected",
"version": "9ce12d8be12c94334634dd57050444910415e45f",
"versionType": "git"
},
{
"lessThan": "5f3c0839b173f7f33415eb098331879e547d1d2d",
"status": "affected",
"version": "9ce12d8be12c94334634dd57050444910415e45f",
"versionType": "git"
},
{
"lessThan": "c0d77e3441a92d0b4958193c9ac1c3f81c6f1d1c",
"status": "affected",
"version": "9ce12d8be12c94334634dd57050444910415e45f",
"versionType": "git"
},
{
"lessThan": "72a4ec018c9e9bc52f4f80eb3afb5d6a6b752275",
"status": "affected",
"version": "9ce12d8be12c94334634dd57050444910415e45f",
"versionType": "git"
},
{
"lessThan": "d3af6ca9a8c34bbd8cff32b469b84c9021c9e7e4",
"status": "affected",
"version": "9ce12d8be12c94334634dd57050444910415e45f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-asus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.298",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: asus: fix UAF via HID_CLAIMED_INPUT validation\n\nAfter hid_hw_start() is called hidinput_connect() will eventually be\ncalled to set up the device with the input layer since the\nHID_CONNECT_DEFAULT connect mask is used. During hidinput_connect()\nall input and output reports are processed and corresponding hid_inputs\nare allocated and configured via hidinput_configure_usages(). This\nprocess involves slot tagging report fields and configuring usages\nby setting relevant bits in the capability bitmaps. However it is possible\nthat the capability bitmaps are not set at all leading to the subsequent\nhidinput_has_been_populated() check to fail leading to the freeing of the\nhid_input and the underlying input device.\n\nThis becomes problematic because a malicious HID device like a\nASUS ROG N-Key keyboard can trigger the above scenario via a\nspecially crafted descriptor which then leads to a user-after-free\nwhen the name of the freed input device is written to later on after\nhid_hw_start(). Below, report 93 intentionally utilises the\nHID_UP_UNDEFINED Usage Page which is skipped during usage\nconfiguration, leading to the frees.\n\n0x05, 0x0D, // Usage Page (Digitizer)\n0x09, 0x05, // Usage (Touch Pad)\n0xA1, 0x01, // Collection (Application)\n0x85, 0x0D, // Report ID (13)\n0x06, 0x00, 0xFF, // Usage Page (Vendor Defined 0xFF00)\n0x09, 0xC5, // Usage (0xC5)\n0x15, 0x00, // Logical Minimum (0)\n0x26, 0xFF, 0x00, // Logical Maximum (255)\n0x75, 0x08, // Report Size (8)\n0x95, 0x04, // Report Count (4)\n0xB1, 0x02, // Feature (Data,Var,Abs)\n0x85, 0x5D, // Report ID (93)\n0x06, 0x00, 0x00, // Usage Page (Undefined)\n0x09, 0x01, // Usage (0x01)\n0x15, 0x00, // Logical Minimum (0)\n0x26, 0xFF, 0x00, // Logical Maximum (255)\n0x75, 0x08, // Report Size (8)\n0x95, 0x1B, // Report Count (27)\n0x81, 0x02, // Input (Data,Var,Abs)\n0xC0, // End Collection\n\nBelow is the KASAN splat after triggering the UAF:\n\n[ 21.672709] ==================================================================\n[ 21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80\n[ 21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54\n[ 21.673700]\n[ 21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary)\n[ 21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n[ 21.673700] Call Trace:\n[ 21.673700] \u003cTASK\u003e\n[ 21.673700] dump_stack_lvl+0x5f/0x80\n[ 21.673700] print_report+0xd1/0x660\n[ 21.673700] kasan_report+0xe5/0x120\n[ 21.673700] __asan_report_store8_noabort+0x1b/0x30\n[ 21.673700] asus_probe+0xeeb/0xf80\n[ 21.673700] hid_device_probe+0x2ee/0x700\n[ 21.673700] really_probe+0x1c6/0x6b0\n[ 21.673700] __driver_probe_device+0x24f/0x310\n[ 21.673700] driver_probe_device+0x4e/0x220\n[...]\n[ 21.673700]\n[ 21.673700] Allocated by task 54:\n[ 21.673700] kasan_save_stack+0x3d/0x60\n[ 21.673700] kasan_save_track+0x18/0x40\n[ 21.673700] kasan_save_alloc_info+0x3b/0x50\n[ 21.673700] __kasan_kmalloc+0x9c/0xa0\n[ 21.673700] __kmalloc_cache_noprof+0x139/0x340\n[ 21.673700] input_allocate_device+0x44/0x370\n[ 21.673700] hidinput_connect+0xcb6/0x2630\n[ 21.673700] hid_connect+0xf74/0x1d60\n[ 21.673700] hid_hw_start+0x8c/0x110\n[ 21.673700] asus_probe+0x5a3/0xf80\n[ 21.673700] hid_device_probe+0x2ee/0x700\n[ 21.673700] really_probe+0x1c6/0x6b0\n[ 21.673700] __driver_probe_device+0x24f/0x310\n[ 21.673700] driver_probe_device+0x4e/0x220\n[...]\n[ 21.673700]\n[ 21.673700] Freed by task 54:\n[ 21.673700] kasan_save_stack+0x3d/0x60\n[ 21.673700] kasan_save_track+0x18/0x40\n[ 21.673700] kasan_save_free_info+0x3f/0x60\n[ 21.673700] __kasan_slab_free+0x3c/0x50\n[ 21.673700] kfre\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:24.964Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a9e4a8317437bf944fa017c66e1e23a0368b5c7"
},
{
"url": "https://git.kernel.org/stable/c/7170122e2ae4ab378c9cdf7cc54dea8b0abbbca5"
},
{
"url": "https://git.kernel.org/stable/c/eaae728e7335b5dbad70966e2bd520a731fdf7b2"
},
{
"url": "https://git.kernel.org/stable/c/a8ca8fe7f516d27ece3afb995c3bd4d07dcbe62c"
},
{
"url": "https://git.kernel.org/stable/c/5f3c0839b173f7f33415eb098331879e547d1d2d"
},
{
"url": "https://git.kernel.org/stable/c/c0d77e3441a92d0b4958193c9ac1c3f81c6f1d1c"
},
{
"url": "https://git.kernel.org/stable/c/72a4ec018c9e9bc52f4f80eb3afb5d6a6b752275"
},
{
"url": "https://git.kernel.org/stable/c/d3af6ca9a8c34bbd8cff32b469b84c9021c9e7e4"
}
],
"title": "HID: asus: fix UAF via HID_CLAIMED_INPUT validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39824",
"datePublished": "2025-09-16T13:00:23.135Z",
"dateReserved": "2025-04-16T07:20:57.139Z",
"dateUpdated": "2025-11-03T17:43:45.289Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39866 (GCVE-0-2025-39866)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2026-01-02 15:32
VLAI?
EPSS
Title
fs: writeback: fix use-after-free in __mark_inode_dirty()
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: writeback: fix use-after-free in __mark_inode_dirty()
An use-after-free issue occurred when __mark_inode_dirty() get the
bdi_writeback that was in the progress of switching.
CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1
......
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __mark_inode_dirty+0x124/0x418
lr : __mark_inode_dirty+0x118/0x418
sp : ffffffc08c9dbbc0
........
Call trace:
__mark_inode_dirty+0x124/0x418
generic_update_time+0x4c/0x60
file_modified+0xcc/0xd0
ext4_buffered_write_iter+0x58/0x124
ext4_file_write_iter+0x54/0x704
vfs_write+0x1c0/0x308
ksys_write+0x74/0x10c
__arm64_sys_write+0x1c/0x28
invoke_syscall+0x48/0x114
el0_svc_common.constprop.0+0xc0/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x40/0xe4
el0t_64_sync_handler+0x120/0x12c
el0t_64_sync+0x194/0x198
Root cause is:
systemd-random-seed kworker
----------------------------------------------------------------------
___mark_inode_dirty inode_switch_wbs_work_fn
spin_lock(&inode->i_lock);
inode_attach_wb
locked_inode_to_wb_and_lock_list
get inode->i_wb
spin_unlock(&inode->i_lock);
spin_lock(&wb->list_lock)
spin_lock(&inode->i_lock)
inode_io_list_move_locked
spin_unlock(&wb->list_lock)
spin_unlock(&inode->i_lock)
spin_lock(&old_wb->list_lock)
inode_do_switch_wbs
spin_lock(&inode->i_lock)
inode->i_wb = new_wb
spin_unlock(&inode->i_lock)
spin_unlock(&old_wb->list_lock)
wb_put_many(old_wb, nr_switched)
cgwb_release
old wb released
wb_wakeup_delayed() accesses wb,
then trigger the use-after-free
issue
Fix this race condition by holding inode spinlock until
wb_wakeup_delayed() finished.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0747259d13febfcc838980a63c414c9b920cea6f , < e2a14bbae5d8bacaa301362744a110e2be40a3a3
(git)
Affected: 0747259d13febfcc838980a63c414c9b920cea6f , < b187c976111960e6e54a6b1fff724f6e3d39406c (git) Affected: 0747259d13febfcc838980a63c414c9b920cea6f , < 1edc2feb9c759a9883dfe81cb5ed231412d8b2e4 (git) Affected: 0747259d13febfcc838980a63c414c9b920cea6f , < bf89b1f87c72df79cf76203f71fbf8349cd5c9de (git) Affected: 0747259d13febfcc838980a63c414c9b920cea6f , < e63052921f1b25a836feb1500b841bff7a4a0456 (git) Affected: 0747259d13febfcc838980a63c414c9b920cea6f , < c8c14adf80bd1a6e4a1d7ee9c2a816881c26d17a (git) Affected: 0747259d13febfcc838980a63c414c9b920cea6f , < d02d2c98d25793902f65803ab853b592c7a96b29 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:17.299Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fs-writeback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e2a14bbae5d8bacaa301362744a110e2be40a3a3",
"status": "affected",
"version": "0747259d13febfcc838980a63c414c9b920cea6f",
"versionType": "git"
},
{
"lessThan": "b187c976111960e6e54a6b1fff724f6e3d39406c",
"status": "affected",
"version": "0747259d13febfcc838980a63c414c9b920cea6f",
"versionType": "git"
},
{
"lessThan": "1edc2feb9c759a9883dfe81cb5ed231412d8b2e4",
"status": "affected",
"version": "0747259d13febfcc838980a63c414c9b920cea6f",
"versionType": "git"
},
{
"lessThan": "bf89b1f87c72df79cf76203f71fbf8349cd5c9de",
"status": "affected",
"version": "0747259d13febfcc838980a63c414c9b920cea6f",
"versionType": "git"
},
{
"lessThan": "e63052921f1b25a836feb1500b841bff7a4a0456",
"status": "affected",
"version": "0747259d13febfcc838980a63c414c9b920cea6f",
"versionType": "git"
},
{
"lessThan": "c8c14adf80bd1a6e4a1d7ee9c2a816881c26d17a",
"status": "affected",
"version": "0747259d13febfcc838980a63c414c9b920cea6f",
"versionType": "git"
},
{
"lessThan": "d02d2c98d25793902f65803ab853b592c7a96b29",
"status": "affected",
"version": "0747259d13febfcc838980a63c414c9b920cea6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fs-writeback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: writeback: fix use-after-free in __mark_inode_dirty()\n\nAn use-after-free issue occurred when __mark_inode_dirty() get the\nbdi_writeback that was in the progress of switching.\n\nCPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1\n......\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __mark_inode_dirty+0x124/0x418\nlr : __mark_inode_dirty+0x118/0x418\nsp : ffffffc08c9dbbc0\n........\nCall trace:\n __mark_inode_dirty+0x124/0x418\n generic_update_time+0x4c/0x60\n file_modified+0xcc/0xd0\n ext4_buffered_write_iter+0x58/0x124\n ext4_file_write_iter+0x54/0x704\n vfs_write+0x1c0/0x308\n ksys_write+0x74/0x10c\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x114\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x40/0xe4\n el0t_64_sync_handler+0x120/0x12c\n el0t_64_sync+0x194/0x198\n\nRoot cause is:\n\nsystemd-random-seed kworker\n----------------------------------------------------------------------\n___mark_inode_dirty inode_switch_wbs_work_fn\n\n spin_lock(\u0026inode-\u003ei_lock);\n inode_attach_wb\n locked_inode_to_wb_and_lock_list\n get inode-\u003ei_wb\n spin_unlock(\u0026inode-\u003ei_lock);\n spin_lock(\u0026wb-\u003elist_lock)\n spin_lock(\u0026inode-\u003ei_lock)\n inode_io_list_move_locked\n spin_unlock(\u0026wb-\u003elist_lock)\n spin_unlock(\u0026inode-\u003ei_lock)\n spin_lock(\u0026old_wb-\u003elist_lock)\n inode_do_switch_wbs\n spin_lock(\u0026inode-\u003ei_lock)\n inode-\u003ei_wb = new_wb\n spin_unlock(\u0026inode-\u003ei_lock)\n spin_unlock(\u0026old_wb-\u003elist_lock)\n wb_put_many(old_wb, nr_switched)\n cgwb_release\n old wb released\n wb_wakeup_delayed() accesses wb,\n then trigger the use-after-free\n issue\n\nFix this race condition by holding inode spinlock until\nwb_wakeup_delayed() finished."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:38.840Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e2a14bbae5d8bacaa301362744a110e2be40a3a3"
},
{
"url": "https://git.kernel.org/stable/c/b187c976111960e6e54a6b1fff724f6e3d39406c"
},
{
"url": "https://git.kernel.org/stable/c/1edc2feb9c759a9883dfe81cb5ed231412d8b2e4"
},
{
"url": "https://git.kernel.org/stable/c/bf89b1f87c72df79cf76203f71fbf8349cd5c9de"
},
{
"url": "https://git.kernel.org/stable/c/e63052921f1b25a836feb1500b841bff7a4a0456"
},
{
"url": "https://git.kernel.org/stable/c/c8c14adf80bd1a6e4a1d7ee9c2a816881c26d17a"
},
{
"url": "https://git.kernel.org/stable/c/d02d2c98d25793902f65803ab853b592c7a96b29"
}
],
"title": "fs: writeback: fix use-after-free in __mark_inode_dirty()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39866",
"datePublished": "2025-09-19T15:26:35.725Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2026-01-02T15:32:38.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40062 (GCVE-0-2025-40062)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs
When the initialization of qm->debug.acc_diff_reg fails,
the probe process does not exit. However, after qm->debug.qm_diff_regs is
freed, it is not set to NULL. This can lead to a double free when the
remove process attempts to free it again. Therefore, qm->debug.qm_diff_regs
should be set to NULL after it is freed.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
eda60520cfe3aba9f088c68ebd5bcbca9fc6ac3c , < a7836260d5121949ba734e840d42a86ab4a32fcc
(git)
Affected: 7fc8d9a525b5c3f8dfa5ed50901e764d8ede7e1e , < 1750f1ec143ebabdbdfa013668665c9d5042c430 (git) Affected: 8be0913389718e8d27c4f1d4537b5e1b99ed7739 , < a87a21a56244b8f4eb357f6bad879247005bbe38 (git) Affected: 8be0913389718e8d27c4f1d4537b5e1b99ed7739 , < 7226a0650ad5705bd8d39a11be270fa21ed1e6a5 (git) Affected: 8be0913389718e8d27c4f1d4537b5e1b99ed7739 , < f0cafb02de883b3b413d34eb079c9680782a9cc1 (git) Affected: e0a2d2df9ba7bd6bd7e0a9b6a5e3894f7e8445b3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/hisilicon/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7836260d5121949ba734e840d42a86ab4a32fcc",
"status": "affected",
"version": "eda60520cfe3aba9f088c68ebd5bcbca9fc6ac3c",
"versionType": "git"
},
{
"lessThan": "1750f1ec143ebabdbdfa013668665c9d5042c430",
"status": "affected",
"version": "7fc8d9a525b5c3f8dfa5ed50901e764d8ede7e1e",
"versionType": "git"
},
{
"lessThan": "a87a21a56244b8f4eb357f6bad879247005bbe38",
"status": "affected",
"version": "8be0913389718e8d27c4f1d4537b5e1b99ed7739",
"versionType": "git"
},
{
"lessThan": "7226a0650ad5705bd8d39a11be270fa21ed1e6a5",
"status": "affected",
"version": "8be0913389718e8d27c4f1d4537b5e1b99ed7739",
"versionType": "git"
},
{
"lessThan": "f0cafb02de883b3b413d34eb079c9680782a9cc1",
"status": "affected",
"version": "8be0913389718e8d27c4f1d4537b5e1b99ed7739",
"versionType": "git"
},
{
"status": "affected",
"version": "e0a2d2df9ba7bd6bd7e0a9b6a5e3894f7e8445b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/hisilicon/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.1.98",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.9.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/qm - set NULL to qm-\u003edebug.qm_diff_regs\n\nWhen the initialization of qm-\u003edebug.acc_diff_reg fails,\nthe probe process does not exit. However, after qm-\u003edebug.qm_diff_regs is\nfreed, it is not set to NULL. This can lead to a double free when the\nremove process attempts to free it again. Therefore, qm-\u003edebug.qm_diff_regs\nshould be set to NULL after it is freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:12.170Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7836260d5121949ba734e840d42a86ab4a32fcc"
},
{
"url": "https://git.kernel.org/stable/c/1750f1ec143ebabdbdfa013668665c9d5042c430"
},
{
"url": "https://git.kernel.org/stable/c/a87a21a56244b8f4eb357f6bad879247005bbe38"
},
{
"url": "https://git.kernel.org/stable/c/7226a0650ad5705bd8d39a11be270fa21ed1e6a5"
},
{
"url": "https://git.kernel.org/stable/c/f0cafb02de883b3b413d34eb079c9680782a9cc1"
}
],
"title": "crypto: hisilicon/qm - set NULL to qm-\u003edebug.qm_diff_regs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40062",
"datePublished": "2025-10-28T11:48:33.961Z",
"dateReserved": "2025-04-16T07:20:57.158Z",
"dateUpdated": "2025-12-01T06:17:12.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40032 (GCVE-0-2025-40032)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release
The fields dma_chan_tx and dma_chan_rx of the struct pci_epf_test can be
NULL even after EPF initialization. Then it is prudent to check that
they have non-NULL values before releasing the channels. Add the checks
in pci_epf_test_clean_dma_chan().
Without the checks, NULL pointer dereferences happen and they can lead
to a kernel panic in some cases:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050
Call trace:
dma_release_channel+0x2c/0x120 (P)
pci_epf_test_epc_deinit+0x94/0xc0 [pci_epf_test]
pci_epc_deinit_notify+0x74/0xc0
tegra_pcie_ep_pex_rst_irq+0x250/0x5d8
irq_thread_fn+0x34/0xb8
irq_thread+0x18c/0x2e8
kthread+0x14c/0x210
ret_from_fork+0x10/0x20
[mani: trimmed the stack trace]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5ebf3fc59bd20d17df3ba26159787d13cf20d362 , < 6411f840a9b5c47c00ca8e004733de232553870d
(git)
Affected: 5ebf3fc59bd20d17df3ba26159787d13cf20d362 , < 0c5ce6b6ccc22d486cc7239ed908cb0ae5363a7b (git) Affected: 5ebf3fc59bd20d17df3ba26159787d13cf20d362 , < fb54ffd60064c4e5139a3eb216e877b1acae1c8b (git) Affected: 5ebf3fc59bd20d17df3ba26159787d13cf20d362 , < 57f7fb0d1ac28540c0f6405c829bb9c3b89d8dba (git) Affected: 5ebf3fc59bd20d17df3ba26159787d13cf20d362 , < 85afa9ea122dd9d4a2ead104a951d318975dcd25 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/endpoint/functions/pci-epf-test.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6411f840a9b5c47c00ca8e004733de232553870d",
"status": "affected",
"version": "5ebf3fc59bd20d17df3ba26159787d13cf20d362",
"versionType": "git"
},
{
"lessThan": "0c5ce6b6ccc22d486cc7239ed908cb0ae5363a7b",
"status": "affected",
"version": "5ebf3fc59bd20d17df3ba26159787d13cf20d362",
"versionType": "git"
},
{
"lessThan": "fb54ffd60064c4e5139a3eb216e877b1acae1c8b",
"status": "affected",
"version": "5ebf3fc59bd20d17df3ba26159787d13cf20d362",
"versionType": "git"
},
{
"lessThan": "57f7fb0d1ac28540c0f6405c829bb9c3b89d8dba",
"status": "affected",
"version": "5ebf3fc59bd20d17df3ba26159787d13cf20d362",
"versionType": "git"
},
{
"lessThan": "85afa9ea122dd9d4a2ead104a951d318975dcd25",
"status": "affected",
"version": "5ebf3fc59bd20d17df3ba26159787d13cf20d362",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/endpoint/functions/pci-epf-test.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release\n\nThe fields dma_chan_tx and dma_chan_rx of the struct pci_epf_test can be\nNULL even after EPF initialization. Then it is prudent to check that\nthey have non-NULL values before releasing the channels. Add the checks\nin pci_epf_test_clean_dma_chan().\n\nWithout the checks, NULL pointer dereferences happen and they can lead\nto a kernel panic in some cases:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n Call trace:\n dma_release_channel+0x2c/0x120 (P)\n pci_epf_test_epc_deinit+0x94/0xc0 [pci_epf_test]\n pci_epc_deinit_notify+0x74/0xc0\n tegra_pcie_ep_pex_rst_irq+0x250/0x5d8\n irq_thread_fn+0x34/0xb8\n irq_thread+0x18c/0x2e8\n kthread+0x14c/0x210\n ret_from_fork+0x10/0x20\n\n[mani: trimmed the stack trace]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:35.381Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6411f840a9b5c47c00ca8e004733de232553870d"
},
{
"url": "https://git.kernel.org/stable/c/0c5ce6b6ccc22d486cc7239ed908cb0ae5363a7b"
},
{
"url": "https://git.kernel.org/stable/c/fb54ffd60064c4e5139a3eb216e877b1acae1c8b"
},
{
"url": "https://git.kernel.org/stable/c/57f7fb0d1ac28540c0f6405c829bb9c3b89d8dba"
},
{
"url": "https://git.kernel.org/stable/c/85afa9ea122dd9d4a2ead104a951d318975dcd25"
}
],
"title": "PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40032",
"datePublished": "2025-10-28T11:48:14.876Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-12-01T06:16:35.381Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39678 (GCVE-0-2025-39678)
Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2025-10-29 13:19
VLAI?
EPSS
Title
platform/x86/amd/hsmp: Ensure sock->metric_tbl_addr is non-NULL
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86/amd/hsmp: Ensure sock->metric_tbl_addr is non-NULL
If metric table address is not allocated, accessing metrics_bin will
result in a NULL pointer dereference, so add a check.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5150542b8ec5fb561be080ed0ef3bab8598154c3 , < 782977c0d8ba432b6fd3d5d0d87016a523ec1c69
(git)
Affected: 5150542b8ec5fb561be080ed0ef3bab8598154c3 , < d47782d5c0cb87b9826041f34505580204ccf703 (git) Affected: 5150542b8ec5fb561be080ed0ef3bab8598154c3 , < 2c78fb287e1f430b929f2e49786518350d15605c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/amd/hsmp/hsmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "782977c0d8ba432b6fd3d5d0d87016a523ec1c69",
"status": "affected",
"version": "5150542b8ec5fb561be080ed0ef3bab8598154c3",
"versionType": "git"
},
{
"lessThan": "d47782d5c0cb87b9826041f34505580204ccf703",
"status": "affected",
"version": "5150542b8ec5fb561be080ed0ef3bab8598154c3",
"versionType": "git"
},
{
"lessThan": "2c78fb287e1f430b929f2e49786518350d15605c",
"status": "affected",
"version": "5150542b8ec5fb561be080ed0ef3bab8598154c3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/amd/hsmp/hsmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd/hsmp: Ensure sock-\u003emetric_tbl_addr is non-NULL\n\nIf metric table address is not allocated, accessing metrics_bin will\nresult in a NULL pointer dereference, so add a check."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T13:19:05.807Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/782977c0d8ba432b6fd3d5d0d87016a523ec1c69"
},
{
"url": "https://git.kernel.org/stable/c/d47782d5c0cb87b9826041f34505580204ccf703"
},
{
"url": "https://git.kernel.org/stable/c/2c78fb287e1f430b929f2e49786518350d15605c"
}
],
"title": "platform/x86/amd/hsmp: Ensure sock-\u003emetric_tbl_addr is non-NULL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39678",
"datePublished": "2025-09-05T17:20:44.246Z",
"dateReserved": "2025-04-16T07:20:57.112Z",
"dateUpdated": "2025-10-29T13:19:05.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39846 (GCVE-0-2025-39846)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()
Summary
In the Linux kernel, the following vulnerability has been resolved:
pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()
In __iodyn_find_io_region(), pcmcia_make_resource() is assigned to
res and used in pci_bus_alloc_resource(). There is a dereference of res
in pci_bus_alloc_resource(), which could lead to a NULL pointer
dereference on failure of pcmcia_make_resource().
Fix this bug by adding a check of res.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
49b1153adfe18a3cce7e70aa26c690f275917cd0 , < b990c8c6ff50649ad3352507398e443b1e3527b2
(git)
Affected: 49b1153adfe18a3cce7e70aa26c690f275917cd0 , < 5ff2826c998370bf7f9ae26fe802140d220e3510 (git) Affected: 49b1153adfe18a3cce7e70aa26c690f275917cd0 , < 4bd570f494124608a0696da070f00236a96fb610 (git) Affected: 49b1153adfe18a3cce7e70aa26c690f275917cd0 , < ce3b7766276894d2fbb07e2047a171f9deb965de (git) Affected: 49b1153adfe18a3cce7e70aa26c690f275917cd0 , < 2ee32c4c4f636e474cd8ab7c19a68cf36072ea93 (git) Affected: 49b1153adfe18a3cce7e70aa26c690f275917cd0 , < fafa7450075f41d232bc785a4ebcbf16374f2076 (git) Affected: 49b1153adfe18a3cce7e70aa26c690f275917cd0 , < d7286005e8fde0a430dc180a9f46c088c7d74483 (git) Affected: 49b1153adfe18a3cce7e70aa26c690f275917cd0 , < 44822df89e8f3386871d9cad563ece8e2fd8f0e7 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:02.991Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pcmcia/rsrc_iodyn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b990c8c6ff50649ad3352507398e443b1e3527b2",
"status": "affected",
"version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
"versionType": "git"
},
{
"lessThan": "5ff2826c998370bf7f9ae26fe802140d220e3510",
"status": "affected",
"version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
"versionType": "git"
},
{
"lessThan": "4bd570f494124608a0696da070f00236a96fb610",
"status": "affected",
"version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
"versionType": "git"
},
{
"lessThan": "ce3b7766276894d2fbb07e2047a171f9deb965de",
"status": "affected",
"version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
"versionType": "git"
},
{
"lessThan": "2ee32c4c4f636e474cd8ab7c19a68cf36072ea93",
"status": "affected",
"version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
"versionType": "git"
},
{
"lessThan": "fafa7450075f41d232bc785a4ebcbf16374f2076",
"status": "affected",
"version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
"versionType": "git"
},
{
"lessThan": "d7286005e8fde0a430dc180a9f46c088c7d74483",
"status": "affected",
"version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
"versionType": "git"
},
{
"lessThan": "44822df89e8f3386871d9cad563ece8e2fd8f0e7",
"status": "affected",
"version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pcmcia/rsrc_iodyn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()\n\nIn __iodyn_find_io_region(), pcmcia_make_resource() is assigned to\nres and used in pci_bus_alloc_resource(). There is a dereference of res\nin pci_bus_alloc_resource(), which could lead to a NULL pointer\ndereference on failure of pcmcia_make_resource().\n\nFix this bug by adding a check of res."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:56.145Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b990c8c6ff50649ad3352507398e443b1e3527b2"
},
{
"url": "https://git.kernel.org/stable/c/5ff2826c998370bf7f9ae26fe802140d220e3510"
},
{
"url": "https://git.kernel.org/stable/c/4bd570f494124608a0696da070f00236a96fb610"
},
{
"url": "https://git.kernel.org/stable/c/ce3b7766276894d2fbb07e2047a171f9deb965de"
},
{
"url": "https://git.kernel.org/stable/c/2ee32c4c4f636e474cd8ab7c19a68cf36072ea93"
},
{
"url": "https://git.kernel.org/stable/c/fafa7450075f41d232bc785a4ebcbf16374f2076"
},
{
"url": "https://git.kernel.org/stable/c/d7286005e8fde0a430dc180a9f46c088c7d74483"
},
{
"url": "https://git.kernel.org/stable/c/44822df89e8f3386871d9cad563ece8e2fd8f0e7"
}
],
"title": "pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39846",
"datePublished": "2025-09-19T15:26:19.932Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:44:02.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40333 (GCVE-0-2025-40333)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
f2fs: fix infinite loop in __insert_extent_tree()
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix infinite loop in __insert_extent_tree()
When we get wrong extent info data, and look up extent_node in rb tree,
it will cause infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoiding this by
return NULL and print some kernel messages in that case.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 765f8816d3959ef1f3f7f85e2af748594d091f40
(git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < c0b9951bb2668d67eb4817bb23fc109abc08c075 (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < f4c31adcb2a0556f43776d4e51a67de88d7fb9ee (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 23361bd54966b437e1ed3eb1a704572f4b279e58 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/extent_cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "765f8816d3959ef1f3f7f85e2af748594d091f40",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "c0b9951bb2668d67eb4817bb23fc109abc08c075",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "f4c31adcb2a0556f43776d4e51a67de88d7fb9ee",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "23361bd54966b437e1ed3eb1a704572f4b279e58",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/extent_cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix infinite loop in __insert_extent_tree()\n\nWhen we get wrong extent info data, and look up extent_node in rb tree,\nit will cause infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoiding this by\nreturn NULL and print some kernel messages in that case."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:06.595Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/765f8816d3959ef1f3f7f85e2af748594d091f40"
},
{
"url": "https://git.kernel.org/stable/c/c0b9951bb2668d67eb4817bb23fc109abc08c075"
},
{
"url": "https://git.kernel.org/stable/c/f4c31adcb2a0556f43776d4e51a67de88d7fb9ee"
},
{
"url": "https://git.kernel.org/stable/c/23361bd54966b437e1ed3eb1a704572f4b279e58"
}
],
"title": "f2fs: fix infinite loop in __insert_extent_tree()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40333",
"datePublished": "2025-12-09T04:09:50.051Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-20T08:52:06.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68746 (GCVE-0-2025-68746)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
spi: tegra210-quad: Fix timeout handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: tegra210-quad: Fix timeout handling
When the CPU that the QSPI interrupt handler runs on (typically CPU 0)
is excessively busy, it can lead to rare cases of the IRQ thread not
running before the transfer timeout is reached.
While handling the timeouts, any pending transfers are cleaned up and
the message that they correspond to is marked as failed, which leaves
the curr_xfer field pointing at stale memory.
To avoid this, clear curr_xfer to NULL upon timeout and check for this
condition when the IRQ thread is finally run.
While at it, also make sure to clear interrupts on failure so that new
interrupts can be run.
A better, more involved, fix would move the interrupt clearing into a
hard IRQ handler. Ideally we would also want to signal that the IRQ
thread no longer needs to be run after the timeout is hit to avoid the
extra check for a valid transfer.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
921fc1838fb036f690b8ba52e6a6d3644b475cbb , < 88db8bb7ed1bb474618acdf05ebd4f0758d244e2
(git)
Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < 83309dd551cfd60a5a1a98d9cab19f435b44d46d (git) Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < c934e40246da2c5726d14e94719c514e30840df8 (git) Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < 551060efb156c50fe33799038ba8145418cfdeef (git) Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < bb0c58be84f907285af45657c1d4847b960a12bf (git) Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < 01bbf25c767219b14c3235bfa85906b8d2cb8fbc (git) Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < b4e002d8a7cee3b1d70efad0e222567f92a73000 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88db8bb7ed1bb474618acdf05ebd4f0758d244e2",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "83309dd551cfd60a5a1a98d9cab19f435b44d46d",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "c934e40246da2c5726d14e94719c514e30840df8",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "551060efb156c50fe33799038ba8145418cfdeef",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "bb0c58be84f907285af45657c1d4847b960a12bf",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "01bbf25c767219b14c3235bfa85906b8d2cb8fbc",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "b4e002d8a7cee3b1d70efad0e222567f92a73000",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Fix timeout handling\n\nWhen the CPU that the QSPI interrupt handler runs on (typically CPU 0)\nis excessively busy, it can lead to rare cases of the IRQ thread not\nrunning before the transfer timeout is reached.\n\nWhile handling the timeouts, any pending transfers are cleaned up and\nthe message that they correspond to is marked as failed, which leaves\nthe curr_xfer field pointing at stale memory.\n\nTo avoid this, clear curr_xfer to NULL upon timeout and check for this\ncondition when the IRQ thread is finally run.\n\nWhile at it, also make sure to clear interrupts on failure so that new\ninterrupts can be run.\n\nA better, more involved, fix would move the interrupt clearing into a\nhard IRQ handler. Ideally we would also want to signal that the IRQ\nthread no longer needs to be run after the timeout is hit to avoid the\nextra check for a valid transfer."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:50.612Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88db8bb7ed1bb474618acdf05ebd4f0758d244e2"
},
{
"url": "https://git.kernel.org/stable/c/83309dd551cfd60a5a1a98d9cab19f435b44d46d"
},
{
"url": "https://git.kernel.org/stable/c/c934e40246da2c5726d14e94719c514e30840df8"
},
{
"url": "https://git.kernel.org/stable/c/551060efb156c50fe33799038ba8145418cfdeef"
},
{
"url": "https://git.kernel.org/stable/c/bb0c58be84f907285af45657c1d4847b960a12bf"
},
{
"url": "https://git.kernel.org/stable/c/01bbf25c767219b14c3235bfa85906b8d2cb8fbc"
},
{
"url": "https://git.kernel.org/stable/c/b4e002d8a7cee3b1d70efad0e222567f92a73000"
}
],
"title": "spi: tegra210-quad: Fix timeout handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68746",
"datePublished": "2025-12-24T12:09:42.213Z",
"dateReserved": "2025-12-24T10:30:51.031Z",
"dateUpdated": "2026-02-09T08:32:50.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68763 (GCVE-0-2025-68763)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
crypto: starfive - Correctly handle return of sg_nents_for_len
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: starfive - Correctly handle return of sg_nents_for_len
The return value of sg_nents_for_len was assigned to an unsigned long
in starfive_hash_digest, causing negative error codes to be converted
to large positive integers.
Add error checking for sg_nents_for_len and return immediately on
failure to prevent potential buffer overflows.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7883d1b28a2b0e62edcacea22de6b36a1918b15a , < 6cd14414394b4f3d6e1ed64b8241d1fcc2271820
(git)
Affected: 7883d1b28a2b0e62edcacea22de6b36a1918b15a , < 0c3854d65cc4402cb8c52d4d773450a06efecab6 (git) Affected: 7883d1b28a2b0e62edcacea22de6b36a1918b15a , < 1af5c973dd744e29fa22121f43e8646b7a7a71a7 (git) Affected: 7883d1b28a2b0e62edcacea22de6b36a1918b15a , < 9b3f71cf02e04cfaa482155e3078707fe7f8aef4 (git) Affected: 7883d1b28a2b0e62edcacea22de6b36a1918b15a , < e9eb52037a529fbb307c290e9951a62dd728b03d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/starfive/jh7110-hash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6cd14414394b4f3d6e1ed64b8241d1fcc2271820",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
},
{
"lessThan": "0c3854d65cc4402cb8c52d4d773450a06efecab6",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
},
{
"lessThan": "1af5c973dd744e29fa22121f43e8646b7a7a71a7",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
},
{
"lessThan": "9b3f71cf02e04cfaa482155e3078707fe7f8aef4",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
},
{
"lessThan": "e9eb52037a529fbb307c290e9951a62dd728b03d",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/starfive/jh7110-hash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: starfive - Correctly handle return of sg_nents_for_len\n\nThe return value of sg_nents_for_len was assigned to an unsigned long\nin starfive_hash_digest, causing negative error codes to be converted\nto large positive integers.\n\nAdd error checking for sg_nents_for_len and return immediately on\nfailure to prevent potential buffer overflows."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:07.993Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6cd14414394b4f3d6e1ed64b8241d1fcc2271820"
},
{
"url": "https://git.kernel.org/stable/c/0c3854d65cc4402cb8c52d4d773450a06efecab6"
},
{
"url": "https://git.kernel.org/stable/c/1af5c973dd744e29fa22121f43e8646b7a7a71a7"
},
{
"url": "https://git.kernel.org/stable/c/9b3f71cf02e04cfaa482155e3078707fe7f8aef4"
},
{
"url": "https://git.kernel.org/stable/c/e9eb52037a529fbb307c290e9951a62dd728b03d"
}
],
"title": "crypto: starfive - Correctly handle return of sg_nents_for_len",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68763",
"datePublished": "2026-01-05T09:32:35.678Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-02-09T08:33:07.993Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40258 (GCVE-0-2025-40258)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
mptcp: fix race condition in mptcp_schedule_work()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix race condition in mptcp_schedule_work()
syzbot reported use-after-free in mptcp_schedule_work() [1]
Issue here is that mptcp_schedule_work() schedules a work,
then gets a refcount on sk->sk_refcnt if the work was scheduled.
This refcount will be released by mptcp_worker().
[A] if (schedule_work(...)) {
[B] sock_hold(sk);
return true;
}
Problem is that mptcp_worker() can run immediately and complete before [B]
We need instead :
sock_hold(sk);
if (schedule_work(...))
return true;
sock_put(sk);
[1]
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25
Call Trace:
<TASK>
__refcount_add include/linux/refcount.h:-1 [inline]
__refcount_inc include/linux/refcount.h:366 [inline]
refcount_inc include/linux/refcount.h:383 [inline]
sock_hold include/net/sock.h:816 [inline]
mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943
mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316
call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x648/0x970 kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
handle_softirqs+0x22f/0x710 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
run_ktimerd+0xcf/0x190 kernel/softirq.c:1138
smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3b1d6210a9577369103330b0d802b0bf74b65e7f , < f865e6595acf33083168db76921e66ace8bf0e5b
(git)
Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < 99908e2d601236842d705d5fd04fb349577316f5 (git) Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < db4f7968a75250ca6c4ed70d0a78beabb2dcee18 (git) Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < 8f9ba1a99a89feef9b5867c15a0141a97e893309 (git) Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < ac28dfddedf6f209190950fc71bcff65ec4ab47b (git) Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < 3fc7723ed01d1130d4bf7063c50e0af60ecccbb4 (git) Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < 035bca3f017ee9dea3a5a756e77a6f7138cc6eea (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f865e6595acf33083168db76921e66ace8bf0e5b",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "99908e2d601236842d705d5fd04fb349577316f5",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "db4f7968a75250ca6c4ed70d0a78beabb2dcee18",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "8f9ba1a99a89feef9b5867c15a0141a97e893309",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "ac28dfddedf6f209190950fc71bcff65ec4ab47b",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "3fc7723ed01d1130d4bf7063c50e0af60ecccbb4",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "035bca3f017ee9dea3a5a756e77a6f7138cc6eea",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix race condition in mptcp_schedule_work()\n\nsyzbot reported use-after-free in mptcp_schedule_work() [1]\n\nIssue here is that mptcp_schedule_work() schedules a work,\nthen gets a refcount on sk-\u003esk_refcnt if the work was scheduled.\nThis refcount will be released by mptcp_worker().\n\n[A] if (schedule_work(...)) {\n[B] sock_hold(sk);\n return true;\n }\n\nProblem is that mptcp_worker() can run immediately and complete before [B]\n\nWe need instead :\n\n sock_hold(sk);\n if (schedule_work(...))\n return true;\n sock_put(sk);\n\n[1]\nrefcount_t: addition on 0; use-after-free.\n WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25\nCall Trace:\n \u003cTASK\u003e\n __refcount_add include/linux/refcount.h:-1 [inline]\n __refcount_inc include/linux/refcount.h:366 [inline]\n refcount_inc include/linux/refcount.h:383 [inline]\n sock_hold include/net/sock.h:816 [inline]\n mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943\n mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316\n call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747\n expire_timers kernel/time/timer.c:1798 [inline]\n __run_timers kernel/time/timer.c:2372 [inline]\n __run_timer_base+0x648/0x970 kernel/time/timer.c:2384\n run_timer_base kernel/time/timer.c:2393 [inline]\n run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403\n handle_softirqs+0x22f/0x710 kernel/softirq.c:622\n __do_softirq kernel/softirq.c:656 [inline]\n run_ktimerd+0xcf/0x190 kernel/softirq.c:1138\n smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160\n kthread+0x711/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:56.328Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f865e6595acf33083168db76921e66ace8bf0e5b"
},
{
"url": "https://git.kernel.org/stable/c/99908e2d601236842d705d5fd04fb349577316f5"
},
{
"url": "https://git.kernel.org/stable/c/db4f7968a75250ca6c4ed70d0a78beabb2dcee18"
},
{
"url": "https://git.kernel.org/stable/c/8f9ba1a99a89feef9b5867c15a0141a97e893309"
},
{
"url": "https://git.kernel.org/stable/c/ac28dfddedf6f209190950fc71bcff65ec4ab47b"
},
{
"url": "https://git.kernel.org/stable/c/3fc7723ed01d1130d4bf7063c50e0af60ecccbb4"
},
{
"url": "https://git.kernel.org/stable/c/035bca3f017ee9dea3a5a756e77a6f7138cc6eea"
}
],
"title": "mptcp: fix race condition in mptcp_schedule_work()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40258",
"datePublished": "2025-12-04T16:08:19.176Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2025-12-06T21:38:56.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68220 (GCVE-0-2025-68220)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error
Make knav_dma_open_channel consistently return NULL on error instead
of ERR_PTR. Currently the header include/linux/soc/ti/knav_dma.h
returns NULL when the driver is disabled, but the driver
implementation does not even return NULL or ERR_PTR on failure,
causing inconsistency in the users. This results in a crash in
netcp_free_navigator_resources as followed (trimmed):
Unhandled fault: alignment exception (0x221) at 0xfffffff2
[fffffff2] *pgd=80000800207003, *pmd=82ffda003, *pte=00000000
Internal error: : 221 [#1] SMP ARM
Modules linked in:
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc7 #1 NONE
Hardware name: Keystone
PC is at knav_dma_close_channel+0x30/0x19c
LR is at netcp_free_navigator_resources+0x2c/0x28c
[... TRIM...]
Call trace:
knav_dma_close_channel from netcp_free_navigator_resources+0x2c/0x28c
netcp_free_navigator_resources from netcp_ndo_open+0x430/0x46c
netcp_ndo_open from __dev_open+0x114/0x29c
__dev_open from __dev_change_flags+0x190/0x208
__dev_change_flags from netif_change_flags+0x1c/0x58
netif_change_flags from dev_change_flags+0x38/0xa0
dev_change_flags from ip_auto_config+0x2c4/0x11f0
ip_auto_config from do_one_initcall+0x58/0x200
do_one_initcall from kernel_init_freeable+0x1cc/0x238
kernel_init_freeable from kernel_init+0x1c/0x12c
kernel_init from ret_from_fork+0x14/0x38
[... TRIM...]
Standardize the error handling by making the function return NULL on
all error conditions. The API is used in just the netcp_core.c so the
impact is limited.
Note, this change, in effect reverts commit 5b6cb43b4d62 ("net:
ethernet: ti: netcp_core: return error while dma channel open issue"),
but provides a less error prone implementation.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
88139ed030583557751e279968e13e892ae10825 , < af6b10a13fc0aee37df4a8292414cc055c263fa3
(git)
Affected: 88139ed030583557751e279968e13e892ae10825 , < 8427218ecbd7f8559c37972e66cb0fa06e82353b (git) Affected: 88139ed030583557751e279968e13e892ae10825 , < 3afeb909c3e2e0eb19b1e20506196e5f2d9c2259 (git) Affected: 88139ed030583557751e279968e13e892ae10825 , < 2572c358ee434ce4b994472cceeb4043cbff5bc5 (git) Affected: 88139ed030583557751e279968e13e892ae10825 , < 952637c5b9be64539cd0e13ef88db71a1df46373 (git) Affected: 88139ed030583557751e279968e13e892ae10825 , < fbb53727ca789a8d27052aab4b77ca9e2a0fae2b (git) Affected: 88139ed030583557751e279968e13e892ae10825 , < f9608637ecc165d7d6341df105aee44691461fb9 (git) Affected: 88139ed030583557751e279968e13e892ae10825 , < 90a88306eb874fe4bbdd860e6c9787f5bbc588b5 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/netcp_core.c",
"drivers/soc/ti/knav_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af6b10a13fc0aee37df4a8292414cc055c263fa3",
"status": "affected",
"version": "88139ed030583557751e279968e13e892ae10825",
"versionType": "git"
},
{
"lessThan": "8427218ecbd7f8559c37972e66cb0fa06e82353b",
"status": "affected",
"version": "88139ed030583557751e279968e13e892ae10825",
"versionType": "git"
},
{
"lessThan": "3afeb909c3e2e0eb19b1e20506196e5f2d9c2259",
"status": "affected",
"version": "88139ed030583557751e279968e13e892ae10825",
"versionType": "git"
},
{
"lessThan": "2572c358ee434ce4b994472cceeb4043cbff5bc5",
"status": "affected",
"version": "88139ed030583557751e279968e13e892ae10825",
"versionType": "git"
},
{
"lessThan": "952637c5b9be64539cd0e13ef88db71a1df46373",
"status": "affected",
"version": "88139ed030583557751e279968e13e892ae10825",
"versionType": "git"
},
{
"lessThan": "fbb53727ca789a8d27052aab4b77ca9e2a0fae2b",
"status": "affected",
"version": "88139ed030583557751e279968e13e892ae10825",
"versionType": "git"
},
{
"lessThan": "f9608637ecc165d7d6341df105aee44691461fb9",
"status": "affected",
"version": "88139ed030583557751e279968e13e892ae10825",
"versionType": "git"
},
{
"lessThan": "90a88306eb874fe4bbdd860e6c9787f5bbc588b5",
"status": "affected",
"version": "88139ed030583557751e279968e13e892ae10825",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/netcp_core.c",
"drivers/soc/ti/knav_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error\n\nMake knav_dma_open_channel consistently return NULL on error instead\nof ERR_PTR. Currently the header include/linux/soc/ti/knav_dma.h\nreturns NULL when the driver is disabled, but the driver\nimplementation does not even return NULL or ERR_PTR on failure,\ncausing inconsistency in the users. This results in a crash in\nnetcp_free_navigator_resources as followed (trimmed):\n\nUnhandled fault: alignment exception (0x221) at 0xfffffff2\n[fffffff2] *pgd=80000800207003, *pmd=82ffda003, *pte=00000000\nInternal error: : 221 [#1] SMP ARM\nModules linked in:\nCPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc7 #1 NONE\nHardware name: Keystone\nPC is at knav_dma_close_channel+0x30/0x19c\nLR is at netcp_free_navigator_resources+0x2c/0x28c\n\n[... TRIM...]\n\nCall trace:\n knav_dma_close_channel from netcp_free_navigator_resources+0x2c/0x28c\n netcp_free_navigator_resources from netcp_ndo_open+0x430/0x46c\n netcp_ndo_open from __dev_open+0x114/0x29c\n __dev_open from __dev_change_flags+0x190/0x208\n __dev_change_flags from netif_change_flags+0x1c/0x58\n netif_change_flags from dev_change_flags+0x38/0xa0\n dev_change_flags from ip_auto_config+0x2c4/0x11f0\n ip_auto_config from do_one_initcall+0x58/0x200\n do_one_initcall from kernel_init_freeable+0x1cc/0x238\n kernel_init_freeable from kernel_init+0x1c/0x12c\n kernel_init from ret_from_fork+0x14/0x38\n[... TRIM...]\n\nStandardize the error handling by making the function return NULL on\nall error conditions. The API is used in just the netcp_core.c so the\nimpact is limited.\n\nNote, this change, in effect reverts commit 5b6cb43b4d62 (\"net:\nethernet: ti: netcp_core: return error while dma channel open issue\"),\nbut provides a less error prone implementation."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:25.945Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af6b10a13fc0aee37df4a8292414cc055c263fa3"
},
{
"url": "https://git.kernel.org/stable/c/8427218ecbd7f8559c37972e66cb0fa06e82353b"
},
{
"url": "https://git.kernel.org/stable/c/3afeb909c3e2e0eb19b1e20506196e5f2d9c2259"
},
{
"url": "https://git.kernel.org/stable/c/2572c358ee434ce4b994472cceeb4043cbff5bc5"
},
{
"url": "https://git.kernel.org/stable/c/952637c5b9be64539cd0e13ef88db71a1df46373"
},
{
"url": "https://git.kernel.org/stable/c/fbb53727ca789a8d27052aab4b77ca9e2a0fae2b"
},
{
"url": "https://git.kernel.org/stable/c/f9608637ecc165d7d6341df105aee44691461fb9"
},
{
"url": "https://git.kernel.org/stable/c/90a88306eb874fe4bbdd860e6c9787f5bbc588b5"
}
],
"title": "net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68220",
"datePublished": "2025-12-16T13:57:14.142Z",
"dateReserved": "2025-12-16T13:41:40.257Z",
"dateUpdated": "2026-01-02T15:34:25.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39953 (GCVE-0-2025-39953)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:31 – Updated: 2025-10-04 07:37
VLAI?
EPSS
Title
cgroup: split cgroup_destroy_wq into 3 workqueues
Summary
In the Linux kernel, the following vulnerability has been resolved:
cgroup: split cgroup_destroy_wq into 3 workqueues
A hung task can occur during [1] LTP cgroup testing when repeatedly
mounting/unmounting perf_event and net_prio controllers with
systemd.unified_cgroup_hierarchy=1. The hang manifests in
cgroup_lock_and_drain_offline() during root destruction.
Related case:
cgroup_fj_function_perf_event cgroup_fj_function.sh perf_event
cgroup_fj_function_net_prio cgroup_fj_function.sh net_prio
Call Trace:
cgroup_lock_and_drain_offline+0x14c/0x1e8
cgroup_destroy_root+0x3c/0x2c0
css_free_rwork_fn+0x248/0x338
process_one_work+0x16c/0x3b8
worker_thread+0x22c/0x3b0
kthread+0xec/0x100
ret_from_fork+0x10/0x20
Root Cause:
CPU0 CPU1
mount perf_event umount net_prio
cgroup1_get_tree cgroup_kill_sb
rebind_subsystems // root destruction enqueues
// cgroup_destroy_wq
// kill all perf_event css
// one perf_event css A is dying
// css A offline enqueues cgroup_destroy_wq
// root destruction will be executed first
css_free_rwork_fn
cgroup_destroy_root
cgroup_lock_and_drain_offline
// some perf descendants are dying
// cgroup_destroy_wq max_active = 1
// waiting for css A to die
Problem scenario:
1. CPU0 mounts perf_event (rebind_subsystems)
2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work
3. A dying perf_event CSS gets queued for offline after root destruction
4. Root destruction waits for offline completion, but offline work is
blocked behind root destruction in cgroup_destroy_wq (max_active=1)
Solution:
Split cgroup_destroy_wq into three dedicated workqueues:
cgroup_offline_wq – Handles CSS offline operations
cgroup_release_wq – Manages resource release
cgroup_free_wq – Performs final memory deallocation
This separation eliminates blocking in the CSS free path while waiting for
offline operations to complete.
[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
334c3679ec4b2b113c35ebe37d2018b112dd5013 , < cabadd7fd15f97090f752fd22dd7f876a0dc3dc4
(git)
Affected: 334c3679ec4b2b113c35ebe37d2018b112dd5013 , < a0c896bda7077aa5005473e2c5b3c27173313b4c (git) Affected: 334c3679ec4b2b113c35ebe37d2018b112dd5013 , < f2795d1b92506e3adf52a298f7181032a1525e04 (git) Affected: 334c3679ec4b2b113c35ebe37d2018b112dd5013 , < 993049c9b1355c78918344a6403427d53f9ee700 (git) Affected: 334c3679ec4b2b113c35ebe37d2018b112dd5013 , < 4a1e3ec28e8062cd9f339aa6a942df9c5bcb6811 (git) Affected: 334c3679ec4b2b113c35ebe37d2018b112dd5013 , < ded4d207a3209a834b6831ceec7f39b934c74802 (git) Affected: 334c3679ec4b2b113c35ebe37d2018b112dd5013 , < 05e0b03447cf215ec384210441b34b7a3b16e8b0 (git) Affected: 334c3679ec4b2b113c35ebe37d2018b112dd5013 , < 79f919a89c9d06816dbdbbd168fa41d27411a7f9 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/cgroup/cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cabadd7fd15f97090f752fd22dd7f876a0dc3dc4",
"status": "affected",
"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013",
"versionType": "git"
},
{
"lessThan": "a0c896bda7077aa5005473e2c5b3c27173313b4c",
"status": "affected",
"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013",
"versionType": "git"
},
{
"lessThan": "f2795d1b92506e3adf52a298f7181032a1525e04",
"status": "affected",
"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013",
"versionType": "git"
},
{
"lessThan": "993049c9b1355c78918344a6403427d53f9ee700",
"status": "affected",
"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013",
"versionType": "git"
},
{
"lessThan": "4a1e3ec28e8062cd9f339aa6a942df9c5bcb6811",
"status": "affected",
"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013",
"versionType": "git"
},
{
"lessThan": "ded4d207a3209a834b6831ceec7f39b934c74802",
"status": "affected",
"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013",
"versionType": "git"
},
{
"lessThan": "05e0b03447cf215ec384210441b34b7a3b16e8b0",
"status": "affected",
"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013",
"versionType": "git"
},
{
"lessThan": "79f919a89c9d06816dbdbbd168fa41d27411a7f9",
"status": "affected",
"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/cgroup/cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: split cgroup_destroy_wq into 3 workqueues\n\nA hung task can occur during [1] LTP cgroup testing when repeatedly\nmounting/unmounting perf_event and net_prio controllers with\nsystemd.unified_cgroup_hierarchy=1. The hang manifests in\ncgroup_lock_and_drain_offline() during root destruction.\n\nRelated case:\ncgroup_fj_function_perf_event cgroup_fj_function.sh perf_event\ncgroup_fj_function_net_prio cgroup_fj_function.sh net_prio\n\nCall Trace:\n\tcgroup_lock_and_drain_offline+0x14c/0x1e8\n\tcgroup_destroy_root+0x3c/0x2c0\n\tcss_free_rwork_fn+0x248/0x338\n\tprocess_one_work+0x16c/0x3b8\n\tworker_thread+0x22c/0x3b0\n\tkthread+0xec/0x100\n\tret_from_fork+0x10/0x20\n\nRoot Cause:\n\nCPU0 CPU1\nmount perf_event umount net_prio\ncgroup1_get_tree cgroup_kill_sb\nrebind_subsystems // root destruction enqueues\n\t\t\t\t// cgroup_destroy_wq\n// kill all perf_event css\n // one perf_event css A is dying\n // css A offline enqueues cgroup_destroy_wq\n // root destruction will be executed first\n css_free_rwork_fn\n cgroup_destroy_root\n cgroup_lock_and_drain_offline\n // some perf descendants are dying\n // cgroup_destroy_wq max_active = 1\n // waiting for css A to die\n\nProblem scenario:\n1. CPU0 mounts perf_event (rebind_subsystems)\n2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work\n3. A dying perf_event CSS gets queued for offline after root destruction\n4. Root destruction waits for offline completion, but offline work is\n blocked behind root destruction in cgroup_destroy_wq (max_active=1)\n\nSolution:\nSplit cgroup_destroy_wq into three dedicated workqueues:\ncgroup_offline_wq \u2013 Handles CSS offline operations\ncgroup_release_wq \u2013 Manages resource release\ncgroup_free_wq \u2013 Performs final memory deallocation\n\nThis separation eliminates blocking in the CSS free path while waiting for\noffline operations to complete.\n\n[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:08.557Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cabadd7fd15f97090f752fd22dd7f876a0dc3dc4"
},
{
"url": "https://git.kernel.org/stable/c/a0c896bda7077aa5005473e2c5b3c27173313b4c"
},
{
"url": "https://git.kernel.org/stable/c/f2795d1b92506e3adf52a298f7181032a1525e04"
},
{
"url": "https://git.kernel.org/stable/c/993049c9b1355c78918344a6403427d53f9ee700"
},
{
"url": "https://git.kernel.org/stable/c/4a1e3ec28e8062cd9f339aa6a942df9c5bcb6811"
},
{
"url": "https://git.kernel.org/stable/c/ded4d207a3209a834b6831ceec7f39b934c74802"
},
{
"url": "https://git.kernel.org/stable/c/05e0b03447cf215ec384210441b34b7a3b16e8b0"
},
{
"url": "https://git.kernel.org/stable/c/79f919a89c9d06816dbdbbd168fa41d27411a7f9"
}
],
"title": "cgroup: split cgroup_destroy_wq into 3 workqueues",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39953",
"datePublished": "2025-10-04T07:31:13.237Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-04T07:37:08.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-71121 (GCVE-0-2025-71121)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
parisc: Do not reprogram affinitiy on ASP chip
Summary
In the Linux kernel, the following vulnerability has been resolved:
parisc: Do not reprogram affinitiy on ASP chip
The ASP chip is a very old variant of the GSP chip and is used e.g. in
HP 730 workstations. When trying to reprogram the affinity it will crash
with a HPMC as the relevant registers don't seem to be at the usual
location. Let's avoid the crash by checking the sversion. Also note,
that reprogramming isn't necessary either, as the HP730 is a just a
single-CPU machine.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f7c35220305f273bddc0bdaf1e453b4ca280f145 , < 845a92b74cf7a730200532ecb4482981cec9d006
(git)
Affected: f77f482ec31a1f38eb38079622ca367b4b7d7442 , < 7a146f34e5be96330467397c9fd9d3d851b2cbbe (git) Affected: 939fc856676c266c3bc347c1c1661872a3725c0f , < 4d0858bbeea12a50bfb32137f74d4b74917ebadd (git) Affected: 939fc856676c266c3bc347c1c1661872a3725c0f , < e09fd2eb6d4c993ee9eaae556cb51e30ec1042df (git) Affected: 939fc856676c266c3bc347c1c1661872a3725c0f , < 60560d13ff368415c96a0c1247bea16d427c0641 (git) Affected: 939fc856676c266c3bc347c1c1661872a3725c0f , < c8f810e20f4bbe50b49f73429d9fa6efad00623e (git) Affected: 939fc856676c266c3bc347c1c1661872a3725c0f , < dca7da244349eef4d78527cafc0bf80816b261f5 (git) Affected: 52b66c46bb9f5fb270673327c41dec50171939c1 (git) Affected: 3940ecfccfffec8385b64551fd73a12c02049437 (git) Affected: bab8e3b4f68ac393c42da73d0bce891d281ded55 (git) Affected: ff342de194ad311f905ce0b6b73db48db802e224 (git) Affected: ef24e0a68b59ea8f59fedf5a9881fd9cf9f27370 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/parisc/gsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "845a92b74cf7a730200532ecb4482981cec9d006",
"status": "affected",
"version": "f7c35220305f273bddc0bdaf1e453b4ca280f145",
"versionType": "git"
},
{
"lessThan": "7a146f34e5be96330467397c9fd9d3d851b2cbbe",
"status": "affected",
"version": "f77f482ec31a1f38eb38079622ca367b4b7d7442",
"versionType": "git"
},
{
"lessThan": "4d0858bbeea12a50bfb32137f74d4b74917ebadd",
"status": "affected",
"version": "939fc856676c266c3bc347c1c1661872a3725c0f",
"versionType": "git"
},
{
"lessThan": "e09fd2eb6d4c993ee9eaae556cb51e30ec1042df",
"status": "affected",
"version": "939fc856676c266c3bc347c1c1661872a3725c0f",
"versionType": "git"
},
{
"lessThan": "60560d13ff368415c96a0c1247bea16d427c0641",
"status": "affected",
"version": "939fc856676c266c3bc347c1c1661872a3725c0f",
"versionType": "git"
},
{
"lessThan": "c8f810e20f4bbe50b49f73429d9fa6efad00623e",
"status": "affected",
"version": "939fc856676c266c3bc347c1c1661872a3725c0f",
"versionType": "git"
},
{
"lessThan": "dca7da244349eef4d78527cafc0bf80816b261f5",
"status": "affected",
"version": "939fc856676c266c3bc347c1c1661872a3725c0f",
"versionType": "git"
},
{
"status": "affected",
"version": "52b66c46bb9f5fb270673327c41dec50171939c1",
"versionType": "git"
},
{
"status": "affected",
"version": "3940ecfccfffec8385b64551fd73a12c02049437",
"versionType": "git"
},
{
"status": "affected",
"version": "bab8e3b4f68ac393c42da73d0bce891d281ded55",
"versionType": "git"
},
{
"status": "affected",
"version": "ff342de194ad311f905ce0b6b73db48db802e224",
"versionType": "git"
},
{
"status": "affected",
"version": "ef24e0a68b59ea8f59fedf5a9881fd9cf9f27370",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/parisc/gsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Do not reprogram affinitiy on ASP chip\n\nThe ASP chip is a very old variant of the GSP chip and is used e.g. in\nHP 730 workstations. When trying to reprogram the affinity it will crash\nwith a HPMC as the relevant registers don\u0027t seem to be at the usual\nlocation. Let\u0027s avoid the crash by checking the sversion. Also note,\nthat reprogramming isn\u0027t necessary either, as the HP730 is a just a\nsingle-CPU machine."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:16.277Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/845a92b74cf7a730200532ecb4482981cec9d006"
},
{
"url": "https://git.kernel.org/stable/c/7a146f34e5be96330467397c9fd9d3d851b2cbbe"
},
{
"url": "https://git.kernel.org/stable/c/4d0858bbeea12a50bfb32137f74d4b74917ebadd"
},
{
"url": "https://git.kernel.org/stable/c/e09fd2eb6d4c993ee9eaae556cb51e30ec1042df"
},
{
"url": "https://git.kernel.org/stable/c/60560d13ff368415c96a0c1247bea16d427c0641"
},
{
"url": "https://git.kernel.org/stable/c/c8f810e20f4bbe50b49f73429d9fa6efad00623e"
},
{
"url": "https://git.kernel.org/stable/c/dca7da244349eef4d78527cafc0bf80816b261f5"
}
],
"title": "parisc: Do not reprogram affinitiy on ASP chip",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71121",
"datePublished": "2026-01-14T15:06:07.871Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-02-09T08:35:16.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68308 (GCVE-0-2025-68308)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
can: kvaser_usb: leaf: Fix potential infinite loop in command parsers
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: kvaser_usb: leaf: Fix potential infinite loop in command parsers
The `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback`
functions contain logic to zero-length commands. These commands are used
to align data to the USB endpoint's wMaxPacketSize boundary.
The driver attempts to skip these placeholders by aligning the buffer
position `pos` to the next packet boundary using `round_up()` function.
However, if zero-length command is found exactly on a packet boundary
(i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up`
function will return the unchanged value of `pos`. This prevents `pos`
to be increased, causing an infinite loop in the parsing logic.
This patch fixes this in the function by using `pos + 1` instead.
This ensures that even if `pos` is on a boundary, the calculation is
based on `pos + 1`, forcing `round_up()` to always return the next
aligned boundary.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7259124eac7d1b76b41c7a9cb2511a30556deebe , < 58343e0a4d43699f0e2f5b169384bbe4c0217add
(git)
Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < 69c7825df64e24dc15d31631a1fc9145324b1345 (git) Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < 028e89c7e8b4346302e88df01cc50e0a1f05791a (git) Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < e9dd83a75a7274edef21682c823bf0b66d7b6b7f (git) Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < 0897cea266e39166a36111059ba147192b36592f (git) Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < bd8135a560cf6e64f0b98ed4daadf126a38f7f48 (git) Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < 0c73772cd2b8cc108d5f5334de89ad648d89b9ec (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58343e0a4d43699f0e2f5b169384bbe4c0217add",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "69c7825df64e24dc15d31631a1fc9145324b1345",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "028e89c7e8b4346302e88df01cc50e0a1f05791a",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "e9dd83a75a7274edef21682c823bf0b66d7b6b7f",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "0897cea266e39166a36111059ba147192b36592f",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "bd8135a560cf6e64f0b98ed4daadf126a38f7f48",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "0c73772cd2b8cc108d5f5334de89ad648d89b9ec",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_usb: leaf: Fix potential infinite loop in command parsers\n\nThe `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback`\nfunctions contain logic to zero-length commands. These commands are used\nto align data to the USB endpoint\u0027s wMaxPacketSize boundary.\n\nThe driver attempts to skip these placeholders by aligning the buffer\nposition `pos` to the next packet boundary using `round_up()` function.\n\nHowever, if zero-length command is found exactly on a packet boundary\n(i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up`\nfunction will return the unchanged value of `pos`. This prevents `pos`\nto be increased, causing an infinite loop in the parsing logic.\n\nThis patch fixes this in the function by using `pos + 1` instead.\nThis ensures that even if `pos` is on a boundary, the calculation is\nbased on `pos + 1`, forcing `round_up()` to always return the next\naligned boundary."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:25.081Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58343e0a4d43699f0e2f5b169384bbe4c0217add"
},
{
"url": "https://git.kernel.org/stable/c/69c7825df64e24dc15d31631a1fc9145324b1345"
},
{
"url": "https://git.kernel.org/stable/c/028e89c7e8b4346302e88df01cc50e0a1f05791a"
},
{
"url": "https://git.kernel.org/stable/c/e9dd83a75a7274edef21682c823bf0b66d7b6b7f"
},
{
"url": "https://git.kernel.org/stable/c/0897cea266e39166a36111059ba147192b36592f"
},
{
"url": "https://git.kernel.org/stable/c/bd8135a560cf6e64f0b98ed4daadf126a38f7f48"
},
{
"url": "https://git.kernel.org/stable/c/0c73772cd2b8cc108d5f5334de89ad648d89b9ec"
}
],
"title": "can: kvaser_usb: leaf: Fix potential infinite loop in command parsers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68308",
"datePublished": "2025-12-16T15:06:25.081Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:25.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39927 (GCVE-0-2025-39927)
Vulnerability from cvelistv5 – Published: 2025-10-01 08:07 – Updated: 2026-01-14 17:42
VLAI?
EPSS
Title
ceph: fix race condition validating r_parent before applying state
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix race condition validating r_parent before applying state
Add validation to ensure the cached parent directory inode matches the
directory info in MDS replies. This prevents client-side race conditions
where concurrent operations (e.g. rename) cause r_parent to become stale
between request initiation and reply processing, which could lead to
applying state changes to incorrect directory inodes.
[ idryomov: folded a kerneldoc fixup and a follow-up fix from Alex to
move CEPH_CAP_PIN reference when r_parent is updated:
When the parent directory lock is not held, req->r_parent can become
stale and is updated to point to the correct inode. However, the
associated CEPH_CAP_PIN reference was not being adjusted. The
CEPH_CAP_PIN is a reference on an inode that is tracked for
accounting purposes. Moving this pin is important to keep the
accounting balanced. When the pin was not moved from the old parent
to the new one, it created two problems: The reference on the old,
stale parent was never released, causing a reference leak.
A reference for the new parent was never acquired, creating the risk
of a reference underflow later in ceph_mdsc_release_request(). This
patch corrects the logic by releasing the pin from the old parent and
acquiring it for the new parent when r_parent is switched. This
ensures reference accounting stays balanced. ]
Severity ?
4.7 (Medium)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9030aaf9bf0a1eee47a154c316c789e959638b0f , < db378e6f83ec705c6091c65d482d555edc2b0a72
(git)
Affected: 9030aaf9bf0a1eee47a154c316c789e959638b0f , < 2bfe45987eb346e299d9f763f9cd05f77011519f (git) Affected: 9030aaf9bf0a1eee47a154c316c789e959638b0f , < 15f519e9f883b316d86e2bb6b767a023aafd9d83 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39927",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:39:17.680672Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T17:42:45.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ceph/debugfs.c",
"fs/ceph/dir.c",
"fs/ceph/file.c",
"fs/ceph/inode.c",
"fs/ceph/mds_client.c",
"fs/ceph/mds_client.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db378e6f83ec705c6091c65d482d555edc2b0a72",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
},
{
"lessThan": "2bfe45987eb346e299d9f763f9cd05f77011519f",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
},
{
"lessThan": "15f519e9f883b316d86e2bb6b767a023aafd9d83",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ceph/debugfs.c",
"fs/ceph/dir.c",
"fs/ceph/file.c",
"fs/ceph/inode.c",
"fs/ceph/mds_client.c",
"fs/ceph/mds_client.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix race condition validating r_parent before applying state\n\nAdd validation to ensure the cached parent directory inode matches the\ndirectory info in MDS replies. This prevents client-side race conditions\nwhere concurrent operations (e.g. rename) cause r_parent to become stale\nbetween request initiation and reply processing, which could lead to\napplying state changes to incorrect directory inodes.\n\n[ idryomov: folded a kerneldoc fixup and a follow-up fix from Alex to\n move CEPH_CAP_PIN reference when r_parent is updated:\n\n When the parent directory lock is not held, req-\u003er_parent can become\n stale and is updated to point to the correct inode. However, the\n associated CEPH_CAP_PIN reference was not being adjusted. The\n CEPH_CAP_PIN is a reference on an inode that is tracked for\n accounting purposes. Moving this pin is important to keep the\n accounting balanced. When the pin was not moved from the old parent\n to the new one, it created two problems: The reference on the old,\n stale parent was never released, causing a reference leak.\n A reference for the new parent was never acquired, creating the risk\n of a reference underflow later in ceph_mdsc_release_request(). This\n patch corrects the logic by releasing the pin from the old parent and\n acquiring it for the new parent when r_parent is switched. This\n ensures reference accounting stays balanced. ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T07:04:31.647Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db378e6f83ec705c6091c65d482d555edc2b0a72"
},
{
"url": "https://git.kernel.org/stable/c/2bfe45987eb346e299d9f763f9cd05f77011519f"
},
{
"url": "https://git.kernel.org/stable/c/15f519e9f883b316d86e2bb6b767a023aafd9d83"
}
],
"title": "ceph: fix race condition validating r_parent before applying state",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39927",
"datePublished": "2025-10-01T08:07:14.595Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2026-01-14T17:42:45.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40211 (GCVE-0-2025-40211)
Vulnerability from cvelistv5 – Published: 2025-11-21 10:21 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
The switch_brightness_work delayed work accesses device->brightness
and device->backlight, freed by acpi_video_dev_unregister_backlight()
during device removal.
If the work executes after acpi_video_bus_unregister_backlight()
frees these resources, it causes a use-after-free when
acpi_video_switch_brightness() dereferences device->brightness or
device->backlight.
Fix this by calling cancel_delayed_work_sync() for each device's
switch_brightness_work in acpi_video_bus_remove_notify_handler()
after removing the notify handler that queues the work. This ensures
the work completes before the memory is freed.
[ rjw: Changelog edit ]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < 3f803ccf5a0c043e7c8b83f6665b082401fc8bee
(git)
Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < ba1704316492a0496c69334338ea1fdbf4c2fd34 (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < bc78a4f51d548c1ccc3d1967c2b394bf687c86e9 (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < a63a5b6fb508d78fe57ae3b159d9ef3af7ba80e9 (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < 4e85246ec0d019dfba86ba54d841ef6694f97149 (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < de5fc93275a4a459fe2f7cb746984f2ab3e8292a (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < 293125536ef5521328815fa7c76d5f9eb1635659 (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < 8f067aa59430266386b83c18b983ca583faa6a11 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpi_video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f803ccf5a0c043e7c8b83f6665b082401fc8bee",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "ba1704316492a0496c69334338ea1fdbf4c2fd34",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "bc78a4f51d548c1ccc3d1967c2b394bf687c86e9",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "a63a5b6fb508d78fe57ae3b159d9ef3af7ba80e9",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "4e85246ec0d019dfba86ba54d841ef6694f97149",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "de5fc93275a4a459fe2f7cb746984f2ab3e8292a",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "293125536ef5521328815fa7c76d5f9eb1635659",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "8f067aa59430266386b83c18b983ca583faa6a11",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpi_video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: video: Fix use-after-free in acpi_video_switch_brightness()\n\nThe switch_brightness_work delayed work accesses device-\u003ebrightness\nand device-\u003ebacklight, freed by acpi_video_dev_unregister_backlight()\nduring device removal.\n\nIf the work executes after acpi_video_bus_unregister_backlight()\nfrees these resources, it causes a use-after-free when\nacpi_video_switch_brightness() dereferences device-\u003ebrightness or\ndevice-\u003ebacklight.\n\nFix this by calling cancel_delayed_work_sync() for each device\u0027s\nswitch_brightness_work in acpi_video_bus_remove_notify_handler()\nafter removing the notify handler that queues the work. This ensures\nthe work completes before the memory is freed.\n\n[ rjw: Changelog edit ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:42.455Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f803ccf5a0c043e7c8b83f6665b082401fc8bee"
},
{
"url": "https://git.kernel.org/stable/c/ba1704316492a0496c69334338ea1fdbf4c2fd34"
},
{
"url": "https://git.kernel.org/stable/c/bc78a4f51d548c1ccc3d1967c2b394bf687c86e9"
},
{
"url": "https://git.kernel.org/stable/c/a63a5b6fb508d78fe57ae3b159d9ef3af7ba80e9"
},
{
"url": "https://git.kernel.org/stable/c/4e85246ec0d019dfba86ba54d841ef6694f97149"
},
{
"url": "https://git.kernel.org/stable/c/de5fc93275a4a459fe2f7cb746984f2ab3e8292a"
},
{
"url": "https://git.kernel.org/stable/c/293125536ef5521328815fa7c76d5f9eb1635659"
},
{
"url": "https://git.kernel.org/stable/c/8f067aa59430266386b83c18b983ca583faa6a11"
}
],
"title": "ACPI: video: Fix use-after-free in acpi_video_switch_brightness()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40211",
"datePublished": "2025-11-21T10:21:36.438Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-06T21:38:42.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40272 (GCVE-0-2025-40272)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2025-12-06 21:50
VLAI?
EPSS
Title
mm/secretmem: fix use-after-free race in fault handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/secretmem: fix use-after-free race in fault handler
When a page fault occurs in a secret memory file created with
`memfd_secret(2)`, the kernel will allocate a new folio for it, mark the
underlying page as not-present in the direct map, and add it to the file
mapping.
If two tasks cause a fault in the same page concurrently, both could end
up allocating a folio and removing the page from the direct map, but only
one would succeed in adding the folio to the file mapping. The task that
failed undoes the effects of its attempt by (a) freeing the folio again
and (b) putting the page back into the direct map. However, by doing
these two operations in this order, the page becomes available to the
allocator again before it is placed back in the direct mapping.
If another task attempts to allocate the page between (a) and (b), and the
kernel tries to access it via the direct map, it would result in a
supervisor not-present page fault.
Fix the ordering to restore the direct map before the folio is freed.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < bb1c19636aedae39360e6fdbcaef4f2bcff25785
(git)
Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 1e4643d6628edf9c0047b1f8f5bc574665025acb (git) Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 42d486d35a4143cc37fc72ee66edc99d942dd367 (git) Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649 (git) Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 4444767e625da46009fc94a453fd1967b80ba047 (git) Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 6f86d0534fddfbd08687fa0f01479d4226bc3c3d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/secretmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb1c19636aedae39360e6fdbcaef4f2bcff25785",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
},
{
"lessThan": "1e4643d6628edf9c0047b1f8f5bc574665025acb",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
},
{
"lessThan": "42d486d35a4143cc37fc72ee66edc99d942dd367",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
},
{
"lessThan": "52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
},
{
"lessThan": "4444767e625da46009fc94a453fd1967b80ba047",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
},
{
"lessThan": "6f86d0534fddfbd08687fa0f01479d4226bc3c3d",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/secretmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/secretmem: fix use-after-free race in fault handler\n\nWhen a page fault occurs in a secret memory file created with\n`memfd_secret(2)`, the kernel will allocate a new folio for it, mark the\nunderlying page as not-present in the direct map, and add it to the file\nmapping.\n\nIf two tasks cause a fault in the same page concurrently, both could end\nup allocating a folio and removing the page from the direct map, but only\none would succeed in adding the folio to the file mapping. The task that\nfailed undoes the effects of its attempt by (a) freeing the folio again\nand (b) putting the page back into the direct map. However, by doing\nthese two operations in this order, the page becomes available to the\nallocator again before it is placed back in the direct mapping.\n\nIf another task attempts to allocate the page between (a) and (b), and the\nkernel tries to access it via the direct map, it would result in a\nsupervisor not-present page fault.\n\nFix the ordering to restore the direct map before the folio is freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:50:54.629Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb1c19636aedae39360e6fdbcaef4f2bcff25785"
},
{
"url": "https://git.kernel.org/stable/c/1e4643d6628edf9c0047b1f8f5bc574665025acb"
},
{
"url": "https://git.kernel.org/stable/c/42d486d35a4143cc37fc72ee66edc99d942dd367"
},
{
"url": "https://git.kernel.org/stable/c/52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649"
},
{
"url": "https://git.kernel.org/stable/c/4444767e625da46009fc94a453fd1967b80ba047"
},
{
"url": "https://git.kernel.org/stable/c/6f86d0534fddfbd08687fa0f01479d4226bc3c3d"
}
],
"title": "mm/secretmem: fix use-after-free race in fault handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40272",
"datePublished": "2025-12-06T21:50:54.629Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2025-12-06T21:50:54.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68747 (GCVE-0-2025-68747)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
drm/panthor: Fix UAF on kernel BO VA nodes
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/panthor: Fix UAF on kernel BO VA nodes
If the MMU is down, panthor_vm_unmap_range() might return an error.
We expect the page table to be updated still, and if the MMU is blocked,
the rest of the GPU should be blocked too, so no risk of accessing
physical memory returned to the system (which the current code doesn't
cover for anyway).
Proceed with the rest of the cleanup instead of bailing out and leaving
the va_node inserted in the drm_mm, which leads to UAF when other
adjacent nodes are removed from the drm_mm tree.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8a1cc07578bf42d85f008316873d710ff684dd29 , < 5a0060ddfc1fcfdb0f7b4fa1b7b3b0c436151391
(git)
Affected: 8a1cc07578bf42d85f008316873d710ff684dd29 , < 1123eadb843588b361c96f53a771202b7953154f (git) Affected: 8a1cc07578bf42d85f008316873d710ff684dd29 , < 0612704b6f6ddf2ae223019c52148c5ac76cf70e (git) Affected: 8a1cc07578bf42d85f008316873d710ff684dd29 , < 98dd5143447af0ee33551776d8b2560c35d0bc4a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panthor/panthor_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a0060ddfc1fcfdb0f7b4fa1b7b3b0c436151391",
"status": "affected",
"version": "8a1cc07578bf42d85f008316873d710ff684dd29",
"versionType": "git"
},
{
"lessThan": "1123eadb843588b361c96f53a771202b7953154f",
"status": "affected",
"version": "8a1cc07578bf42d85f008316873d710ff684dd29",
"versionType": "git"
},
{
"lessThan": "0612704b6f6ddf2ae223019c52148c5ac76cf70e",
"status": "affected",
"version": "8a1cc07578bf42d85f008316873d710ff684dd29",
"versionType": "git"
},
{
"lessThan": "98dd5143447af0ee33551776d8b2560c35d0bc4a",
"status": "affected",
"version": "8a1cc07578bf42d85f008316873d710ff684dd29",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panthor/panthor_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Fix UAF on kernel BO VA nodes\n\nIf the MMU is down, panthor_vm_unmap_range() might return an error.\nWe expect the page table to be updated still, and if the MMU is blocked,\nthe rest of the GPU should be blocked too, so no risk of accessing\nphysical memory returned to the system (which the current code doesn\u0027t\ncover for anyway).\n\nProceed with the rest of the cleanup instead of bailing out and leaving\nthe va_node inserted in the drm_mm, which leads to UAF when other\nadjacent nodes are removed from the drm_mm tree."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:52.007Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a0060ddfc1fcfdb0f7b4fa1b7b3b0c436151391"
},
{
"url": "https://git.kernel.org/stable/c/1123eadb843588b361c96f53a771202b7953154f"
},
{
"url": "https://git.kernel.org/stable/c/0612704b6f6ddf2ae223019c52148c5ac76cf70e"
},
{
"url": "https://git.kernel.org/stable/c/98dd5143447af0ee33551776d8b2560c35d0bc4a"
}
],
"title": "drm/panthor: Fix UAF on kernel BO VA nodes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68747",
"datePublished": "2025-12-24T12:09:42.925Z",
"dateReserved": "2025-12-24T10:30:51.031Z",
"dateUpdated": "2026-02-09T08:32:52.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40235 (GCVE-0-2025-40235)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31
VLAI?
EPSS
Title
btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()
If fs_info->super_copy or fs_info->super_for_commit allocated failed in
btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info().
Otherwise btrfs_check_leaked_roots() would access NULL pointer because
fs_info->allocated_roots had not been initialised.
syzkaller reported the following information:
------------[ cut here ]------------
BUG: unable to handle page fault for address: fffffffffffffbb0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0
Oops: Oops: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]
RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]
RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]
RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]
RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230
[...]
Call Trace:
<TASK>
btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280
btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029
btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097
vfs_get_tree+0x98/0x320 fs/super.c:1759
do_new_mount+0x357/0x660 fs/namespace.c:3899
path_mount+0x716/0x19c0 fs/namespace.c:4226
do_mount fs/namespace.c:4239 [inline]
__do_sys_mount fs/namespace.c:4450 [inline]
__se_sys_mount fs/namespace.c:4427 [inline]
__x64_sys_mount+0x28c/0x310 fs/namespace.c:4427
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f032eaffa8d
[...]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3bb17a25bcb09abbd667c6ac86c7c9109ae82bcd , < b1c2b4e6ffd307720ab6ce42f6749b0c02ba0a73
(git)
Affected: 3bb17a25bcb09abbd667c6ac86c7c9109ae82bcd , < 0c2b2d4d053e9840e6da6ed581befa20309f281a (git) Affected: 3bb17a25bcb09abbd667c6ac86c7c9109ae82bcd , < 17679ac6df6c4830ba711835aa8cf961be36cfa1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b1c2b4e6ffd307720ab6ce42f6749b0c02ba0a73",
"status": "affected",
"version": "3bb17a25bcb09abbd667c6ac86c7c9109ae82bcd",
"versionType": "git"
},
{
"lessThan": "0c2b2d4d053e9840e6da6ed581befa20309f281a",
"status": "affected",
"version": "3bb17a25bcb09abbd667c6ac86c7c9109ae82bcd",
"versionType": "git"
},
{
"lessThan": "17679ac6df6c4830ba711835aa8cf961be36cfa1",
"status": "affected",
"version": "3bb17a25bcb09abbd667c6ac86c7c9109ae82bcd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()\n\nIf fs_info-\u003esuper_copy or fs_info-\u003esuper_for_commit allocated failed in\nbtrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info().\nOtherwise btrfs_check_leaked_roots() would access NULL pointer because\nfs_info-\u003eallocated_roots had not been initialised.\n\nsyzkaller reported the following information:\n ------------[ cut here ]------------\n BUG: unable to handle page fault for address: fffffffffffffbb0\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0\n Oops: Oops: 0000 [#1] SMP KASAN PTI\n CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)\n RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]\n RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]\n RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]\n RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]\n RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230\n [...]\n Call Trace:\n \u003cTASK\u003e\n btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280\n btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029\n btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097\n vfs_get_tree+0x98/0x320 fs/super.c:1759\n do_new_mount+0x357/0x660 fs/namespace.c:3899\n path_mount+0x716/0x19c0 fs/namespace.c:4226\n do_mount fs/namespace.c:4239 [inline]\n __do_sys_mount fs/namespace.c:4450 [inline]\n __se_sys_mount fs/namespace.c:4427 [inline]\n __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f032eaffa8d\n [...]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:25.785Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b1c2b4e6ffd307720ab6ce42f6749b0c02ba0a73"
},
{
"url": "https://git.kernel.org/stable/c/0c2b2d4d053e9840e6da6ed581befa20309f281a"
},
{
"url": "https://git.kernel.org/stable/c/17679ac6df6c4830ba711835aa8cf961be36cfa1"
}
],
"title": "btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40235",
"datePublished": "2025-12-04T15:31:25.785Z",
"dateReserved": "2025-04-16T07:20:57.180Z",
"dateUpdated": "2025-12-04T15:31:25.785Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39885 (GCVE-0-2025-39885)
Vulnerability from cvelistv5 – Published: 2025-09-23 06:00 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
ocfs2: fix recursive semaphore deadlock in fiemap call
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix recursive semaphore deadlock in fiemap call
syzbot detected a OCFS2 hang due to a recursive semaphore on a
FS_IOC_FIEMAP of the extent list on a specially crafted mmap file.
context_switch kernel/sched/core.c:5357 [inline]
__schedule+0x1798/0x4cc0 kernel/sched/core.c:6961
__schedule_loop kernel/sched/core.c:7043 [inline]
schedule+0x165/0x360 kernel/sched/core.c:7058
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115
rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185
__down_write_common kernel/locking/rwsem.c:1317 [inline]
__down_write kernel/locking/rwsem.c:1326 [inline]
down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591
ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142
do_page_mkwrite+0x14d/0x310 mm/memory.c:3361
wp_page_shared mm/memory.c:3762 [inline]
do_wp_page+0x268d/0x5800 mm/memory.c:3981
handle_pte_fault mm/memory.c:6068 [inline]
__handle_mm_fault+0x1033/0x5440 mm/memory.c:6195
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364
do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]
RIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]
RIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline]
RIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26
Code: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89
f7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 <f3> a4 0f
1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41
RSP: 0018:ffffc9000403f950 EFLAGS: 00050256
RAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038
RDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060
RBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42
R10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098
R13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060
copy_to_user include/linux/uaccess.h:225 [inline]
fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145
ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806
ioctl_fiemap fs/ioctl.c:220 [inline]
do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532
__do_sys_ioctl fs/ioctl.c:596 [inline]
__se_sys_ioctl+0x82/0x170 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5f13850fd9
RSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9
RDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004
RBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0
R13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b
ocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since
v2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the
extent list of this running mmap executable. The user supplied buffer to
hold the fiemap information page faults calling ocfs2_page_mkwrite() which
will take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same
semaphore. This recursive semaphore will hold filesystem locks and causes
a hang of the fileystem.
The ip_alloc_sem protects the inode extent list and size. Release the
read semphore before calling fiemap_fill_next_extent() in ocfs2_fiemap()
and ocfs2_fiemap_inline(). This does an unnecessary semaphore lock/unlock
on the last extent but simplifies the error path.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
00dc417fa3e763345b34ccb6034d72de76eea0a1 , < 16e518ca84dfe860c20a62f3615e14e8af0ace57
(git)
Affected: 00dc417fa3e763345b34ccb6034d72de76eea0a1 , < 7e1514bd44ef68007703c752c99ff7319f35bce6 (git) Affected: 00dc417fa3e763345b34ccb6034d72de76eea0a1 , < ef30404980e4c832ef9bba1b10c08f67fa77a9ec (git) Affected: 00dc417fa3e763345b34ccb6034d72de76eea0a1 , < 36054554772f95d090eb45793faf6aa3c0254b02 (git) Affected: 00dc417fa3e763345b34ccb6034d72de76eea0a1 , < 0709bc11b942870fc0a7be150e42aea42321093a (git) Affected: 00dc417fa3e763345b34ccb6034d72de76eea0a1 , < 1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e (git) Affected: 00dc417fa3e763345b34ccb6034d72de76eea0a1 , < 9efcb7a8b97310efed995397941a292cf89fa94f (git) Affected: 00dc417fa3e763345b34ccb6034d72de76eea0a1 , < 04100f775c2ea501927f508f17ad824ad1f23c8d (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:25.898Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/extent_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16e518ca84dfe860c20a62f3615e14e8af0ace57",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "7e1514bd44ef68007703c752c99ff7319f35bce6",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "ef30404980e4c832ef9bba1b10c08f67fa77a9ec",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "36054554772f95d090eb45793faf6aa3c0254b02",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "0709bc11b942870fc0a7be150e42aea42321093a",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "9efcb7a8b97310efed995397941a292cf89fa94f",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "04100f775c2ea501927f508f17ad824ad1f23c8d",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/extent_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix recursive semaphore deadlock in fiemap call\n\nsyzbot detected a OCFS2 hang due to a recursive semaphore on a\nFS_IOC_FIEMAP of the extent list on a specially crafted mmap file.\n\ncontext_switch kernel/sched/core.c:5357 [inline]\n __schedule+0x1798/0x4cc0 kernel/sched/core.c:6961\n __schedule_loop kernel/sched/core.c:7043 [inline]\n schedule+0x165/0x360 kernel/sched/core.c:7058\n schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115\n rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185\n __down_write_common kernel/locking/rwsem.c:1317 [inline]\n __down_write kernel/locking/rwsem.c:1326 [inline]\n down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591\n ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142\n do_page_mkwrite+0x14d/0x310 mm/memory.c:3361\n wp_page_shared mm/memory.c:3762 [inline]\n do_wp_page+0x268d/0x5800 mm/memory.c:3981\n handle_pte_fault mm/memory.c:6068 [inline]\n __handle_mm_fault+0x1033/0x5440 mm/memory.c:6195\n handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364\n do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387\n handle_page_fault arch/x86/mm/fault.c:1476 [inline]\n exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532\n asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623\nRIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]\nRIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]\nRIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline]\nRIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26\nCode: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89\nf7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 \u003cf3\u003e a4 0f\n1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41\nRSP: 0018:ffffc9000403f950 EFLAGS: 00050256\nRAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038\nRDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060\nRBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42\nR10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098\nR13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060\n copy_to_user include/linux/uaccess.h:225 [inline]\n fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145\n ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532\n __do_sys_ioctl fs/ioctl.c:596 [inline]\n __se_sys_ioctl+0x82/0x170 fs/ioctl.c:584\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5f13850fd9\nRSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9\nRDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004\nRBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0\nR13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b\n\nocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since\nv2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the\nextent list of this running mmap executable. The user supplied buffer to\nhold the fiemap information page faults calling ocfs2_page_mkwrite() which\nwill take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same\nsemaphore. This recursive semaphore will hold filesystem locks and causes\na hang of the fileystem.\n\nThe ip_alloc_sem protects the inode extent list and size. Release the\nread semphore before calling fiemap_fill_next_extent() in ocfs2_fiemap()\nand ocfs2_fiemap_inline(). This does an unnecessary semaphore lock/unlock\non the last extent but simplifies the error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:32.512Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16e518ca84dfe860c20a62f3615e14e8af0ace57"
},
{
"url": "https://git.kernel.org/stable/c/7e1514bd44ef68007703c752c99ff7319f35bce6"
},
{
"url": "https://git.kernel.org/stable/c/ef30404980e4c832ef9bba1b10c08f67fa77a9ec"
},
{
"url": "https://git.kernel.org/stable/c/36054554772f95d090eb45793faf6aa3c0254b02"
},
{
"url": "https://git.kernel.org/stable/c/0709bc11b942870fc0a7be150e42aea42321093a"
},
{
"url": "https://git.kernel.org/stable/c/1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e"
},
{
"url": "https://git.kernel.org/stable/c/9efcb7a8b97310efed995397941a292cf89fa94f"
},
{
"url": "https://git.kernel.org/stable/c/04100f775c2ea501927f508f17ad824ad1f23c8d"
}
],
"title": "ocfs2: fix recursive semaphore deadlock in fiemap call",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39885",
"datePublished": "2025-09-23T06:00:52.584Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2025-11-03T17:44:25.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68306 (GCVE-0-2025-68306)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface
When performing reset tests and encountering abnormal card drop issues
that lead to a kernel crash, it is necessary to perform a null check
before releasing resources to avoid attempting to release a null pointer.
<4>[ 29.158070] Hardware name: Google Quigon sku196612/196613 board (DT)
<4>[ 29.158076] Workqueue: hci0 hci_cmd_sync_work [bluetooth]
<4>[ 29.158154] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
<4>[ 29.158162] pc : klist_remove+0x90/0x158
<4>[ 29.158174] lr : klist_remove+0x88/0x158
<4>[ 29.158180] sp : ffffffc0846b3c00
<4>[ 29.158185] pmr_save: 000000e0
<4>[ 29.158188] x29: ffffffc0846b3c30 x28: ffffff80cd31f880 x27: ffffff80c1bdc058
<4>[ 29.158199] x26: dead000000000100 x25: ffffffdbdc624ea3 x24: ffffff80c1bdc4c0
<4>[ 29.158209] x23: ffffffdbdc62a3e6 x22: ffffff80c6c07000 x21: ffffffdbdc829290
<4>[ 29.158219] x20: 0000000000000000 x19: ffffff80cd3e0648 x18: 000000031ec97781
<4>[ 29.158229] x17: ffffff80c1bdc4a8 x16: ffffffdc10576548 x15: ffffff80c1180428
<4>[ 29.158238] x14: 0000000000000000 x13: 000000000000e380 x12: 0000000000000018
<4>[ 29.158248] x11: ffffff80c2a7fd10 x10: 0000000000000000 x9 : 0000000100000000
<4>[ 29.158257] x8 : 0000000000000000 x7 : 7f7f7f7f7f7f7f7f x6 : 2d7223ff6364626d
<4>[ 29.158266] x5 : 0000008000000000 x4 : 0000000000000020 x3 : 2e7325006465636e
<4>[ 29.158275] x2 : ffffffdc11afeff8 x1 : 0000000000000000 x0 : ffffffdc11be4d0c
<4>[ 29.158285] Call trace:
<4>[ 29.158290] klist_remove+0x90/0x158
<4>[ 29.158298] device_release_driver_internal+0x20c/0x268
<4>[ 29.158308] device_release_driver+0x1c/0x30
<4>[ 29.158316] usb_driver_release_interface+0x70/0x88
<4>[ 29.158325] btusb_mtk_release_iso_intf+0x68/0xd8 [btusb (HASH:e8b6 5)]
<4>[ 29.158347] btusb_mtk_reset+0x5c/0x480 [btusb (HASH:e8b6 5)]
<4>[ 29.158361] hci_cmd_sync_work+0x10c/0x188 [bluetooth (HASH:a4fa 6)]
<4>[ 29.158430] process_scheduled_works+0x258/0x4e8
<4>[ 29.158441] worker_thread+0x300/0x428
<4>[ 29.158448] kthread+0x108/0x1d0
<4>[ 29.158455] ret_from_fork+0x10/0x20
<0>[ 29.158467] Code: 91343000 940139d1 f9400268 927ff914 (f9401297)
<4>[ 29.158474] ---[ end trace 0000000000000000 ]---
<0>[ 29.167129] Kernel panic - not syncing: Oops: Fatal exception
<2>[ 29.167144] SMP: stopping secondary CPUs
<4>[ 29.167158] ------------[ cut here ]------------
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ceac1cb0259de682d78f5c784ef8e0b13022e9d9 , < 421e88a0d85782786b7a1764c75518b4845e07b3
(git)
Affected: ceac1cb0259de682d78f5c784ef8e0b13022e9d9 , < faae9f2ea8806f2499186448adbf94689b47b82b (git) Affected: ceac1cb0259de682d78f5c784ef8e0b13022e9d9 , < 4015b979767125cf8a2233a145a3b3af78bfd8fb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c",
"include/net/bluetooth/hci_core.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "421e88a0d85782786b7a1764c75518b4845e07b3",
"status": "affected",
"version": "ceac1cb0259de682d78f5c784ef8e0b13022e9d9",
"versionType": "git"
},
{
"lessThan": "faae9f2ea8806f2499186448adbf94689b47b82b",
"status": "affected",
"version": "ceac1cb0259de682d78f5c784ef8e0b13022e9d9",
"versionType": "git"
},
{
"lessThan": "4015b979767125cf8a2233a145a3b3af78bfd8fb",
"status": "affected",
"version": "ceac1cb0259de682d78f5c784ef8e0b13022e9d9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c",
"include/net/bluetooth/hci_core.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface\n\nWhen performing reset tests and encountering abnormal card drop issues\nthat lead to a kernel crash, it is necessary to perform a null check\nbefore releasing resources to avoid attempting to release a null pointer.\n\n\u003c4\u003e[ 29.158070] Hardware name: Google Quigon sku196612/196613 board (DT)\n\u003c4\u003e[ 29.158076] Workqueue: hci0 hci_cmd_sync_work [bluetooth]\n\u003c4\u003e[ 29.158154] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\u003c4\u003e[ 29.158162] pc : klist_remove+0x90/0x158\n\u003c4\u003e[ 29.158174] lr : klist_remove+0x88/0x158\n\u003c4\u003e[ 29.158180] sp : ffffffc0846b3c00\n\u003c4\u003e[ 29.158185] pmr_save: 000000e0\n\u003c4\u003e[ 29.158188] x29: ffffffc0846b3c30 x28: ffffff80cd31f880 x27: ffffff80c1bdc058\n\u003c4\u003e[ 29.158199] x26: dead000000000100 x25: ffffffdbdc624ea3 x24: ffffff80c1bdc4c0\n\u003c4\u003e[ 29.158209] x23: ffffffdbdc62a3e6 x22: ffffff80c6c07000 x21: ffffffdbdc829290\n\u003c4\u003e[ 29.158219] x20: 0000000000000000 x19: ffffff80cd3e0648 x18: 000000031ec97781\n\u003c4\u003e[ 29.158229] x17: ffffff80c1bdc4a8 x16: ffffffdc10576548 x15: ffffff80c1180428\n\u003c4\u003e[ 29.158238] x14: 0000000000000000 x13: 000000000000e380 x12: 0000000000000018\n\u003c4\u003e[ 29.158248] x11: ffffff80c2a7fd10 x10: 0000000000000000 x9 : 0000000100000000\n\u003c4\u003e[ 29.158257] x8 : 0000000000000000 x7 : 7f7f7f7f7f7f7f7f x6 : 2d7223ff6364626d\n\u003c4\u003e[ 29.158266] x5 : 0000008000000000 x4 : 0000000000000020 x3 : 2e7325006465636e\n\u003c4\u003e[ 29.158275] x2 : ffffffdc11afeff8 x1 : 0000000000000000 x0 : ffffffdc11be4d0c\n\u003c4\u003e[ 29.158285] Call trace:\n\u003c4\u003e[ 29.158290] klist_remove+0x90/0x158\n\u003c4\u003e[ 29.158298] device_release_driver_internal+0x20c/0x268\n\u003c4\u003e[ 29.158308] device_release_driver+0x1c/0x30\n\u003c4\u003e[ 29.158316] usb_driver_release_interface+0x70/0x88\n\u003c4\u003e[ 29.158325] btusb_mtk_release_iso_intf+0x68/0xd8 [btusb (HASH:e8b6 5)]\n\u003c4\u003e[ 29.158347] btusb_mtk_reset+0x5c/0x480 [btusb (HASH:e8b6 5)]\n\u003c4\u003e[ 29.158361] hci_cmd_sync_work+0x10c/0x188 [bluetooth (HASH:a4fa 6)]\n\u003c4\u003e[ 29.158430] process_scheduled_works+0x258/0x4e8\n\u003c4\u003e[ 29.158441] worker_thread+0x300/0x428\n\u003c4\u003e[ 29.158448] kthread+0x108/0x1d0\n\u003c4\u003e[ 29.158455] ret_from_fork+0x10/0x20\n\u003c0\u003e[ 29.158467] Code: 91343000 940139d1 f9400268 927ff914 (f9401297)\n\u003c4\u003e[ 29.158474] ---[ end trace 0000000000000000 ]---\n\u003c0\u003e[ 29.167129] Kernel panic - not syncing: Oops: Fatal exception\n\u003c2\u003e[ 29.167144] SMP: stopping secondary CPUs\n\u003c4\u003e[ 29.167158] ------------[ cut here ]------------"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:23.486Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/421e88a0d85782786b7a1764c75518b4845e07b3"
},
{
"url": "https://git.kernel.org/stable/c/faae9f2ea8806f2499186448adbf94689b47b82b"
},
{
"url": "https://git.kernel.org/stable/c/4015b979767125cf8a2233a145a3b3af78bfd8fb"
}
],
"title": "Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68306",
"datePublished": "2025-12-16T15:06:23.486Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:23.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39923 (GCVE-0-2025-39923)
Vulnerability from cvelistv5 – Published: 2025-10-01 08:07 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees
When we don't have a clock specified in the device tree, we have no way to
ensure the BAM is on. This is often the case for remotely-controlled or
remotely-powered BAM instances. In this case, we need to read num-channels
from the DT to have all the necessary information to complete probing.
However, at the moment invalid device trees without clock and without
num-channels still continue probing, because the error handling is missing
return statements. The driver will then later try to read the number of
channels from the registers. This is unsafe, because it relies on boot
firmware and lucky timing to succeed. Unfortunately, the lack of proper
error handling here has been abused for several Qualcomm SoCs upstream,
causing early boot crashes in several situations [1, 2].
Avoid these early crashes by erroring out when any of the required DT
properties are missing. Note that this will break some of the existing DTs
upstream (mainly BAM instances related to the crypto engine). However,
clearly these DTs have never been tested properly, since the error in the
kernel log was just ignored. It's safer to disable the crypto engine for
these broken DTBs.
[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/
[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
48d163b1aa6e7f650c0b7a4f9c61c387a6def868 , < 2e257a6125c63350f00dc42b9674f20fd3cf4a9f
(git)
Affected: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 , < 1d98ba204d8a6db0d986c7f1aefaa0dcd1c007a2 (git) Affected: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 , < 6ac1599d0e78036d9d08efc2f58c2d91f0a3ee4c (git) Affected: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 , < 555bd16351a35c79efb029a196975a5a27f7fbc4 (git) Affected: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 , < ebf6c7c908e5999531c3517289598f187776124f (git) Affected: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 , < 1fc14731f0be4885e60702b9596d14d9a79cf053 (git) Affected: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 , < 0ff9df758af7022d749718fb6b8385cc5693acf3 (git) Affected: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 , < 5068b5254812433e841a40886e695633148d362d (git) Affected: cecf8a69042b3a54cb843223756c10ee8a8665e3 (git) Affected: 909474cd384cb206f33461fbd18089cf170533f8 (git) Affected: 5e0986f7caf17d7b1acd2092975360bf8e88a57d (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:41.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/bam_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e257a6125c63350f00dc42b9674f20fd3cf4a9f",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "1d98ba204d8a6db0d986c7f1aefaa0dcd1c007a2",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "6ac1599d0e78036d9d08efc2f58c2d91f0a3ee4c",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "555bd16351a35c79efb029a196975a5a27f7fbc4",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "ebf6c7c908e5999531c3517289598f187776124f",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "1fc14731f0be4885e60702b9596d14d9a79cf053",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "0ff9df758af7022d749718fb6b8385cc5693acf3",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "5068b5254812433e841a40886e695633148d362d",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"status": "affected",
"version": "cecf8a69042b3a54cb843223756c10ee8a8665e3",
"versionType": "git"
},
{
"status": "affected",
"version": "909474cd384cb206f33461fbd18089cf170533f8",
"versionType": "git"
},
{
"status": "affected",
"version": "5e0986f7caf17d7b1acd2092975360bf8e88a57d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/bam_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.16.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees\n\nWhen we don\u0027t have a clock specified in the device tree, we have no way to\nensure the BAM is on. This is often the case for remotely-controlled or\nremotely-powered BAM instances. In this case, we need to read num-channels\nfrom the DT to have all the necessary information to complete probing.\n\nHowever, at the moment invalid device trees without clock and without\nnum-channels still continue probing, because the error handling is missing\nreturn statements. The driver will then later try to read the number of\nchannels from the registers. This is unsafe, because it relies on boot\nfirmware and lucky timing to succeed. Unfortunately, the lack of proper\nerror handling here has been abused for several Qualcomm SoCs upstream,\ncausing early boot crashes in several situations [1, 2].\n\nAvoid these early crashes by erroring out when any of the required DT\nproperties are missing. Note that this will break some of the existing DTs\nupstream (mainly BAM instances related to the crypto engine). However,\nclearly these DTs have never been tested properly, since the error in the\nkernel log was just ignored. It\u0027s safer to disable the crypto engine for\nthese broken DTBs.\n\n[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/\n[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:52.384Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e257a6125c63350f00dc42b9674f20fd3cf4a9f"
},
{
"url": "https://git.kernel.org/stable/c/1d98ba204d8a6db0d986c7f1aefaa0dcd1c007a2"
},
{
"url": "https://git.kernel.org/stable/c/6ac1599d0e78036d9d08efc2f58c2d91f0a3ee4c"
},
{
"url": "https://git.kernel.org/stable/c/555bd16351a35c79efb029a196975a5a27f7fbc4"
},
{
"url": "https://git.kernel.org/stable/c/ebf6c7c908e5999531c3517289598f187776124f"
},
{
"url": "https://git.kernel.org/stable/c/1fc14731f0be4885e60702b9596d14d9a79cf053"
},
{
"url": "https://git.kernel.org/stable/c/0ff9df758af7022d749718fb6b8385cc5693acf3"
},
{
"url": "https://git.kernel.org/stable/c/5068b5254812433e841a40886e695633148d362d"
}
],
"title": "dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39923",
"datePublished": "2025-10-01T08:07:11.469Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:41.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40070 (GCVE-0-2025-40070)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
pps: fix warning in pps_register_cdev when register device fail
Summary
In the Linux kernel, the following vulnerability has been resolved:
pps: fix warning in pps_register_cdev when register device fail
Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error
handling in __video_register_device()"), the release hook should be set
before device_register(). Otherwise, when device_register() return error
and put_device() try to callback the release function, the below warning
may happen.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567
Modules linked in:
CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE
RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567
Call Trace:
<TASK>
kobject_cleanup+0x136/0x410 lib/kobject.c:689
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0xe9/0x130 lib/kobject.c:737
put_device+0x24/0x30 drivers/base/core.c:3797
pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402
pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108
pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57
tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432
tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563
tiocsetd drivers/tty/tty_io.c:2429 [inline]
tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl fs/ioctl.c:584 [inline]
__x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
Before commit c79a39dc8d06 ("pps: Fix a use-after-free"),
pps_register_cdev() call device_create() to create pps->dev, which will
init dev->release to device_create_release(). Now the comment is outdated,
just remove it.
Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed
in pps_register_source() to avoid a double free in the failure case.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
785c78ed0d39d1717cca3ef931d3e51337b5e90e , < 38c7bb10aae5118dd48fa7a82f7bf93839bcc320
(git)
Affected: 1a7735ab2cb9747518a7416fb5929e85442dec62 , < 2a194707ca27a3b0523023fa8b446e5ec922dc51 (git) Affected: c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7 , < 125527db41805693208ee1aacd7f3ffe6a3a489c (git) Affected: 91932db1d96b2952299ce30c1c693d834d10ace6 , < 4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8 (git) Affected: cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64 , < cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e (git) Affected: 7e5ee3281dc09014367f5112b6d566ba36ea2d49 , < f01fa3588e0b3cb1540f56d2c6bd99e5b3810234 (git) Affected: c79a39dc8d060b9e64e8b0fa9d245d44befeefbe , < 0f97564a1fb62f34b3b498e2f12caffbe99c004a (git) Affected: c79a39dc8d060b9e64e8b0fa9d245d44befeefbe , < b0531cdba5029f897da5156815e3bdafe1e9b88d (git) Affected: 85241f7de216f8298f6e48540ea13d7dcd100870 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pps/kapi.c",
"drivers/pps/pps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "38c7bb10aae5118dd48fa7a82f7bf93839bcc320",
"status": "affected",
"version": "785c78ed0d39d1717cca3ef931d3e51337b5e90e",
"versionType": "git"
},
{
"lessThan": "2a194707ca27a3b0523023fa8b446e5ec922dc51",
"status": "affected",
"version": "1a7735ab2cb9747518a7416fb5929e85442dec62",
"versionType": "git"
},
{
"lessThan": "125527db41805693208ee1aacd7f3ffe6a3a489c",
"status": "affected",
"version": "c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7",
"versionType": "git"
},
{
"lessThan": "4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8",
"status": "affected",
"version": "91932db1d96b2952299ce30c1c693d834d10ace6",
"versionType": "git"
},
{
"lessThan": "cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e",
"status": "affected",
"version": "cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64",
"versionType": "git"
},
{
"lessThan": "f01fa3588e0b3cb1540f56d2c6bd99e5b3810234",
"status": "affected",
"version": "7e5ee3281dc09014367f5112b6d566ba36ea2d49",
"versionType": "git"
},
{
"lessThan": "0f97564a1fb62f34b3b498e2f12caffbe99c004a",
"status": "affected",
"version": "c79a39dc8d060b9e64e8b0fa9d245d44befeefbe",
"versionType": "git"
},
{
"lessThan": "b0531cdba5029f897da5156815e3bdafe1e9b88d",
"status": "affected",
"version": "c79a39dc8d060b9e64e8b0fa9d245d44befeefbe",
"versionType": "git"
},
{
"status": "affected",
"version": "85241f7de216f8298f6e48540ea13d7dcd100870",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pps/kapi.c",
"drivers/pps/pps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.1.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.6.76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.12.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npps: fix warning in pps_register_cdev when register device fail\n\nSimilar to previous commit 2a934fdb01db (\"media: v4l2-dev: fix error\nhandling in __video_register_device()\"), the release hook should be set\nbefore device_register(). Otherwise, when device_register() return error\nand put_device() try to callback the release function, the below warning\nmay happen.\n\n ------------[ cut here ]------------\n WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567\n Modules linked in:\n CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE\n RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567\n Call Trace:\n \u003cTASK\u003e\n kobject_cleanup+0x136/0x410 lib/kobject.c:689\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0xe9/0x130 lib/kobject.c:737\n put_device+0x24/0x30 drivers/base/core.c:3797\n pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402\n pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108\n pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57\n tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432\n tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563\n tiocsetd drivers/tty/tty_io.c:2429 [inline]\n tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:598 [inline]\n __se_sys_ioctl fs/ioctl.c:584 [inline]\n __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\nBefore commit c79a39dc8d06 (\"pps: Fix a use-after-free\"),\npps_register_cdev() call device_create() to create pps-\u003edev, which will\ninit dev-\u003erelease to device_create_release(). Now the comment is outdated,\njust remove it.\n\nThanks for the reminder from Calvin Owens, \u0027kfree_pps\u0027 should be removed\nin pps_register_source() to avoid a double free in the failure case."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:24.328Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/38c7bb10aae5118dd48fa7a82f7bf93839bcc320"
},
{
"url": "https://git.kernel.org/stable/c/2a194707ca27a3b0523023fa8b446e5ec922dc51"
},
{
"url": "https://git.kernel.org/stable/c/125527db41805693208ee1aacd7f3ffe6a3a489c"
},
{
"url": "https://git.kernel.org/stable/c/4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8"
},
{
"url": "https://git.kernel.org/stable/c/cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e"
},
{
"url": "https://git.kernel.org/stable/c/f01fa3588e0b3cb1540f56d2c6bd99e5b3810234"
},
{
"url": "https://git.kernel.org/stable/c/0f97564a1fb62f34b3b498e2f12caffbe99c004a"
},
{
"url": "https://git.kernel.org/stable/c/b0531cdba5029f897da5156815e3bdafe1e9b88d"
}
],
"title": "pps: fix warning in pps_register_cdev when register device fail",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40070",
"datePublished": "2025-10-28T11:48:38.838Z",
"dateReserved": "2025-04-16T07:20:57.159Z",
"dateUpdated": "2025-12-01T06:17:24.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40121 (GCVE-0-2025-40121)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping
When an invalid value is passed via quirk option, currently
bytcr_rt5640 driver just ignores and leaves as is, which may lead to
unepxected results like OOB access.
This patch adds the sanity check and corrects the input mapping to the
certain default value if an invalid value is passed.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
64484ccee7af53f08cca2ee3853cb8e18914d8b2 , < bff827b0d507e52b23efab9f67c232a4f037ab2c
(git)
Affected: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 , < 64a36a7032082b4c330ce081acb6efb99246020e (git) Affected: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 , < 95e29db33b5f73218ae08ebb48c61c9a8d28e2ff (git) Affected: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 , < 2204e582b4eea872e1e7a5c90edcb84b928c68b0 (git) Affected: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 , < f197894de2f4ef46c7d53827d9df294b75c35e13 (git) Affected: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 , < fdf99978a6480e14405212472b6c747e0fa43bed (git) Affected: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 , < c60f269c123210a6846d6d1367de0eaa402c10b0 (git) Affected: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 , < 4336efb59ef364e691ef829a73d9dbd4d5ed7c7b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/boards/bytcr_rt5651.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bff827b0d507e52b23efab9f67c232a4f037ab2c",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "64a36a7032082b4c330ce081acb6efb99246020e",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "95e29db33b5f73218ae08ebb48c61c9a8d28e2ff",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "2204e582b4eea872e1e7a5c90edcb84b928c68b0",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "f197894de2f4ef46c7d53827d9df294b75c35e13",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "fdf99978a6480e14405212472b6c747e0fa43bed",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "c60f269c123210a6846d6d1367de0eaa402c10b0",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "4336efb59ef364e691ef829a73d9dbd4d5ed7c7b",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/boards/bytcr_rt5651.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping\n\nWhen an invalid value is passed via quirk option, currently\nbytcr_rt5640 driver just ignores and leaves as is, which may lead to\nunepxected results like OOB access.\n\nThis patch adds the sanity check and corrects the input mapping to the\ncertain default value if an invalid value is passed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:25.946Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bff827b0d507e52b23efab9f67c232a4f037ab2c"
},
{
"url": "https://git.kernel.org/stable/c/64a36a7032082b4c330ce081acb6efb99246020e"
},
{
"url": "https://git.kernel.org/stable/c/95e29db33b5f73218ae08ebb48c61c9a8d28e2ff"
},
{
"url": "https://git.kernel.org/stable/c/2204e582b4eea872e1e7a5c90edcb84b928c68b0"
},
{
"url": "https://git.kernel.org/stable/c/f197894de2f4ef46c7d53827d9df294b75c35e13"
},
{
"url": "https://git.kernel.org/stable/c/fdf99978a6480e14405212472b6c747e0fa43bed"
},
{
"url": "https://git.kernel.org/stable/c/c60f269c123210a6846d6d1367de0eaa402c10b0"
},
{
"url": "https://git.kernel.org/stable/c/4336efb59ef364e691ef829a73d9dbd4d5ed7c7b"
}
],
"title": "ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40121",
"datePublished": "2025-11-12T10:23:19.000Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:25.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68376 (GCVE-0-2025-68376)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
coresight: ETR: Fix ETR buffer use-after-free issue
Summary
In the Linux kernel, the following vulnerability has been resolved:
coresight: ETR: Fix ETR buffer use-after-free issue
When ETR is enabled as CS_MODE_SYSFS, if the buffer size is changed
and enabled again, currently sysfs_buf will point to the newly
allocated memory(buf_new) and free the old memory(buf_old). But the
etr_buf that is being used by the ETR remains pointed to buf_old, not
updated to buf_new. In this case, it will result in a memory
use-after-free issue.
Fix this by checking ETR's mode before updating and releasing buf_old,
if the mode is CS_MODE_SYSFS, then skip updating and releasing it.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bd2767ec3df2775bc336f441f9068a989ccb919d , < 70acbc9c77686b7a521af6d7a543dcd9c324cf07
(git)
Affected: bd2767ec3df2775bc336f441f9068a989ccb919d , < cda077a19f5c8d6ec61e5b97deca203d95e3a422 (git) Affected: bd2767ec3df2775bc336f441f9068a989ccb919d , < 35501ac3c7d40a7bb9568c2f89d6b56beaf9bed3 (git) Affected: fdd3ceb0001da6768bede9779a0190a42e65c404 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-tmc-etr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70acbc9c77686b7a521af6d7a543dcd9c324cf07",
"status": "affected",
"version": "bd2767ec3df2775bc336f441f9068a989ccb919d",
"versionType": "git"
},
{
"lessThan": "cda077a19f5c8d6ec61e5b97deca203d95e3a422",
"status": "affected",
"version": "bd2767ec3df2775bc336f441f9068a989ccb919d",
"versionType": "git"
},
{
"lessThan": "35501ac3c7d40a7bb9568c2f89d6b56beaf9bed3",
"status": "affected",
"version": "bd2767ec3df2775bc336f441f9068a989ccb919d",
"versionType": "git"
},
{
"status": "affected",
"version": "fdd3ceb0001da6768bede9779a0190a42e65c404",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-tmc-etr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: ETR: Fix ETR buffer use-after-free issue\n\nWhen ETR is enabled as CS_MODE_SYSFS, if the buffer size is changed\nand enabled again, currently sysfs_buf will point to the newly\nallocated memory(buf_new) and free the old memory(buf_old). But the\netr_buf that is being used by the ETR remains pointed to buf_old, not\nupdated to buf_new. In this case, it will result in a memory\nuse-after-free issue.\n\nFix this by checking ETR\u0027s mode before updating and releasing buf_old,\nif the mode is CS_MODE_SYSFS, then skip updating and releasing it."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:14.493Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70acbc9c77686b7a521af6d7a543dcd9c324cf07"
},
{
"url": "https://git.kernel.org/stable/c/cda077a19f5c8d6ec61e5b97deca203d95e3a422"
},
{
"url": "https://git.kernel.org/stable/c/35501ac3c7d40a7bb9568c2f89d6b56beaf9bed3"
}
],
"title": "coresight: ETR: Fix ETR buffer use-after-free issue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68376",
"datePublished": "2025-12-24T10:33:05.503Z",
"dateReserved": "2025-12-16T14:48:05.310Z",
"dateUpdated": "2026-02-09T08:32:14.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39991 (GCVE-0-2025-39991)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:58 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()
If ab->fw.m3_data points to data, then fw pointer remains null.
Further, if m3_mem is not allocated, then fw is dereferenced to be
passed to ath11k_err function.
Replace fw->size by m3_len.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7db88b962f06a52af5e9a32971012e8f3427cec0 , < 1f52119809b76d43759fc47da1cf708690b740a1
(git)
Affected: 7db88b962f06a52af5e9a32971012e8f3427cec0 , < 888830b2cbc035838bebefe94502976da94332a5 (git) Affected: 7db88b962f06a52af5e9a32971012e8f3427cec0 , < 500fcc31e488d798937a23dbb1f62db46820c5b2 (git) Affected: 7db88b962f06a52af5e9a32971012e8f3427cec0 , < 3fd2ef2ae2b5c955584a3bee8e83ae7d7a98f782 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/qmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f52119809b76d43759fc47da1cf708690b740a1",
"status": "affected",
"version": "7db88b962f06a52af5e9a32971012e8f3427cec0",
"versionType": "git"
},
{
"lessThan": "888830b2cbc035838bebefe94502976da94332a5",
"status": "affected",
"version": "7db88b962f06a52af5e9a32971012e8f3427cec0",
"versionType": "git"
},
{
"lessThan": "500fcc31e488d798937a23dbb1f62db46820c5b2",
"status": "affected",
"version": "7db88b962f06a52af5e9a32971012e8f3427cec0",
"versionType": "git"
},
{
"lessThan": "3fd2ef2ae2b5c955584a3bee8e83ae7d7a98f782",
"status": "affected",
"version": "7db88b962f06a52af5e9a32971012e8f3427cec0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/qmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()\n\nIf ab-\u003efw.m3_data points to data, then fw pointer remains null.\nFurther, if m3_mem is not allocated, then fw is dereferenced to be\npassed to ath11k_err function.\n\nReplace fw-\u003esize by m3_len.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:01.038Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f52119809b76d43759fc47da1cf708690b740a1"
},
{
"url": "https://git.kernel.org/stable/c/888830b2cbc035838bebefe94502976da94332a5"
},
{
"url": "https://git.kernel.org/stable/c/500fcc31e488d798937a23dbb1f62db46820c5b2"
},
{
"url": "https://git.kernel.org/stable/c/3fd2ef2ae2b5c955584a3bee8e83ae7d7a98f782"
}
],
"title": "wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39991",
"datePublished": "2025-10-15T07:58:17.257Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-12-01T06:16:01.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68727 (GCVE-0-2025-68727)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
ntfs3: Fix uninit buffer allocated by __getname()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: Fix uninit buffer allocated by __getname()
Fix uninit errors caused after buffer allocation given to 'de'; by
initializing the buffer with zeroes. The fix was found by using KMSAN.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
78ab59fee07f22464f32eafebab2bd97ba94ff2d , < 90e23db1a85956026999c18e76f402542cb004da
(git)
Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < 53f4d6cb97096590410f3719f75cdf9fc5120f37 (git) Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < dcb5e3cd96b77d52bb65988e4c914636a6d4fdd9 (git) Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < 4b1fd82848fdf0e01b3320815b261006c1722c3e (git) Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < d88d4b455b6794f48d7adad52593f1700c7bd50e (git) Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < b40a4eb4a0543d49686a6e693745009dac3b86a9 (git) Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < 9948dcb2f7b5a1bf8e8710eafaf6016e00be3ad6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90e23db1a85956026999c18e76f402542cb004da",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "53f4d6cb97096590410f3719f75cdf9fc5120f37",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "dcb5e3cd96b77d52bb65988e4c914636a6d4fdd9",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "4b1fd82848fdf0e01b3320815b261006c1722c3e",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "d88d4b455b6794f48d7adad52593f1700c7bd50e",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "b40a4eb4a0543d49686a6e693745009dac3b86a9",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "9948dcb2f7b5a1bf8e8710eafaf6016e00be3ad6",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: Fix uninit buffer allocated by __getname()\n\nFix uninit errors caused after buffer allocation given to \u0027de\u0027; by\ninitializing the buffer with zeroes. The fix was found by using KMSAN."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:23.446Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90e23db1a85956026999c18e76f402542cb004da"
},
{
"url": "https://git.kernel.org/stable/c/53f4d6cb97096590410f3719f75cdf9fc5120f37"
},
{
"url": "https://git.kernel.org/stable/c/dcb5e3cd96b77d52bb65988e4c914636a6d4fdd9"
},
{
"url": "https://git.kernel.org/stable/c/4b1fd82848fdf0e01b3320815b261006c1722c3e"
},
{
"url": "https://git.kernel.org/stable/c/d88d4b455b6794f48d7adad52593f1700c7bd50e"
},
{
"url": "https://git.kernel.org/stable/c/b40a4eb4a0543d49686a6e693745009dac3b86a9"
},
{
"url": "https://git.kernel.org/stable/c/9948dcb2f7b5a1bf8e8710eafaf6016e00be3ad6"
}
],
"title": "ntfs3: Fix uninit buffer allocated by __getname()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68727",
"datePublished": "2025-12-24T10:33:11.085Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-02-09T08:32:23.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40095 (GCVE-0-2025-40095)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
usb: gadget: f_rndis: Refactor bind path to use __free()
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_rndis: Refactor bind path to use __free()
After an bind/unbind cycle, the rndis->notify_req is left stale. If a
subsequent bind fails, the unified error label attempts to free this
stale request, leading to a NULL pointer dereference when accessing
ep->ops->free_request.
Refactor the error handling in the bind path to use the __free()
automatic cleanup mechanism.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
45fe3b8e5342cd1ce307099459c74011d8e01986 , < ef81226bb1f8b6e761cd0b53d2696e9c1bc955d1
(git)
Affected: 45fe3b8e5342cd1ce307099459c74011d8e01986 , < 5f65c8ad8c7292ed7e3716343fcd590a51818cc3 (git) Affected: 45fe3b8e5342cd1ce307099459c74011d8e01986 , < 380353c3a92be7d928e6f973bd065c5b79755ac3 (git) Affected: 45fe3b8e5342cd1ce307099459c74011d8e01986 , < a8366263b7e5b663d7fb489d3a9ba1e2600049a6 (git) Affected: 45fe3b8e5342cd1ce307099459c74011d8e01986 , < 08228941436047bdcd35a612c1aec0912a29d8cd (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_rndis.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ef81226bb1f8b6e761cd0b53d2696e9c1bc955d1",
"status": "affected",
"version": "45fe3b8e5342cd1ce307099459c74011d8e01986",
"versionType": "git"
},
{
"lessThan": "5f65c8ad8c7292ed7e3716343fcd590a51818cc3",
"status": "affected",
"version": "45fe3b8e5342cd1ce307099459c74011d8e01986",
"versionType": "git"
},
{
"lessThan": "380353c3a92be7d928e6f973bd065c5b79755ac3",
"status": "affected",
"version": "45fe3b8e5342cd1ce307099459c74011d8e01986",
"versionType": "git"
},
{
"lessThan": "a8366263b7e5b663d7fb489d3a9ba1e2600049a6",
"status": "affected",
"version": "45fe3b8e5342cd1ce307099459c74011d8e01986",
"versionType": "git"
},
{
"lessThan": "08228941436047bdcd35a612c1aec0912a29d8cd",
"status": "affected",
"version": "45fe3b8e5342cd1ce307099459c74011d8e01986",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_rndis.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_rndis: Refactor bind path to use __free()\n\nAfter an bind/unbind cycle, the rndis-\u003enotify_req is left stale. If a\nsubsequent bind fails, the unified error label attempts to free this\nstale request, leading to a NULL pointer dereference when accessing\nep-\u003eops-\u003efree_request.\n\nRefactor the error handling in the bind path to use the __free()\nautomatic cleanup mechanism."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:55.149Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ef81226bb1f8b6e761cd0b53d2696e9c1bc955d1"
},
{
"url": "https://git.kernel.org/stable/c/5f65c8ad8c7292ed7e3716343fcd590a51818cc3"
},
{
"url": "https://git.kernel.org/stable/c/380353c3a92be7d928e6f973bd065c5b79755ac3"
},
{
"url": "https://git.kernel.org/stable/c/a8366263b7e5b663d7fb489d3a9ba1e2600049a6"
},
{
"url": "https://git.kernel.org/stable/c/08228941436047bdcd35a612c1aec0912a29d8cd"
}
],
"title": "usb: gadget: f_rndis: Refactor bind path to use __free()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40095",
"datePublished": "2025-10-30T09:48:03.276Z",
"dateReserved": "2025-04-16T07:20:57.163Z",
"dateUpdated": "2025-12-01T06:17:55.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40059 (GCVE-0-2025-40059)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
coresight: Fix incorrect handling for return value of devm_kzalloc
Summary
In the Linux kernel, the following vulnerability has been resolved:
coresight: Fix incorrect handling for return value of devm_kzalloc
The return value of devm_kzalloc could be an null pointer,
use "!desc.pdata" to fix incorrect handling return value
of devm_kzalloc.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4277f035d227e829133df284be7e35b7236a5b0f , < 8c4e7e646d5d9050b374baf5c6bb3a00fb79e206
(git)
Affected: 4277f035d227e829133df284be7e35b7236a5b0f , < 9688b66d0a5e0eecf44f6286b8d9f7a161264035 (git) Affected: 4277f035d227e829133df284be7e35b7236a5b0f , < 70714eb7243eaf333d23501d4c7bdd9daf011c01 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-trbe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c4e7e646d5d9050b374baf5c6bb3a00fb79e206",
"status": "affected",
"version": "4277f035d227e829133df284be7e35b7236a5b0f",
"versionType": "git"
},
{
"lessThan": "9688b66d0a5e0eecf44f6286b8d9f7a161264035",
"status": "affected",
"version": "4277f035d227e829133df284be7e35b7236a5b0f",
"versionType": "git"
},
{
"lessThan": "70714eb7243eaf333d23501d4c7bdd9daf011c01",
"status": "affected",
"version": "4277f035d227e829133df284be7e35b7236a5b0f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-trbe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: Fix incorrect handling for return value of devm_kzalloc\n\nThe return value of devm_kzalloc could be an null pointer,\nuse \"!desc.pdata\" to fix incorrect handling return value\nof devm_kzalloc."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:08.310Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c4e7e646d5d9050b374baf5c6bb3a00fb79e206"
},
{
"url": "https://git.kernel.org/stable/c/9688b66d0a5e0eecf44f6286b8d9f7a161264035"
},
{
"url": "https://git.kernel.org/stable/c/70714eb7243eaf333d23501d4c7bdd9daf011c01"
}
],
"title": "coresight: Fix incorrect handling for return value of devm_kzalloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40059",
"datePublished": "2025-10-28T11:48:32.186Z",
"dateReserved": "2025-04-16T07:20:57.158Z",
"dateUpdated": "2025-12-01T06:17:08.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38643 (GCVE-0-2025-38643)
Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2026-02-19 15:39
VLAI?
EPSS
Title
wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()
Callers of wdev_chandef() must hold the wiphy mutex.
But the worker cfg80211_propagate_cac_done_wk() never takes the lock.
Which triggers the warning below with the mesh_peer_connected_dfs
test from hostapd and not (yet) released mac80211 code changes:
WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165
Modules linked in:
CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf
Workqueue: cfg80211 cfg80211_propagate_cac_done_wk
Stack:
00000000 00000001 ffffff00 6093267c
00000000 6002ec30 6d577c50 60037608
00000000 67e8d108 6063717b 00000000
Call Trace:
[<6002ec30>] ? _printk+0x0/0x98
[<6003c2b3>] show_stack+0x10e/0x11a
[<6002ec30>] ? _printk+0x0/0x98
[<60037608>] dump_stack_lvl+0x71/0xb8
[<6063717b>] ? wdev_chandef+0x60/0x165
[<6003766d>] dump_stack+0x1e/0x20
[<6005d1b7>] __warn+0x101/0x20f
[<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d
[<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec
[<60751191>] ? __this_cpu_preempt_check+0x0/0x16
[<600b11a2>] ? mark_held_locks+0x5a/0x6e
[<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d
[<60052e53>] ? unblock_signals+0x3a/0xe7
[<60052f2d>] ? um_set_signals+0x2d/0x43
[<60751191>] ? __this_cpu_preempt_check+0x0/0x16
[<607508b2>] ? lock_is_held_type+0x207/0x21f
[<6063717b>] wdev_chandef+0x60/0x165
[<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f
[<60052f00>] ? um_set_signals+0x0/0x43
[<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a
[<6007e460>] process_scheduled_works+0x3bc/0x60e
[<6007d0ec>] ? move_linked_works+0x4d/0x81
[<6007d120>] ? assign_work+0x0/0xaa
[<6007f81f>] worker_thread+0x220/0x2dc
[<600786ef>] ? set_pf_worker+0x0/0x57
[<60087c96>] ? to_kthread+0x0/0x43
[<6008ab3c>] kthread+0x2d3/0x2e2
[<6007f5ff>] ? worker_thread+0x0/0x2dc
[<6006c05b>] ? calculate_sigpending+0x0/0x56
[<6003b37d>] new_thread_handler+0x4a/0x64
irq event stamp: 614611
hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf
hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf
softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985
softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d , < defe9ce121160788547e8e6ec4438ad8a14f40dd
(git)
Affected: 26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d , < b3d24038eb775f2f7a1dfef58d8e1dc444a12820 (git) Affected: 26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d , < 4a63523d3541eef4cf504a9682e6fbe94ffe79a6 (git) Affected: 26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d , < 7022df2248c08c6f75a01714163ac902333bf3db (git) Affected: 26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d , < dbce810607726408f889d3358f4780fd1436861e (git) Affected: 26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d , < 2c5dee15239f3f3e31aa5c8808f18996c039e2c1 (git) Affected: 2dbb6faebb94d6d5ae87e5ea6be9280c366393e1 (git) Affected: a4f85674e4693904ade7cbf6722d0d105d8062d8 (git) Affected: e233cbaf8ecc5859f0417dd53899da4edb477991 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/reg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "defe9ce121160788547e8e6ec4438ad8a14f40dd",
"status": "affected",
"version": "26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d",
"versionType": "git"
},
{
"lessThan": "b3d24038eb775f2f7a1dfef58d8e1dc444a12820",
"status": "affected",
"version": "26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d",
"versionType": "git"
},
{
"lessThan": "4a63523d3541eef4cf504a9682e6fbe94ffe79a6",
"status": "affected",
"version": "26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d",
"versionType": "git"
},
{
"lessThan": "7022df2248c08c6f75a01714163ac902333bf3db",
"status": "affected",
"version": "26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d",
"versionType": "git"
},
{
"lessThan": "dbce810607726408f889d3358f4780fd1436861e",
"status": "affected",
"version": "26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d",
"versionType": "git"
},
{
"lessThan": "2c5dee15239f3f3e31aa5c8808f18996c039e2c1",
"status": "affected",
"version": "26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d",
"versionType": "git"
},
{
"status": "affected",
"version": "2dbb6faebb94d6d5ae87e5ea6be9280c366393e1",
"versionType": "git"
},
{
"status": "affected",
"version": "a4f85674e4693904ade7cbf6722d0d105d8062d8",
"versionType": "git"
},
{
"status": "affected",
"version": "e233cbaf8ecc5859f0417dd53899da4edb477991",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/reg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.57",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.57",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.170",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.102",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()\n\nCallers of wdev_chandef() must hold the wiphy mutex.\n\nBut the worker cfg80211_propagate_cac_done_wk() never takes the lock.\nWhich triggers the warning below with the mesh_peer_connected_dfs\ntest from hostapd and not (yet) released mac80211 code changes:\n\nWARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165\nModules linked in:\nCPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf\nWorkqueue: cfg80211 cfg80211_propagate_cac_done_wk\nStack:\n 00000000 00000001 ffffff00 6093267c\n 00000000 6002ec30 6d577c50 60037608\n 00000000 67e8d108 6063717b 00000000\nCall Trace:\n [\u003c6002ec30\u003e] ? _printk+0x0/0x98\n [\u003c6003c2b3\u003e] show_stack+0x10e/0x11a\n [\u003c6002ec30\u003e] ? _printk+0x0/0x98\n [\u003c60037608\u003e] dump_stack_lvl+0x71/0xb8\n [\u003c6063717b\u003e] ? wdev_chandef+0x60/0x165\n [\u003c6003766d\u003e] dump_stack+0x1e/0x20\n [\u003c6005d1b7\u003e] __warn+0x101/0x20f\n [\u003c6005d3a8\u003e] warn_slowpath_fmt+0xe3/0x15d\n [\u003c600b0c5c\u003e] ? mark_lock.part.0+0x0/0x4ec\n [\u003c60751191\u003e] ? __this_cpu_preempt_check+0x0/0x16\n [\u003c600b11a2\u003e] ? mark_held_locks+0x5a/0x6e\n [\u003c6005d2c5\u003e] ? warn_slowpath_fmt+0x0/0x15d\n [\u003c60052e53\u003e] ? unblock_signals+0x3a/0xe7\n [\u003c60052f2d\u003e] ? um_set_signals+0x2d/0x43\n [\u003c60751191\u003e] ? __this_cpu_preempt_check+0x0/0x16\n [\u003c607508b2\u003e] ? lock_is_held_type+0x207/0x21f\n [\u003c6063717b\u003e] wdev_chandef+0x60/0x165\n [\u003c605f89b4\u003e] regulatory_propagate_dfs_state+0x247/0x43f\n [\u003c60052f00\u003e] ? um_set_signals+0x0/0x43\n [\u003c605e6bfd\u003e] cfg80211_propagate_cac_done_wk+0x3a/0x4a\n [\u003c6007e460\u003e] process_scheduled_works+0x3bc/0x60e\n [\u003c6007d0ec\u003e] ? move_linked_works+0x4d/0x81\n [\u003c6007d120\u003e] ? assign_work+0x0/0xaa\n [\u003c6007f81f\u003e] worker_thread+0x220/0x2dc\n [\u003c600786ef\u003e] ? set_pf_worker+0x0/0x57\n [\u003c60087c96\u003e] ? to_kthread+0x0/0x43\n [\u003c6008ab3c\u003e] kthread+0x2d3/0x2e2\n [\u003c6007f5ff\u003e] ? worker_thread+0x0/0x2dc\n [\u003c6006c05b\u003e] ? calculate_sigpending+0x0/0x56\n [\u003c6003b37d\u003e] new_thread_handler+0x4a/0x64\nirq event stamp: 614611\nhardirqs last enabled at (614621): [\u003c00000000600bc96b\u003e] __up_console_sem+0x82/0xaf\nhardirqs last disabled at (614630): [\u003c00000000600bc92c\u003e] __up_console_sem+0x43/0xaf\nsoftirqs last enabled at (614268): [\u003c00000000606c55c6\u003e] __ieee80211_wake_queue+0x933/0x985\nsoftirqs last disabled at (614266): [\u003c00000000606c52d6\u003e] __ieee80211_wake_queue+0x643/0x985"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T15:39:17.927Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/defe9ce121160788547e8e6ec4438ad8a14f40dd"
},
{
"url": "https://git.kernel.org/stable/c/b3d24038eb775f2f7a1dfef58d8e1dc444a12820"
},
{
"url": "https://git.kernel.org/stable/c/4a63523d3541eef4cf504a9682e6fbe94ffe79a6"
},
{
"url": "https://git.kernel.org/stable/c/7022df2248c08c6f75a01714163ac902333bf3db"
},
{
"url": "https://git.kernel.org/stable/c/dbce810607726408f889d3358f4780fd1436861e"
},
{
"url": "https://git.kernel.org/stable/c/2c5dee15239f3f3e31aa5c8808f18996c039e2c1"
}
],
"title": "wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38643",
"datePublished": "2025-08-22T16:00:49.172Z",
"dateReserved": "2025-04-16T04:51:24.030Z",
"dateUpdated": "2026-02-19T15:39:17.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40277 (GCVE-0-2025-40277)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51
VLAI?
EPSS
Title
drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE
This data originates from userspace and is used in buffer offset
calculations which could potentially overflow causing an out-of-bounds
access.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < e58559845021c3bad5e094219378b869157fad53
(git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 54d458b244893e47bda52ec3943fdfbc8d7d068b (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173 (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < a3abb54c27b2c393c44362399777ad2f6e1ff17e (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < b5df9e06eed3df6a4f5c6f8453013b0cabb927b4 (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0 (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e58559845021c3bad5e094219378b869157fad53",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "54d458b244893e47bda52ec3943fdfbc8d7d068b",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "a3abb54c27b2c393c44362399777ad2f6e1ff17e",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "b5df9e06eed3df6a4f5c6f8453013b0cabb927b4",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE\n\nThis data originates from userspace and is used in buffer offset\ncalculations which could potentially overflow causing an out-of-bounds\naccess."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:00.437Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e58559845021c3bad5e094219378b869157fad53"
},
{
"url": "https://git.kernel.org/stable/c/54d458b244893e47bda52ec3943fdfbc8d7d068b"
},
{
"url": "https://git.kernel.org/stable/c/709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173"
},
{
"url": "https://git.kernel.org/stable/c/a3abb54c27b2c393c44362399777ad2f6e1ff17e"
},
{
"url": "https://git.kernel.org/stable/c/b5df9e06eed3df6a4f5c6f8453013b0cabb927b4"
},
{
"url": "https://git.kernel.org/stable/c/5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc"
},
{
"url": "https://git.kernel.org/stable/c/f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0"
},
{
"url": "https://git.kernel.org/stable/c/32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af"
}
],
"title": "drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40277",
"datePublished": "2025-12-06T21:51:00.437Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:00.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71097 (GCVE-0-2025-71097)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
ipv4: Fix reference count leak when using error routes with nexthop objects
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: Fix reference count leak when using error routes with nexthop objects
When a nexthop object is deleted, it is marked as dead and then
fib_table_flush() is called to flush all the routes that are using the
dead nexthop.
The current logic in fib_table_flush() is to only flush error routes
(e.g., blackhole) when it is called as part of network namespace
dismantle (i.e., with flush_all=true). Therefore, error routes are not
flushed when their nexthop object is deleted:
# ip link add name dummy1 up type dummy
# ip nexthop add id 1 dev dummy1
# ip route add 198.51.100.1/32 nhid 1
# ip route add blackhole 198.51.100.2/32 nhid 1
# ip nexthop del id 1
# ip route show
blackhole 198.51.100.2 nhid 1 dev dummy1
As such, they keep holding a reference on the nexthop object which in
turn holds a reference on the nexthop device, resulting in a reference
count leak:
# ip link del dev dummy1
[ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2
Fix by flushing error routes when their nexthop is marked as dead.
IPv6 does not suffer from this problem.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < 5de7ad7e18356e39e8fbf7edd185a5faaf4f385a
(git)
Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < 33ff5c207c873215e54e6176624ed57423cb7dea (git) Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < 30386e090c49e803c0616a7147e43409c32a2b0e (git) Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < 5979338c83012110ccd45cae6517591770bfe536 (git) Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < ee4183501ea556dca31f5ffd8690aa9fd25b609f (git) Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < e3fc381320d04e4a74311e576a86cac49a16fc43 (git) Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < ac782f4e3bfcde145b8a7f8af31d9422d94d172a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/fib_trie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5de7ad7e18356e39e8fbf7edd185a5faaf4f385a",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "33ff5c207c873215e54e6176624ed57423cb7dea",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "30386e090c49e803c0616a7147e43409c32a2b0e",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "5979338c83012110ccd45cae6517591770bfe536",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "ee4183501ea556dca31f5ffd8690aa9fd25b609f",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "e3fc381320d04e4a74311e576a86cac49a16fc43",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "ac782f4e3bfcde145b8a7f8af31d9422d94d172a",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/fib_trie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix reference count leak when using error routes with nexthop objects\n\nWhen a nexthop object is deleted, it is marked as dead and then\nfib_table_flush() is called to flush all the routes that are using the\ndead nexthop.\n\nThe current logic in fib_table_flush() is to only flush error routes\n(e.g., blackhole) when it is called as part of network namespace\ndismantle (i.e., with flush_all=true). Therefore, error routes are not\nflushed when their nexthop object is deleted:\n\n # ip link add name dummy1 up type dummy\n # ip nexthop add id 1 dev dummy1\n # ip route add 198.51.100.1/32 nhid 1\n # ip route add blackhole 198.51.100.2/32 nhid 1\n # ip nexthop del id 1\n # ip route show\n blackhole 198.51.100.2 nhid 1 dev dummy1\n\nAs such, they keep holding a reference on the nexthop object which in\nturn holds a reference on the nexthop device, resulting in a reference\ncount leak:\n\n # ip link del dev dummy1\n [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2\n\nFix by flushing error routes when their nexthop is marked as dead.\n\nIPv6 does not suffer from this problem."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:49.901Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5de7ad7e18356e39e8fbf7edd185a5faaf4f385a"
},
{
"url": "https://git.kernel.org/stable/c/33ff5c207c873215e54e6176624ed57423cb7dea"
},
{
"url": "https://git.kernel.org/stable/c/30386e090c49e803c0616a7147e43409c32a2b0e"
},
{
"url": "https://git.kernel.org/stable/c/5979338c83012110ccd45cae6517591770bfe536"
},
{
"url": "https://git.kernel.org/stable/c/ee4183501ea556dca31f5ffd8690aa9fd25b609f"
},
{
"url": "https://git.kernel.org/stable/c/e3fc381320d04e4a74311e576a86cac49a16fc43"
},
{
"url": "https://git.kernel.org/stable/c/ac782f4e3bfcde145b8a7f8af31d9422d94d172a"
}
],
"title": "ipv4: Fix reference count leak when using error routes with nexthop objects",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71097",
"datePublished": "2026-01-13T15:34:56.814Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-02-09T08:34:49.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68804 (GCVE-0-2025-68804)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
After unbinding the driver, another kthread `cros_ec_console_log_work`
is still accessing the device, resulting an UAF and crash.
The driver doesn't unregister the EC device in .remove() which should
shutdown sub-devices synchronously. Fix it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
26a14267aff218c60b89007fdb44ca392ba6122c , < 27037916db38e6b78a0242031d3b93d997b84020
(git)
Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < e1da6e399df976dd04c7c73ec008bc81da368a95 (git) Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < 8dc1f5a85286290dbf04dd5951d020570f49779b (git) Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < 393b8f9bedc7806acb9c47cefdbdb223b4b6164b (git) Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < 4701493ba37654b3c38b526f6591cf0b02aa172f (git) Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < 24a2062257bbdfc831de5ed21c27b04b5bdf2437 (git) Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < 944edca81e7aea15f83cf9a13a6ab67f711e8abd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/chrome/cros_ec_ishtp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27037916db38e6b78a0242031d3b93d997b84020",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "e1da6e399df976dd04c7c73ec008bc81da368a95",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "8dc1f5a85286290dbf04dd5951d020570f49779b",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "393b8f9bedc7806acb9c47cefdbdb223b4b6164b",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "4701493ba37654b3c38b526f6591cf0b02aa172f",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "24a2062257bbdfc831de5ed21c27b04b5bdf2437",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "944edca81e7aea15f83cf9a13a6ab67f711e8abd",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/chrome/cros_ec_ishtp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver\n\nAfter unbinding the driver, another kthread `cros_ec_console_log_work`\nis still accessing the device, resulting an UAF and crash.\n\nThe driver doesn\u0027t unregister the EC device in .remove() which should\nshutdown sub-devices synchronously. Fix it."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:53.030Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27037916db38e6b78a0242031d3b93d997b84020"
},
{
"url": "https://git.kernel.org/stable/c/e1da6e399df976dd04c7c73ec008bc81da368a95"
},
{
"url": "https://git.kernel.org/stable/c/8dc1f5a85286290dbf04dd5951d020570f49779b"
},
{
"url": "https://git.kernel.org/stable/c/393b8f9bedc7806acb9c47cefdbdb223b4b6164b"
},
{
"url": "https://git.kernel.org/stable/c/4701493ba37654b3c38b526f6591cf0b02aa172f"
},
{
"url": "https://git.kernel.org/stable/c/24a2062257bbdfc831de5ed21c27b04b5bdf2437"
},
{
"url": "https://git.kernel.org/stable/c/944edca81e7aea15f83cf9a13a6ab67f711e8abd"
}
],
"title": "platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68804",
"datePublished": "2026-01-13T15:29:12.418Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-02-09T08:33:53.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68289 (GCVE-0-2025-68289)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
usb: gadget: f_eem: Fix memory leak in eem_unwrap
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_eem: Fix memory leak in eem_unwrap
The existing code did not handle the failure case of usb_ep_queue in the
command path, potentially leading to memory leaks.
Improve error handling to free all allocated resources on usb_ep_queue
failure. This patch continues to use goto logic for error handling, as the
existing error handling is complex and not easily adaptable to auto-cleanup
helpers.
kmemleak results:
unreferenced object 0xffffff895a512300 (size 240):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
kmem_cache_alloc+0x1b4/0x358
skb_clone+0x90/0xd8
eem_unwrap+0x1cc/0x36c
unreferenced object 0xffffff8a157f4000 (size 256):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
__kmem_cache_alloc_node+0x1b4/0x2dc
kmalloc_trace+0x48/0x140
dwc3_gadget_ep_alloc_request+0x58/0x11c
usb_ep_alloc_request+0x40/0xe4
eem_unwrap+0x204/0x36c
unreferenced object 0xffffff8aadbaac00 (size 128):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
__kmem_cache_alloc_node+0x1b4/0x2dc
__kmalloc+0x64/0x1a8
eem_unwrap+0x218/0x36c
unreferenced object 0xffffff89ccef3500 (size 64):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
__kmem_cache_alloc_node+0x1b4/0x2dc
kmalloc_trace+0x48/0x140
eem_unwrap+0x238/0x36c
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3b545788505b2e2883aff13bdddeacaf88942a4f , < a9985a88b2fc29fbe1657fe8518908e261d6889c
(git)
Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < 5a1628283cd9dccf1e44acfb74e77504f4dc7472 (git) Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < 0ac07e476944a5e4c2b8b087dd167dec248c1bdf (git) Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < 41434488ca714ab15cb2a4d0378418d1be8052d2 (git) Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < e72c963177c708a167a7e17ed6c76320815157cf (git) Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < 0dea2e0069a7e9aa034696f8065945b7be6dd6b7 (git) Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < e4f5ce990818d37930cd9fb0be29eee0553c59d9 (git) Affected: d55a236f1bab102e353ea5abb7b7b6ff7e847294 (git) Affected: 8e275d3d5915a8f7db3786e3f84534bb48245f4c (git) Affected: 3680a6ff9a9ccd3c664663da04bef2534397d591 (git) Affected: d654be97e1b679616e3337b871a9ec8f31a88841 (git) Affected: 8bdef7f21cb6e53c0ce3e1cbcb05975aa0dd0fe9 (git) Affected: 77d7f071883cf2921a7547f82e41f15f7f860e35 (git) Affected: a55093941e38113dd6f5f5d5d2705fec3018f332 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_eem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9985a88b2fc29fbe1657fe8518908e261d6889c",
"status": "affected",
"version": "3b545788505b2e2883aff13bdddeacaf88942a4f",
"versionType": "git"
},
{
"lessThan": "5a1628283cd9dccf1e44acfb74e77504f4dc7472",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"lessThan": "0ac07e476944a5e4c2b8b087dd167dec248c1bdf",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"lessThan": "41434488ca714ab15cb2a4d0378418d1be8052d2",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"lessThan": "e72c963177c708a167a7e17ed6c76320815157cf",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"lessThan": "0dea2e0069a7e9aa034696f8065945b7be6dd6b7",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"lessThan": "e4f5ce990818d37930cd9fb0be29eee0553c59d9",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"status": "affected",
"version": "d55a236f1bab102e353ea5abb7b7b6ff7e847294",
"versionType": "git"
},
{
"status": "affected",
"version": "8e275d3d5915a8f7db3786e3f84534bb48245f4c",
"versionType": "git"
},
{
"status": "affected",
"version": "3680a6ff9a9ccd3c664663da04bef2534397d591",
"versionType": "git"
},
{
"status": "affected",
"version": "d654be97e1b679616e3337b871a9ec8f31a88841",
"versionType": "git"
},
{
"status": "affected",
"version": "8bdef7f21cb6e53c0ce3e1cbcb05975aa0dd0fe9",
"versionType": "git"
},
{
"status": "affected",
"version": "77d7f071883cf2921a7547f82e41f15f7f860e35",
"versionType": "git"
},
{
"status": "affected",
"version": "a55093941e38113dd6f5f5d5d2705fec3018f332",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_eem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.50",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.240",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.132",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.12.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_eem: Fix memory leak in eem_unwrap\n\nThe existing code did not handle the failure case of usb_ep_queue in the\ncommand path, potentially leading to memory leaks.\n\nImprove error handling to free all allocated resources on usb_ep_queue\nfailure. This patch continues to use goto logic for error handling, as the\nexisting error handling is complex and not easily adaptable to auto-cleanup\nhelpers.\n\nkmemleak results:\n unreferenced object 0xffffff895a512300 (size 240):\n backtrace:\n slab_post_alloc_hook+0xbc/0x3a4\n kmem_cache_alloc+0x1b4/0x358\n skb_clone+0x90/0xd8\n eem_unwrap+0x1cc/0x36c\n unreferenced object 0xffffff8a157f4000 (size 256):\n backtrace:\n slab_post_alloc_hook+0xbc/0x3a4\n __kmem_cache_alloc_node+0x1b4/0x2dc\n kmalloc_trace+0x48/0x140\n dwc3_gadget_ep_alloc_request+0x58/0x11c\n usb_ep_alloc_request+0x40/0xe4\n eem_unwrap+0x204/0x36c\n unreferenced object 0xffffff8aadbaac00 (size 128):\n backtrace:\n slab_post_alloc_hook+0xbc/0x3a4\n __kmem_cache_alloc_node+0x1b4/0x2dc\n __kmalloc+0x64/0x1a8\n eem_unwrap+0x218/0x36c\n unreferenced object 0xffffff89ccef3500 (size 64):\n backtrace:\n slab_post_alloc_hook+0xbc/0x3a4\n __kmem_cache_alloc_node+0x1b4/0x2dc\n kmalloc_trace+0x48/0x140\n eem_unwrap+0x238/0x36c"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:10.450Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9985a88b2fc29fbe1657fe8518908e261d6889c"
},
{
"url": "https://git.kernel.org/stable/c/5a1628283cd9dccf1e44acfb74e77504f4dc7472"
},
{
"url": "https://git.kernel.org/stable/c/0ac07e476944a5e4c2b8b087dd167dec248c1bdf"
},
{
"url": "https://git.kernel.org/stable/c/41434488ca714ab15cb2a4d0378418d1be8052d2"
},
{
"url": "https://git.kernel.org/stable/c/e72c963177c708a167a7e17ed6c76320815157cf"
},
{
"url": "https://git.kernel.org/stable/c/0dea2e0069a7e9aa034696f8065945b7be6dd6b7"
},
{
"url": "https://git.kernel.org/stable/c/e4f5ce990818d37930cd9fb0be29eee0553c59d9"
}
],
"title": "usb: gadget: f_eem: Fix memory leak in eem_unwrap",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68289",
"datePublished": "2025-12-16T15:06:10.450Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-16T15:06:10.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68732 (GCVE-0-2025-68732)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
gpu: host1x: Fix race in syncpt alloc/free
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpu: host1x: Fix race in syncpt alloc/free
Fix race condition between host1x_syncpt_alloc()
and host1x_syncpt_put() by using kref_put_mutex()
instead of kref_put() + manual mutex locking.
This ensures no thread can acquire the
syncpt_mutex after the refcount drops to zero
but before syncpt_release acquires it.
This prevents races where syncpoints could
be allocated while still being cleaned up
from a previous release.
Remove explicit mutex locking in syncpt_release
as kref_put_mutex() handles this atomically.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f5ba33fb9690566c382624637125827b5512e766 , < ca9388fba50dac2eb71c13702b7022a801bef90e
(git)
Affected: f5ba33fb9690566c382624637125827b5512e766 , < 4aeaece518fa4436af93d1d8b786200d9656ff4b (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < 6245cce711e2cdb2cc75c0bb8632952e36f8c972 (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < 4e6e07ce0197aecfb6c4a62862acc93b3efedeb7 (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < d138f73ffb0c57ded473c577719e6e551b7b1f27 (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < 79197c6007f2afbfd7bcf5b9b80ccabf8483d774 (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < c7d393267c497502fa737607f435f05dfe6e3d9b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/host1x/syncpt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca9388fba50dac2eb71c13702b7022a801bef90e",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "4aeaece518fa4436af93d1d8b786200d9656ff4b",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "6245cce711e2cdb2cc75c0bb8632952e36f8c972",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "4e6e07ce0197aecfb6c4a62862acc93b3efedeb7",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "d138f73ffb0c57ded473c577719e6e551b7b1f27",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "79197c6007f2afbfd7bcf5b9b80ccabf8483d774",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "c7d393267c497502fa737607f435f05dfe6e3d9b",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/host1x/syncpt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpu: host1x: Fix race in syncpt alloc/free\n\nFix race condition between host1x_syncpt_alloc()\nand host1x_syncpt_put() by using kref_put_mutex()\ninstead of kref_put() + manual mutex locking.\n\nThis ensures no thread can acquire the\nsyncpt_mutex after the refcount drops to zero\nbut before syncpt_release acquires it.\nThis prevents races where syncpoints could\nbe allocated while still being cleaned up\nfrom a previous release.\n\nRemove explicit mutex locking in syncpt_release\nas kref_put_mutex() handles this atomically."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:28.684Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca9388fba50dac2eb71c13702b7022a801bef90e"
},
{
"url": "https://git.kernel.org/stable/c/4aeaece518fa4436af93d1d8b786200d9656ff4b"
},
{
"url": "https://git.kernel.org/stable/c/6245cce711e2cdb2cc75c0bb8632952e36f8c972"
},
{
"url": "https://git.kernel.org/stable/c/4e6e07ce0197aecfb6c4a62862acc93b3efedeb7"
},
{
"url": "https://git.kernel.org/stable/c/d138f73ffb0c57ded473c577719e6e551b7b1f27"
},
{
"url": "https://git.kernel.org/stable/c/79197c6007f2afbfd7bcf5b9b80ccabf8483d774"
},
{
"url": "https://git.kernel.org/stable/c/c7d393267c497502fa737607f435f05dfe6e3d9b"
}
],
"title": "gpu: host1x: Fix race in syncpt alloc/free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68732",
"datePublished": "2025-12-24T10:33:14.664Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-02-09T08:32:28.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68322 (GCVE-0-2025-68322)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:44 – Updated: 2026-01-02 15:35
VLAI?
EPSS
Title
parisc: Avoid crash due to unaligned access in unwinder
Summary
In the Linux kernel, the following vulnerability has been resolved:
parisc: Avoid crash due to unaligned access in unwinder
Guenter Roeck reported this kernel crash on his emulated B160L machine:
Starting network: udhcpc: started, v1.36.1
Backtrace:
[<104320d4>] unwind_once+0x1c/0x5c
[<10434a00>] walk_stackframe.isra.0+0x74/0xb8
[<10434a6c>] arch_stack_walk+0x28/0x38
[<104e5efc>] stack_trace_save+0x48/0x5c
[<105d1bdc>] set_track_prepare+0x44/0x6c
[<105d9c80>] ___slab_alloc+0xfc4/0x1024
[<105d9d38>] __slab_alloc.isra.0+0x58/0x90
[<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0
[<105b8e54>] __anon_vma_prepare+0x60/0x280
[<105a823c>] __vmf_anon_prepare+0x68/0x94
[<105a8b34>] do_wp_page+0x8cc/0xf10
[<105aad88>] handle_mm_fault+0x6c0/0xf08
[<10425568>] do_page_fault+0x110/0x440
[<10427938>] handle_interruption+0x184/0x748
[<11178398>] schedule+0x4c/0x190
BUG: spinlock recursion on CPU#0, ifconfig/2420
lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0
While creating the stack trace, the unwinder uses the stack pointer to guess
the previous frame to read the previous stack pointer from memory. The crash
happens, because the unwinder tries to read from unaligned memory and as such
triggers the unalignment trap handler which then leads to the spinlock
recursion and finally to a deadlock.
Fix it by checking the alignment before accessing the memory.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c8921d72e390cb6fca3fb2b0c2badfda851647eb , < 9ac1f44723f26881b9fe7e69c7bc25397b879155
(git)
Affected: c8921d72e390cb6fca3fb2b0c2badfda851647eb , < 009270208f76456c2cefcd565da263b90bb2eadb (git) Affected: c8921d72e390cb6fca3fb2b0c2badfda851647eb , < fd9f30d1038ee1624baa17a6ff11effe5f7617cb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/parisc/kernel/unwind.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ac1f44723f26881b9fe7e69c7bc25397b879155",
"status": "affected",
"version": "c8921d72e390cb6fca3fb2b0c2badfda851647eb",
"versionType": "git"
},
{
"lessThan": "009270208f76456c2cefcd565da263b90bb2eadb",
"status": "affected",
"version": "c8921d72e390cb6fca3fb2b0c2badfda851647eb",
"versionType": "git"
},
{
"lessThan": "fd9f30d1038ee1624baa17a6ff11effe5f7617cb",
"status": "affected",
"version": "c8921d72e390cb6fca3fb2b0c2badfda851647eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/parisc/kernel/unwind.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Avoid crash due to unaligned access in unwinder\n\nGuenter Roeck reported this kernel crash on his emulated B160L machine:\n\nStarting network: udhcpc: started, v1.36.1\n Backtrace:\n [\u003c104320d4\u003e] unwind_once+0x1c/0x5c\n [\u003c10434a00\u003e] walk_stackframe.isra.0+0x74/0xb8\n [\u003c10434a6c\u003e] arch_stack_walk+0x28/0x38\n [\u003c104e5efc\u003e] stack_trace_save+0x48/0x5c\n [\u003c105d1bdc\u003e] set_track_prepare+0x44/0x6c\n [\u003c105d9c80\u003e] ___slab_alloc+0xfc4/0x1024\n [\u003c105d9d38\u003e] __slab_alloc.isra.0+0x58/0x90\n [\u003c105dc80c\u003e] kmem_cache_alloc_noprof+0x2ac/0x4a0\n [\u003c105b8e54\u003e] __anon_vma_prepare+0x60/0x280\n [\u003c105a823c\u003e] __vmf_anon_prepare+0x68/0x94\n [\u003c105a8b34\u003e] do_wp_page+0x8cc/0xf10\n [\u003c105aad88\u003e] handle_mm_fault+0x6c0/0xf08\n [\u003c10425568\u003e] do_page_fault+0x110/0x440\n [\u003c10427938\u003e] handle_interruption+0x184/0x748\n [\u003c11178398\u003e] schedule+0x4c/0x190\n BUG: spinlock recursion on CPU#0, ifconfig/2420\n lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0\n\nWhile creating the stack trace, the unwinder uses the stack pointer to guess\nthe previous frame to read the previous stack pointer from memory. The crash\nhappens, because the unwinder tries to read from unaligned memory and as such\ntriggers the unalignment trap handler which then leads to the spinlock\nrecursion and finally to a deadlock.\n\nFix it by checking the alignment before accessing the memory."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:35:07.725Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ac1f44723f26881b9fe7e69c7bc25397b879155"
},
{
"url": "https://git.kernel.org/stable/c/009270208f76456c2cefcd565da263b90bb2eadb"
},
{
"url": "https://git.kernel.org/stable/c/fd9f30d1038ee1624baa17a6ff11effe5f7617cb"
}
],
"title": "parisc: Avoid crash due to unaligned access in unwinder",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68322",
"datePublished": "2025-12-16T15:44:19.850Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2026-01-02T15:35:07.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40207 (GCVE-0-2025-40207)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:20
VLAI?
EPSS
Title
media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()
v4l2_subdev_call_state_try() macro allocates a subdev state with
__v4l2_subdev_state_alloc(), but does not check the returned value. If
__v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would
cause v4l2_subdev_call_state_try() to crash.
Add proper error handling to v4l2_subdev_call_state_try().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
982c0487185bd466059ff618f398a8d074ddb654 , < 5b0057459cdc243ffb35617603142dcace09c711
(git)
Affected: 982c0487185bd466059ff618f398a8d074ddb654 , < ed30811fbed40751deb952bde534aa2632dc0bf7 (git) Affected: 982c0487185bd466059ff618f398a8d074ddb654 , < 94e6336dc1f06a06f5b4cd04d4a012bba34f2857 (git) Affected: 982c0487185bd466059ff618f398a8d074ddb654 , < a553530b3314a0bdc98cf114cdbe204551a70a00 (git) Affected: 982c0487185bd466059ff618f398a8d074ddb654 , < f37df9a0eb5e43fcfe02cbaef076123dc0d79c7e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/media/v4l2-subdev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b0057459cdc243ffb35617603142dcace09c711",
"status": "affected",
"version": "982c0487185bd466059ff618f398a8d074ddb654",
"versionType": "git"
},
{
"lessThan": "ed30811fbed40751deb952bde534aa2632dc0bf7",
"status": "affected",
"version": "982c0487185bd466059ff618f398a8d074ddb654",
"versionType": "git"
},
{
"lessThan": "94e6336dc1f06a06f5b4cd04d4a012bba34f2857",
"status": "affected",
"version": "982c0487185bd466059ff618f398a8d074ddb654",
"versionType": "git"
},
{
"lessThan": "a553530b3314a0bdc98cf114cdbe204551a70a00",
"status": "affected",
"version": "982c0487185bd466059ff618f398a8d074ddb654",
"versionType": "git"
},
{
"lessThan": "f37df9a0eb5e43fcfe02cbaef076123dc0d79c7e",
"status": "affected",
"version": "982c0487185bd466059ff618f398a8d074ddb654",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/media/v4l2-subdev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()\n\nv4l2_subdev_call_state_try() macro allocates a subdev state with\n__v4l2_subdev_state_alloc(), but does not check the returned value. If\n__v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would\ncause v4l2_subdev_call_state_try() to crash.\n\nAdd proper error handling to v4l2_subdev_call_state_try()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:11.419Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b0057459cdc243ffb35617603142dcace09c711"
},
{
"url": "https://git.kernel.org/stable/c/ed30811fbed40751deb952bde534aa2632dc0bf7"
},
{
"url": "https://git.kernel.org/stable/c/94e6336dc1f06a06f5b4cd04d4a012bba34f2857"
},
{
"url": "https://git.kernel.org/stable/c/a553530b3314a0bdc98cf114cdbe204551a70a00"
},
{
"url": "https://git.kernel.org/stable/c/f37df9a0eb5e43fcfe02cbaef076123dc0d79c7e"
}
],
"title": "media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40207",
"datePublished": "2025-11-12T21:56:35.988Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-01T06:20:11.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-23133 (GCVE-0-2025-23133)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2025-09-09 17:05
VLAI?
EPSS
Title
wifi: ath11k: update channel list in reg notifier instead reg worker
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: update channel list in reg notifier instead reg worker
Currently when ath11k gets a new channel list, it will be processed
according to the following steps:
1. update new channel list to cfg80211 and queue reg_work.
2. cfg80211 handles new channel list during reg_work.
3. update cfg80211's handled channel list to firmware by
ath11k_reg_update_chan_list().
But ath11k will immediately execute step 3 after reg_work is just
queued. Since step 2 is asynchronous, cfg80211 may not have completed
handling the new channel list, which may leading to an out-of-bounds
write error:
BUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list
Call Trace:
ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k]
kfree+0x109/0x3a0
ath11k_regd_update+0x1cf/0x350 [ath11k]
ath11k_regd_update_work+0x14/0x20 [ath11k]
process_one_work+0xe35/0x14c0
Should ensure step 2 is completely done before executing step 3. Thus
Wen raised patch[1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set,
cfg80211 will notify ath11k after step 2 is done.
So enable the flag NL80211_REGDOM_SET_BY_DRIVER then cfg80211 will
notify ath11k after step 2 is done. At this time, there will be no
KASAN bug during the execution of the step 3.
[1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.27203-1-quic_wgong@quicinc.com/
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f45cb6b29cd36514e13f7519770873d8c0457008 , < 26618c039b78a76c373d4e02c5fbd52e3a73aead
(git)
Affected: f45cb6b29cd36514e13f7519770873d8c0457008 , < f952fb83c9c6f908d27500764c4aee1df04b9d3f (git) Affected: f45cb6b29cd36514e13f7519770873d8c0457008 , < 933ab187e679e6fbdeea1835ae39efcc59c022d2 (git) Affected: f96fd36936310cefe0ea1370a9ae30e6746e6f62 (git) Affected: c97b120950b49d76bdce013bd4d9577d769465f4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/reg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "26618c039b78a76c373d4e02c5fbd52e3a73aead",
"status": "affected",
"version": "f45cb6b29cd36514e13f7519770873d8c0457008",
"versionType": "git"
},
{
"lessThan": "f952fb83c9c6f908d27500764c4aee1df04b9d3f",
"status": "affected",
"version": "f45cb6b29cd36514e13f7519770873d8c0457008",
"versionType": "git"
},
{
"lessThan": "933ab187e679e6fbdeea1835ae39efcc59c022d2",
"status": "affected",
"version": "f45cb6b29cd36514e13f7519770873d8c0457008",
"versionType": "git"
},
{
"status": "affected",
"version": "f96fd36936310cefe0ea1370a9ae30e6746e6f62",
"versionType": "git"
},
{
"status": "affected",
"version": "c97b120950b49d76bdce013bd4d9577d769465f4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/reg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: update channel list in reg notifier instead reg worker\n\nCurrently when ath11k gets a new channel list, it will be processed\naccording to the following steps:\n1. update new channel list to cfg80211 and queue reg_work.\n2. cfg80211 handles new channel list during reg_work.\n3. update cfg80211\u0027s handled channel list to firmware by\nath11k_reg_update_chan_list().\n\nBut ath11k will immediately execute step 3 after reg_work is just\nqueued. Since step 2 is asynchronous, cfg80211 may not have completed\nhandling the new channel list, which may leading to an out-of-bounds\nwrite error:\nBUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list\nCall Trace:\n ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k]\n kfree+0x109/0x3a0\n ath11k_regd_update+0x1cf/0x350 [ath11k]\n ath11k_regd_update_work+0x14/0x20 [ath11k]\n process_one_work+0xe35/0x14c0\n\nShould ensure step 2 is completely done before executing step 3. Thus\nWen raised patch[1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set,\ncfg80211 will notify ath11k after step 2 is done.\n\nSo enable the flag NL80211_REGDOM_SET_BY_DRIVER then cfg80211 will\nnotify ath11k after step 2 is done. At this time, there will be no\nKASAN bug during the execution of the step 3.\n\n[1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.27203-1-quic_wgong@quicinc.com/\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T17:05:55.103Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/26618c039b78a76c373d4e02c5fbd52e3a73aead"
},
{
"url": "https://git.kernel.org/stable/c/f952fb83c9c6f908d27500764c4aee1df04b9d3f"
},
{
"url": "https://git.kernel.org/stable/c/933ab187e679e6fbdeea1835ae39efcc59c022d2"
}
],
"title": "wifi: ath11k: update channel list in reg notifier instead reg worker",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-23133",
"datePublished": "2025-04-16T14:13:14.485Z",
"dateReserved": "2025-01-11T14:28:41.511Z",
"dateUpdated": "2025-09-09T17:05:55.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-71104 (GCVE-0-2025-71104)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
When advancing the target expiration for the guest's APIC timer in periodic
mode, set the expiration to "now" if the target expiration is in the past
(similar to what is done in update_target_expiration()). Blindly adding
the period to the previous target expiration can result in KVM generating
a practically unbounded number of hrtimer IRQs due to programming an
expired timer over and over. In extreme scenarios, e.g. if userspace
pauses/suspends a VM for an extended duration, this can even cause hard
lockups in the host.
Currently, the bug only affects Intel CPUs when using the hypervisor timer
(HV timer), a.k.a. the VMX preemption timer. Unlike the software timer,
a.k.a. hrtimer, which KVM keeps running even on exits to userspace, the
HV timer only runs while the guest is active. As a result, if the vCPU
does not run for an extended duration, there will be a huge gap between
the target expiration and the current time the vCPU resumes running.
Because the target expiration is incremented by only one period on each
timer expiration, this leads to a series of timer expirations occurring
rapidly after the vCPU/VM resumes.
More critically, when the vCPU first triggers a periodic HV timer
expiration after resuming, advancing the expiration by only one period
will result in a target expiration in the past. As a result, the delta
may be calculated as a negative value. When the delta is converted into
an absolute value (tscdeadline is an unsigned u64), the resulting value
can overflow what the HV timer is capable of programming. I.e. the large
value will exceed the VMX Preemption Timer's maximum bit width of
cpu_preemption_timer_multi + 32, and thus cause KVM to switch from the
HV timer to the software timer (hrtimers).
After switching to the software timer, periodic timer expiration callbacks
may be executed consecutively within a single clock interrupt handler,
because hrtimers honors KVM's request for an expiration in the past and
immediately re-invokes KVM's callback after reprogramming. And because
the interrupt handler runs with IRQs disabled, restarting KVM's hrtimer
over and over until the target expiration is advanced to "now" can result
in a hard lockup.
E.g. the following hard lockup was triggered in the host when running a
Windows VM (only relevant because it used the APIC timer in periodic mode)
after resuming the VM from a long suspend (in the host).
NMI watchdog: Watchdog detected hard LOCKUP on cpu 45
...
RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm]
...
RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046
RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc
RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500
RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0
R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0
R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8
FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0
PKRU: 55555554
Call Trace:
<IRQ>
apic_timer_fn+0x31/0x50 [kvm]
__hrtimer_run_queues+0x100/0x280
hrtimer_interrupt+0x100/0x210
? ttwu_do_wakeup+0x19/0x160
smp_apic_timer_interrupt+0x6a/0x130
apic_timer_interrupt+0xf/0x20
</IRQ>
Moreover, if the suspend duration of the virtual machine is not long enough
to trigger a hard lockup in this scenario, since commit 98c25ead5eda
("KVM: VMX: Move preemption timer <=> hrtimer dance to common x86"), KVM
will continue using the software timer until the guest reprograms the APIC
timer in some way. Since the periodic timer does not require frequent APIC
timer register programming, the guest may continue to use the software
timer in
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc , < 786ed625c125c5cd180d6aaa37e653e3e4ffb8d9
(git)
Affected: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc , < d2da0df7bbc4fb4fd7d0a1da704f81a09c72fe73 (git) Affected: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc , < 807dbe8f3862fa7c164155857550ce94b36a11b9 (git) Affected: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc , < 7b54ccef865e0aa62e4871d4ada2ba4b9dcb8bed (git) Affected: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc , < e746e51947053a02af2ea964593dc4887108d379 (git) Affected: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc , < e23f46f1a971c73dad2fd63e1408696114ddebe2 (git) Affected: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc , < 18ab3fc8e880791aa9f7c000261320fc812b5465 (git) Affected: 421e1fadb0b0a648cc75afd5b3c826fa7daeaffc (git) Affected: 5a69b7b69beae9bb86e7e1b095685087976cba47 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/lapic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "786ed625c125c5cd180d6aaa37e653e3e4ffb8d9",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "d2da0df7bbc4fb4fd7d0a1da704f81a09c72fe73",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "807dbe8f3862fa7c164155857550ce94b36a11b9",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "7b54ccef865e0aa62e4871d4ada2ba4b9dcb8bed",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "e746e51947053a02af2ea964593dc4887108d379",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "e23f46f1a971c73dad2fd63e1408696114ddebe2",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "18ab3fc8e880791aa9f7c000261320fc812b5465",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"status": "affected",
"version": "421e1fadb0b0a648cc75afd5b3c826fa7daeaffc",
"versionType": "git"
},
{
"status": "affected",
"version": "5a69b7b69beae9bb86e7e1b095685087976cba47",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/lapic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.16.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer\n\nWhen advancing the target expiration for the guest\u0027s APIC timer in periodic\nmode, set the expiration to \"now\" if the target expiration is in the past\n(similar to what is done in update_target_expiration()). Blindly adding\nthe period to the previous target expiration can result in KVM generating\na practically unbounded number of hrtimer IRQs due to programming an\nexpired timer over and over. In extreme scenarios, e.g. if userspace\npauses/suspends a VM for an extended duration, this can even cause hard\nlockups in the host.\n\nCurrently, the bug only affects Intel CPUs when using the hypervisor timer\n(HV timer), a.k.a. the VMX preemption timer. Unlike the software timer,\na.k.a. hrtimer, which KVM keeps running even on exits to userspace, the\nHV timer only runs while the guest is active. As a result, if the vCPU\ndoes not run for an extended duration, there will be a huge gap between\nthe target expiration and the current time the vCPU resumes running.\nBecause the target expiration is incremented by only one period on each\ntimer expiration, this leads to a series of timer expirations occurring\nrapidly after the vCPU/VM resumes.\n\nMore critically, when the vCPU first triggers a periodic HV timer\nexpiration after resuming, advancing the expiration by only one period\nwill result in a target expiration in the past. As a result, the delta\nmay be calculated as a negative value. When the delta is converted into\nan absolute value (tscdeadline is an unsigned u64), the resulting value\ncan overflow what the HV timer is capable of programming. I.e. the large\nvalue will exceed the VMX Preemption Timer\u0027s maximum bit width of\ncpu_preemption_timer_multi + 32, and thus cause KVM to switch from the\nHV timer to the software timer (hrtimers).\n\nAfter switching to the software timer, periodic timer expiration callbacks\nmay be executed consecutively within a single clock interrupt handler,\nbecause hrtimers honors KVM\u0027s request for an expiration in the past and\nimmediately re-invokes KVM\u0027s callback after reprogramming. And because\nthe interrupt handler runs with IRQs disabled, restarting KVM\u0027s hrtimer\nover and over until the target expiration is advanced to \"now\" can result\nin a hard lockup.\n\nE.g. the following hard lockup was triggered in the host when running a\nWindows VM (only relevant because it used the APIC timer in periodic mode)\nafter resuming the VM from a long suspend (in the host).\n\n NMI watchdog: Watchdog detected hard LOCKUP on cpu 45\n ...\n RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm]\n ...\n RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046\n RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc\n RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500\n RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0\n R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0\n R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8\n FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0\n PKRU: 55555554\n Call Trace:\n \u003cIRQ\u003e\n apic_timer_fn+0x31/0x50 [kvm]\n __hrtimer_run_queues+0x100/0x280\n hrtimer_interrupt+0x100/0x210\n ? ttwu_do_wakeup+0x19/0x160\n smp_apic_timer_interrupt+0x6a/0x130\n apic_timer_interrupt+0xf/0x20\n \u003c/IRQ\u003e\n\nMoreover, if the suspend duration of the virtual machine is not long enough\nto trigger a hard lockup in this scenario, since commit 98c25ead5eda\n(\"KVM: VMX: Move preemption timer \u003c=\u003e hrtimer dance to common x86\"), KVM\nwill continue using the software timer until the guest reprograms the APIC\ntimer in some way. Since the periodic timer does not require frequent APIC\ntimer register programming, the guest may continue to use the software\ntimer in \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:57.200Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/786ed625c125c5cd180d6aaa37e653e3e4ffb8d9"
},
{
"url": "https://git.kernel.org/stable/c/d2da0df7bbc4fb4fd7d0a1da704f81a09c72fe73"
},
{
"url": "https://git.kernel.org/stable/c/807dbe8f3862fa7c164155857550ce94b36a11b9"
},
{
"url": "https://git.kernel.org/stable/c/7b54ccef865e0aa62e4871d4ada2ba4b9dcb8bed"
},
{
"url": "https://git.kernel.org/stable/c/e746e51947053a02af2ea964593dc4887108d379"
},
{
"url": "https://git.kernel.org/stable/c/e23f46f1a971c73dad2fd63e1408696114ddebe2"
},
{
"url": "https://git.kernel.org/stable/c/18ab3fc8e880791aa9f7c000261320fc812b5465"
}
],
"title": "KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71104",
"datePublished": "2026-01-14T15:05:53.802Z",
"dateReserved": "2026-01-13T15:30:19.651Z",
"dateUpdated": "2026-02-09T08:34:57.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68219 (GCVE-0-2025-68219)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57
VLAI?
EPSS
Title
cifs: fix memory leak in smb3_fs_context_parse_param error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix memory leak in smb3_fs_context_parse_param error path
Add proper cleanup of ctx->source and fc->source to the
cifs_parse_mount_err error handler. This ensures that memory allocated
for the source strings is correctly freed on all error paths, matching
the cleanup already performed in the success path by
smb3_cleanup_fs_context_contents().
Pointers are also set to NULL after freeing to prevent potential
double-free issues.
This change fixes a memory leak originally detected by syzbot. The
leak occurred when processing Opt_source mount options if an error
happened after ctx->source and fc->source were successfully
allocated but before the function completed.
The specific leak sequence was:
1. ctx->source = smb3_fs_context_fullpath(ctx, '/') allocates memory
2. fc->source = kstrdup(ctx->source, GFP_KERNEL) allocates more memory
3. A subsequent error jumps to cifs_parse_mount_err
4. The old error handler freed passwords but not the source strings,
causing the memory to leak.
This issue was not addressed by commit e8c73eb7db0a ("cifs: client:
fix memory leak in smb3_fs_context_parse_param"), which only fixed
leaks from repeated fsconfig() calls but not this error path.
Patch updated with minor change suggested by kernel test robot
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
24e0a1eff9e2b9835a6e7c17039dfb6ecfd81f1f , < 7627864dc3121f39e220f5253a227edf472de59e
(git)
Affected: 24e0a1eff9e2b9835a6e7c17039dfb6ecfd81f1f , < 48d69290270891f988e72edddd9688c20515421d (git) Affected: 24e0a1eff9e2b9835a6e7c17039dfb6ecfd81f1f , < 37010021d7e0341bb241ca00bcbae31f2c50b23f (git) Affected: 24e0a1eff9e2b9835a6e7c17039dfb6ecfd81f1f , < 7e4d9120cfa413dd34f4f434befc5dbe6c38b2e5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/fs_context.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7627864dc3121f39e220f5253a227edf472de59e",
"status": "affected",
"version": "24e0a1eff9e2b9835a6e7c17039dfb6ecfd81f1f",
"versionType": "git"
},
{
"lessThan": "48d69290270891f988e72edddd9688c20515421d",
"status": "affected",
"version": "24e0a1eff9e2b9835a6e7c17039dfb6ecfd81f1f",
"versionType": "git"
},
{
"lessThan": "37010021d7e0341bb241ca00bcbae31f2c50b23f",
"status": "affected",
"version": "24e0a1eff9e2b9835a6e7c17039dfb6ecfd81f1f",
"versionType": "git"
},
{
"lessThan": "7e4d9120cfa413dd34f4f434befc5dbe6c38b2e5",
"status": "affected",
"version": "24e0a1eff9e2b9835a6e7c17039dfb6ecfd81f1f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/fs_context.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix memory leak in smb3_fs_context_parse_param error path\n\nAdd proper cleanup of ctx-\u003esource and fc-\u003esource to the\ncifs_parse_mount_err error handler. This ensures that memory allocated\nfor the source strings is correctly freed on all error paths, matching\nthe cleanup already performed in the success path by\nsmb3_cleanup_fs_context_contents().\nPointers are also set to NULL after freeing to prevent potential\ndouble-free issues.\n\nThis change fixes a memory leak originally detected by syzbot. The\nleak occurred when processing Opt_source mount options if an error\nhappened after ctx-\u003esource and fc-\u003esource were successfully\nallocated but before the function completed.\n\nThe specific leak sequence was:\n1. ctx-\u003esource = smb3_fs_context_fullpath(ctx, \u0027/\u0027) allocates memory\n2. fc-\u003esource = kstrdup(ctx-\u003esource, GFP_KERNEL) allocates more memory\n3. A subsequent error jumps to cifs_parse_mount_err\n4. The old error handler freed passwords but not the source strings,\ncausing the memory to leak.\n\nThis issue was not addressed by commit e8c73eb7db0a (\"cifs: client:\nfix memory leak in smb3_fs_context_parse_param\"), which only fixed\nleaks from repeated fsconfig() calls but not this error path.\n\nPatch updated with minor change suggested by kernel test robot"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:13.461Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7627864dc3121f39e220f5253a227edf472de59e"
},
{
"url": "https://git.kernel.org/stable/c/48d69290270891f988e72edddd9688c20515421d"
},
{
"url": "https://git.kernel.org/stable/c/37010021d7e0341bb241ca00bcbae31f2c50b23f"
},
{
"url": "https://git.kernel.org/stable/c/7e4d9120cfa413dd34f4f434befc5dbe6c38b2e5"
}
],
"title": "cifs: fix memory leak in smb3_fs_context_parse_param error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68219",
"datePublished": "2025-12-16T13:57:13.461Z",
"dateReserved": "2025-12-16T13:41:40.256Z",
"dateUpdated": "2025-12-16T13:57:13.461Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40052 (GCVE-0-2025-40052)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
smb: client: fix crypto buffers in non-linear memory
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix crypto buffers in non-linear memory
The crypto API, through the scatterlist API, expects input buffers to be
in linear memory. We handle this with the cifs_sg_set_buf() helper
that converts vmalloc'd memory to their corresponding pages.
However, when we allocate our aead_request buffer (@creq in
smb2ops.c::crypt_message()), we do so with kvzalloc(), which possibly
puts aead_request->__ctx in vmalloc area.
AEAD algorithm then uses ->__ctx for its private/internal data and
operations, and uses sg_set_buf() for such data on a few places.
This works fine as long as @creq falls into kmalloc zone (small
requests) or vmalloc'd memory is still within linear range.
Tasks' stacks are vmalloc'd by default (CONFIG_VMAP_STACK=y), so too
many tasks will increment the base stacks' addresses to a point where
virt_addr_valid(buf) will fail (BUG() in sg_set_buf()) when that
happens.
In practice: too many parallel reads and writes on an encrypted mount
will trigger this bug.
To fix this, always alloc @creq with kmalloc() instead.
Also drop the @sensitive_size variable/arguments since
kfree_sensitive() doesn't need it.
Backtrace:
[ 945.272081] ------------[ cut here ]------------
[ 945.272774] kernel BUG at include/linux/scatterlist.h:209!
[ 945.273520] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
[ 945.274412] CPU: 7 UID: 0 PID: 56 Comm: kworker/u33:0 Kdump: loaded Not tainted 6.15.0-lku-11779-g8e9d6efccdd7-dirty #1 PREEMPT(voluntary)
[ 945.275736] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014
[ 945.276877] Workqueue: writeback wb_workfn (flush-cifs-2)
[ 945.277457] RIP: 0010:crypto_gcm_init_common+0x1f9/0x220
[ 945.278018] Code: b0 00 00 00 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 c7 c0 00 00 00 80 48 2b 05 5c 58 e5 00 e9 58 ff ff ff <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 48 c7 04 24 01 00 00 00 48 8b
[ 945.279992] RSP: 0018:ffffc90000a27360 EFLAGS: 00010246
[ 945.280578] RAX: 0000000000000000 RBX: ffffc90001d85060 RCX: 0000000000000030
[ 945.281376] RDX: 0000000000080000 RSI: 0000000000000000 RDI: ffffc90081d85070
[ 945.282145] RBP: ffffc90001d85010 R08: ffffc90001d85000 R09: 0000000000000000
[ 945.282898] R10: ffffc90001d85090 R11: 0000000000001000 R12: ffffc90001d85070
[ 945.283656] R13: ffff888113522948 R14: ffffc90001d85060 R15: ffffc90001d85010
[ 945.284407] FS: 0000000000000000(0000) GS:ffff8882e66cf000(0000) knlGS:0000000000000000
[ 945.285262] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 945.285884] CR2: 00007fa7ffdd31f4 CR3: 000000010540d000 CR4: 0000000000350ef0
[ 945.286683] Call Trace:
[ 945.286952] <TASK>
[ 945.287184] ? crypt_message+0x33f/0xad0 [cifs]
[ 945.287719] crypto_gcm_encrypt+0x36/0xe0
[ 945.288152] crypt_message+0x54a/0xad0 [cifs]
[ 945.288724] smb3_init_transform_rq+0x277/0x300 [cifs]
[ 945.289300] smb_send_rqst+0xa3/0x160 [cifs]
[ 945.289944] cifs_call_async+0x178/0x340 [cifs]
[ 945.290514] ? __pfx_smb2_writev_callback+0x10/0x10 [cifs]
[ 945.291177] smb2_async_writev+0x3e3/0x670 [cifs]
[ 945.291759] ? find_held_lock+0x32/0x90
[ 945.292212] ? netfs_advance_write+0xf2/0x310
[ 945.292723] netfs_advance_write+0xf2/0x310
[ 945.293210] netfs_write_folio+0x346/0xcc0
[ 945.293689] ? __pfx__raw_spin_unlock_irq+0x10/0x10
[ 945.294250] netfs_writepages+0x117/0x460
[ 945.294724] do_writepages+0xbe/0x170
[ 945.295152] ? find_held_lock+0x32/0x90
[ 945.295600] ? kvm_sched_clock_read+0x11/0x20
[ 945.296103] __writeback_single_inode+0x56/0x4b0
[ 945.296643] writeback_sb_inodes+0x229/0x550
[ 945.297140] __writeback_inodes_wb+0x4c/0xe0
[ 945.297642] wb_writeback+0x2f1/0x3f0
[ 945.298069] wb_workfn+0x300/0x490
[ 945.298472] process_one_work+0x1fe/0x590
[ 945.298949] worker_thread+0x1ce/0x3c0
[ 945.299397] ? __pfx_worker_thread+0x10/0x10
[ 945.299900] kthr
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d08089f649a0cfb2099c8551ac47eef0cc23fdf2 , < ba905a567105dde21cdb8e6d3a87110fa434b393
(git)
Affected: d08089f649a0cfb2099c8551ac47eef0cc23fdf2 , < 7a8a8c15468f0c99685e9964451feffd1a3cc859 (git) Affected: d08089f649a0cfb2099c8551ac47eef0cc23fdf2 , < 4a61b68abd2788db0364c9a0b6a39f1699fea440 (git) Affected: d08089f649a0cfb2099c8551ac47eef0cc23fdf2 , < 998a67b954680f26f3734040aeeed08642d49721 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba905a567105dde21cdb8e6d3a87110fa434b393",
"status": "affected",
"version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2",
"versionType": "git"
},
{
"lessThan": "7a8a8c15468f0c99685e9964451feffd1a3cc859",
"status": "affected",
"version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2",
"versionType": "git"
},
{
"lessThan": "4a61b68abd2788db0364c9a0b6a39f1699fea440",
"status": "affected",
"version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2",
"versionType": "git"
},
{
"lessThan": "998a67b954680f26f3734040aeeed08642d49721",
"status": "affected",
"version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix crypto buffers in non-linear memory\n\nThe crypto API, through the scatterlist API, expects input buffers to be\nin linear memory. We handle this with the cifs_sg_set_buf() helper\nthat converts vmalloc\u0027d memory to their corresponding pages.\n\nHowever, when we allocate our aead_request buffer (@creq in\nsmb2ops.c::crypt_message()), we do so with kvzalloc(), which possibly\nputs aead_request-\u003e__ctx in vmalloc area.\n\nAEAD algorithm then uses -\u003e__ctx for its private/internal data and\noperations, and uses sg_set_buf() for such data on a few places.\n\nThis works fine as long as @creq falls into kmalloc zone (small\nrequests) or vmalloc\u0027d memory is still within linear range.\n\nTasks\u0027 stacks are vmalloc\u0027d by default (CONFIG_VMAP_STACK=y), so too\nmany tasks will increment the base stacks\u0027 addresses to a point where\nvirt_addr_valid(buf) will fail (BUG() in sg_set_buf()) when that\nhappens.\n\nIn practice: too many parallel reads and writes on an encrypted mount\nwill trigger this bug.\n\nTo fix this, always alloc @creq with kmalloc() instead.\nAlso drop the @sensitive_size variable/arguments since\nkfree_sensitive() doesn\u0027t need it.\n\nBacktrace:\n\n[ 945.272081] ------------[ cut here ]------------\n[ 945.272774] kernel BUG at include/linux/scatterlist.h:209!\n[ 945.273520] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI\n[ 945.274412] CPU: 7 UID: 0 PID: 56 Comm: kworker/u33:0 Kdump: loaded Not tainted 6.15.0-lku-11779-g8e9d6efccdd7-dirty #1 PREEMPT(voluntary)\n[ 945.275736] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014\n[ 945.276877] Workqueue: writeback wb_workfn (flush-cifs-2)\n[ 945.277457] RIP: 0010:crypto_gcm_init_common+0x1f9/0x220\n[ 945.278018] Code: b0 00 00 00 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 c7 c0 00 00 00 80 48 2b 05 5c 58 e5 00 e9 58 ff ff ff \u003c0f\u003e 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 48 c7 04 24 01 00 00 00 48 8b\n[ 945.279992] RSP: 0018:ffffc90000a27360 EFLAGS: 00010246\n[ 945.280578] RAX: 0000000000000000 RBX: ffffc90001d85060 RCX: 0000000000000030\n[ 945.281376] RDX: 0000000000080000 RSI: 0000000000000000 RDI: ffffc90081d85070\n[ 945.282145] RBP: ffffc90001d85010 R08: ffffc90001d85000 R09: 0000000000000000\n[ 945.282898] R10: ffffc90001d85090 R11: 0000000000001000 R12: ffffc90001d85070\n[ 945.283656] R13: ffff888113522948 R14: ffffc90001d85060 R15: ffffc90001d85010\n[ 945.284407] FS: 0000000000000000(0000) GS:ffff8882e66cf000(0000) knlGS:0000000000000000\n[ 945.285262] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 945.285884] CR2: 00007fa7ffdd31f4 CR3: 000000010540d000 CR4: 0000000000350ef0\n[ 945.286683] Call Trace:\n[ 945.286952] \u003cTASK\u003e\n[ 945.287184] ? crypt_message+0x33f/0xad0 [cifs]\n[ 945.287719] crypto_gcm_encrypt+0x36/0xe0\n[ 945.288152] crypt_message+0x54a/0xad0 [cifs]\n[ 945.288724] smb3_init_transform_rq+0x277/0x300 [cifs]\n[ 945.289300] smb_send_rqst+0xa3/0x160 [cifs]\n[ 945.289944] cifs_call_async+0x178/0x340 [cifs]\n[ 945.290514] ? __pfx_smb2_writev_callback+0x10/0x10 [cifs]\n[ 945.291177] smb2_async_writev+0x3e3/0x670 [cifs]\n[ 945.291759] ? find_held_lock+0x32/0x90\n[ 945.292212] ? netfs_advance_write+0xf2/0x310\n[ 945.292723] netfs_advance_write+0xf2/0x310\n[ 945.293210] netfs_write_folio+0x346/0xcc0\n[ 945.293689] ? __pfx__raw_spin_unlock_irq+0x10/0x10\n[ 945.294250] netfs_writepages+0x117/0x460\n[ 945.294724] do_writepages+0xbe/0x170\n[ 945.295152] ? find_held_lock+0x32/0x90\n[ 945.295600] ? kvm_sched_clock_read+0x11/0x20\n[ 945.296103] __writeback_single_inode+0x56/0x4b0\n[ 945.296643] writeback_sb_inodes+0x229/0x550\n[ 945.297140] __writeback_inodes_wb+0x4c/0xe0\n[ 945.297642] wb_writeback+0x2f1/0x3f0\n[ 945.298069] wb_workfn+0x300/0x490\n[ 945.298472] process_one_work+0x1fe/0x590\n[ 945.298949] worker_thread+0x1ce/0x3c0\n[ 945.299397] ? __pfx_worker_thread+0x10/0x10\n[ 945.299900] kthr\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:58.919Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba905a567105dde21cdb8e6d3a87110fa434b393"
},
{
"url": "https://git.kernel.org/stable/c/7a8a8c15468f0c99685e9964451feffd1a3cc859"
},
{
"url": "https://git.kernel.org/stable/c/4a61b68abd2788db0364c9a0b6a39f1699fea440"
},
{
"url": "https://git.kernel.org/stable/c/998a67b954680f26f3734040aeeed08642d49721"
}
],
"title": "smb: client: fix crypto buffers in non-linear memory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40052",
"datePublished": "2025-10-28T11:48:27.854Z",
"dateReserved": "2025-04-16T07:20:57.157Z",
"dateUpdated": "2025-12-01T06:16:58.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68185 (GCVE-0-2025-68185)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing
Theoretically it's an oopsable race, but I don't believe one can manage
to hit it on real hardware; might become doable on a KVM, but it still
won't be easy to attack.
Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of
put_unaligned_be64(), we can put that under ->d_lock and be done with that.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6025f641a0e30afdc5aa62017397b1860ad9f677
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e6cafe71eb3b5579b245ba1bd528a181e77f3df1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fa4daf7d11e45b72aad5d943a7ab991f869fff79 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 504b3fb9948a9e96ebbabdee0d33966a8bab15cb (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < eacfd08b26a062f1095b18719715bc82ad35312e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 40be5b9080114f18b0cea386db415b68a7273c1a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f5e570eaab36a110c6ffda32b87c51170990c2d1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a890a2e339b929dbd843328f9a92a1625404fe63 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6025f641a0e30afdc5aa62017397b1860ad9f677",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e6cafe71eb3b5579b245ba1bd528a181e77f3df1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fa4daf7d11e45b72aad5d943a7ab991f869fff79",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "504b3fb9948a9e96ebbabdee0d33966a8bab15cb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eacfd08b26a062f1095b18719715bc82ad35312e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "40be5b9080114f18b0cea386db415b68a7273c1a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f5e570eaab36a110c6ffda32b87c51170990c2d1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a890a2e339b929dbd843328f9a92a1625404fe63",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs4_setup_readdir(): insufficient locking for -\u003ed_parent-\u003ed_inode dereferencing\n\nTheoretically it\u0027s an oopsable race, but I don\u0027t believe one can manage\nto hit it on real hardware; might become doable on a KVM, but it still\nwon\u0027t be easy to attack.\n\nAnyway, it\u0027s easy to deal with - since xdr_encode_hyper() is just a call of\nput_unaligned_be64(), we can put that under -\u003ed_lock and be done with that."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:15.709Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6025f641a0e30afdc5aa62017397b1860ad9f677"
},
{
"url": "https://git.kernel.org/stable/c/e6cafe71eb3b5579b245ba1bd528a181e77f3df1"
},
{
"url": "https://git.kernel.org/stable/c/fa4daf7d11e45b72aad5d943a7ab991f869fff79"
},
{
"url": "https://git.kernel.org/stable/c/504b3fb9948a9e96ebbabdee0d33966a8bab15cb"
},
{
"url": "https://git.kernel.org/stable/c/eacfd08b26a062f1095b18719715bc82ad35312e"
},
{
"url": "https://git.kernel.org/stable/c/40be5b9080114f18b0cea386db415b68a7273c1a"
},
{
"url": "https://git.kernel.org/stable/c/f5e570eaab36a110c6ffda32b87c51170990c2d1"
},
{
"url": "https://git.kernel.org/stable/c/a890a2e339b929dbd843328f9a92a1625404fe63"
}
],
"title": "nfs4_setup_readdir(): insufficient locking for -\u003ed_parent-\u003ed_inode dereferencing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68185",
"datePublished": "2025-12-16T13:43:02.894Z",
"dateReserved": "2025-12-16T13:41:40.252Z",
"dateUpdated": "2026-01-02T15:34:15.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39832 (GCVE-0-2025-39832)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:08 – Updated: 2026-01-14 18:22
VLAI?
EPSS
Title
net/mlx5: Fix lockdep assertion on sync reset unload event
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix lockdep assertion on sync reset unload event
Fix lockdep assertion triggered during sync reset unload event. When the
sync reset flow is initiated using the devlink reload fw_activate
option, the PF already holds the devlink lock while handling unload
event. In this case, delegate sync reset unload event handling back to
the devlink callback process to avoid double-locking and resolve the
lockdep warning.
Kernel log:
WARNING: CPU: 9 PID: 1578 at devl_assert_locked+0x31/0x40
[...]
Call Trace:
<TASK>
mlx5_unload_one_devl_locked+0x2c/0xc0 [mlx5_core]
mlx5_sync_reset_unload_event+0xaf/0x2f0 [mlx5_core]
process_one_work+0x222/0x640
worker_thread+0x199/0x350
kthread+0x10b/0x230
? __pfx_worker_thread+0x10/0x10
? __pfx_kthread+0x10/0x10
ret_from_fork+0x8e/0x100
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Severity ?
5.5 (Medium)
CWE
- CWE-667 - Improper Locking
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7a9770f1bfeaeddf5afabd3244e2c4c4966be37d , < ddac9d0fe2493dd550cbfc75eeaf31e9b6dac959
(git)
Affected: 7a9770f1bfeaeddf5afabd3244e2c4c4966be37d , < 0c87dba9ccd3801d3b503f0b4fd41be343af4f06 (git) Affected: 7a9770f1bfeaeddf5afabd3244e2c4c4966be37d , < 06d897148e79638651800d851a69547b56b4be2e (git) Affected: 7a9770f1bfeaeddf5afabd3244e2c4c4966be37d , < 902a8bc23a24882200f57cadc270e15a2cfaf2bb (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39832",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:18:09.564546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:22:56.913Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/devlink.c",
"drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c",
"drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ddac9d0fe2493dd550cbfc75eeaf31e9b6dac959",
"status": "affected",
"version": "7a9770f1bfeaeddf5afabd3244e2c4c4966be37d",
"versionType": "git"
},
{
"lessThan": "0c87dba9ccd3801d3b503f0b4fd41be343af4f06",
"status": "affected",
"version": "7a9770f1bfeaeddf5afabd3244e2c4c4966be37d",
"versionType": "git"
},
{
"lessThan": "06d897148e79638651800d851a69547b56b4be2e",
"status": "affected",
"version": "7a9770f1bfeaeddf5afabd3244e2c4c4966be37d",
"versionType": "git"
},
{
"lessThan": "902a8bc23a24882200f57cadc270e15a2cfaf2bb",
"status": "affected",
"version": "7a9770f1bfeaeddf5afabd3244e2c4c4966be37d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/devlink.c",
"drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c",
"drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix lockdep assertion on sync reset unload event\n\nFix lockdep assertion triggered during sync reset unload event. When the\nsync reset flow is initiated using the devlink reload fw_activate\noption, the PF already holds the devlink lock while handling unload\nevent. In this case, delegate sync reset unload event handling back to\nthe devlink callback process to avoid double-locking and resolve the\nlockdep warning.\n\nKernel log:\nWARNING: CPU: 9 PID: 1578 at devl_assert_locked+0x31/0x40\n[...]\nCall Trace:\n\u003cTASK\u003e\n mlx5_unload_one_devl_locked+0x2c/0xc0 [mlx5_core]\n mlx5_sync_reset_unload_event+0xaf/0x2f0 [mlx5_core]\n process_one_work+0x222/0x640\n worker_thread+0x199/0x350\n kthread+0x10b/0x230\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x8e/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n\u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:35.700Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ddac9d0fe2493dd550cbfc75eeaf31e9b6dac959"
},
{
"url": "https://git.kernel.org/stable/c/0c87dba9ccd3801d3b503f0b4fd41be343af4f06"
},
{
"url": "https://git.kernel.org/stable/c/06d897148e79638651800d851a69547b56b4be2e"
},
{
"url": "https://git.kernel.org/stable/c/902a8bc23a24882200f57cadc270e15a2cfaf2bb"
}
],
"title": "net/mlx5: Fix lockdep assertion on sync reset unload event",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39832",
"datePublished": "2025-09-16T13:08:49.513Z",
"dateReserved": "2025-04-16T07:20:57.140Z",
"dateUpdated": "2026-01-14T18:22:56.913Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40088 (GCVE-0-2025-40088)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:47 – Updated: 2026-01-02 15:32
VLAI?
EPSS
Title
hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()
The hfsplus_strcasecmp() logic can trigger the issue:
[ 117.317703][ T9855] ==================================================================
[ 117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490
[ 117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855
[ 117.319577][ T9855]
[ 117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full)
[ 117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 117.319783][ T9855] Call Trace:
[ 117.319785][ T9855] <TASK>
[ 117.319788][ T9855] dump_stack_lvl+0x1c1/0x2a0
[ 117.319795][ T9855] ? __virt_addr_valid+0x1c8/0x5c0
[ 117.319803][ T9855] ? __pfx_dump_stack_lvl+0x10/0x10
[ 117.319808][ T9855] ? rcu_is_watching+0x15/0xb0
[ 117.319816][ T9855] ? lock_release+0x4b/0x3e0
[ 117.319821][ T9855] ? __kasan_check_byte+0x12/0x40
[ 117.319828][ T9855] ? __virt_addr_valid+0x1c8/0x5c0
[ 117.319835][ T9855] ? __virt_addr_valid+0x4a5/0x5c0
[ 117.319842][ T9855] print_report+0x17e/0x7e0
[ 117.319848][ T9855] ? __virt_addr_valid+0x1c8/0x5c0
[ 117.319855][ T9855] ? __virt_addr_valid+0x4a5/0x5c0
[ 117.319862][ T9855] ? __phys_addr+0xd3/0x180
[ 117.319869][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490
[ 117.319876][ T9855] kasan_report+0x147/0x180
[ 117.319882][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490
[ 117.319891][ T9855] hfsplus_strcasecmp+0x1bc/0x490
[ 117.319900][ T9855] ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10
[ 117.319906][ T9855] hfs_find_rec_by_key+0xa9/0x1e0
[ 117.319913][ T9855] __hfsplus_brec_find+0x18e/0x470
[ 117.319920][ T9855] ? __pfx_hfsplus_bnode_find+0x10/0x10
[ 117.319926][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10
[ 117.319933][ T9855] ? __pfx___hfsplus_brec_find+0x10/0x10
[ 117.319942][ T9855] hfsplus_brec_find+0x28f/0x510
[ 117.319949][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10
[ 117.319956][ T9855] ? __pfx_hfsplus_brec_find+0x10/0x10
[ 117.319963][ T9855] ? __kmalloc_noprof+0x2a9/0x510
[ 117.319969][ T9855] ? hfsplus_find_init+0x8c/0x1d0
[ 117.319976][ T9855] hfsplus_brec_read+0x2b/0x120
[ 117.319983][ T9855] hfsplus_lookup+0x2aa/0x890
[ 117.319990][ T9855] ? __pfx_hfsplus_lookup+0x10/0x10
[ 117.320003][ T9855] ? d_alloc_parallel+0x2f0/0x15e0
[ 117.320008][ T9855] ? __lock_acquire+0xaec/0xd80
[ 117.320013][ T9855] ? __pfx_d_alloc_parallel+0x10/0x10
[ 117.320019][ T9855] ? __raw_spin_lock_init+0x45/0x100
[ 117.320026][ T9855] ? __init_waitqueue_head+0xa9/0x150
[ 117.320034][ T9855] __lookup_slow+0x297/0x3d0
[ 117.320039][ T9855] ? __pfx___lookup_slow+0x10/0x10
[ 117.320045][ T9855] ? down_read+0x1ad/0x2e0
[ 117.320055][ T9855] lookup_slow+0x53/0x70
[ 117.320065][ T9855] walk_component+0x2f0/0x430
[ 117.320073][ T9855] path_lookupat+0x169/0x440
[ 117.320081][ T9855] filename_lookup+0x212/0x590
[ 117.320089][ T9855] ? __pfx_filename_lookup+0x10/0x10
[ 117.320098][ T9855] ? strncpy_from_user+0x150/0x290
[ 117.320105][ T9855] ? getname_flags+0x1e5/0x540
[ 117.320112][ T9855] user_path_at+0x3a/0x60
[ 117.320117][ T9855] __x64_sys_umount+0xee/0x160
[ 117.320123][ T9855] ? __pfx___x64_sys_umount+0x10/0x10
[ 117.320129][ T9855] ? do_syscall_64+0xb7/0x3a0
[ 117.320135][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.320141][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.320145][ T9855] do_syscall_64+0xf3/0x3a0
[ 117.320150][ T9855] ? exc_page_fault+0x9f/0xf0
[ 117.320154][ T9855] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.320158][ T9855] RIP: 0033:0x7f7dd7908b07
[ 117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08
[ 117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 603158d4efa98a13a746bd586c20f194f4a31ec8
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ef250c3edd995d7bb5a5e5122ffad1c28a8686eb (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7ab44236b32ed41eb0636797e8e8e885a2f3b18a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b47a75b6f762321f9eb6f31aab7bce47a37063b7 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4f5ab4a9c6abd8b0d713cc2b7b041bc10d70f241 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 586c75dfd1d265c4150f6529debb85c9d62e101f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4bc081ba6c52b0c88c92701e3fbc33c7e2277afb (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 42520df65bf67189541a425f7d36b0b3e7bd7844 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/unicode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "603158d4efa98a13a746bd586c20f194f4a31ec8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ef250c3edd995d7bb5a5e5122ffad1c28a8686eb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7ab44236b32ed41eb0636797e8e8e885a2f3b18a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b47a75b6f762321f9eb6f31aab7bce47a37063b7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4f5ab4a9c6abd8b0d713cc2b7b041bc10d70f241",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "586c75dfd1d265c4150f6529debb85c9d62e101f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4bc081ba6c52b0c88c92701e3fbc33c7e2277afb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "42520df65bf67189541a425f7d36b0b3e7bd7844",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/unicode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()\n\nThe hfsplus_strcasecmp() logic can trigger the issue:\n\n[ 117.317703][ T9855] ==================================================================\n[ 117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490\n[ 117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855\n[ 117.319577][ T9855]\n[ 117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full)\n[ 117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 117.319783][ T9855] Call Trace:\n[ 117.319785][ T9855] \u003cTASK\u003e\n[ 117.319788][ T9855] dump_stack_lvl+0x1c1/0x2a0\n[ 117.319795][ T9855] ? __virt_addr_valid+0x1c8/0x5c0\n[ 117.319803][ T9855] ? __pfx_dump_stack_lvl+0x10/0x10\n[ 117.319808][ T9855] ? rcu_is_watching+0x15/0xb0\n[ 117.319816][ T9855] ? lock_release+0x4b/0x3e0\n[ 117.319821][ T9855] ? __kasan_check_byte+0x12/0x40\n[ 117.319828][ T9855] ? __virt_addr_valid+0x1c8/0x5c0\n[ 117.319835][ T9855] ? __virt_addr_valid+0x4a5/0x5c0\n[ 117.319842][ T9855] print_report+0x17e/0x7e0\n[ 117.319848][ T9855] ? __virt_addr_valid+0x1c8/0x5c0\n[ 117.319855][ T9855] ? __virt_addr_valid+0x4a5/0x5c0\n[ 117.319862][ T9855] ? __phys_addr+0xd3/0x180\n[ 117.319869][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490\n[ 117.319876][ T9855] kasan_report+0x147/0x180\n[ 117.319882][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490\n[ 117.319891][ T9855] hfsplus_strcasecmp+0x1bc/0x490\n[ 117.319900][ T9855] ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10\n[ 117.319906][ T9855] hfs_find_rec_by_key+0xa9/0x1e0\n[ 117.319913][ T9855] __hfsplus_brec_find+0x18e/0x470\n[ 117.319920][ T9855] ? __pfx_hfsplus_bnode_find+0x10/0x10\n[ 117.319926][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10\n[ 117.319933][ T9855] ? __pfx___hfsplus_brec_find+0x10/0x10\n[ 117.319942][ T9855] hfsplus_brec_find+0x28f/0x510\n[ 117.319949][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10\n[ 117.319956][ T9855] ? __pfx_hfsplus_brec_find+0x10/0x10\n[ 117.319963][ T9855] ? __kmalloc_noprof+0x2a9/0x510\n[ 117.319969][ T9855] ? hfsplus_find_init+0x8c/0x1d0\n[ 117.319976][ T9855] hfsplus_brec_read+0x2b/0x120\n[ 117.319983][ T9855] hfsplus_lookup+0x2aa/0x890\n[ 117.319990][ T9855] ? __pfx_hfsplus_lookup+0x10/0x10\n[ 117.320003][ T9855] ? d_alloc_parallel+0x2f0/0x15e0\n[ 117.320008][ T9855] ? __lock_acquire+0xaec/0xd80\n[ 117.320013][ T9855] ? __pfx_d_alloc_parallel+0x10/0x10\n[ 117.320019][ T9855] ? __raw_spin_lock_init+0x45/0x100\n[ 117.320026][ T9855] ? __init_waitqueue_head+0xa9/0x150\n[ 117.320034][ T9855] __lookup_slow+0x297/0x3d0\n[ 117.320039][ T9855] ? __pfx___lookup_slow+0x10/0x10\n[ 117.320045][ T9855] ? down_read+0x1ad/0x2e0\n[ 117.320055][ T9855] lookup_slow+0x53/0x70\n[ 117.320065][ T9855] walk_component+0x2f0/0x430\n[ 117.320073][ T9855] path_lookupat+0x169/0x440\n[ 117.320081][ T9855] filename_lookup+0x212/0x590\n[ 117.320089][ T9855] ? __pfx_filename_lookup+0x10/0x10\n[ 117.320098][ T9855] ? strncpy_from_user+0x150/0x290\n[ 117.320105][ T9855] ? getname_flags+0x1e5/0x540\n[ 117.320112][ T9855] user_path_at+0x3a/0x60\n[ 117.320117][ T9855] __x64_sys_umount+0xee/0x160\n[ 117.320123][ T9855] ? __pfx___x64_sys_umount+0x10/0x10\n[ 117.320129][ T9855] ? do_syscall_64+0xb7/0x3a0\n[ 117.320135][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 117.320141][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 117.320145][ T9855] do_syscall_64+0xf3/0x3a0\n[ 117.320150][ T9855] ? exc_page_fault+0x9f/0xf0\n[ 117.320154][ T9855] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 117.320158][ T9855] RIP: 0033:0x7f7dd7908b07\n[ 117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08\n[ 117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:59.198Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/603158d4efa98a13a746bd586c20f194f4a31ec8"
},
{
"url": "https://git.kernel.org/stable/c/ef250c3edd995d7bb5a5e5122ffad1c28a8686eb"
},
{
"url": "https://git.kernel.org/stable/c/7ab44236b32ed41eb0636797e8e8e885a2f3b18a"
},
{
"url": "https://git.kernel.org/stable/c/b47a75b6f762321f9eb6f31aab7bce47a37063b7"
},
{
"url": "https://git.kernel.org/stable/c/4f5ab4a9c6abd8b0d713cc2b7b041bc10d70f241"
},
{
"url": "https://git.kernel.org/stable/c/586c75dfd1d265c4150f6529debb85c9d62e101f"
},
{
"url": "https://git.kernel.org/stable/c/4bc081ba6c52b0c88c92701e3fbc33c7e2277afb"
},
{
"url": "https://git.kernel.org/stable/c/42520df65bf67189541a425f7d36b0b3e7bd7844"
}
],
"title": "hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40088",
"datePublished": "2025-10-30T09:47:57.333Z",
"dateReserved": "2025-04-16T07:20:57.162Z",
"dateUpdated": "2026-01-02T15:32:59.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68307 (GCVE-0-2025-68307)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs
The driver lacks the cleanup of failed transfers of URBs. This reduces the
number of available URBs per error by 1. This leads to reduced performance
and ultimately to a complete stop of the transmission.
If the sending of a bulk URB fails do proper cleanup:
- increase netdev stats
- mark the echo_sbk as free
- free the driver's context and do accounting
- wake the send queue
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d08e973a77d128b25e01a08c34d89593fdf222da , < f7a5560675bd85efaf16ab01a43053670ff2b000
(git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 1a588c40a422a3663a52f1c5535e8fb6b044167d (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 4a82072e451eacf24fc66a445e906f5095d215db (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 9c8eb33b7008178b6ce88aa7593d12063ce60ca3 (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 516a0cd1c03fa266bb67dd87940a209fd4e53ce7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7a5560675bd85efaf16ab01a43053670ff2b000",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "1a588c40a422a3663a52f1c5535e8fb6b044167d",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "4a82072e451eacf24fc66a445e906f5095d215db",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "9c8eb33b7008178b6ce88aa7593d12063ce60ca3",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "516a0cd1c03fa266bb67dd87940a209fd4e53ce7",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs\n\nThe driver lacks the cleanup of failed transfers of URBs. This reduces the\nnumber of available URBs per error by 1. This leads to reduced performance\nand ultimately to a complete stop of the transmission.\n\nIf the sending of a bulk URB fails do proper cleanup:\n- increase netdev stats\n- mark the echo_sbk as free\n- free the driver\u0027s context and do accounting\n- wake the send queue"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:24.271Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7a5560675bd85efaf16ab01a43053670ff2b000"
},
{
"url": "https://git.kernel.org/stable/c/1a588c40a422a3663a52f1c5535e8fb6b044167d"
},
{
"url": "https://git.kernel.org/stable/c/4a82072e451eacf24fc66a445e906f5095d215db"
},
{
"url": "https://git.kernel.org/stable/c/9c8eb33b7008178b6ce88aa7593d12063ce60ca3"
},
{
"url": "https://git.kernel.org/stable/c/516a0cd1c03fa266bb67dd87940a209fd4e53ce7"
}
],
"title": "can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68307",
"datePublished": "2025-12-16T15:06:24.271Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:24.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68338 (GCVE-0-2025-68338)
Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58
VLAI?
EPSS
Title
net: dsa: microchip: Don't free uninitialized ksz_irq
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: microchip: Don't free uninitialized ksz_irq
If something goes wrong at setup, ksz_irq_free() can be called on
uninitialized ksz_irq (for example when ksz_ptp_irq_setup() fails). It
leads to freeing uninitialized IRQ numbers and/or domains.
Use dsa_switch_for_each_user_port_continue_reverse() in the error path
to iterate only over the fully initialized ports.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cc13ab18b201ab630f03511060ba289b70052959 , < 9428654c827fa8d38b898135d26d39ee2d544246
(git)
Affected: cc13ab18b201ab630f03511060ba289b70052959 , < 32abbcf4379a0f851d7eb9d4389e7bf5c64bf6c0 (git) Affected: cc13ab18b201ab630f03511060ba289b70052959 , < 25b62cc5b22c45face094ae3e8717258e46d1d19 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/microchip/ksz_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9428654c827fa8d38b898135d26d39ee2d544246",
"status": "affected",
"version": "cc13ab18b201ab630f03511060ba289b70052959",
"versionType": "git"
},
{
"lessThan": "32abbcf4379a0f851d7eb9d4389e7bf5c64bf6c0",
"status": "affected",
"version": "cc13ab18b201ab630f03511060ba289b70052959",
"versionType": "git"
},
{
"lessThan": "25b62cc5b22c45face094ae3e8717258e46d1d19",
"status": "affected",
"version": "cc13ab18b201ab630f03511060ba289b70052959",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/microchip/ksz_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: microchip: Don\u0027t free uninitialized ksz_irq\n\nIf something goes wrong at setup, ksz_irq_free() can be called on\nuninitialized ksz_irq (for example when ksz_ptp_irq_setup() fails). It\nleads to freeing uninitialized IRQ numbers and/or domains.\n\nUse dsa_switch_for_each_user_port_continue_reverse() in the error path\nto iterate only over the fully initialized ports."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:58:24.121Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9428654c827fa8d38b898135d26d39ee2d544246"
},
{
"url": "https://git.kernel.org/stable/c/32abbcf4379a0f851d7eb9d4389e7bf5c64bf6c0"
},
{
"url": "https://git.kernel.org/stable/c/25b62cc5b22c45face094ae3e8717258e46d1d19"
}
],
"title": "net: dsa: microchip: Don\u0027t free uninitialized ksz_irq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68338",
"datePublished": "2025-12-23T13:58:24.121Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2025-12-23T13:58:24.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39813 (GCVE-0-2025-39813)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
ftrace: Fix potential warning in trace_printk_seq during ftrace_dump
Summary
In the Linux kernel, the following vulnerability has been resolved:
ftrace: Fix potential warning in trace_printk_seq during ftrace_dump
When calling ftrace_dump_one() concurrently with reading trace_pipe,
a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race
condition.
The issue occurs because:
CPU0 (ftrace_dump) CPU1 (reader)
echo z > /proc/sysrq-trigger
!trace_empty(&iter)
trace_iterator_reset(&iter) <- len = size = 0
cat /sys/kernel/tracing/trace_pipe
trace_find_next_entry_inc(&iter)
__find_next_entry
ring_buffer_empty_cpu <- all empty
return NULL
trace_printk_seq(&iter.seq)
WARN_ON_ONCE(s->seq.len >= s->seq.size)
In the context between trace_empty() and trace_find_next_entry_inc()
during ftrace_dump, the ring buffer data was consumed by other readers.
This caused trace_find_next_entry_inc to return NULL, failing to populate
`iter.seq`. At this point, due to the prior trace_iterator_reset, both
`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal,
the WARN_ON_ONCE condition is triggered.
Move the trace_printk_seq() into the if block that checks to make sure the
return value of trace_find_next_entry_inc() is non-NULL in
ftrace_dump_one(), ensuring the 'iter.seq' is properly populated before
subsequent operations.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d769041f865330034131525ee6a7f72eb4af2a24 , < f299353e7ccbcc5c2ed8993c48fbe7609cbe729a
(git)
Affected: d769041f865330034131525ee6a7f72eb4af2a24 , < 5ab0ec206deb99eb3baf8f1d7602aeaa91dbcc85 (git) Affected: d769041f865330034131525ee6a7f72eb4af2a24 , < a6f0f8873cc30fd4543b09adf03f7f51d293f0e6 (git) Affected: d769041f865330034131525ee6a7f72eb4af2a24 , < e80ff23ba8bdb0f41a1afe2657078e4097d13a9a (git) Affected: d769041f865330034131525ee6a7f72eb4af2a24 , < 28c8fb7ae2ad27d81c8de3c4fe608c509f6a18aa (git) Affected: d769041f865330034131525ee6a7f72eb4af2a24 , < ced94e137e6cd5e79c65564841d3b7695d0f5fa3 (git) Affected: d769041f865330034131525ee6a7f72eb4af2a24 , < fbd4cf7ee4db65ef36796769fe978e9eba6f0de4 (git) Affected: d769041f865330034131525ee6a7f72eb4af2a24 , < 4013aef2ced9b756a410f50d12df9ebe6a883e4a (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:38.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f299353e7ccbcc5c2ed8993c48fbe7609cbe729a",
"status": "affected",
"version": "d769041f865330034131525ee6a7f72eb4af2a24",
"versionType": "git"
},
{
"lessThan": "5ab0ec206deb99eb3baf8f1d7602aeaa91dbcc85",
"status": "affected",
"version": "d769041f865330034131525ee6a7f72eb4af2a24",
"versionType": "git"
},
{
"lessThan": "a6f0f8873cc30fd4543b09adf03f7f51d293f0e6",
"status": "affected",
"version": "d769041f865330034131525ee6a7f72eb4af2a24",
"versionType": "git"
},
{
"lessThan": "e80ff23ba8bdb0f41a1afe2657078e4097d13a9a",
"status": "affected",
"version": "d769041f865330034131525ee6a7f72eb4af2a24",
"versionType": "git"
},
{
"lessThan": "28c8fb7ae2ad27d81c8de3c4fe608c509f6a18aa",
"status": "affected",
"version": "d769041f865330034131525ee6a7f72eb4af2a24",
"versionType": "git"
},
{
"lessThan": "ced94e137e6cd5e79c65564841d3b7695d0f5fa3",
"status": "affected",
"version": "d769041f865330034131525ee6a7f72eb4af2a24",
"versionType": "git"
},
{
"lessThan": "fbd4cf7ee4db65ef36796769fe978e9eba6f0de4",
"status": "affected",
"version": "d769041f865330034131525ee6a7f72eb4af2a24",
"versionType": "git"
},
{
"lessThan": "4013aef2ced9b756a410f50d12df9ebe6a883e4a",
"status": "affected",
"version": "d769041f865330034131525ee6a7f72eb4af2a24",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.298",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix potential warning in trace_printk_seq during ftrace_dump\n\nWhen calling ftrace_dump_one() concurrently with reading trace_pipe,\na WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race\ncondition.\n\nThe issue occurs because:\n\nCPU0 (ftrace_dump) CPU1 (reader)\necho z \u003e /proc/sysrq-trigger\n\n!trace_empty(\u0026iter)\ntrace_iterator_reset(\u0026iter) \u003c- len = size = 0\n cat /sys/kernel/tracing/trace_pipe\ntrace_find_next_entry_inc(\u0026iter)\n __find_next_entry\n ring_buffer_empty_cpu \u003c- all empty\n return NULL\n\ntrace_printk_seq(\u0026iter.seq)\n WARN_ON_ONCE(s-\u003eseq.len \u003e= s-\u003eseq.size)\n\nIn the context between trace_empty() and trace_find_next_entry_inc()\nduring ftrace_dump, the ring buffer data was consumed by other readers.\nThis caused trace_find_next_entry_inc to return NULL, failing to populate\n`iter.seq`. At this point, due to the prior trace_iterator_reset, both\n`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal,\nthe WARN_ON_ONCE condition is triggered.\n\nMove the trace_printk_seq() into the if block that checks to make sure the\nreturn value of trace_find_next_entry_inc() is non-NULL in\nftrace_dump_one(), ensuring the \u0027iter.seq\u0027 is properly populated before\nsubsequent operations."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:57.400Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f299353e7ccbcc5c2ed8993c48fbe7609cbe729a"
},
{
"url": "https://git.kernel.org/stable/c/5ab0ec206deb99eb3baf8f1d7602aeaa91dbcc85"
},
{
"url": "https://git.kernel.org/stable/c/a6f0f8873cc30fd4543b09adf03f7f51d293f0e6"
},
{
"url": "https://git.kernel.org/stable/c/e80ff23ba8bdb0f41a1afe2657078e4097d13a9a"
},
{
"url": "https://git.kernel.org/stable/c/28c8fb7ae2ad27d81c8de3c4fe608c509f6a18aa"
},
{
"url": "https://git.kernel.org/stable/c/ced94e137e6cd5e79c65564841d3b7695d0f5fa3"
},
{
"url": "https://git.kernel.org/stable/c/fbd4cf7ee4db65ef36796769fe978e9eba6f0de4"
},
{
"url": "https://git.kernel.org/stable/c/4013aef2ced9b756a410f50d12df9ebe6a883e4a"
}
],
"title": "ftrace: Fix potential warning in trace_printk_seq during ftrace_dump",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39813",
"datePublished": "2025-09-16T13:00:14.846Z",
"dateReserved": "2025-04-16T07:20:57.137Z",
"dateUpdated": "2025-11-03T17:43:38.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39810 (GCVE-0-2025-39810)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2026-01-14 18:22
VLAI?
EPSS
Title
bnxt_en: Fix memory corruption when FW resources change during ifdown
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix memory corruption when FW resources change during ifdown
bnxt_set_dflt_rings() assumes that it is always called before any TC has
been created. So it doesn't take bp->num_tc into account and assumes
that it is always 0 or 1.
In the FW resource or capability change scenario, the FW will return
flags in bnxt_hwrm_if_change() that will cause the driver to
reinitialize and call bnxt_cancel_reservations(). This will lead to
bnxt_init_dflt_ring_mode() calling bnxt_set_dflt_rings() and bp->num_tc
may be greater than 1. This will cause bp->tx_ring[] to be sized too
small and cause memory corruption in bnxt_alloc_cp_rings().
Fix it by properly scaling the TX rings by bp->num_tc in the code
paths mentioned above. Add 2 helper functions to determine
bp->tx_nr_rings and bp->tx_nr_rings_per_tc.
Severity ?
7.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ec5d31e3c15d5233b491400133c67f78a320062c , < d00e98977ef519280b075d783653e2c492fffbb6
(git)
Affected: ec5d31e3c15d5233b491400133c67f78a320062c , < 9ab6a9950f152e094395d2e3967f889857daa185 (git) Affected: ec5d31e3c15d5233b491400133c67f78a320062c , < 2747328ba2714f1a7454208dbbc1dc0631990b4a (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39810",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:14:51.954727Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:22:55.131Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d00e98977ef519280b075d783653e2c492fffbb6",
"status": "affected",
"version": "ec5d31e3c15d5233b491400133c67f78a320062c",
"versionType": "git"
},
{
"lessThan": "9ab6a9950f152e094395d2e3967f889857daa185",
"status": "affected",
"version": "ec5d31e3c15d5233b491400133c67f78a320062c",
"versionType": "git"
},
{
"lessThan": "2747328ba2714f1a7454208dbbc1dc0631990b4a",
"status": "affected",
"version": "ec5d31e3c15d5233b491400133c67f78a320062c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix memory corruption when FW resources change during ifdown\n\nbnxt_set_dflt_rings() assumes that it is always called before any TC has\nbeen created. So it doesn\u0027t take bp-\u003enum_tc into account and assumes\nthat it is always 0 or 1.\n\nIn the FW resource or capability change scenario, the FW will return\nflags in bnxt_hwrm_if_change() that will cause the driver to\nreinitialize and call bnxt_cancel_reservations(). This will lead to\nbnxt_init_dflt_ring_mode() calling bnxt_set_dflt_rings() and bp-\u003enum_tc\nmay be greater than 1. This will cause bp-\u003etx_ring[] to be sized too\nsmall and cause memory corruption in bnxt_alloc_cp_rings().\n\nFix it by properly scaling the TX rings by bp-\u003enum_tc in the code\npaths mentioned above. Add 2 helper functions to determine\nbp-\u003etx_nr_rings and bp-\u003etx_nr_rings_per_tc."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:53.627Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d00e98977ef519280b075d783653e2c492fffbb6"
},
{
"url": "https://git.kernel.org/stable/c/9ab6a9950f152e094395d2e3967f889857daa185"
},
{
"url": "https://git.kernel.org/stable/c/2747328ba2714f1a7454208dbbc1dc0631990b4a"
}
],
"title": "bnxt_en: Fix memory corruption when FW resources change during ifdown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39810",
"datePublished": "2025-09-16T13:00:12.677Z",
"dateReserved": "2025-04-16T07:20:57.137Z",
"dateUpdated": "2026-01-14T18:22:55.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40248 (GCVE-0-2025-40248)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
vsock: Ignore signal/timeout on connect() if already established
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock: Ignore signal/timeout on connect() if already established
During connect(), acting on a signal/timeout by disconnecting an already
established socket leads to several issues:
1. connect() invoking vsock_transport_cancel_pkt() ->
virtio_transport_purge_skbs() may race with sendmsg() invoking
virtio_transport_get_credit(). This results in a permanently elevated
`vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.
2. connect() resetting a connected socket's state may race with socket
being placed in a sockmap. A disconnected socket remaining in a sockmap
breaks sockmap's assumptions. And gives rise to WARNs.
3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a
transport change/drop after TCP_ESTABLISHED. Which poses a problem for
any simultaneous sendmsg() or connect() and may result in a
use-after-free/null-ptr-deref.
Do not disconnect socket on signal/timeout. Keep the logic for unconnected
sockets: they don't linger, can't be placed in a sockmap, are rejected by
sendmsg().
[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/
[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/
[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d021c344051af91f42c5ba9fdedc176740cbd238 , < 3f71753935d648082a8279a97d30efe6b85be680
(git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < da664101fb4a0de5cb70d2bae6a650df954df2af (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 67432915145848658149683101104e32f9fd6559 (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < eeca93f06df89be5a36305b7b9dae1ed65550dfc (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 5998da5a8208ae9ad7838ba322bccb2bdcd95e81 (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < f1c170cae285e4b8f61be043bb17addc3d0a14b5 (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < ab6b19f690d89ae4709fba73a3c4a7911f495b7a (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 002541ef650b742a198e4be363881439bb9d86b4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f71753935d648082a8279a97d30efe6b85be680",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "da664101fb4a0de5cb70d2bae6a650df954df2af",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "67432915145848658149683101104e32f9fd6559",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "eeca93f06df89be5a36305b7b9dae1ed65550dfc",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "5998da5a8208ae9ad7838ba322bccb2bdcd95e81",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "f1c170cae285e4b8f61be043bb17addc3d0a14b5",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "ab6b19f690d89ae4709fba73a3c4a7911f495b7a",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "002541ef650b742a198e4be363881439bb9d86b4",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Ignore signal/timeout on connect() if already established\n\nDuring connect(), acting on a signal/timeout by disconnecting an already\nestablished socket leads to several issues:\n\n1. connect() invoking vsock_transport_cancel_pkt() -\u003e\n virtio_transport_purge_skbs() may race with sendmsg() invoking\n virtio_transport_get_credit(). This results in a permanently elevated\n `vvs-\u003ebytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.\n\n2. connect() resetting a connected socket\u0027s state may race with socket\n being placed in a sockmap. A disconnected socket remaining in a sockmap\n breaks sockmap\u0027s assumptions. And gives rise to WARNs.\n\n3. connect() transitioning SS_CONNECTED -\u003e SS_UNCONNECTED allows for a\n transport change/drop after TCP_ESTABLISHED. Which poses a problem for\n any simultaneous sendmsg() or connect() and may result in a\n use-after-free/null-ptr-deref.\n\nDo not disconnect socket on signal/timeout. Keep the logic for unconnected\nsockets: they don\u0027t linger, can\u0027t be placed in a sockmap, are rejected by\nsendmsg().\n\n[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/\n[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/\n[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:46.423Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f71753935d648082a8279a97d30efe6b85be680"
},
{
"url": "https://git.kernel.org/stable/c/da664101fb4a0de5cb70d2bae6a650df954df2af"
},
{
"url": "https://git.kernel.org/stable/c/67432915145848658149683101104e32f9fd6559"
},
{
"url": "https://git.kernel.org/stable/c/eeca93f06df89be5a36305b7b9dae1ed65550dfc"
},
{
"url": "https://git.kernel.org/stable/c/5998da5a8208ae9ad7838ba322bccb2bdcd95e81"
},
{
"url": "https://git.kernel.org/stable/c/f1c170cae285e4b8f61be043bb17addc3d0a14b5"
},
{
"url": "https://git.kernel.org/stable/c/ab6b19f690d89ae4709fba73a3c4a7911f495b7a"
},
{
"url": "https://git.kernel.org/stable/c/002541ef650b742a198e4be363881439bb9d86b4"
}
],
"title": "vsock: Ignore signal/timeout on connect() if already established",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40248",
"datePublished": "2025-12-04T16:08:11.509Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-06T21:38:46.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-36903 (GCVE-0-2024-36903)
Vulnerability from cvelistv5 – Published: 2024-05-30 15:29 – Updated: 2026-01-19 12:17
VLAI?
EPSS
Title
ipv6: Fix potential uninit-value access in __ip6_make_skb()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix potential uninit-value access in __ip6_make_skb()
As it was done in commit fc1092f51567 ("ipv4: Fix uninit-value access in
__ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags
instead of testing HDRINCL on the socket to avoid a race condition which
causes uninit-value access.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
605b056d63302ae84eb136e88d4df49124bd5e0d , < 59d74c843ebf46264c7903726cf6f2673a93b07a
(git)
Affected: d65ff2fe877c471aa6e79efa7bd8ff66e147c317 , < 40e5444a3ac315b60e94d82226b73cd82145d09e (git) Affected: 2c9cefc142c1dc2759e19a92d3b2b3715e985beb , < a05c1ede50e9656f0752e523c7b54f3a3489e9a8 (git) Affected: ea30388baebcce37fd594d425a65037ca35e59e8 , < 68c8ba16ab712eb709c6bab80ff151079d11d97a (git) Affected: ea30388baebcce37fd594d425a65037ca35e59e8 , < 2367bf254f3a27ecc6e229afd7a8b0a1395f7be3 (git) Affected: ea30388baebcce37fd594d425a65037ca35e59e8 , < 4e13d3a9c25b7080f8a619f961e943fe08c2672c (git) Affected: 165370522cc48127da564a08584a7391e6341908 (git) Affected: f394f690a30a5ec0413c62777a058eaf3d6e10d5 (git) Affected: 0cf600ca1bdf1d52df977516ee6cee0cadb1f6b1 (git) Affected: 02ed5700f40445af02d1c97db25ffc2d04971d9f (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36903",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-30T18:50:05.807509Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:48:08.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:30:07.718Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/68c8ba16ab712eb709c6bab80ff151079d11d97a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2367bf254f3a27ecc6e229afd7a8b0a1395f7be3"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4e13d3a9c25b7080f8a619f961e943fe08c2672c"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "59d74c843ebf46264c7903726cf6f2673a93b07a",
"status": "affected",
"version": "605b056d63302ae84eb136e88d4df49124bd5e0d",
"versionType": "git"
},
{
"lessThan": "40e5444a3ac315b60e94d82226b73cd82145d09e",
"status": "affected",
"version": "d65ff2fe877c471aa6e79efa7bd8ff66e147c317",
"versionType": "git"
},
{
"lessThan": "a05c1ede50e9656f0752e523c7b54f3a3489e9a8",
"status": "affected",
"version": "2c9cefc142c1dc2759e19a92d3b2b3715e985beb",
"versionType": "git"
},
{
"lessThan": "68c8ba16ab712eb709c6bab80ff151079d11d97a",
"status": "affected",
"version": "ea30388baebcce37fd594d425a65037ca35e59e8",
"versionType": "git"
},
{
"lessThan": "2367bf254f3a27ecc6e229afd7a8b0a1395f7be3",
"status": "affected",
"version": "ea30388baebcce37fd594d425a65037ca35e59e8",
"versionType": "git"
},
{
"lessThan": "4e13d3a9c25b7080f8a619f961e943fe08c2672c",
"status": "affected",
"version": "ea30388baebcce37fd594d425a65037ca35e59e8",
"versionType": "git"
},
{
"status": "affected",
"version": "165370522cc48127da564a08584a7391e6341908",
"versionType": "git"
},
{
"status": "affected",
"version": "f394f690a30a5ec0413c62777a058eaf3d6e10d5",
"versionType": "git"
},
{
"status": "affected",
"version": "0cf600ca1bdf1d52df977516ee6cee0cadb1f6b1",
"versionType": "git"
},
{
"status": "affected",
"version": "02ed5700f40445af02d1c97db25ffc2d04971d9f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.178",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.107",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.140",
"versionStartIncluding": "6.1.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.31",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.10",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.313",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.281",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix potential uninit-value access in __ip6_make_skb()\n\nAs it was done in commit fc1092f51567 (\"ipv4: Fix uninit-value access in\n__ip_make_skb()\") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6-\u003eflowi6_flags\ninstead of testing HDRINCL on the socket to avoid a race condition which\ncauses uninit-value access."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:45.894Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/59d74c843ebf46264c7903726cf6f2673a93b07a"
},
{
"url": "https://git.kernel.org/stable/c/40e5444a3ac315b60e94d82226b73cd82145d09e"
},
{
"url": "https://git.kernel.org/stable/c/a05c1ede50e9656f0752e523c7b54f3a3489e9a8"
},
{
"url": "https://git.kernel.org/stable/c/68c8ba16ab712eb709c6bab80ff151079d11d97a"
},
{
"url": "https://git.kernel.org/stable/c/2367bf254f3a27ecc6e229afd7a8b0a1395f7be3"
},
{
"url": "https://git.kernel.org/stable/c/4e13d3a9c25b7080f8a619f961e943fe08c2672c"
}
],
"title": "ipv6: Fix potential uninit-value access in __ip6_make_skb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-36903",
"datePublished": "2024-05-30T15:29:04.866Z",
"dateReserved": "2024-05-30T15:25:07.066Z",
"dateUpdated": "2026-01-19T12:17:45.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68759 (GCVE-0-2025-68759)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()
In rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA
allocations in a loop. When an allocation fails, the previously
successful allocations are not freed on exit.
Fix that by jumping to err_free_rings label on error, which calls
rtl8180_free_rx_ring() to free the allocations. Remove the free of
rx_ring in rtl8180_init_rx_ring() error path, and set the freed
priv->rx_buf entry to null, to avoid double free.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f653211197f3841f383fa9757ef8ce182c6cf627 , < 3677c01891fb0239361e444afee8398868e34bdf
(git)
Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < 89caaeee8dd95fae8bb4f4964e6fe3ca688500c4 (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < a4fb7cca9837378878e6c94d9e7af019c8fdfcdb (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < bf8513dfa31ea015c9cf415796dca2113d293840 (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < ee7db11742b30641f21306105ad27a275e3c61d7 (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < a813a74570212cb5f3a7d3b05c0cb0cd00bace1d (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < c9d1c4152e6d32fa74034464854bee262a60bc43 (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < 9b5b9c042b30befc5b37e4539ace95af70843473 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3677c01891fb0239361e444afee8398868e34bdf",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "89caaeee8dd95fae8bb4f4964e6fe3ca688500c4",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "a4fb7cca9837378878e6c94d9e7af019c8fdfcdb",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "bf8513dfa31ea015c9cf415796dca2113d293840",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "ee7db11742b30641f21306105ad27a275e3c61d7",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "a813a74570212cb5f3a7d3b05c0cb0cd00bace1d",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "c9d1c4152e6d32fa74034464854bee262a60bc43",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "9b5b9c042b30befc5b37e4539ace95af70843473",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()\n\nIn rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA\nallocations in a loop. When an allocation fails, the previously\nsuccessful allocations are not freed on exit.\n\nFix that by jumping to err_free_rings label on error, which calls\nrtl8180_free_rx_ring() to free the allocations. Remove the free of\nrx_ring in rtl8180_init_rx_ring() error path, and set the freed\npriv-\u003erx_buf entry to null, to avoid double free."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:03.895Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3677c01891fb0239361e444afee8398868e34bdf"
},
{
"url": "https://git.kernel.org/stable/c/89caaeee8dd95fae8bb4f4964e6fe3ca688500c4"
},
{
"url": "https://git.kernel.org/stable/c/a4fb7cca9837378878e6c94d9e7af019c8fdfcdb"
},
{
"url": "https://git.kernel.org/stable/c/bf8513dfa31ea015c9cf415796dca2113d293840"
},
{
"url": "https://git.kernel.org/stable/c/ee7db11742b30641f21306105ad27a275e3c61d7"
},
{
"url": "https://git.kernel.org/stable/c/a813a74570212cb5f3a7d3b05c0cb0cd00bace1d"
},
{
"url": "https://git.kernel.org/stable/c/c9d1c4152e6d32fa74034464854bee262a60bc43"
},
{
"url": "https://git.kernel.org/stable/c/9b5b9c042b30befc5b37e4539ace95af70843473"
}
],
"title": "wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68759",
"datePublished": "2026-01-05T09:32:32.174Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-02-09T08:33:03.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40116 (GCVE-0-2025-40116)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup
The kthread_run() function returns error pointers so the
max3421_hcd->spi_thread pointer can be either error pointers or NULL.
Check for both before dereferencing it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
05dfa5c9bc37933181b619e42ec0eeb41ef31362 , < 89838fe5c6c010ff8d3924f22afd9c18c5c95310
(git)
Affected: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 , < 3facf69a735e730ae36387f18780fe420708aa91 (git) Affected: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 , < e0e0ce06f3571be9b26790e4df56ba37b1de8543 (git) Affected: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 , < 3723c3dda1cc82c9bbca08fcbd46705a361bfd56 (git) Affected: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 , < b0439e3762ac9ea580f714e1504a1827d1ad32f5 (git) Affected: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 , < e68ea6de1d0551f90d7a2c75f82cb3ebe5e397dc (git) Affected: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 , < b682ce44bf20ada752a2f6ce70d5a575c56f6a35 (git) Affected: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 , < 186e8f2bdba551f3ae23396caccd452d985c23e3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/max3421-hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89838fe5c6c010ff8d3924f22afd9c18c5c95310",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "3facf69a735e730ae36387f18780fe420708aa91",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "e0e0ce06f3571be9b26790e4df56ba37b1de8543",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "3723c3dda1cc82c9bbca08fcbd46705a361bfd56",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "b0439e3762ac9ea580f714e1504a1827d1ad32f5",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "e68ea6de1d0551f90d7a2c75f82cb3ebe5e397dc",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "b682ce44bf20ada752a2f6ce70d5a575c56f6a35",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "186e8f2bdba551f3ae23396caccd452d985c23e3",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/max3421-hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: host: max3421-hcd: Fix error pointer dereference in probe cleanup\n\nThe kthread_run() function returns error pointers so the\nmax3421_hcd-\u003espi_thread pointer can be either error pointers or NULL.\nCheck for both before dereferencing it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:19.659Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89838fe5c6c010ff8d3924f22afd9c18c5c95310"
},
{
"url": "https://git.kernel.org/stable/c/3facf69a735e730ae36387f18780fe420708aa91"
},
{
"url": "https://git.kernel.org/stable/c/e0e0ce06f3571be9b26790e4df56ba37b1de8543"
},
{
"url": "https://git.kernel.org/stable/c/3723c3dda1cc82c9bbca08fcbd46705a361bfd56"
},
{
"url": "https://git.kernel.org/stable/c/b0439e3762ac9ea580f714e1504a1827d1ad32f5"
},
{
"url": "https://git.kernel.org/stable/c/e68ea6de1d0551f90d7a2c75f82cb3ebe5e397dc"
},
{
"url": "https://git.kernel.org/stable/c/b682ce44bf20ada752a2f6ce70d5a575c56f6a35"
},
{
"url": "https://git.kernel.org/stable/c/186e8f2bdba551f3ae23396caccd452d985c23e3"
}
],
"title": "usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40116",
"datePublished": "2025-11-12T10:23:17.569Z",
"dateReserved": "2025-04-16T07:20:57.168Z",
"dateUpdated": "2025-12-01T06:18:19.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68200 (GCVE-0-2025-68200)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2025-12-16 13:48
VLAI?
EPSS
Title
bpf: Add bpf_prog_run_data_pointers()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Add bpf_prog_run_data_pointers()
syzbot found that cls_bpf_classify() is able to change
tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().
WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214
struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:
Extend qdisc control block with tc control block"), which added a wrong
interaction with db58ba459202 ("bpf: wire in data and data_end for
cls_act_bpf").
drop_reason was added later.
Add bpf_prog_run_data_pointers() helper to save/restore the net_sched
storage colliding with BPF data_meta/data_end.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0d76daf2013ce1da20eab5e26bd81d983e1c18fb , < c4cdd143c35974a2cedd000fa9eb3accc3023b20
(git)
Affected: ec624fe740b416fb68d536b37fb8eef46f90b5c2 , < 5e149d8a8e732126fb6014efd60075cf63a73f91 (git) Affected: ec624fe740b416fb68d536b37fb8eef46f90b5c2 , < baa61dcaa50b7141048c8d2aede7fe9ed8f21d11 (git) Affected: ec624fe740b416fb68d536b37fb8eef46f90b5c2 , < 6392e5f4b1a3cce10e828309baf35d22abd3457d (git) Affected: ec624fe740b416fb68d536b37fb8eef46f90b5c2 , < 8dd2fe5f5d586c8e87307b7a271f6b994afcc006 (git) Affected: ec624fe740b416fb68d536b37fb8eef46f90b5c2 , < 4ef92743625818932b9c320152b58274c05e5053 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/filter.h",
"net/sched/act_bpf.c",
"net/sched/cls_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c4cdd143c35974a2cedd000fa9eb3accc3023b20",
"status": "affected",
"version": "0d76daf2013ce1da20eab5e26bd81d983e1c18fb",
"versionType": "git"
},
{
"lessThan": "5e149d8a8e732126fb6014efd60075cf63a73f91",
"status": "affected",
"version": "ec624fe740b416fb68d536b37fb8eef46f90b5c2",
"versionType": "git"
},
{
"lessThan": "baa61dcaa50b7141048c8d2aede7fe9ed8f21d11",
"status": "affected",
"version": "ec624fe740b416fb68d536b37fb8eef46f90b5c2",
"versionType": "git"
},
{
"lessThan": "6392e5f4b1a3cce10e828309baf35d22abd3457d",
"status": "affected",
"version": "ec624fe740b416fb68d536b37fb8eef46f90b5c2",
"versionType": "git"
},
{
"lessThan": "8dd2fe5f5d586c8e87307b7a271f6b994afcc006",
"status": "affected",
"version": "ec624fe740b416fb68d536b37fb8eef46f90b5c2",
"versionType": "git"
},
{
"lessThan": "4ef92743625818932b9c320152b58274c05e5053",
"status": "affected",
"version": "ec624fe740b416fb68d536b37fb8eef46f90b5c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/filter.h",
"net/sched/act_bpf.c",
"net/sched/cls_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add bpf_prog_run_data_pointers()\n\nsyzbot found that cls_bpf_classify() is able to change\ntc_skb_cb(skb)-\u003edrop_reason triggering a warning in sk_skb_reason_drop().\n\nWARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]\nWARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214\n\nstruct tc_skb_cb has been added in commit ec624fe740b4 (\"net/sched:\nExtend qdisc control block with tc control block\"), which added a wrong\ninteraction with db58ba459202 (\"bpf: wire in data and data_end for\ncls_act_bpf\").\n\ndrop_reason was added later.\n\nAdd bpf_prog_run_data_pointers() helper to save/restore the net_sched\nstorage colliding with BPF data_meta/data_end."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:48:28.793Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c4cdd143c35974a2cedd000fa9eb3accc3023b20"
},
{
"url": "https://git.kernel.org/stable/c/5e149d8a8e732126fb6014efd60075cf63a73f91"
},
{
"url": "https://git.kernel.org/stable/c/baa61dcaa50b7141048c8d2aede7fe9ed8f21d11"
},
{
"url": "https://git.kernel.org/stable/c/6392e5f4b1a3cce10e828309baf35d22abd3457d"
},
{
"url": "https://git.kernel.org/stable/c/8dd2fe5f5d586c8e87307b7a271f6b994afcc006"
},
{
"url": "https://git.kernel.org/stable/c/4ef92743625818932b9c320152b58274c05e5053"
}
],
"title": "bpf: Add bpf_prog_run_data_pointers()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68200",
"datePublished": "2025-12-16T13:48:28.793Z",
"dateReserved": "2025-12-16T13:41:40.254Z",
"dateUpdated": "2025-12-16T13:48:28.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40056 (GCVE-0-2025-40056)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
vhost: vringh: Fix copy_to_iter return value check
Summary
In the Linux kernel, the following vulnerability has been resolved:
vhost: vringh: Fix copy_to_iter return value check
The return value of copy_to_iter can't be negative, check whether the
copied length is equal to the requested length instead of checking for
negative values.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
309bba39c945ac8ab8083ac05cd6cfe5822968e0 , < bd71e7e0a612740e4de5524880c7cd40293af5f7
(git)
Affected: 309bba39c945ac8ab8083ac05cd6cfe5822968e0 , < 781226e11d5bdea0d69c7b5aa3cda874093c73b8 (git) Affected: 309bba39c945ac8ab8083ac05cd6cfe5822968e0 , < b3a950d236e98440c07405ba597b11bce56a8050 (git) Affected: 309bba39c945ac8ab8083ac05cd6cfe5822968e0 , < 68aac2b335d474b938d154b9c95cbc58838cb2ce (git) Affected: 309bba39c945ac8ab8083ac05cd6cfe5822968e0 , < 439263376c2c4e126cac0d07e4987568de4eaba5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vhost/vringh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bd71e7e0a612740e4de5524880c7cd40293af5f7",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
},
{
"lessThan": "781226e11d5bdea0d69c7b5aa3cda874093c73b8",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
},
{
"lessThan": "b3a950d236e98440c07405ba597b11bce56a8050",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
},
{
"lessThan": "68aac2b335d474b938d154b9c95cbc58838cb2ce",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
},
{
"lessThan": "439263376c2c4e126cac0d07e4987568de4eaba5",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vhost/vringh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost: vringh: Fix copy_to_iter return value check\n\nThe return value of copy_to_iter can\u0027t be negative, check whether the\ncopied length is equal to the requested length instead of checking for\nnegative values."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:04.464Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bd71e7e0a612740e4de5524880c7cd40293af5f7"
},
{
"url": "https://git.kernel.org/stable/c/781226e11d5bdea0d69c7b5aa3cda874093c73b8"
},
{
"url": "https://git.kernel.org/stable/c/b3a950d236e98440c07405ba597b11bce56a8050"
},
{
"url": "https://git.kernel.org/stable/c/68aac2b335d474b938d154b9c95cbc58838cb2ce"
},
{
"url": "https://git.kernel.org/stable/c/439263376c2c4e126cac0d07e4987568de4eaba5"
}
],
"title": "vhost: vringh: Fix copy_to_iter return value check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40056",
"datePublished": "2025-10-28T11:48:30.249Z",
"dateReserved": "2025-04-16T07:20:57.158Z",
"dateUpdated": "2025-12-01T06:17:04.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40311 (GCVE-0-2025-40311)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
accel/habanalabs: support mapping cb with vmalloc-backed coherent memory
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/habanalabs: support mapping cb with vmalloc-backed coherent memory
When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return
addresses from the vmalloc range. If such an address is mapped without
VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the
VM_PFNMAP restriction.
Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP
in the VMA before mapping. This ensures safe mapping and avoids kernel
crashes. The memory is still driver-allocated and cannot be accessed
directly by userspace.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399 , < 7ec8ac9f73d4a9438c2186768d6de27ace37531e
(git)
Affected: ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399 , < d1dfe21a332d38a6a09658ec29a55940afb5fe36 (git) Affected: ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399 , < 73c7c2cdb442fc4160d2a2a4bfffbd162af06cb9 (git) Affected: ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399 , < 513024d5a0e34fd34247043f1876b6138ca52847 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/habanalabs/gaudi/gaudi.c",
"drivers/accel/habanalabs/gaudi2/gaudi2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ec8ac9f73d4a9438c2186768d6de27ace37531e",
"status": "affected",
"version": "ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399",
"versionType": "git"
},
{
"lessThan": "d1dfe21a332d38a6a09658ec29a55940afb5fe36",
"status": "affected",
"version": "ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399",
"versionType": "git"
},
{
"lessThan": "73c7c2cdb442fc4160d2a2a4bfffbd162af06cb9",
"status": "affected",
"version": "ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399",
"versionType": "git"
},
{
"lessThan": "513024d5a0e34fd34247043f1876b6138ca52847",
"status": "affected",
"version": "ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/habanalabs/gaudi/gaudi.c",
"drivers/accel/habanalabs/gaudi2/gaudi2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/habanalabs: support mapping cb with vmalloc-backed coherent memory\n\nWhen IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return\naddresses from the vmalloc range. If such an address is mapped without\nVM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the\nVM_PFNMAP restriction.\n\nFix this by checking for vmalloc addresses and setting VM_MIXEDMAP\nin the VMA before mapping. This ensures safe mapping and avoids kernel\ncrashes. The memory is still driver-allocated and cannot be accessed\ndirectly by userspace."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:00.934Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ec8ac9f73d4a9438c2186768d6de27ace37531e"
},
{
"url": "https://git.kernel.org/stable/c/d1dfe21a332d38a6a09658ec29a55940afb5fe36"
},
{
"url": "https://git.kernel.org/stable/c/73c7c2cdb442fc4160d2a2a4bfffbd162af06cb9"
},
{
"url": "https://git.kernel.org/stable/c/513024d5a0e34fd34247043f1876b6138ca52847"
}
],
"title": "accel/habanalabs: support mapping cb with vmalloc-backed coherent memory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40311",
"datePublished": "2025-12-08T00:46:36.903Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-20T08:52:00.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68766 (GCVE-0-2025-68766)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:44 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()
Summary
In the Linux kernel, the following vulnerability has been resolved:
irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()
If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then
it results in an out of bounds access.
The code checks for invalid values, but doesn't set the error code. Return
-EINVAL in that case, instead of returning success.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
00fa3461c86dd289b441d4d5a6bb236064bd207b , < 324c60a67c4b9668497940f667db14d216cc7b1b
(git)
Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < c21c606ad398eeb86a0f3aaff9ba4f2665e286c6 (git) Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < 3873afcb57614c1aaa5b6715554d6d1c22cac95a (git) Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < 09efe7cfbf919c4d763bc425473fcfee0dc98356 (git) Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552 (git) Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < 7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-mchp-eic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "324c60a67c4b9668497940f667db14d216cc7b1b",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "c21c606ad398eeb86a0f3aaff9ba4f2665e286c6",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "3873afcb57614c1aaa5b6715554d6d1c22cac95a",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "09efe7cfbf919c4d763bc425473fcfee0dc98356",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-mchp-eic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()\n\nIf irq_domain_translate_twocell() sets \"hwirq\" to \u003e= MCHP_EIC_NIRQ (2) then\nit results in an out of bounds access.\n\nThe code checks for invalid values, but doesn\u0027t set the error code. Return\n-EINVAL in that case, instead of returning success."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:11.102Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/324c60a67c4b9668497940f667db14d216cc7b1b"
},
{
"url": "https://git.kernel.org/stable/c/c21c606ad398eeb86a0f3aaff9ba4f2665e286c6"
},
{
"url": "https://git.kernel.org/stable/c/3873afcb57614c1aaa5b6715554d6d1c22cac95a"
},
{
"url": "https://git.kernel.org/stable/c/09efe7cfbf919c4d763bc425473fcfee0dc98356"
},
{
"url": "https://git.kernel.org/stable/c/efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552"
},
{
"url": "https://git.kernel.org/stable/c/7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7"
}
],
"title": "irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68766",
"datePublished": "2026-01-05T09:44:13.935Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-02-09T08:33:11.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22113 (GCVE-0-2025-22113)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-09-09 17:05
VLAI?
EPSS
Title
ext4: avoid journaling sb update on error if journal is destroying
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid journaling sb update on error if journal is destroying
Presently we always BUG_ON if trying to start a transaction on a journal marked
with JBD2_UNMOUNT, since this should never happen. However, while ltp running
stress tests, it was observed that in case of some error handling paths, it is
possible for update_super_work to start a transaction after the journal is
destroyed eg:
(umount)
ext4_kill_sb
kill_block_super
generic_shutdown_super
sync_filesystem /* commits all txns */
evict_inodes
/* might start a new txn */
ext4_put_super
flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
jbd2_journal_destroy
journal_kill_thread
journal->j_flags |= JBD2_UNMOUNT;
jbd2_journal_commit_transaction
jbd2_journal_get_descriptor_buffer
jbd2_journal_bmap
ext4_journal_bmap
ext4_map_blocks
...
ext4_inode_error
ext4_handle_error
schedule_work(&sbi->s_sb_upd_work)
/* work queue kicks in */
update_super_work
jbd2_journal_start
start_this_handle
BUG_ON(journal->j_flags &
JBD2_UNMOUNT)
Hence, introduce a new mount flag to indicate journal is destroying and only do
a journaled (and deferred) update of sb if this flag is not set. Otherwise, just
fallback to an un-journaled commit.
Further, in the journal destroy path, we have the following sequence:
1. Set mount flag indicating journal is destroying
2. force a commit and wait for it
3. flush pending sb updates
This sequence is important as it ensures that, after this point, there is no sb
update that might be journaled so it is safe to update the sb outside the
journal. (To avoid race discussed in 2d01ddc86606)
Also, we don't need a similar check in ext4_grp_locked_error since it is only
called from mballoc and AFAICT it would be always valid to schedule work here.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2d01ddc86606564fb08c56e3bc93a0693895f710 , < eddca44ddf810e27f0c96913aa3cc92ebd679ddb
(git)
Affected: 2d01ddc86606564fb08c56e3bc93a0693895f710 , < db05767b5bc307143d99fe2afd8c43af58d2ebef (git) Affected: 2d01ddc86606564fb08c56e3bc93a0693895f710 , < ce2f26e73783b4a7c46a86e3af5b5c8de0971790 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/ext4.h",
"fs/ext4/ext4_jbd2.h",
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eddca44ddf810e27f0c96913aa3cc92ebd679ddb",
"status": "affected",
"version": "2d01ddc86606564fb08c56e3bc93a0693895f710",
"versionType": "git"
},
{
"lessThan": "db05767b5bc307143d99fe2afd8c43af58d2ebef",
"status": "affected",
"version": "2d01ddc86606564fb08c56e3bc93a0693895f710",
"versionType": "git"
},
{
"lessThan": "ce2f26e73783b4a7c46a86e3af5b5c8de0971790",
"status": "affected",
"version": "2d01ddc86606564fb08c56e3bc93a0693895f710",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/ext4.h",
"fs/ext4/ext4_jbd2.h",
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid journaling sb update on error if journal is destroying\n\nPresently we always BUG_ON if trying to start a transaction on a journal marked\nwith JBD2_UNMOUNT, since this should never happen. However, while ltp running\nstress tests, it was observed that in case of some error handling paths, it is\npossible for update_super_work to start a transaction after the journal is\ndestroyed eg:\n\n(umount)\next4_kill_sb\n kill_block_super\n generic_shutdown_super\n sync_filesystem /* commits all txns */\n evict_inodes\n /* might start a new txn */\n ext4_put_super\n\tflush_work(\u0026sbi-\u003es_sb_upd_work) /* flush the workqueue */\n jbd2_journal_destroy\n journal_kill_thread\n journal-\u003ej_flags |= JBD2_UNMOUNT;\n jbd2_journal_commit_transaction\n jbd2_journal_get_descriptor_buffer\n jbd2_journal_bmap\n ext4_journal_bmap\n ext4_map_blocks\n ...\n ext4_inode_error\n ext4_handle_error\n schedule_work(\u0026sbi-\u003es_sb_upd_work)\n\n /* work queue kicks in */\n update_super_work\n jbd2_journal_start\n start_this_handle\n BUG_ON(journal-\u003ej_flags \u0026\n JBD2_UNMOUNT)\n\nHence, introduce a new mount flag to indicate journal is destroying and only do\na journaled (and deferred) update of sb if this flag is not set. Otherwise, just\nfallback to an un-journaled commit.\n\nFurther, in the journal destroy path, we have the following sequence:\n\n 1. Set mount flag indicating journal is destroying\n 2. force a commit and wait for it\n 3. flush pending sb updates\n\nThis sequence is important as it ensures that, after this point, there is no sb\nupdate that might be journaled so it is safe to update the sb outside the\njournal. (To avoid race discussed in 2d01ddc86606)\n\nAlso, we don\u0027t need a similar check in ext4_grp_locked_error since it is only\ncalled from mballoc and AFAICT it would be always valid to schedule work here."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T17:05:50.940Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eddca44ddf810e27f0c96913aa3cc92ebd679ddb"
},
{
"url": "https://git.kernel.org/stable/c/db05767b5bc307143d99fe2afd8c43af58d2ebef"
},
{
"url": "https://git.kernel.org/stable/c/ce2f26e73783b4a7c46a86e3af5b5c8de0971790"
}
],
"title": "ext4: avoid journaling sb update on error if journal is destroying",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22113",
"datePublished": "2025-04-16T14:12:59.228Z",
"dateReserved": "2024-12-29T08:45:45.821Z",
"dateUpdated": "2025-09-09T17:05:50.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39901 (GCVE-0-2025-39901)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:42 – Updated: 2026-01-14 19:33
VLAI?
EPSS
Title
i40e: remove read access to debugfs files
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: remove read access to debugfs files
The 'command' and 'netdev_ops' debugfs files are a legacy debugging
interface supported by the i40e driver since its early days by commit
02e9c290814c ("i40e: debugfs interface").
Both of these debugfs files provide a read handler which is mostly useless,
and which is implemented with questionable logic. They both use a static
256 byte buffer which is initialized to the empty string. In the case of
the 'command' file this buffer is literally never used and simply wastes
space. In the case of the 'netdev_ops' file, the last command written is
saved here.
On read, the files contents are presented as the name of the device
followed by a colon and then the contents of their respective static
buffer. For 'command' this will always be "<device>: ". For 'netdev_ops',
this will be "<device>: <last command written>". But note the buffer is
shared between all devices operated by this module. At best, it is mostly
meaningless information, and at worse it could be accessed simultaneously
as there doesn't appear to be any locking mechanism.
We have also recently received multiple reports for both read functions
about their use of snprintf and potential overflow that could result in
reading arbitrary kernel memory. For the 'command' file, this is definitely
impossible, since the static buffer is always zero and never written to.
For the 'netdev_ops' file, it does appear to be possible, if the user
carefully crafts the command input, it will be copied into the buffer,
which could be large enough to cause snprintf to truncate, which then
causes the copy_to_user to read beyond the length of the buffer allocated
by kzalloc.
A minimal fix would be to replace snprintf() with scnprintf() which would
cap the return to the number of bytes written, preventing an overflow. A
more involved fix would be to drop the mostly useless static buffers,
saving 512 bytes and modifying the read functions to stop needing those as
input.
Instead, lets just completely drop the read access to these files. These
are debug interfaces exposed as part of debugfs, and I don't believe that
dropping read access will break any script, as the provided output is
pretty useless. You can find the netdev name through other more standard
interfaces, and the 'netdev_ops' interface can easily result in garbage if
you issue simultaneous writes to multiple devices at once.
In order to properly remove the i40e_dbg_netdev_ops_buf, we need to
refactor its write function to avoid using the static buffer. Instead, use
the same logic as the i40e_dbg_command_write, with an allocated buffer.
Update the code to use this instead of the static buffer, and ensure we
free the buffer on exit. This fixes simultaneous writes to 'netdev_ops' on
multiple devices, and allows us to remove the now unused static buffer
along with removing the read access.
Severity ?
7.1 (High)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
02e9c290814cc143ceccecb14eac3e7a05da745e , < 70d3dad7d5ad077965d7a63eed1942b7ba49bfb4
(git)
Affected: 02e9c290814cc143ceccecb14eac3e7a05da745e , < 7d190963b80f4cd99d7008615600aa7cc993c6ba (git) Affected: 02e9c290814cc143ceccecb14eac3e7a05da745e , < 9fcdb1c3c4ba134434694c001dbff343f1ffa319 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39901",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:29:38.664446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:33:14.407Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70d3dad7d5ad077965d7a63eed1942b7ba49bfb4",
"status": "affected",
"version": "02e9c290814cc143ceccecb14eac3e7a05da745e",
"versionType": "git"
},
{
"lessThan": "7d190963b80f4cd99d7008615600aa7cc993c6ba",
"status": "affected",
"version": "02e9c290814cc143ceccecb14eac3e7a05da745e",
"versionType": "git"
},
{
"lessThan": "9fcdb1c3c4ba134434694c001dbff343f1ffa319",
"status": "affected",
"version": "02e9c290814cc143ceccecb14eac3e7a05da745e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: remove read access to debugfs files\n\nThe \u0027command\u0027 and \u0027netdev_ops\u0027 debugfs files are a legacy debugging\ninterface supported by the i40e driver since its early days by commit\n02e9c290814c (\"i40e: debugfs interface\").\n\nBoth of these debugfs files provide a read handler which is mostly useless,\nand which is implemented with questionable logic. They both use a static\n256 byte buffer which is initialized to the empty string. In the case of\nthe \u0027command\u0027 file this buffer is literally never used and simply wastes\nspace. In the case of the \u0027netdev_ops\u0027 file, the last command written is\nsaved here.\n\nOn read, the files contents are presented as the name of the device\nfollowed by a colon and then the contents of their respective static\nbuffer. For \u0027command\u0027 this will always be \"\u003cdevice\u003e: \". For \u0027netdev_ops\u0027,\nthis will be \"\u003cdevice\u003e: \u003clast command written\u003e\". But note the buffer is\nshared between all devices operated by this module. At best, it is mostly\nmeaningless information, and at worse it could be accessed simultaneously\nas there doesn\u0027t appear to be any locking mechanism.\n\nWe have also recently received multiple reports for both read functions\nabout their use of snprintf and potential overflow that could result in\nreading arbitrary kernel memory. For the \u0027command\u0027 file, this is definitely\nimpossible, since the static buffer is always zero and never written to.\nFor the \u0027netdev_ops\u0027 file, it does appear to be possible, if the user\ncarefully crafts the command input, it will be copied into the buffer,\nwhich could be large enough to cause snprintf to truncate, which then\ncauses the copy_to_user to read beyond the length of the buffer allocated\nby kzalloc.\n\nA minimal fix would be to replace snprintf() with scnprintf() which would\ncap the return to the number of bytes written, preventing an overflow. A\nmore involved fix would be to drop the mostly useless static buffers,\nsaving 512 bytes and modifying the read functions to stop needing those as\ninput.\n\nInstead, lets just completely drop the read access to these files. These\nare debug interfaces exposed as part of debugfs, and I don\u0027t believe that\ndropping read access will break any script, as the provided output is\npretty useless. You can find the netdev name through other more standard\ninterfaces, and the \u0027netdev_ops\u0027 interface can easily result in garbage if\nyou issue simultaneous writes to multiple devices at once.\n\nIn order to properly remove the i40e_dbg_netdev_ops_buf, we need to\nrefactor its write function to avoid using the static buffer. Instead, use\nthe same logic as the i40e_dbg_command_write, with an allocated buffer.\nUpdate the code to use this instead of the static buffer, and ensure we\nfree the buffer on exit. This fixes simultaneous writes to \u0027netdev_ops\u0027 on\nmultiple devices, and allows us to remove the now unused static buffer\nalong with removing the read access."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:48.606Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70d3dad7d5ad077965d7a63eed1942b7ba49bfb4"
},
{
"url": "https://git.kernel.org/stable/c/7d190963b80f4cd99d7008615600aa7cc993c6ba"
},
{
"url": "https://git.kernel.org/stable/c/9fcdb1c3c4ba134434694c001dbff343f1ffa319"
}
],
"title": "i40e: remove read access to debugfs files",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39901",
"datePublished": "2025-10-01T07:42:48.606Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2026-01-14T19:33:14.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49072 (GCVE-0-2022-49072)
Vulnerability from cvelistv5 – Published: 2025-02-26 01:54 – Updated: 2025-12-23 13:21
VLAI?
EPSS
Title
gpio: Restrict usage of GPIO chip irq members before initialization
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpio: Restrict usage of GPIO chip irq members before initialization
GPIO chip irq members are exposed before they could be completely
initialized and this leads to race conditions.
One such issue was observed for the gc->irq.domain variable which
was accessed through the I2C interface in gpiochip_to_irq() before
it could be initialized by gpiochip_add_irqchip(). This resulted in
Kernel NULL pointer dereference.
Following are the logs for reference :-
kernel: Call Trace:
kernel: gpiod_to_irq+0x53/0x70
kernel: acpi_dev_gpio_irq_get_by+0x113/0x1f0
kernel: i2c_acpi_get_irq+0xc0/0xd0
kernel: i2c_device_probe+0x28a/0x2a0
kernel: really_probe+0xf2/0x460
kernel: RIP: 0010:gpiochip_to_irq+0x47/0xc0
To avoid such scenarios, restrict usage of GPIO chip irq members before
they are completely initialized.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
48057ed1840fde9239b1e000bea1a0a1f07c5e99 , < 7e88a50704b0c49ad3f2d11e8b963341cf68a89f
(git)
Affected: 48057ed1840fde9239b1e000bea1a0a1f07c5e99 , < 0912cf021fb5749372b3782611d8b1de4986c13a (git) Affected: 48057ed1840fde9239b1e000bea1a0a1f07c5e99 , < 2c1fa3614795e2b24da1ba95de0b27b8f6ea4537 (git) Affected: 48057ed1840fde9239b1e000bea1a0a1f07c5e99 , < f8dea54f74cae8c2e4d7b2952e8fed7743a85c87 (git) Affected: 48057ed1840fde9239b1e000bea1a0a1f07c5e99 , < 5467801f1fcbdc46bc7298a84dbf3ca1ff2a7320 (git) Affected: 44dfa46aaf7cf594ac89bc1a0c0e56c498b31269 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpiolib.c",
"include/linux/gpio/driver.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e88a50704b0c49ad3f2d11e8b963341cf68a89f",
"status": "affected",
"version": "48057ed1840fde9239b1e000bea1a0a1f07c5e99",
"versionType": "git"
},
{
"lessThan": "0912cf021fb5749372b3782611d8b1de4986c13a",
"status": "affected",
"version": "48057ed1840fde9239b1e000bea1a0a1f07c5e99",
"versionType": "git"
},
{
"lessThan": "2c1fa3614795e2b24da1ba95de0b27b8f6ea4537",
"status": "affected",
"version": "48057ed1840fde9239b1e000bea1a0a1f07c5e99",
"versionType": "git"
},
{
"lessThan": "f8dea54f74cae8c2e4d7b2952e8fed7743a85c87",
"status": "affected",
"version": "48057ed1840fde9239b1e000bea1a0a1f07c5e99",
"versionType": "git"
},
{
"lessThan": "5467801f1fcbdc46bc7298a84dbf3ca1ff2a7320",
"status": "affected",
"version": "48057ed1840fde9239b1e000bea1a0a1f07c5e99",
"versionType": "git"
},
{
"status": "affected",
"version": "44dfa46aaf7cf594ac89bc1a0c0e56c498b31269",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpiolib.c",
"include/linux/gpio/driver.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.2.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: Restrict usage of GPIO chip irq members before initialization\n\nGPIO chip irq members are exposed before they could be completely\ninitialized and this leads to race conditions.\n\nOne such issue was observed for the gc-\u003eirq.domain variable which\nwas accessed through the I2C interface in gpiochip_to_irq() before\nit could be initialized by gpiochip_add_irqchip(). This resulted in\nKernel NULL pointer dereference.\n\nFollowing are the logs for reference :-\n\nkernel: Call Trace:\nkernel: gpiod_to_irq+0x53/0x70\nkernel: acpi_dev_gpio_irq_get_by+0x113/0x1f0\nkernel: i2c_acpi_get_irq+0xc0/0xd0\nkernel: i2c_device_probe+0x28a/0x2a0\nkernel: really_probe+0xf2/0x460\nkernel: RIP: 0010:gpiochip_to_irq+0x47/0xc0\n\nTo avoid such scenarios, restrict usage of GPIO chip irq members before\nthey are completely initialized."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:21:49.316Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e88a50704b0c49ad3f2d11e8b963341cf68a89f"
},
{
"url": "https://git.kernel.org/stable/c/0912cf021fb5749372b3782611d8b1de4986c13a"
},
{
"url": "https://git.kernel.org/stable/c/2c1fa3614795e2b24da1ba95de0b27b8f6ea4537"
},
{
"url": "https://git.kernel.org/stable/c/f8dea54f74cae8c2e4d7b2952e8fed7743a85c87"
},
{
"url": "https://git.kernel.org/stable/c/5467801f1fcbdc46bc7298a84dbf3ca1ff2a7320"
}
],
"title": "gpio: Restrict usage of GPIO chip irq members before initialization",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49072",
"datePublished": "2025-02-26T01:54:37.314Z",
"dateReserved": "2025-02-26T01:49:39.245Z",
"dateUpdated": "2025-12-23T13:21:49.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39952 (GCVE-0-2025-39952)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:31 – Updated: 2026-01-02 15:32
VLAI?
EPSS
Title
wifi: wilc1000: avoid buffer overflow in WID string configuration
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: wilc1000: avoid buffer overflow in WID string configuration
Fix the following copy overflow warning identified by Smatch checker.
drivers/net/wireless/microchip/wilc1000/wlan_cfg.c:184 wilc_wlan_parse_response_frame()
error: '__memcpy()' 'cfg->s[i]->str' copy overflow (512 vs 65537)
This patch introduces size check before accessing the memory buffer.
The checks are base on the WID type of received data from the firmware.
For WID string configuration, the size limit is determined by individual
element size in 'struct wilc_cfg_str_vals' that is maintained in 'len' field
of 'struct wilc_cfg_str'.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c5c77ba18ea66aa05441c71e38473efb787705a4 , < 6085291a1a5865d4ad70f0e5812d524ebd5d1711
(git)
Affected: c5c77ba18ea66aa05441c71e38473efb787705a4 , < 2203ef417044b10a8563ade6a17c74183745d72e (git) Affected: c5c77ba18ea66aa05441c71e38473efb787705a4 , < ae50f8562306a7ea1cf3c9722f97ee244f974729 (git) Affected: c5c77ba18ea66aa05441c71e38473efb787705a4 , < fe9e4d0c39311d0f97b024147a0d155333f388b5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/microchip/wilc1000/wlan_cfg.c",
"drivers/net/wireless/microchip/wilc1000/wlan_cfg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6085291a1a5865d4ad70f0e5812d524ebd5d1711",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
},
{
"lessThan": "2203ef417044b10a8563ade6a17c74183745d72e",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
},
{
"lessThan": "ae50f8562306a7ea1cf3c9722f97ee244f974729",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
},
{
"lessThan": "fe9e4d0c39311d0f97b024147a0d155333f388b5",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/microchip/wilc1000/wlan_cfg.c",
"drivers/net/wireless/microchip/wilc1000/wlan_cfg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: avoid buffer overflow in WID string configuration\n\nFix the following copy overflow warning identified by Smatch checker.\n\n drivers/net/wireless/microchip/wilc1000/wlan_cfg.c:184 wilc_wlan_parse_response_frame()\n error: \u0027__memcpy()\u0027 \u0027cfg-\u003es[i]-\u003estr\u0027 copy overflow (512 vs 65537)\n\nThis patch introduces size check before accessing the memory buffer.\nThe checks are base on the WID type of received data from the firmware.\nFor WID string configuration, the size limit is determined by individual\nelement size in \u0027struct wilc_cfg_str_vals\u0027 that is maintained in \u0027len\u0027 field\nof \u0027struct wilc_cfg_str\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:43.137Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6085291a1a5865d4ad70f0e5812d524ebd5d1711"
},
{
"url": "https://git.kernel.org/stable/c/2203ef417044b10a8563ade6a17c74183745d72e"
},
{
"url": "https://git.kernel.org/stable/c/ae50f8562306a7ea1cf3c9722f97ee244f974729"
},
{
"url": "https://git.kernel.org/stable/c/fe9e4d0c39311d0f97b024147a0d155333f388b5"
}
],
"title": "wifi: wilc1000: avoid buffer overflow in WID string configuration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39952",
"datePublished": "2025-10-04T07:31:12.445Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2026-01-02T15:32:43.137Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40044 (GCVE-0-2025-40044)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
fs: udf: fix OOB read in lengthAllocDescs handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: udf: fix OOB read in lengthAllocDescs handling
When parsing Allocation Extent Descriptor, lengthAllocDescs comes from
on-disk data and must be validated against the block size. Crafted or
corrupted images may set lengthAllocDescs so that the total descriptor
length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,
leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and
trigger a KASAN use-after-free read.
BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179
extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106
udf_release_file+0xc1/0x120 fs/udf/file.c:185
__fput+0x23f/0x880 fs/file_table.c:431
task_work_run+0x24f/0x310 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xa2f/0x28e0 kernel/exit.c:939
do_group_exit+0x207/0x2c0 kernel/exit.c:1088
__do_sys_exit_group kernel/exit.c:1099 [inline]
__se_sys_exit_group kernel/exit.c:1097 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Validate the computed total length against epos->bh->b_size.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 14496175b264d30c2045584ee31d062af2e3a660
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d2ed9aa8ae50fb0d4ac5ab07e4c67ba7e9a24818 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1d1847812a1a5375c10a2a779338df643f79c047 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 918649364fbca7d5df72522ca795479edcd25f91 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a70dcfa8d0a0cc530a6af59483dfca260b652c1b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b57f2d7d3e6bb89ed82330c5fe106cdfa34d3e24 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 459404f858213967ccfff336c41747d8dd186d38 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3bd5e45c2ce30e239d596becd5db720f7eb83c99 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/udf/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "14496175b264d30c2045584ee31d062af2e3a660",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d2ed9aa8ae50fb0d4ac5ab07e4c67ba7e9a24818",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1d1847812a1a5375c10a2a779338df643f79c047",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "918649364fbca7d5df72522ca795479edcd25f91",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a70dcfa8d0a0cc530a6af59483dfca260b652c1b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b57f2d7d3e6bb89ed82330c5fe106cdfa34d3e24",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "459404f858213967ccfff336c41747d8dd186d38",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3bd5e45c2ce30e239d596becd5db720f7eb83c99",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/udf/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: udf: fix OOB read in lengthAllocDescs handling\n\nWhen parsing Allocation Extent Descriptor, lengthAllocDescs comes from\non-disk data and must be validated against the block size. Crafted or\ncorrupted images may set lengthAllocDescs so that the total descriptor\nlength (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,\nleading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and\ntrigger a KASAN use-after-free read.\n\nBUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60\nRead of size 1 at addr ffff888041e7d000 by task syz-executor317/5309\n\nCPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60\n udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261\n udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179\n extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46\n udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106\n udf_release_file+0xc1/0x120 fs/udf/file.c:185\n __fput+0x23f/0x880 fs/file_table.c:431\n task_work_run+0x24f/0x310 kernel/task_work.c:239\n exit_task_work include/linux/task_work.h:43 [inline]\n do_exit+0xa2f/0x28e0 kernel/exit.c:939\n do_group_exit+0x207/0x2c0 kernel/exit.c:1088\n __do_sys_exit_group kernel/exit.c:1099 [inline]\n __se_sys_exit_group kernel/exit.c:1097 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097\n x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nValidate the computed total length against epos-\u003ebh-\u003eb_size.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:49.032Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/14496175b264d30c2045584ee31d062af2e3a660"
},
{
"url": "https://git.kernel.org/stable/c/d2ed9aa8ae50fb0d4ac5ab07e4c67ba7e9a24818"
},
{
"url": "https://git.kernel.org/stable/c/1d1847812a1a5375c10a2a779338df643f79c047"
},
{
"url": "https://git.kernel.org/stable/c/918649364fbca7d5df72522ca795479edcd25f91"
},
{
"url": "https://git.kernel.org/stable/c/a70dcfa8d0a0cc530a6af59483dfca260b652c1b"
},
{
"url": "https://git.kernel.org/stable/c/b57f2d7d3e6bb89ed82330c5fe106cdfa34d3e24"
},
{
"url": "https://git.kernel.org/stable/c/459404f858213967ccfff336c41747d8dd186d38"
},
{
"url": "https://git.kernel.org/stable/c/3bd5e45c2ce30e239d596becd5db720f7eb83c99"
}
],
"title": "fs: udf: fix OOB read in lengthAllocDescs handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40044",
"datePublished": "2025-10-28T11:48:22.827Z",
"dateReserved": "2025-04-16T07:20:57.154Z",
"dateUpdated": "2025-12-01T06:16:49.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40079 (GCVE-0-2025-40079)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
riscv, bpf: Sign extend struct ops return values properly
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv, bpf: Sign extend struct ops return values properly
The ns_bpf_qdisc selftest triggers a kernel panic:
Unable to handle kernel paging request at virtual address ffffffffa38dbf58
Current test_progs pgtable: 4K pagesize, 57-bit VAs, pgdp=0x00000001109cc000
[ffffffffa38dbf58] pgd=000000011fffd801, p4d=000000011fffd401, pud=000000011fffd001, pmd=0000000000000000
Oops [#1]
Modules linked in: bpf_testmod(OE) xt_conntrack nls_iso8859_1 [...] [last unloaded: bpf_testmod(OE)]
CPU: 1 UID: 0 PID: 23584 Comm: test_progs Tainted: G W OE 6.17.0-rc1-g2465bb83e0b4 #1 NONE
Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2024.01+dfsg-1ubuntu5.1 01/01/2024
epc : __qdisc_run+0x82/0x6f0
ra : __qdisc_run+0x6e/0x6f0
epc : ffffffff80bd5c7a ra : ffffffff80bd5c66 sp : ff2000000eecb550
gp : ffffffff82472098 tp : ff60000096895940 t0 : ffffffff8001f180
t1 : ffffffff801e1664 t2 : 0000000000000000 s0 : ff2000000eecb5d0
s1 : ff60000093a6a600 a0 : ffffffffa38dbee8 a1 : 0000000000000001
a2 : ff2000000eecb510 a3 : 0000000000000001 a4 : 0000000000000000
a5 : 0000000000000010 a6 : 0000000000000000 a7 : 0000000000735049
s2 : ffffffffa38dbee8 s3 : 0000000000000040 s4 : ff6000008bcda000
s5 : 0000000000000008 s6 : ff60000093a6a680 s7 : ff60000093a6a6f0
s8 : ff60000093a6a6ac s9 : ff60000093140000 s10: 0000000000000000
s11: ff2000000eecb9d0 t3 : 0000000000000000 t4 : 0000000000ff0000
t5 : 0000000000000000 t6 : ff60000093a6a8b6
status: 0000000200000120 badaddr: ffffffffa38dbf58 cause: 000000000000000d
[<ffffffff80bd5c7a>] __qdisc_run+0x82/0x6f0
[<ffffffff80b6fe58>] __dev_queue_xmit+0x4c0/0x1128
[<ffffffff80b80ae0>] neigh_resolve_output+0xd0/0x170
[<ffffffff80d2daf6>] ip6_finish_output2+0x226/0x6c8
[<ffffffff80d31254>] ip6_finish_output+0x10c/0x2a0
[<ffffffff80d31446>] ip6_output+0x5e/0x178
[<ffffffff80d2e232>] ip6_xmit+0x29a/0x608
[<ffffffff80d6f4c6>] inet6_csk_xmit+0xe6/0x140
[<ffffffff80c985e4>] __tcp_transmit_skb+0x45c/0xaa8
[<ffffffff80c995fe>] tcp_connect+0x9ce/0xd10
[<ffffffff80d66524>] tcp_v6_connect+0x4ac/0x5e8
[<ffffffff80cc19b8>] __inet_stream_connect+0xd8/0x318
[<ffffffff80cc1c36>] inet_stream_connect+0x3e/0x68
[<ffffffff80b42b20>] __sys_connect_file+0x50/0x88
[<ffffffff80b42bee>] __sys_connect+0x96/0xc8
[<ffffffff80b42c40>] __riscv_sys_connect+0x20/0x30
[<ffffffff80e5bcae>] do_trap_ecall_u+0x256/0x378
[<ffffffff80e69af2>] handle_exception+0x14a/0x156
Code: 892a 0363 1205 489c 8bc1 c7e5 2d03 084a 2703 080a (2783) 0709
---[ end trace 0000000000000000 ]---
The bpf_fifo_dequeue prog returns a skb which is a pointer. The pointer
is treated as a 32bit value and sign extend to 64bit in epilogue. This
behavior is right for most bpf prog types but wrong for struct ops which
requires RISC-V ABI.
So let's sign extend struct ops return values according to the function
model and RISC-V ABI([0]).
[0]: https://riscv.org/wp-content/uploads/2024/12/riscv-calling.pdf
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
25ad10658dc1068a671553ff10e19a812c2a3783 , < 92751937f12a7d34ad492577a251c94a55e97e72
(git)
Affected: 25ad10658dc1068a671553ff10e19a812c2a3783 , < 918a399501e28e0cc36dbd1fcfb4208f8aa1e4d1 (git) Affected: 25ad10658dc1068a671553ff10e19a812c2a3783 , < fd2e08128944a7679e753f920e9eda72057e427c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/net/bpf_jit_comp64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92751937f12a7d34ad492577a251c94a55e97e72",
"status": "affected",
"version": "25ad10658dc1068a671553ff10e19a812c2a3783",
"versionType": "git"
},
{
"lessThan": "918a399501e28e0cc36dbd1fcfb4208f8aa1e4d1",
"status": "affected",
"version": "25ad10658dc1068a671553ff10e19a812c2a3783",
"versionType": "git"
},
{
"lessThan": "fd2e08128944a7679e753f920e9eda72057e427c",
"status": "affected",
"version": "25ad10658dc1068a671553ff10e19a812c2a3783",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/net/bpf_jit_comp64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv, bpf: Sign extend struct ops return values properly\n\nThe ns_bpf_qdisc selftest triggers a kernel panic:\n\n Unable to handle kernel paging request at virtual address ffffffffa38dbf58\n Current test_progs pgtable: 4K pagesize, 57-bit VAs, pgdp=0x00000001109cc000\n [ffffffffa38dbf58] pgd=000000011fffd801, p4d=000000011fffd401, pud=000000011fffd001, pmd=0000000000000000\n Oops [#1]\n Modules linked in: bpf_testmod(OE) xt_conntrack nls_iso8859_1 [...] [last unloaded: bpf_testmod(OE)]\n CPU: 1 UID: 0 PID: 23584 Comm: test_progs Tainted: G W OE 6.17.0-rc1-g2465bb83e0b4 #1 NONE\n Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2024.01+dfsg-1ubuntu5.1 01/01/2024\n epc : __qdisc_run+0x82/0x6f0\n ra : __qdisc_run+0x6e/0x6f0\n epc : ffffffff80bd5c7a ra : ffffffff80bd5c66 sp : ff2000000eecb550\n gp : ffffffff82472098 tp : ff60000096895940 t0 : ffffffff8001f180\n t1 : ffffffff801e1664 t2 : 0000000000000000 s0 : ff2000000eecb5d0\n s1 : ff60000093a6a600 a0 : ffffffffa38dbee8 a1 : 0000000000000001\n a2 : ff2000000eecb510 a3 : 0000000000000001 a4 : 0000000000000000\n a5 : 0000000000000010 a6 : 0000000000000000 a7 : 0000000000735049\n s2 : ffffffffa38dbee8 s3 : 0000000000000040 s4 : ff6000008bcda000\n s5 : 0000000000000008 s6 : ff60000093a6a680 s7 : ff60000093a6a6f0\n s8 : ff60000093a6a6ac s9 : ff60000093140000 s10: 0000000000000000\n s11: ff2000000eecb9d0 t3 : 0000000000000000 t4 : 0000000000ff0000\n t5 : 0000000000000000 t6 : ff60000093a6a8b6\n status: 0000000200000120 badaddr: ffffffffa38dbf58 cause: 000000000000000d\n [\u003cffffffff80bd5c7a\u003e] __qdisc_run+0x82/0x6f0\n [\u003cffffffff80b6fe58\u003e] __dev_queue_xmit+0x4c0/0x1128\n [\u003cffffffff80b80ae0\u003e] neigh_resolve_output+0xd0/0x170\n [\u003cffffffff80d2daf6\u003e] ip6_finish_output2+0x226/0x6c8\n [\u003cffffffff80d31254\u003e] ip6_finish_output+0x10c/0x2a0\n [\u003cffffffff80d31446\u003e] ip6_output+0x5e/0x178\n [\u003cffffffff80d2e232\u003e] ip6_xmit+0x29a/0x608\n [\u003cffffffff80d6f4c6\u003e] inet6_csk_xmit+0xe6/0x140\n [\u003cffffffff80c985e4\u003e] __tcp_transmit_skb+0x45c/0xaa8\n [\u003cffffffff80c995fe\u003e] tcp_connect+0x9ce/0xd10\n [\u003cffffffff80d66524\u003e] tcp_v6_connect+0x4ac/0x5e8\n [\u003cffffffff80cc19b8\u003e] __inet_stream_connect+0xd8/0x318\n [\u003cffffffff80cc1c36\u003e] inet_stream_connect+0x3e/0x68\n [\u003cffffffff80b42b20\u003e] __sys_connect_file+0x50/0x88\n [\u003cffffffff80b42bee\u003e] __sys_connect+0x96/0xc8\n [\u003cffffffff80b42c40\u003e] __riscv_sys_connect+0x20/0x30\n [\u003cffffffff80e5bcae\u003e] do_trap_ecall_u+0x256/0x378\n [\u003cffffffff80e69af2\u003e] handle_exception+0x14a/0x156\n Code: 892a 0363 1205 489c 8bc1 c7e5 2d03 084a 2703 080a (2783) 0709\n ---[ end trace 0000000000000000 ]---\n\nThe bpf_fifo_dequeue prog returns a skb which is a pointer. The pointer\nis treated as a 32bit value and sign extend to 64bit in epilogue. This\nbehavior is right for most bpf prog types but wrong for struct ops which\nrequires RISC-V ABI.\n\nSo let\u0027s sign extend struct ops return values according to the function\nmodel and RISC-V ABI([0]).\n\n [0]: https://riscv.org/wp-content/uploads/2024/12/riscv-calling.pdf"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:36.286Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92751937f12a7d34ad492577a251c94a55e97e72"
},
{
"url": "https://git.kernel.org/stable/c/918a399501e28e0cc36dbd1fcfb4208f8aa1e4d1"
},
{
"url": "https://git.kernel.org/stable/c/fd2e08128944a7679e753f920e9eda72057e427c"
}
],
"title": "riscv, bpf: Sign extend struct ops return values properly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40079",
"datePublished": "2025-10-28T11:48:44.122Z",
"dateReserved": "2025-04-16T07:20:57.160Z",
"dateUpdated": "2025-12-01T06:17:36.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68218 (GCVE-0-2025-68218)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57
VLAI?
EPSS
Title
nvme-multipath: fix lockdep WARN due to partition scan work
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-multipath: fix lockdep WARN due to partition scan work
Blktests test cases nvme/014, 057 and 058 fail occasionally due to a
lockdep WARN. As reported in the Closes tag URL, the WARN indicates that
a deadlock can happen due to the dependency among disk->open_mutex,
kblockd workqueue completion and partition_scan_work completion.
To avoid the lockdep WARN and the potential deadlock, cut the dependency
by running the partition_scan_work not by kblockd workqueue but by
nvme_wq.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
60de2e03f984cfbcdc12fa552f95087c35a05a98 , < 89456dab7ba5ab63d60945440926673a3205e829
(git)
Affected: 4a57f42e5ed42cb8f1beb262c4f6d3e698939e4e , < e2a897ad5f538d314955c747a0a2edb184fcdecd (git) Affected: 1f021341eef41e77a633186e9be5223de2ce5d48 , < ef4ab2a8abe554379e10303ae86f7c501336ba0d (git) Affected: 1f021341eef41e77a633186e9be5223de2ce5d48 , < b03eb63288a8ffe3adfb34e68309c8e2edb06d0b (git) Affected: 1f021341eef41e77a633186e9be5223de2ce5d48 , < 6d87cd5335784351280f82c47cc8a657271929c3 (git) Affected: a91b7eddf45afeeb9c5ece11dddff5de0921b00f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/multipath.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89456dab7ba5ab63d60945440926673a3205e829",
"status": "affected",
"version": "60de2e03f984cfbcdc12fa552f95087c35a05a98",
"versionType": "git"
},
{
"lessThan": "e2a897ad5f538d314955c747a0a2edb184fcdecd",
"status": "affected",
"version": "4a57f42e5ed42cb8f1beb262c4f6d3e698939e4e",
"versionType": "git"
},
{
"lessThan": "ef4ab2a8abe554379e10303ae86f7c501336ba0d",
"status": "affected",
"version": "1f021341eef41e77a633186e9be5223de2ce5d48",
"versionType": "git"
},
{
"lessThan": "b03eb63288a8ffe3adfb34e68309c8e2edb06d0b",
"status": "affected",
"version": "1f021341eef41e77a633186e9be5223de2ce5d48",
"versionType": "git"
},
{
"lessThan": "6d87cd5335784351280f82c47cc8a657271929c3",
"status": "affected",
"version": "1f021341eef41e77a633186e9be5223de2ce5d48",
"versionType": "git"
},
{
"status": "affected",
"version": "a91b7eddf45afeeb9c5ece11dddff5de0921b00f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/multipath.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.6.62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-multipath: fix lockdep WARN due to partition scan work\n\nBlktests test cases nvme/014, 057 and 058 fail occasionally due to a\nlockdep WARN. As reported in the Closes tag URL, the WARN indicates that\na deadlock can happen due to the dependency among disk-\u003eopen_mutex,\nkblockd workqueue completion and partition_scan_work completion.\n\nTo avoid the lockdep WARN and the potential deadlock, cut the dependency\nby running the partition_scan_work not by kblockd workqueue but by\nnvme_wq."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:12.733Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89456dab7ba5ab63d60945440926673a3205e829"
},
{
"url": "https://git.kernel.org/stable/c/e2a897ad5f538d314955c747a0a2edb184fcdecd"
},
{
"url": "https://git.kernel.org/stable/c/ef4ab2a8abe554379e10303ae86f7c501336ba0d"
},
{
"url": "https://git.kernel.org/stable/c/b03eb63288a8ffe3adfb34e68309c8e2edb06d0b"
},
{
"url": "https://git.kernel.org/stable/c/6d87cd5335784351280f82c47cc8a657271929c3"
}
],
"title": "nvme-multipath: fix lockdep WARN due to partition scan work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68218",
"datePublished": "2025-12-16T13:57:12.733Z",
"dateReserved": "2025-12-16T13:41:40.256Z",
"dateUpdated": "2025-12-16T13:57:12.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38502 (GCVE-0-2025-38502)
Vulnerability from cvelistv5 – Published: 2025-08-16 09:34 – Updated: 2025-11-03 17:39
VLAI?
EPSS
Title
bpf: Fix oob access in cgroup local storage
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix oob access in cgroup local storage
Lonial reported that an out-of-bounds access in cgroup local storage
can be crafted via tail calls. Given two programs each utilizing a
cgroup local storage with a different value size, and one program
doing a tail call into the other. The verifier will validate each of
the indivial programs just fine. However, in the runtime context
the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the
BPF program as well as any cgroup local storage flavor the program
uses. Helpers such as bpf_get_local_storage() pick this up from the
runtime context:
ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
storage = ctx->prog_item->cgroup_storage[stype];
if (stype == BPF_CGROUP_STORAGE_SHARED)
ptr = &READ_ONCE(storage->buf)->data[0];
else
ptr = this_cpu_ptr(storage->percpu_buf);
For the second program which was called from the originally attached
one, this means bpf_get_local_storage() will pick up the former
program's map, not its own. With mismatching sizes, this can result
in an unintended out-of-bounds access.
To fix this issue, we need to extend bpf_map_owner with an array of
storage_cookie[] to match on i) the exact maps from the original
program if the second program was using bpf_get_local_storage(), or
ii) allow the tail call combination if the second program was not
using any of the cgroup local storage maps.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7d9c3427894fe70d1347b4820476bf37736d2ff0 , < c1c74584b9b4043c52e41fec415226e582d266a3
(git)
Affected: 7d9c3427894fe70d1347b4820476bf37736d2ff0 , < 66da7cee78590259b400e51a70622ccd41da7bb2 (git) Affected: 7d9c3427894fe70d1347b4820476bf37736d2ff0 , < 7acfa07c585e3d7a64654d38f0a5c762877d0b9b (git) Affected: 7d9c3427894fe70d1347b4820476bf37736d2ff0 , < 41688d1fc5d163a6c2c0e95c0419e2cb31a44648 (git) Affected: 7d9c3427894fe70d1347b4820476bf37736d2ff0 , < 19341d5c59e8c7e8528e40f8663e99d67810473c (git) Affected: 7d9c3427894fe70d1347b4820476bf37736d2ff0 , < abad3d0bad72a52137e0c350c59542d75ae4f513 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:11.518Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/bpf.h",
"kernel/bpf/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c1c74584b9b4043c52e41fec415226e582d266a3",
"status": "affected",
"version": "7d9c3427894fe70d1347b4820476bf37736d2ff0",
"versionType": "git"
},
{
"lessThan": "66da7cee78590259b400e51a70622ccd41da7bb2",
"status": "affected",
"version": "7d9c3427894fe70d1347b4820476bf37736d2ff0",
"versionType": "git"
},
{
"lessThan": "7acfa07c585e3d7a64654d38f0a5c762877d0b9b",
"status": "affected",
"version": "7d9c3427894fe70d1347b4820476bf37736d2ff0",
"versionType": "git"
},
{
"lessThan": "41688d1fc5d163a6c2c0e95c0419e2cb31a44648",
"status": "affected",
"version": "7d9c3427894fe70d1347b4820476bf37736d2ff0",
"versionType": "git"
},
{
"lessThan": "19341d5c59e8c7e8528e40f8663e99d67810473c",
"status": "affected",
"version": "7d9c3427894fe70d1347b4820476bf37736d2ff0",
"versionType": "git"
},
{
"lessThan": "abad3d0bad72a52137e0c350c59542d75ae4f513",
"status": "affected",
"version": "7d9c3427894fe70d1347b4820476bf37736d2ff0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/bpf.h",
"kernel/bpf/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix oob access in cgroup local storage\n\nLonial reported that an out-of-bounds access in cgroup local storage\ncan be crafted via tail calls. Given two programs each utilizing a\ncgroup local storage with a different value size, and one program\ndoing a tail call into the other. The verifier will validate each of\nthe indivial programs just fine. However, in the runtime context\nthe bpf_cg_run_ctx holds an bpf_prog_array_item which contains the\nBPF program as well as any cgroup local storage flavor the program\nuses. Helpers such as bpf_get_local_storage() pick this up from the\nruntime context:\n\n ctx = container_of(current-\u003ebpf_ctx, struct bpf_cg_run_ctx, run_ctx);\n storage = ctx-\u003eprog_item-\u003ecgroup_storage[stype];\n\n if (stype == BPF_CGROUP_STORAGE_SHARED)\n ptr = \u0026READ_ONCE(storage-\u003ebuf)-\u003edata[0];\n else\n ptr = this_cpu_ptr(storage-\u003epercpu_buf);\n\nFor the second program which was called from the originally attached\none, this means bpf_get_local_storage() will pick up the former\nprogram\u0027s map, not its own. With mismatching sizes, this can result\nin an unintended out-of-bounds access.\n\nTo fix this issue, we need to extend bpf_map_owner with an array of\nstorage_cookie[] to match on i) the exact maps from the original\nprogram if the second program was using bpf_get_local_storage(), or\nii) allow the tail call combination if the second program was not\nusing any of the cgroup local storage maps."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:53:38.815Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c1c74584b9b4043c52e41fec415226e582d266a3"
},
{
"url": "https://git.kernel.org/stable/c/66da7cee78590259b400e51a70622ccd41da7bb2"
},
{
"url": "https://git.kernel.org/stable/c/7acfa07c585e3d7a64654d38f0a5c762877d0b9b"
},
{
"url": "https://git.kernel.org/stable/c/41688d1fc5d163a6c2c0e95c0419e2cb31a44648"
},
{
"url": "https://git.kernel.org/stable/c/19341d5c59e8c7e8528e40f8663e99d67810473c"
},
{
"url": "https://git.kernel.org/stable/c/abad3d0bad72a52137e0c350c59542d75ae4f513"
}
],
"title": "bpf: Fix oob access in cgroup local storage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38502",
"datePublished": "2025-08-16T09:34:25.135Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2025-11-03T17:39:11.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40081 (GCVE-0-2025-40081)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
perf: arm_spe: Prevent overflow in PERF_IDX2OFF()
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf: arm_spe: Prevent overflow in PERF_IDX2OFF()
Cast nr_pages to unsigned long to avoid overflow when handling large
AUX buffer sizes (>= 2 GiB).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d5d9696b03808bc6be723cc85288c912c3a05606 , < 656e9a5d69acdd1b20462f4a33378b90ddcb9626
(git)
Affected: d5d9696b03808bc6be723cc85288c912c3a05606 , < 9c045d4501f7f70724a3bbb561f4f22d292bbfe6 (git) Affected: d5d9696b03808bc6be723cc85288c912c3a05606 , < 5d01f2b81568289443d22f1e13a363f829de6343 (git) Affected: d5d9696b03808bc6be723cc85288c912c3a05606 , < 7500384d3c9587593d75ded3b006835e7aa73ef8 (git) Affected: d5d9696b03808bc6be723cc85288c912c3a05606 , < 379cae2cb982f571cda9493ac573ab71125fd299 (git) Affected: d5d9696b03808bc6be723cc85288c912c3a05606 , < 1a19ba8e1f4ff24ece8ca69b79df8442c431db90 (git) Affected: d5d9696b03808bc6be723cc85288c912c3a05606 , < e516cfd19b0f4c774a57b17fb43a7f41991f0735 (git) Affected: d5d9696b03808bc6be723cc85288c912c3a05606 , < a29fea30dd93da16652930162b177941abd8c75e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/perf/arm_spe_pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "656e9a5d69acdd1b20462f4a33378b90ddcb9626",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "9c045d4501f7f70724a3bbb561f4f22d292bbfe6",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "5d01f2b81568289443d22f1e13a363f829de6343",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "7500384d3c9587593d75ded3b006835e7aa73ef8",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "379cae2cb982f571cda9493ac573ab71125fd299",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "1a19ba8e1f4ff24ece8ca69b79df8442c431db90",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "e516cfd19b0f4c774a57b17fb43a7f41991f0735",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "a29fea30dd93da16652930162b177941abd8c75e",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/perf/arm_spe_pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: arm_spe: Prevent overflow in PERF_IDX2OFF()\n\nCast nr_pages to unsigned long to avoid overflow when handling large\nAUX buffer sizes (\u003e= 2 GiB)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:38.737Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/656e9a5d69acdd1b20462f4a33378b90ddcb9626"
},
{
"url": "https://git.kernel.org/stable/c/9c045d4501f7f70724a3bbb561f4f22d292bbfe6"
},
{
"url": "https://git.kernel.org/stable/c/5d01f2b81568289443d22f1e13a363f829de6343"
},
{
"url": "https://git.kernel.org/stable/c/7500384d3c9587593d75ded3b006835e7aa73ef8"
},
{
"url": "https://git.kernel.org/stable/c/379cae2cb982f571cda9493ac573ab71125fd299"
},
{
"url": "https://git.kernel.org/stable/c/1a19ba8e1f4ff24ece8ca69b79df8442c431db90"
},
{
"url": "https://git.kernel.org/stable/c/e516cfd19b0f4c774a57b17fb43a7f41991f0735"
},
{
"url": "https://git.kernel.org/stable/c/a29fea30dd93da16652930162b177941abd8c75e"
}
],
"title": "perf: arm_spe: Prevent overflow in PERF_IDX2OFF()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40081",
"datePublished": "2025-10-28T11:48:45.392Z",
"dateReserved": "2025-04-16T07:20:57.161Z",
"dateUpdated": "2025-12-01T06:17:38.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39938 (GCVE-0-2025-39938)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:31 – Updated: 2025-10-04 07:31
VLAI?
EPSS
Title
ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed
If earlier opening of source graph fails (e.g. ADSP rejects due to
incorrect audioreach topology), the graph is closed and
"dai_data->graph[dai->id]" is assigned NULL. Preparing the DAI for sink
graph continues though and next call to q6apm_lpass_dai_prepare()
receives dai_data->graph[dai->id]=NULL leading to NULL pointer
exception:
qcom-apm gprsvc:service:2:1: Error (1) Processing 0x01001002 cmd
qcom-apm gprsvc:service:2:1: DSP returned error[1001002] 1
q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: fail to start APM port 78
q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: ASoC: error at snd_soc_pcm_dai_prepare on TX_CODEC_DMA_TX_3: -22
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8
...
Call trace:
q6apm_graph_media_format_pcm+0x48/0x120 (P)
q6apm_lpass_dai_prepare+0x110/0x1b4
snd_soc_pcm_dai_prepare+0x74/0x108
__soc_pcm_prepare+0x44/0x160
dpcm_be_dai_prepare+0x124/0x1c0
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
30ad723b93ade607a678698e5947a55a4375c3a1 , < 01d1ba106c9e02a2e7d41e07be49031a0ff0ecaa
(git)
Affected: 30ad723b93ade607a678698e5947a55a4375c3a1 , < 411f7d4f7038200cdf6d4f71ee31026ebf2dfedb (git) Affected: 30ad723b93ade607a678698e5947a55a4375c3a1 , < 9c534dbfd1726502abcf0bd393a04214f62c050b (git) Affected: 30ad723b93ade607a678698e5947a55a4375c3a1 , < cc336b242ea7e7a09b3ab9f885341455ca0a3bdb (git) Affected: 30ad723b93ade607a678698e5947a55a4375c3a1 , < 68f27f7c7708183e7873c585ded2f1b057ac5b97 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/qcom/qdsp6/q6apm-lpass-dais.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "01d1ba106c9e02a2e7d41e07be49031a0ff0ecaa",
"status": "affected",
"version": "30ad723b93ade607a678698e5947a55a4375c3a1",
"versionType": "git"
},
{
"lessThan": "411f7d4f7038200cdf6d4f71ee31026ebf2dfedb",
"status": "affected",
"version": "30ad723b93ade607a678698e5947a55a4375c3a1",
"versionType": "git"
},
{
"lessThan": "9c534dbfd1726502abcf0bd393a04214f62c050b",
"status": "affected",
"version": "30ad723b93ade607a678698e5947a55a4375c3a1",
"versionType": "git"
},
{
"lessThan": "cc336b242ea7e7a09b3ab9f885341455ca0a3bdb",
"status": "affected",
"version": "30ad723b93ade607a678698e5947a55a4375c3a1",
"versionType": "git"
},
{
"lessThan": "68f27f7c7708183e7873c585ded2f1b057ac5b97",
"status": "affected",
"version": "30ad723b93ade607a678698e5947a55a4375c3a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/qcom/qdsp6/q6apm-lpass-dais.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed\n\nIf earlier opening of source graph fails (e.g. ADSP rejects due to\nincorrect audioreach topology), the graph is closed and\n\"dai_data-\u003egraph[dai-\u003eid]\" is assigned NULL. Preparing the DAI for sink\ngraph continues though and next call to q6apm_lpass_dai_prepare()\nreceives dai_data-\u003egraph[dai-\u003eid]=NULL leading to NULL pointer\nexception:\n\n qcom-apm gprsvc:service:2:1: Error (1) Processing 0x01001002 cmd\n qcom-apm gprsvc:service:2:1: DSP returned error[1001002] 1\n q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: fail to start APM port 78\n q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: ASoC: error at snd_soc_pcm_dai_prepare on TX_CODEC_DMA_TX_3: -22\n Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8\n ...\n Call trace:\n q6apm_graph_media_format_pcm+0x48/0x120 (P)\n q6apm_lpass_dai_prepare+0x110/0x1b4\n snd_soc_pcm_dai_prepare+0x74/0x108\n __soc_pcm_prepare+0x44/0x160\n dpcm_be_dai_prepare+0x124/0x1c0"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:31:01.736Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/01d1ba106c9e02a2e7d41e07be49031a0ff0ecaa"
},
{
"url": "https://git.kernel.org/stable/c/411f7d4f7038200cdf6d4f71ee31026ebf2dfedb"
},
{
"url": "https://git.kernel.org/stable/c/9c534dbfd1726502abcf0bd393a04214f62c050b"
},
{
"url": "https://git.kernel.org/stable/c/cc336b242ea7e7a09b3ab9f885341455ca0a3bdb"
},
{
"url": "https://git.kernel.org/stable/c/68f27f7c7708183e7873c585ded2f1b057ac5b97"
}
],
"title": "ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39938",
"datePublished": "2025-10-04T07:31:01.736Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:31:01.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-22984 (GCVE-0-2026-22984)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
libceph: prevent potential out-of-bounds reads in handle_auth_done()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: prevent potential out-of-bounds reads in handle_auth_done()
Perform an explicit bounds check on payload_len to avoid a possible
out-of-bounds access in the callout.
[ idryomov: changelog ]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cd1a677cad994021b19665ed476aea63f5d54f31 , < 194cfe2af4d2a1de599d39dad636b47c2f6c2c96
(git)
Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 79fe3511db416d2f2edcfd93569807cb02736e5e (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < ef208ea331ef688729f64089b895ed1b49e842e3 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 2802ef3380fa8c4a08cda51ec1f085b1a712e9e2 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 2d653bb63d598ae4b096dd678744bdcc34ee89e8 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 818156caffbf55cb4d368f9c3cac64e458fb49c9 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "194cfe2af4d2a1de599d39dad636b47c2f6c2c96",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "79fe3511db416d2f2edcfd93569807cb02736e5e",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "ef208ea331ef688729f64089b895ed1b49e842e3",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "2802ef3380fa8c4a08cda51ec1f085b1a712e9e2",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "2d653bb63d598ae4b096dd678744bdcc34ee89e8",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "818156caffbf55cb4d368f9c3cac64e458fb49c9",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: prevent potential out-of-bounds reads in handle_auth_done()\n\nPerform an explicit bounds check on payload_len to avoid a possible\nout-of-bounds access in the callout.\n\n[ idryomov: changelog ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:34.605Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/194cfe2af4d2a1de599d39dad636b47c2f6c2c96"
},
{
"url": "https://git.kernel.org/stable/c/79fe3511db416d2f2edcfd93569807cb02736e5e"
},
{
"url": "https://git.kernel.org/stable/c/ef208ea331ef688729f64089b895ed1b49e842e3"
},
{
"url": "https://git.kernel.org/stable/c/2802ef3380fa8c4a08cda51ec1f085b1a712e9e2"
},
{
"url": "https://git.kernel.org/stable/c/2d653bb63d598ae4b096dd678744bdcc34ee89e8"
},
{
"url": "https://git.kernel.org/stable/c/818156caffbf55cb4d368f9c3cac64e458fb49c9"
}
],
"title": "libceph: prevent potential out-of-bounds reads in handle_auth_done()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22984",
"datePublished": "2026-01-23T15:24:06.245Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-02-09T08:36:34.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68190 (GCVE-0-2025-68190)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()
kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws
remains NULL while ectx.ws_size is set, leading to a potential NULL
pointer dereference in atom_get_src_int() when accessing WS entries.
Return -ENOMEM on allocation failure to avoid the NULL dereference.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 35f3fb86bb0158a298d6834e7e110dcaf07f490c
(git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 997e28d3d00a1d30649629515e4402612921205b (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < cc9a8e238e42c1f43b98c097995137d644b69245 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/atom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "35f3fb86bb0158a298d6834e7e110dcaf07f490c",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "997e28d3d00a1d30649629515e4402612921205b",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "cc9a8e238e42c1f43b98c097995137d644b69245",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/atom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()\n\nkcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws\nremains NULL while ectx.ws_size is set, leading to a potential NULL\npointer dereference in atom_get_src_int() when accessing WS entries.\n\nReturn -ENOMEM on allocation failure to avoid the NULL dereference."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:18.560Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/35f3fb86bb0158a298d6834e7e110dcaf07f490c"
},
{
"url": "https://git.kernel.org/stable/c/997e28d3d00a1d30649629515e4402612921205b"
},
{
"url": "https://git.kernel.org/stable/c/cc9a8e238e42c1f43b98c097995137d644b69245"
}
],
"title": "drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68190",
"datePublished": "2025-12-16T13:43:12.297Z",
"dateReserved": "2025-12-16T13:41:40.253Z",
"dateUpdated": "2026-01-02T15:34:18.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-23130 (GCVE-0-2025-23130)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2025-11-02 13:30
VLAI?
EPSS
Title
f2fs: fix to avoid panic once fallocation fails for pinfile
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid panic once fallocation fails for pinfile
syzbot reports a f2fs bug as below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:2746!
CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0
RIP: 0010:get_new_segment fs/f2fs/segment.c:2746 [inline]
RIP: 0010:new_curseg+0x1f52/0x1f70 fs/f2fs/segment.c:2876
Call Trace:
<TASK>
__allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3210
f2fs_allocate_new_section fs/f2fs/segment.c:3224 [inline]
f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3238
f2fs_expand_inode_data+0x696/0xca0 fs/f2fs/file.c:1830
f2fs_fallocate+0x537/0xa10 fs/f2fs/file.c:1940
vfs_fallocate+0x569/0x6e0 fs/open.c:327
do_vfs_ioctl+0x258c/0x2e40 fs/ioctl.c:885
__do_sys_ioctl fs/ioctl.c:904 [inline]
__se_sys_ioctl+0x80/0x170 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Concurrent pinfile allocation may run out of free section, result in
panic in get_new_segment(), let's expand pin_sem lock coverage to
include f2fs_gc(), so that we can make sure to reclaim enough free
space for following allocation.
In addition, do below changes to enhance error path handling:
- call f2fs_bug_on() only in non-pinfile allocation path in
get_new_segment().
- call reset_curseg_fields() to reset all fields of curseg in
new_curseg()
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f5a53edcf01eae21dc3ef1845515229e8459e5cc , < 2dda0930fb79b847b4bfceb737577d0f6bc24d7d
(git)
Affected: f5a53edcf01eae21dc3ef1845515229e8459e5cc , < 9392862608d081a8346a3b841f862d732fce954b (git) Affected: f5a53edcf01eae21dc3ef1845515229e8459e5cc , < 48ea8b200414ac69ea96f4c231f5c7ef1fbeffef (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/file.c",
"fs/f2fs/segment.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2dda0930fb79b847b4bfceb737577d0f6bc24d7d",
"status": "affected",
"version": "f5a53edcf01eae21dc3ef1845515229e8459e5cc",
"versionType": "git"
},
{
"lessThan": "9392862608d081a8346a3b841f862d732fce954b",
"status": "affected",
"version": "f5a53edcf01eae21dc3ef1845515229e8459e5cc",
"versionType": "git"
},
{
"lessThan": "48ea8b200414ac69ea96f4c231f5c7ef1fbeffef",
"status": "affected",
"version": "f5a53edcf01eae21dc3ef1845515229e8459e5cc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/file.c",
"fs/f2fs/segment.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.57",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.57",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid panic once fallocation fails for pinfile\n\nsyzbot reports a f2fs bug as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/segment.c:2746!\nCPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0\nRIP: 0010:get_new_segment fs/f2fs/segment.c:2746 [inline]\nRIP: 0010:new_curseg+0x1f52/0x1f70 fs/f2fs/segment.c:2876\nCall Trace:\n \u003cTASK\u003e\n __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3210\n f2fs_allocate_new_section fs/f2fs/segment.c:3224 [inline]\n f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3238\n f2fs_expand_inode_data+0x696/0xca0 fs/f2fs/file.c:1830\n f2fs_fallocate+0x537/0xa10 fs/f2fs/file.c:1940\n vfs_fallocate+0x569/0x6e0 fs/open.c:327\n do_vfs_ioctl+0x258c/0x2e40 fs/ioctl.c:885\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x80/0x170 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nConcurrent pinfile allocation may run out of free section, result in\npanic in get_new_segment(), let\u0027s expand pin_sem lock coverage to\ninclude f2fs_gc(), so that we can make sure to reclaim enough free\nspace for following allocation.\n\nIn addition, do below changes to enhance error path handling:\n- call f2fs_bug_on() only in non-pinfile allocation path in\nget_new_segment().\n- call reset_curseg_fields() to reset all fields of curseg in\nnew_curseg()"
}
],
"providerMetadata": {
"dateUpdated": "2025-11-02T13:30:29.954Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2dda0930fb79b847b4bfceb737577d0f6bc24d7d"
},
{
"url": "https://git.kernel.org/stable/c/9392862608d081a8346a3b841f862d732fce954b"
},
{
"url": "https://git.kernel.org/stable/c/48ea8b200414ac69ea96f4c231f5c7ef1fbeffef"
}
],
"title": "f2fs: fix to avoid panic once fallocation fails for pinfile",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-23130",
"datePublished": "2025-04-16T14:13:12.333Z",
"dateReserved": "2025-01-11T14:28:41.510Z",
"dateUpdated": "2025-11-02T13:30:29.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39836 (GCVE-0-2025-39836)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:08 – Updated: 2026-01-14 18:22
VLAI?
EPSS
Title
efi: stmm: Fix incorrect buffer allocation method
Summary
In the Linux kernel, the following vulnerability has been resolved:
efi: stmm: Fix incorrect buffer allocation method
The communication buffer allocated by setup_mm_hdr() is later on passed
to tee_shm_register_kernel_buf(). The latter expects those buffers to be
contiguous pages, but setup_mm_hdr() just uses kmalloc(). That can cause
various corruptions or BUGs, specifically since commit 9aec2fb0fd5e
("slab: allocate frozen pages"), though it was broken before as well.
Fix this by using alloc_pages_exact() instead of kmalloc().
Severity ?
7.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c44b6be62e8dd4ee0a308c36a70620613e6fc55f , < 77ff27ff0e4529a003c8a1c2492c111968c378d3
(git)
Affected: c44b6be62e8dd4ee0a308c36a70620613e6fc55f , < 630c0e6064daf84f17aad1a7d9ca76b562e3fe47 (git) Affected: c44b6be62e8dd4ee0a308c36a70620613e6fc55f , < c5e81e672699e0c5557b2b755cc8f7a69aa92bff (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39836",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:18:58.242475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:22:57.320Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/efi/stmm/tee_stmm_efi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "77ff27ff0e4529a003c8a1c2492c111968c378d3",
"status": "affected",
"version": "c44b6be62e8dd4ee0a308c36a70620613e6fc55f",
"versionType": "git"
},
{
"lessThan": "630c0e6064daf84f17aad1a7d9ca76b562e3fe47",
"status": "affected",
"version": "c44b6be62e8dd4ee0a308c36a70620613e6fc55f",
"versionType": "git"
},
{
"lessThan": "c5e81e672699e0c5557b2b755cc8f7a69aa92bff",
"status": "affected",
"version": "c44b6be62e8dd4ee0a308c36a70620613e6fc55f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/efi/stmm/tee_stmm_efi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: stmm: Fix incorrect buffer allocation method\n\nThe communication buffer allocated by setup_mm_hdr() is later on passed\nto tee_shm_register_kernel_buf(). The latter expects those buffers to be\ncontiguous pages, but setup_mm_hdr() just uses kmalloc(). That can cause\nvarious corruptions or BUGs, specifically since commit 9aec2fb0fd5e\n(\"slab: allocate frozen pages\"), though it was broken before as well.\n\nFix this by using alloc_pages_exact() instead of kmalloc()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:40.674Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/77ff27ff0e4529a003c8a1c2492c111968c378d3"
},
{
"url": "https://git.kernel.org/stable/c/630c0e6064daf84f17aad1a7d9ca76b562e3fe47"
},
{
"url": "https://git.kernel.org/stable/c/c5e81e672699e0c5557b2b755cc8f7a69aa92bff"
}
],
"title": "efi: stmm: Fix incorrect buffer allocation method",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39836",
"datePublished": "2025-09-16T13:08:52.326Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2026-01-14T18:22:57.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68234 (GCVE-0-2025-68234)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:04 – Updated: 2025-12-16 14:04
VLAI?
EPSS
Title
io_uring/cmd_net: fix wrong argument types for skb_queue_splice()
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/cmd_net: fix wrong argument types for skb_queue_splice()
If timestamp retriving needs to be retried and the local list of
SKB's already has entries, then it's spliced back into the socket
queue. However, the arguments for the splice helper are transposed,
causing exactly the wrong direction of splicing into the on-stack
list. Fix that up.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/cmd_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c85d2cfc5e24e6866b56c7253fd4e1c7db35986c",
"status": "affected",
"version": "9e4ed359b8efad0e8ad4510d8ad22bf0b060526a",
"versionType": "git"
},
{
"lessThan": "46447367a52965e9d35f112f5b26fc8ff8ec443d",
"status": "affected",
"version": "9e4ed359b8efad0e8ad4510d8ad22bf0b060526a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/cmd_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/cmd_net: fix wrong argument types for skb_queue_splice()\n\nIf timestamp retriving needs to be retried and the local list of\nSKB\u0027s already has entries, then it\u0027s spliced back into the socket\nqueue. However, the arguments for the splice helper are transposed,\ncausing exactly the wrong direction of splicing into the on-stack\nlist. Fix that up."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:04:14.300Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c85d2cfc5e24e6866b56c7253fd4e1c7db35986c"
},
{
"url": "https://git.kernel.org/stable/c/46447367a52965e9d35f112f5b26fc8ff8ec443d"
}
],
"title": "io_uring/cmd_net: fix wrong argument types for skb_queue_splice()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68234",
"datePublished": "2025-12-16T14:04:14.300Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2025-12-16T14:04:14.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68733 (GCVE-0-2025-68733)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
smack: fix bug: unprivileged task can create labels
Summary
In the Linux kernel, the following vulnerability has been resolved:
smack: fix bug: unprivileged task can create labels
If an unprivileged task is allowed to relabel itself
(/smack/relabel-self is not empty),
it can freely create new labels by writing their
names into own /proc/PID/attr/smack/current
This occurs because do_setattr() imports
the provided label in advance,
before checking "relabel-self" list.
This change ensures that the "relabel-self" list
is checked before importing the label.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
38416e53936ecf896948fdeffc36b76979117952 , < c80173233014a360c13fa5cc79d36bfe6e53a8ed
(git)
Affected: 38416e53936ecf896948fdeffc36b76979117952 , < 6b1e45e13546c9ea0b1d99097993ac0aafae90b1 (git) Affected: 38416e53936ecf896948fdeffc36b76979117952 , < 4a7a7621619a366712fb9cefcb6e69f956c247ce (git) Affected: 38416e53936ecf896948fdeffc36b76979117952 , < f8fd5491100f920847a3338d5fba22db19c72773 (git) Affected: 38416e53936ecf896948fdeffc36b76979117952 , < ac9fce2efabad37c338aac86fbe100f77a080e59 (git) Affected: 38416e53936ecf896948fdeffc36b76979117952 , < 64aa81250171b6bb6803e97ea7a5d73bfa061f6e (git) Affected: 38416e53936ecf896948fdeffc36b76979117952 , < 60e8d49989410a7ade60f5dadfcd979c117d05c0 (git) Affected: 38416e53936ecf896948fdeffc36b76979117952 , < c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/smack/smack_lsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c80173233014a360c13fa5cc79d36bfe6e53a8ed",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "6b1e45e13546c9ea0b1d99097993ac0aafae90b1",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "4a7a7621619a366712fb9cefcb6e69f956c247ce",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "f8fd5491100f920847a3338d5fba22db19c72773",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "ac9fce2efabad37c338aac86fbe100f77a080e59",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "64aa81250171b6bb6803e97ea7a5d73bfa061f6e",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "60e8d49989410a7ade60f5dadfcd979c117d05c0",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/smack/smack_lsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmack: fix bug: unprivileged task can create labels\n\nIf an unprivileged task is allowed to relabel itself\n(/smack/relabel-self is not empty),\nit can freely create new labels by writing their\nnames into own /proc/PID/attr/smack/current\n\nThis occurs because do_setattr() imports\nthe provided label in advance,\nbefore checking \"relabel-self\" list.\n\nThis change ensures that the \"relabel-self\" list\nis checked before importing the label."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:29.776Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c80173233014a360c13fa5cc79d36bfe6e53a8ed"
},
{
"url": "https://git.kernel.org/stable/c/6b1e45e13546c9ea0b1d99097993ac0aafae90b1"
},
{
"url": "https://git.kernel.org/stable/c/4a7a7621619a366712fb9cefcb6e69f956c247ce"
},
{
"url": "https://git.kernel.org/stable/c/f8fd5491100f920847a3338d5fba22db19c72773"
},
{
"url": "https://git.kernel.org/stable/c/ac9fce2efabad37c338aac86fbe100f77a080e59"
},
{
"url": "https://git.kernel.org/stable/c/64aa81250171b6bb6803e97ea7a5d73bfa061f6e"
},
{
"url": "https://git.kernel.org/stable/c/60e8d49989410a7ade60f5dadfcd979c117d05c0"
},
{
"url": "https://git.kernel.org/stable/c/c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3"
}
],
"title": "smack: fix bug: unprivileged task can create labels",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68733",
"datePublished": "2025-12-24T10:33:15.347Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-02-09T08:32:29.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68348 (GCVE-0-2025-68348)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
block: fix memory leak in __blkdev_issue_zero_pages
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: fix memory leak in __blkdev_issue_zero_pages
Move the fatal signal check before bio_alloc() to prevent a memory
leak when BLKDEV_ZERO_KILLABLE is set and a fatal signal is pending.
Previously, the bio was allocated before checking for a fatal signal.
If a signal was pending, the code would break out of the loop without
freeing or chaining the just-allocated bio, causing a memory leak.
This matches the pattern already used in __blkdev_issue_write_zeroes()
where the signal check precedes the allocation.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bf86bcdb40123ee99669ee91b67e023669433a1a , < 453e4b0c84d0db1454ff0adf655d91179e6fca3a
(git)
Affected: bf86bcdb40123ee99669ee91b67e023669433a1a , < 7957635c679e8a01147163a3a4a1f16e1210fa03 (git) Affected: bf86bcdb40123ee99669ee91b67e023669433a1a , < 7193407bc4457212fa38ec3aff9c640e63a8dbef (git) Affected: bf86bcdb40123ee99669ee91b67e023669433a1a , < f7e3f852a42d7cd8f1af2c330d9d153e30c8adcf (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "453e4b0c84d0db1454ff0adf655d91179e6fca3a",
"status": "affected",
"version": "bf86bcdb40123ee99669ee91b67e023669433a1a",
"versionType": "git"
},
{
"lessThan": "7957635c679e8a01147163a3a4a1f16e1210fa03",
"status": "affected",
"version": "bf86bcdb40123ee99669ee91b67e023669433a1a",
"versionType": "git"
},
{
"lessThan": "7193407bc4457212fa38ec3aff9c640e63a8dbef",
"status": "affected",
"version": "bf86bcdb40123ee99669ee91b67e023669433a1a",
"versionType": "git"
},
{
"lessThan": "f7e3f852a42d7cd8f1af2c330d9d153e30c8adcf",
"status": "affected",
"version": "bf86bcdb40123ee99669ee91b67e023669433a1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix memory leak in __blkdev_issue_zero_pages\n\nMove the fatal signal check before bio_alloc() to prevent a memory\nleak when BLKDEV_ZERO_KILLABLE is set and a fatal signal is pending.\n\nPreviously, the bio was allocated before checking for a fatal signal.\nIf a signal was pending, the code would break out of the loop without\nfreeing or chaining the just-allocated bio, causing a memory leak.\n\nThis matches the pattern already used in __blkdev_issue_write_zeroes()\nwhere the signal check precedes the allocation."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:42.492Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/453e4b0c84d0db1454ff0adf655d91179e6fca3a"
},
{
"url": "https://git.kernel.org/stable/c/7957635c679e8a01147163a3a4a1f16e1210fa03"
},
{
"url": "https://git.kernel.org/stable/c/7193407bc4457212fa38ec3aff9c640e63a8dbef"
},
{
"url": "https://git.kernel.org/stable/c/f7e3f852a42d7cd8f1af2c330d9d153e30c8adcf"
}
],
"title": "block: fix memory leak in __blkdev_issue_zero_pages",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68348",
"datePublished": "2025-12-24T10:32:40.561Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2026-02-09T08:31:42.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71066 (GCVE-0-2025-71066)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
zdi-disclosures@trendmicro.com says:
The vulnerability is a race condition between `ets_qdisc_dequeue` and
`ets_qdisc_change`. It leads to UAF on `struct Qdisc` object.
Attacker requires the capability to create new user and network namespace
in order to trigger the bug.
See my additional commentary at the end of the analysis.
Analysis:
static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
struct netlink_ext_ack *extack)
{
...
// (1) this lock is preventing .change handler (`ets_qdisc_change`)
//to race with .dequeue handler (`ets_qdisc_dequeue`)
sch_tree_lock(sch);
for (i = nbands; i < oldbands; i++) {
if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
list_del_init(&q->classes[i].alist);
qdisc_purge_queue(q->classes[i].qdisc);
}
WRITE_ONCE(q->nbands, nbands);
for (i = nstrict; i < q->nstrict; i++) {
if (q->classes[i].qdisc->q.qlen) {
// (2) the class is added to the q->active
list_add_tail(&q->classes[i].alist, &q->active);
q->classes[i].deficit = quanta[i];
}
}
WRITE_ONCE(q->nstrict, nstrict);
memcpy(q->prio2band, priomap, sizeof(priomap));
for (i = 0; i < q->nbands; i++)
WRITE_ONCE(q->classes[i].quantum, quanta[i]);
for (i = oldbands; i < q->nbands; i++) {
q->classes[i].qdisc = queues[i];
if (q->classes[i].qdisc != &noop_qdisc)
qdisc_hash_add(q->classes[i].qdisc, true);
}
// (3) the qdisc is unlocked, now dequeue can be called in parallel
// to the rest of .change handler
sch_tree_unlock(sch);
ets_offload_change(sch);
for (i = q->nbands; i < oldbands; i++) {
// (4) we're reducing the refcount for our class's qdisc and
// freeing it
qdisc_put(q->classes[i].qdisc);
// (5) If we call .dequeue between (4) and (5), we will have
// a strong UAF and we can control RIP
q->classes[i].qdisc = NULL;
WRITE_ONCE(q->classes[i].quantum, 0);
q->classes[i].deficit = 0;
gnet_stats_basic_sync_init(&q->classes[i].bstats);
memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
}
return 0;
}
Comment:
This happens because some of the classes have their qdiscs assigned to
NULL, but remain in the active list. This commit fixes this issue by always
removing the class from the active list before deleting and freeing its
associated qdisc
Reproducer Steps
(trimmed version of what was sent by zdi-disclosures@trendmicro.com)
```
DEV="${DEV:-lo}"
ROOT_HANDLE="${ROOT_HANDLE:-1:}"
BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2
PING_BYTES="${PING_BYTES:-48}"
PING_COUNT="${PING_COUNT:-200000}"
PING_DST="${PING_DST:-127.0.0.1}"
SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}"
SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}"
SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}"
cleanup() {
tc qdisc del dev "$DEV" root 2>/dev/null
}
trap cleanup EXIT
ip link set "$DEV" up
tc qdisc del dev "$DEV" root 2>/dev/null || true
tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2
tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \
tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT"
tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2
tc -s qdisc ls dev $DEV
ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \
>/dev/null 2>&1 &
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2
tc -s qdisc ls dev $DEV
tc qdisc del dev "$DEV" parent
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ae2659d2c670252759ee9c823c4e039c0e05a6f2 , < 062d5d544e564473450d72e6af83077c2b2ff7c3
(git)
Affected: e25bdbc7e951ae5728fee1f4c09485df113d013c , < c7f6e7cc14df72b997258216e99d897d2df0dbbd (git) Affected: de6d25924c2a8c2988c6a385990cafbe742061bf , < a75d617a4ef08682f5cfaadc01d5141c87e019c9 (git) Affected: de6d25924c2a8c2988c6a385990cafbe742061bf , < 9987cda315c08f63a02423fa2f9a1f6602c861a0 (git) Affected: de6d25924c2a8c2988c6a385990cafbe742061bf , < 06bfb66a7c8b45e3fed01351a4b087410ae5ef39 (git) Affected: de6d25924c2a8c2988c6a385990cafbe742061bf , < 45466141da3c98a0c5fa88be0bc14b4b6a4bd75c (git) Affected: de6d25924c2a8c2988c6a385990cafbe742061bf , < ce052b9402e461a9aded599f5b47e76bc727f7de (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "062d5d544e564473450d72e6af83077c2b2ff7c3",
"status": "affected",
"version": "ae2659d2c670252759ee9c823c4e039c0e05a6f2",
"versionType": "git"
},
{
"lessThan": "c7f6e7cc14df72b997258216e99d897d2df0dbbd",
"status": "affected",
"version": "e25bdbc7e951ae5728fee1f4c09485df113d013c",
"versionType": "git"
},
{
"lessThan": "a75d617a4ef08682f5cfaadc01d5141c87e019c9",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "9987cda315c08f63a02423fa2f9a1f6602c861a0",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "06bfb66a7c8b45e3fed01351a4b087410ae5ef39",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "45466141da3c98a0c5fa88be0bc14b4b6a4bd75c",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "ce052b9402e461a9aded599f5b47e76bc727f7de",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: Always remove class from active list before deleting in ets_qdisc_change\n\nzdi-disclosures@trendmicro.com says:\n\nThe vulnerability is a race condition between `ets_qdisc_dequeue` and\n`ets_qdisc_change`. It leads to UAF on `struct Qdisc` object.\nAttacker requires the capability to create new user and network namespace\nin order to trigger the bug.\nSee my additional commentary at the end of the analysis.\n\nAnalysis:\n\nstatic int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,\n struct netlink_ext_ack *extack)\n{\n...\n\n // (1) this lock is preventing .change handler (`ets_qdisc_change`)\n //to race with .dequeue handler (`ets_qdisc_dequeue`)\n sch_tree_lock(sch);\n\n for (i = nbands; i \u003c oldbands; i++) {\n if (i \u003e= q-\u003enstrict \u0026\u0026 q-\u003eclasses[i].qdisc-\u003eq.qlen)\n list_del_init(\u0026q-\u003eclasses[i].alist);\n qdisc_purge_queue(q-\u003eclasses[i].qdisc);\n }\n\n WRITE_ONCE(q-\u003enbands, nbands);\n for (i = nstrict; i \u003c q-\u003enstrict; i++) {\n if (q-\u003eclasses[i].qdisc-\u003eq.qlen) {\n\t\t // (2) the class is added to the q-\u003eactive\n list_add_tail(\u0026q-\u003eclasses[i].alist, \u0026q-\u003eactive);\n q-\u003eclasses[i].deficit = quanta[i];\n }\n }\n WRITE_ONCE(q-\u003enstrict, nstrict);\n memcpy(q-\u003eprio2band, priomap, sizeof(priomap));\n\n for (i = 0; i \u003c q-\u003enbands; i++)\n WRITE_ONCE(q-\u003eclasses[i].quantum, quanta[i]);\n\n for (i = oldbands; i \u003c q-\u003enbands; i++) {\n q-\u003eclasses[i].qdisc = queues[i];\n if (q-\u003eclasses[i].qdisc != \u0026noop_qdisc)\n qdisc_hash_add(q-\u003eclasses[i].qdisc, true);\n }\n\n // (3) the qdisc is unlocked, now dequeue can be called in parallel\n // to the rest of .change handler\n sch_tree_unlock(sch);\n\n ets_offload_change(sch);\n for (i = q-\u003enbands; i \u003c oldbands; i++) {\n\t // (4) we\u0027re reducing the refcount for our class\u0027s qdisc and\n\t // freeing it\n qdisc_put(q-\u003eclasses[i].qdisc);\n\t // (5) If we call .dequeue between (4) and (5), we will have\n\t // a strong UAF and we can control RIP\n q-\u003eclasses[i].qdisc = NULL;\n WRITE_ONCE(q-\u003eclasses[i].quantum, 0);\n q-\u003eclasses[i].deficit = 0;\n gnet_stats_basic_sync_init(\u0026q-\u003eclasses[i].bstats);\n memset(\u0026q-\u003eclasses[i].qstats, 0, sizeof(q-\u003eclasses[i].qstats));\n }\n return 0;\n}\n\nComment:\nThis happens because some of the classes have their qdiscs assigned to\nNULL, but remain in the active list. This commit fixes this issue by always\nremoving the class from the active list before deleting and freeing its\nassociated qdisc\n\nReproducer Steps\n(trimmed version of what was sent by zdi-disclosures@trendmicro.com)\n\n```\nDEV=\"${DEV:-lo}\"\nROOT_HANDLE=\"${ROOT_HANDLE:-1:}\"\nBAND2_HANDLE=\"${BAND2_HANDLE:-20:}\" # child under 1:2\nPING_BYTES=\"${PING_BYTES:-48}\"\nPING_COUNT=\"${PING_COUNT:-200000}\"\nPING_DST=\"${PING_DST:-127.0.0.1}\"\n\nSLOW_TBF_RATE=\"${SLOW_TBF_RATE:-8bit}\"\nSLOW_TBF_BURST=\"${SLOW_TBF_BURST:-100b}\"\nSLOW_TBF_LAT=\"${SLOW_TBF_LAT:-1s}\"\n\ncleanup() {\n tc qdisc del dev \"$DEV\" root 2\u003e/dev/null\n}\ntrap cleanup EXIT\n\nip link set \"$DEV\" up\n\ntc qdisc del dev \"$DEV\" root 2\u003e/dev/null || true\n\ntc qdisc add dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\n\ntc qdisc add dev \"$DEV\" parent 1:2 handle \"$BAND2_HANDLE\" \\\n tbf rate \"$SLOW_TBF_RATE\" burst \"$SLOW_TBF_BURST\" latency \"$SLOW_TBF_LAT\"\n\ntc filter add dev \"$DEV\" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2\ntc -s qdisc ls dev $DEV\n\nping -I \"$DEV\" -f -c \"$PING_COUNT\" -s \"$PING_BYTES\" -W 0.001 \"$PING_DST\" \\\n \u003e/dev/null 2\u003e\u00261 \u0026\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 0\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\ntc -s qdisc ls dev $DEV\ntc qdisc del dev \"$DEV\" parent \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:16.660Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/062d5d544e564473450d72e6af83077c2b2ff7c3"
},
{
"url": "https://git.kernel.org/stable/c/c7f6e7cc14df72b997258216e99d897d2df0dbbd"
},
{
"url": "https://git.kernel.org/stable/c/a75d617a4ef08682f5cfaadc01d5141c87e019c9"
},
{
"url": "https://git.kernel.org/stable/c/9987cda315c08f63a02423fa2f9a1f6602c861a0"
},
{
"url": "https://git.kernel.org/stable/c/06bfb66a7c8b45e3fed01351a4b087410ae5ef39"
},
{
"url": "https://git.kernel.org/stable/c/45466141da3c98a0c5fa88be0bc14b4b6a4bd75c"
},
{
"url": "https://git.kernel.org/stable/c/ce052b9402e461a9aded599f5b47e76bc727f7de"
}
],
"title": "net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71066",
"datePublished": "2026-01-13T15:31:21.931Z",
"dateReserved": "2026-01-13T15:30:19.646Z",
"dateUpdated": "2026-02-09T08:34:16.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39829 (GCVE-0-2025-39829)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2026-01-14 18:22
VLAI?
EPSS
Title
trace/fgraph: Fix the warning caused by missing unregister notifier
Summary
In the Linux kernel, the following vulnerability has been resolved:
trace/fgraph: Fix the warning caused by missing unregister notifier
This warning was triggered during testing on v6.16:
notifier callback ftrace_suspend_notifier_call already registered
WARNING: CPU: 2 PID: 86 at kernel/notifier.c:23 notifier_chain_register+0x44/0xb0
...
Call Trace:
<TASK>
blocking_notifier_chain_register+0x34/0x60
register_ftrace_graph+0x330/0x410
ftrace_profile_write+0x1e9/0x340
vfs_write+0xf8/0x420
? filp_flush+0x8a/0xa0
? filp_close+0x1f/0x30
? do_dup2+0xaf/0x160
ksys_write+0x65/0xe0
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x77/0x7f
When writing to the function_profile_enabled interface, the notifier was
not unregistered after start_graph_tracing failed, causing a warning the
next time function_profile_enabled was written.
Fixed by adding unregister_pm_notifier in the exception path.
Severity ?
5.5 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4a2b8dda3f8705880ec7408135645602d5590f51 , < 2a2deb9f8df70480050351ac27041f19bb9e718b
(git)
Affected: 4a2b8dda3f8705880ec7408135645602d5590f51 , < 000aa47a51233fd38a629b029478e0278e1e9fbe (git) Affected: 4a2b8dda3f8705880ec7408135645602d5590f51 , < edede7a6dcd7435395cf757d053974aaab6ab1c2 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39829",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:17:20.629374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:22:56.447Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/fgraph.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a2deb9f8df70480050351ac27041f19bb9e718b",
"status": "affected",
"version": "4a2b8dda3f8705880ec7408135645602d5590f51",
"versionType": "git"
},
{
"lessThan": "000aa47a51233fd38a629b029478e0278e1e9fbe",
"status": "affected",
"version": "4a2b8dda3f8705880ec7408135645602d5590f51",
"versionType": "git"
},
{
"lessThan": "edede7a6dcd7435395cf757d053974aaab6ab1c2",
"status": "affected",
"version": "4a2b8dda3f8705880ec7408135645602d5590f51",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/fgraph.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntrace/fgraph: Fix the warning caused by missing unregister notifier\n\nThis warning was triggered during testing on v6.16:\n\nnotifier callback ftrace_suspend_notifier_call already registered\nWARNING: CPU: 2 PID: 86 at kernel/notifier.c:23 notifier_chain_register+0x44/0xb0\n...\nCall Trace:\n \u003cTASK\u003e\n blocking_notifier_chain_register+0x34/0x60\n register_ftrace_graph+0x330/0x410\n ftrace_profile_write+0x1e9/0x340\n vfs_write+0xf8/0x420\n ? filp_flush+0x8a/0xa0\n ? filp_close+0x1f/0x30\n ? do_dup2+0xaf/0x160\n ksys_write+0x65/0xe0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWhen writing to the function_profile_enabled interface, the notifier was\nnot unregistered after start_graph_tracing failed, causing a warning the\nnext time function_profile_enabled was written.\n\nFixed by adding unregister_pm_notifier in the exception path."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:31.815Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a2deb9f8df70480050351ac27041f19bb9e718b"
},
{
"url": "https://git.kernel.org/stable/c/000aa47a51233fd38a629b029478e0278e1e9fbe"
},
{
"url": "https://git.kernel.org/stable/c/edede7a6dcd7435395cf757d053974aaab6ab1c2"
}
],
"title": "trace/fgraph: Fix the warning caused by missing unregister notifier",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39829",
"datePublished": "2025-09-16T13:00:27.154Z",
"dateReserved": "2025-04-16T07:20:57.140Z",
"dateUpdated": "2026-01-14T18:22:56.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39988 (GCVE-0-2025-39988)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:56 – Updated: 2025-10-15 07:56
VLAI?
EPSS
Title
can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the etas_es58x driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL));
to inject a malicious CAN XL frames. For example:
struct canxl_frame frame = {
.flags = 0xff,
.len = 2048,
};
The CAN drivers' xmit() function are calling can_dev_dropped_skb() to
check that the skb is valid, unfortunately under above conditions, the
malicious packet is able to go through can_dev_dropped_skb() checks:
1. the skb->protocol is set to ETH_P_CANXL which is valid (the
function does not check the actual device capabilities).
2. the length is a valid CAN XL length.
And so, es58x_start_xmit() receives a CAN XL frame which it is not
able to correctly handle and will thus misinterpret it as a CAN(FD)
frame.
This can result in a buffer overflow. For example, using the es581.4
variant, the frame will be dispatched to es581_4_tx_can_msg(), go
through the last check at the beginning of this function:
if (can_is_canfd_skb(skb))
return -EMSGSIZE;
and reach this line:
memcpy(tx_can_msg->data, cf->data, cf->len);
Here, cf->len corresponds to the flags field of the CAN XL frame. In
our previous example, we set canxl_frame->flags to 0xff. Because the
maximum expected length is 8, a buffer overflow of 247 bytes occurs!
Populate net_device_ops->ndo_change_mtu() to ensure that the
interface's MTU can not be set to anything bigger than CAN_MTU or
CANFD_MTU (depending on the device capabilities). By fixing the root
cause, this prevents the buffer overflow.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8537257874e949a59c834cecfd5a063e11b64b0b , < 72de0facc50afdb101fb7197d880407f1abfc77f
(git)
Affected: 8537257874e949a59c834cecfd5a063e11b64b0b , < c4e582e686c4d683c87f2b4a316385b3d81d370f (git) Affected: 8537257874e949a59c834cecfd5a063e11b64b0b , < cbc1de71766f326a44bb798aeae4a7ef4a081cc9 (git) Affected: 8537257874e949a59c834cecfd5a063e11b64b0b , < b26cccd87dcddc47b450a40f3b1ac3fe346efcff (git) Affected: 8537257874e949a59c834cecfd5a063e11b64b0b , < e587af2c89ecc6382c518febea52fa9ba81e47c0 (git) Affected: 8537257874e949a59c834cecfd5a063e11b64b0b , < 38c0abad45b190a30d8284a37264d2127a6ec303 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/etas_es58x/es58x_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72de0facc50afdb101fb7197d880407f1abfc77f",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "c4e582e686c4d683c87f2b4a316385b3d81d370f",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "cbc1de71766f326a44bb798aeae4a7ef4a081cc9",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "b26cccd87dcddc47b450a40f3b1ac3fe346efcff",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "e587af2c89ecc6382c518febea52fa9ba81e47c0",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "38c0abad45b190a30d8284a37264d2127a6ec303",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/etas_es58x/es58x_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow\n\nSending an PF_PACKET allows to bypass the CAN framework logic and to\ndirectly reach the xmit() function of a CAN driver. The only check\nwhich is performed by the PF_PACKET framework is to make sure that\nskb-\u003elen fits the interface\u0027s MTU.\n\nUnfortunately, because the etas_es58x driver does not populate its\nnet_device_ops-\u003endo_change_mtu(), it is possible for an attacker to\nconfigure an invalid MTU by doing, for example:\n\n $ ip link set can0 mtu 9999\n\nAfter doing so, the attacker could open a PF_PACKET socket using the\nETH_P_CANXL protocol:\n\n\tsocket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL));\n\nto inject a malicious CAN XL frames. For example:\n\n\tstruct canxl_frame frame = {\n\t\t.flags = 0xff,\n\t\t.len = 2048,\n\t};\n\nThe CAN drivers\u0027 xmit() function are calling can_dev_dropped_skb() to\ncheck that the skb is valid, unfortunately under above conditions, the\nmalicious packet is able to go through can_dev_dropped_skb() checks:\n\n 1. the skb-\u003eprotocol is set to ETH_P_CANXL which is valid (the\n function does not check the actual device capabilities).\n\n 2. the length is a valid CAN XL length.\n\nAnd so, es58x_start_xmit() receives a CAN XL frame which it is not\nable to correctly handle and will thus misinterpret it as a CAN(FD)\nframe.\n\nThis can result in a buffer overflow. For example, using the es581.4\nvariant, the frame will be dispatched to es581_4_tx_can_msg(), go\nthrough the last check at the beginning of this function:\n\n\tif (can_is_canfd_skb(skb))\n\t\treturn -EMSGSIZE;\n\nand reach this line:\n\n\tmemcpy(tx_can_msg-\u003edata, cf-\u003edata, cf-\u003elen);\n\nHere, cf-\u003elen corresponds to the flags field of the CAN XL frame. In\nour previous example, we set canxl_frame-\u003eflags to 0xff. Because the\nmaximum expected length is 8, a buffer overflow of 247 bytes occurs!\n\nPopulate net_device_ops-\u003endo_change_mtu() to ensure that the\ninterface\u0027s MTU can not be set to anything bigger than CAN_MTU or\nCANFD_MTU (depending on the device capabilities). By fixing the root\ncause, this prevents the buffer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:06.601Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72de0facc50afdb101fb7197d880407f1abfc77f"
},
{
"url": "https://git.kernel.org/stable/c/c4e582e686c4d683c87f2b4a316385b3d81d370f"
},
{
"url": "https://git.kernel.org/stable/c/cbc1de71766f326a44bb798aeae4a7ef4a081cc9"
},
{
"url": "https://git.kernel.org/stable/c/b26cccd87dcddc47b450a40f3b1ac3fe346efcff"
},
{
"url": "https://git.kernel.org/stable/c/e587af2c89ecc6382c518febea52fa9ba81e47c0"
},
{
"url": "https://git.kernel.org/stable/c/38c0abad45b190a30d8284a37264d2127a6ec303"
}
],
"title": "can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39988",
"datePublished": "2025-10-15T07:56:06.601Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:06.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40085 (GCVE-0-2025-40085)
Vulnerability from cvelistv5 – Published: 2025-10-29 13:37 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card
In try_to_register_card(), the return value of usb_ifnum_to_if() is
passed directly to usb_interface_claimed() without a NULL check, which
will lead to a NULL pointer dereference when creating an invalid
USB audio device. Fix this by adding a check to ensure the interface
pointer is valid before passing it to usb_interface_claimed().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
28787ff9fbeaf57684eb64cc33e2ec8ceedf21b5 , < 736159f7b296d7a95f7208eb4799639b1f8b16a0
(git)
Affected: 39efc9c8a973ddff5918191525d1679d0fb368ea , < 8d19a7ab28c7b9c207db5c5282afa8cc8595bcdb (git) Affected: 39efc9c8a973ddff5918191525d1679d0fb368ea , < 576312eb436326b44b7010f4d9ae2b698df075ea (git) Affected: 39efc9c8a973ddff5918191525d1679d0fb368ea , < bba7208765d26e5e36b87f21dacc2780b064f41f (git) Affected: 39efc9c8a973ddff5918191525d1679d0fb368ea , < 8503ac1a62075a085402e42a386b5c627c821a51 (git) Affected: 39efc9c8a973ddff5918191525d1679d0fb368ea , < 28412b489b088fb88dff488305fd4e56bd47f6e4 (git) Affected: 9d4f4dc3cd38e412c29a7626489fe48b79ebbf6c (git) Affected: 52076a41c128146c9df4a157e972cb17019313b1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/card.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "736159f7b296d7a95f7208eb4799639b1f8b16a0",
"status": "affected",
"version": "28787ff9fbeaf57684eb64cc33e2ec8ceedf21b5",
"versionType": "git"
},
{
"lessThan": "8d19a7ab28c7b9c207db5c5282afa8cc8595bcdb",
"status": "affected",
"version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
"versionType": "git"
},
{
"lessThan": "576312eb436326b44b7010f4d9ae2b698df075ea",
"status": "affected",
"version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
"versionType": "git"
},
{
"lessThan": "bba7208765d26e5e36b87f21dacc2780b064f41f",
"status": "affected",
"version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
"versionType": "git"
},
{
"lessThan": "8503ac1a62075a085402e42a386b5c627c821a51",
"status": "affected",
"version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
"versionType": "git"
},
{
"lessThan": "28412b489b088fb88dff488305fd4e56bd47f6e4",
"status": "affected",
"version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
"versionType": "git"
},
{
"status": "affected",
"version": "9d4f4dc3cd38e412c29a7626489fe48b79ebbf6c",
"versionType": "git"
},
{
"status": "affected",
"version": "52076a41c128146c9df4a157e972cb17019313b1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/card.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.15.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix NULL pointer deference in try_to_register_card\n\nIn try_to_register_card(), the return value of usb_ifnum_to_if() is\npassed directly to usb_interface_claimed() without a NULL check, which\nwill lead to a NULL pointer dereference when creating an invalid\nUSB audio device. Fix this by adding a check to ensure the interface\npointer is valid before passing it to usb_interface_claimed()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:42.458Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/736159f7b296d7a95f7208eb4799639b1f8b16a0"
},
{
"url": "https://git.kernel.org/stable/c/8d19a7ab28c7b9c207db5c5282afa8cc8595bcdb"
},
{
"url": "https://git.kernel.org/stable/c/576312eb436326b44b7010f4d9ae2b698df075ea"
},
{
"url": "https://git.kernel.org/stable/c/bba7208765d26e5e36b87f21dacc2780b064f41f"
},
{
"url": "https://git.kernel.org/stable/c/8503ac1a62075a085402e42a386b5c627c821a51"
},
{
"url": "https://git.kernel.org/stable/c/28412b489b088fb88dff488305fd4e56bd47f6e4"
}
],
"title": "ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40085",
"datePublished": "2025-10-29T13:37:04.707Z",
"dateReserved": "2025-04-16T07:20:57.161Z",
"dateUpdated": "2025-12-01T06:17:42.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40226 (GCVE-0-2025-40226)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31
VLAI?
EPSS
Title
firmware: arm_scmi: Account for failed debug initialization
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: arm_scmi: Account for failed debug initialization
When the SCMI debug subsystem fails to initialize, the related debug root
will be missing, and the underlying descriptor will be NULL.
Handle this fault condition in the SCMI debug helpers that maintain
metrics counters.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b38812942556819263256cb77fbdc9eae7aa5b1b , < d719ce9f286c439795cd2beee4c91f12b84bc5a0
(git)
Affected: 0b3d48c4726e1b20dffd2ff81a9d94d5d930220b , < e088efcd97cb7c7297d166bb52c3b87a29f6a0b1 (git) Affected: 0b3d48c4726e1b20dffd2ff81a9d94d5d930220b , < 554c9d5c6c695aedaecfb4365c187102709397b0 (git) Affected: 0b3d48c4726e1b20dffd2ff81a9d94d5d930220b , < 2290ab43b9d8eafb8046387f10a8dfa2b030ba46 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/arm_scmi/common.h",
"drivers/firmware/arm_scmi/driver.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d719ce9f286c439795cd2beee4c91f12b84bc5a0",
"status": "affected",
"version": "b38812942556819263256cb77fbdc9eae7aa5b1b",
"versionType": "git"
},
{
"lessThan": "e088efcd97cb7c7297d166bb52c3b87a29f6a0b1",
"status": "affected",
"version": "0b3d48c4726e1b20dffd2ff81a9d94d5d930220b",
"versionType": "git"
},
{
"lessThan": "554c9d5c6c695aedaecfb4365c187102709397b0",
"status": "affected",
"version": "0b3d48c4726e1b20dffd2ff81a9d94d5d930220b",
"versionType": "git"
},
{
"lessThan": "2290ab43b9d8eafb8046387f10a8dfa2b030ba46",
"status": "affected",
"version": "0b3d48c4726e1b20dffd2ff81a9d94d5d930220b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/arm_scmi/common.h",
"drivers/firmware/arm_scmi/driver.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "6.6.92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Account for failed debug initialization\n\nWhen the SCMI debug subsystem fails to initialize, the related debug root\nwill be missing, and the underlying descriptor will be NULL.\n\nHandle this fault condition in the SCMI debug helpers that maintain\nmetrics counters."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:17.994Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d719ce9f286c439795cd2beee4c91f12b84bc5a0"
},
{
"url": "https://git.kernel.org/stable/c/e088efcd97cb7c7297d166bb52c3b87a29f6a0b1"
},
{
"url": "https://git.kernel.org/stable/c/554c9d5c6c695aedaecfb4365c187102709397b0"
},
{
"url": "https://git.kernel.org/stable/c/2290ab43b9d8eafb8046387f10a8dfa2b030ba46"
}
],
"title": "firmware: arm_scmi: Account for failed debug initialization",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40226",
"datePublished": "2025-12-04T15:31:17.994Z",
"dateReserved": "2025-04-16T07:20:57.180Z",
"dateUpdated": "2025-12-04T15:31:17.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68324 (GCVE-0-2025-68324)
Vulnerability from cvelistv5 – Published: 2025-12-18 15:02 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
scsi: imm: Fix use-after-free bug caused by unfinished delayed work
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: imm: Fix use-after-free bug caused by unfinished delayed work
The delayed work item 'imm_tq' is initialized in imm_attach() and
scheduled via imm_queuecommand() for processing SCSI commands. When the
IMM parallel port SCSI host adapter is detached through imm_detach(),
the imm_struct device instance is deallocated.
However, the delayed work might still be pending or executing
when imm_detach() is called, leading to use-after-free bugs
when the work function imm_interrupt() accesses the already
freed imm_struct memory.
The race condition can occur as follows:
CPU 0(detach thread) | CPU 1
| imm_queuecommand()
| imm_queuecommand_lck()
imm_detach() | schedule_delayed_work()
kfree(dev) //FREE | imm_interrupt()
| dev = container_of(...) //USE
dev-> //USE
Add disable_delayed_work_sync() in imm_detach() to guarantee proper
cancellation of the delayed work item before imm_struct is deallocated.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 31ab2aad7a7b7501e904a09bf361e44671f66092
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 48dd41fa2d6c6a0c50e714deeba06ffe7f91961b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9e434426cc23ad5e2aad649327b59aea00294b13 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/imm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31ab2aad7a7b7501e904a09bf361e44671f66092",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "48dd41fa2d6c6a0c50e714deeba06ffe7f91961b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9e434426cc23ad5e2aad649327b59aea00294b13",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/imm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: imm: Fix use-after-free bug caused by unfinished delayed work\n\nThe delayed work item \u0027imm_tq\u0027 is initialized in imm_attach() and\nscheduled via imm_queuecommand() for processing SCSI commands. When the\nIMM parallel port SCSI host adapter is detached through imm_detach(),\nthe imm_struct device instance is deallocated.\n\nHowever, the delayed work might still be pending or executing\nwhen imm_detach() is called, leading to use-after-free bugs\nwhen the work function imm_interrupt() accesses the already\nfreed imm_struct memory.\n\nThe race condition can occur as follows:\n\nCPU 0(detach thread) | CPU 1\n | imm_queuecommand()\n | imm_queuecommand_lck()\nimm_detach() | schedule_delayed_work()\n kfree(dev) //FREE | imm_interrupt()\n | dev = container_of(...) //USE\n dev-\u003e //USE\n\nAdd disable_delayed_work_sync() in imm_detach() to guarantee proper\ncancellation of the delayed work item before imm_struct is deallocated."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:25.781Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31ab2aad7a7b7501e904a09bf361e44671f66092"
},
{
"url": "https://git.kernel.org/stable/c/48dd41fa2d6c6a0c50e714deeba06ffe7f91961b"
},
{
"url": "https://git.kernel.org/stable/c/9e434426cc23ad5e2aad649327b59aea00294b13"
},
{
"url": "https://git.kernel.org/stable/c/ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c"
}
],
"title": "scsi: imm: Fix use-after-free bug caused by unfinished delayed work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68324",
"datePublished": "2025-12-18T15:02:49.230Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2026-02-09T08:31:25.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40006 (GCVE-0-2025-40006)
Vulnerability from cvelistv5 – Published: 2025-10-20 15:26 – Updated: 2025-10-20 15:26
VLAI?
EPSS
Title
mm/hugetlb: fix folio is still mapped when deleted
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb: fix folio is still mapped when deleted
Migration may be raced with fallocating hole. remove_inode_single_folio
will unmap the folio if the folio is still mapped. However, it's called
without folio lock. If the folio is migrated and the mapped pte has been
converted to migration entry, folio_mapped() returns false, and won't
unmap it. Due to extra refcount held by remove_inode_single_folio,
migration fails, restores migration entry to normal pte, and the folio is
mapped again. As a result, we triggered BUG in filemap_unaccount_folio.
The log is as follows:
BUG: Bad page cache in process hugetlb pfn:156c00
page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00
head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0
aops:hugetlbfs_aops ino:dcc dentry name(?):"my_hugepage_file"
flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff)
page_type: f4(hugetlb)
page dumped because: still mapped when deleted
CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
Call Trace:
<TASK>
dump_stack_lvl+0x4f/0x70
filemap_unaccount_folio+0xc4/0x1c0
__filemap_remove_folio+0x38/0x1c0
filemap_remove_folio+0x41/0xd0
remove_inode_hugepages+0x142/0x250
hugetlbfs_fallocate+0x471/0x5a0
vfs_fallocate+0x149/0x380
Hold folio lock before checking if the folio is mapped to avold race with
migration.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4aae8d1c051ea00b456da6811bc36d1f69de5445 , < bc1c9ce8aeff45318332035dbef9713fb9e982d7
(git)
Affected: 4aae8d1c051ea00b456da6811bc36d1f69de5445 , < 91f548e920fbf8be3f285bfa3fa045ae017e836d (git) Affected: 4aae8d1c051ea00b456da6811bc36d1f69de5445 , < 3e851448078f5b01f6264915df3cfef75e323a12 (git) Affected: 4aae8d1c051ea00b456da6811bc36d1f69de5445 , < c1dc0524ab2cc3982d4e0d2bfac71a0cd4d65c39 (git) Affected: 4aae8d1c051ea00b456da6811bc36d1f69de5445 , < c9c2a51f91aea70e89b496cac360cd795a2b3c26 (git) Affected: 4aae8d1c051ea00b456da6811bc36d1f69de5445 , < 910d7749346c4b0acdc6e4adfdc4a9984281a206 (git) Affected: 4aae8d1c051ea00b456da6811bc36d1f69de5445 , < 21ee79ce938127f88fe07e409c1817f477dbe7ea (git) Affected: 4aae8d1c051ea00b456da6811bc36d1f69de5445 , < 7b7387650dcf2881fd8bb55bcf3c8bd6c9542dd7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hugetlbfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc1c9ce8aeff45318332035dbef9713fb9e982d7",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "91f548e920fbf8be3f285bfa3fa045ae017e836d",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "3e851448078f5b01f6264915df3cfef75e323a12",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "c1dc0524ab2cc3982d4e0d2bfac71a0cd4d65c39",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "c9c2a51f91aea70e89b496cac360cd795a2b3c26",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "910d7749346c4b0acdc6e4adfdc4a9984281a206",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "21ee79ce938127f88fe07e409c1817f477dbe7ea",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "7b7387650dcf2881fd8bb55bcf3c8bd6c9542dd7",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hugetlbfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix folio is still mapped when deleted\n\nMigration may be raced with fallocating hole. remove_inode_single_folio\nwill unmap the folio if the folio is still mapped. However, it\u0027s called\nwithout folio lock. If the folio is migrated and the mapped pte has been\nconverted to migration entry, folio_mapped() returns false, and won\u0027t\nunmap it. Due to extra refcount held by remove_inode_single_folio,\nmigration fails, restores migration entry to normal pte, and the folio is\nmapped again. As a result, we triggered BUG in filemap_unaccount_folio.\n\nThe log is as follows:\n BUG: Bad page cache in process hugetlb pfn:156c00\n page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00\n head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0\n aops:hugetlbfs_aops ino:dcc dentry name(?):\"my_hugepage_file\"\n flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff)\n page_type: f4(hugetlb)\n page dumped because: still mapped when deleted\n CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE\n Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x4f/0x70\n filemap_unaccount_folio+0xc4/0x1c0\n __filemap_remove_folio+0x38/0x1c0\n filemap_remove_folio+0x41/0xd0\n remove_inode_hugepages+0x142/0x250\n hugetlbfs_fallocate+0x471/0x5a0\n vfs_fallocate+0x149/0x380\n\nHold folio lock before checking if the folio is mapped to avold race with\nmigration."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:26:53.097Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc1c9ce8aeff45318332035dbef9713fb9e982d7"
},
{
"url": "https://git.kernel.org/stable/c/91f548e920fbf8be3f285bfa3fa045ae017e836d"
},
{
"url": "https://git.kernel.org/stable/c/3e851448078f5b01f6264915df3cfef75e323a12"
},
{
"url": "https://git.kernel.org/stable/c/c1dc0524ab2cc3982d4e0d2bfac71a0cd4d65c39"
},
{
"url": "https://git.kernel.org/stable/c/c9c2a51f91aea70e89b496cac360cd795a2b3c26"
},
{
"url": "https://git.kernel.org/stable/c/910d7749346c4b0acdc6e4adfdc4a9984281a206"
},
{
"url": "https://git.kernel.org/stable/c/21ee79ce938127f88fe07e409c1817f477dbe7ea"
},
{
"url": "https://git.kernel.org/stable/c/7b7387650dcf2881fd8bb55bcf3c8bd6c9542dd7"
}
],
"title": "mm/hugetlb: fix folio is still mapped when deleted",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40006",
"datePublished": "2025-10-20T15:26:53.097Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-20T15:26:53.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40060 (GCVE-0-2025-40060)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
coresight: trbe: Return NULL pointer for allocation failures
Summary
In the Linux kernel, the following vulnerability has been resolved:
coresight: trbe: Return NULL pointer for allocation failures
When the TRBE driver fails to allocate a buffer, it currently returns
the error code "-ENOMEM". However, the caller etm_setup_aux() only
checks for a NULL pointer, so it misses the error. As a result, the
driver continues and eventually causes a kernel panic.
Fix this by returning a NULL pointer from arm_trbe_alloc_buffer() on
allocation failures. This allows that the callers can properly handle
the failure.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3fbf7f011f2426dac8c982f1d2ef469a7959a524 , < cef047e0a55cb07906fcaae99170f19a9c0bb6c2
(git)
Affected: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 , < fe53a726d5edf864e80b490780cc135fc1adece9 (git) Affected: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 , < 9768536f82600a05ce901e31ccfabd92c027ff71 (git) Affected: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 , < 296da78494633e1ab5e2e74173a9c8683b04aa6b (git) Affected: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 , < f505a165f1c7cd37b4cb6952042a5984693a4067 (git) Affected: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 , < 8a55c161f7f9c1aa1c70611b39830d51c83ef36d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-trbe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cef047e0a55cb07906fcaae99170f19a9c0bb6c2",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
},
{
"lessThan": "fe53a726d5edf864e80b490780cc135fc1adece9",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
},
{
"lessThan": "9768536f82600a05ce901e31ccfabd92c027ff71",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
},
{
"lessThan": "296da78494633e1ab5e2e74173a9c8683b04aa6b",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
},
{
"lessThan": "f505a165f1c7cd37b4cb6952042a5984693a4067",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
},
{
"lessThan": "8a55c161f7f9c1aa1c70611b39830d51c83ef36d",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-trbe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: trbe: Return NULL pointer for allocation failures\n\nWhen the TRBE driver fails to allocate a buffer, it currently returns\nthe error code \"-ENOMEM\". However, the caller etm_setup_aux() only\nchecks for a NULL pointer, so it misses the error. As a result, the\ndriver continues and eventually causes a kernel panic.\n\nFix this by returning a NULL pointer from arm_trbe_alloc_buffer() on\nallocation failures. This allows that the callers can properly handle\nthe failure."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:09.595Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cef047e0a55cb07906fcaae99170f19a9c0bb6c2"
},
{
"url": "https://git.kernel.org/stable/c/fe53a726d5edf864e80b490780cc135fc1adece9"
},
{
"url": "https://git.kernel.org/stable/c/9768536f82600a05ce901e31ccfabd92c027ff71"
},
{
"url": "https://git.kernel.org/stable/c/296da78494633e1ab5e2e74173a9c8683b04aa6b"
},
{
"url": "https://git.kernel.org/stable/c/f505a165f1c7cd37b4cb6952042a5984693a4067"
},
{
"url": "https://git.kernel.org/stable/c/8a55c161f7f9c1aa1c70611b39830d51c83ef36d"
}
],
"title": "coresight: trbe: Return NULL pointer for allocation failures",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40060",
"datePublished": "2025-10-28T11:48:32.775Z",
"dateReserved": "2025-04-16T07:20:57.158Z",
"dateUpdated": "2025-12-01T06:17:09.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68738 (GCVE-0-2025-68738)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
wifi: mt76: mt7996: fix null pointer deref in mt7996_conf_tx()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7996: fix null pointer deref in mt7996_conf_tx()
If a link does not have an assigned channel yet, mt7996_vif_link returns
NULL. We still need to store the updated queue settings in that case, and
apply them later.
Move the location of the queue params to within struct mt7996_vif_link.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c0df2f0caa8dde0d50f36649ee28a54c5079281b , < 96841352aaba7723c20afb3a5356746810ef8198
(git)
Affected: c0df2f0caa8dde0d50f36649ee28a54c5079281b , < b8f34c1c5c4f5130c20e3253c95ba1d844d402b9 (git) Affected: c0df2f0caa8dde0d50f36649ee28a54c5079281b , < 79277f8ad15ec5f255ed0e1427c7a8a3e94e7f52 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7996/main.c",
"drivers/net/wireless/mediatek/mt76/mt7996/mcu.c",
"drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "96841352aaba7723c20afb3a5356746810ef8198",
"status": "affected",
"version": "c0df2f0caa8dde0d50f36649ee28a54c5079281b",
"versionType": "git"
},
{
"lessThan": "b8f34c1c5c4f5130c20e3253c95ba1d844d402b9",
"status": "affected",
"version": "c0df2f0caa8dde0d50f36649ee28a54c5079281b",
"versionType": "git"
},
{
"lessThan": "79277f8ad15ec5f255ed0e1427c7a8a3e94e7f52",
"status": "affected",
"version": "c0df2f0caa8dde0d50f36649ee28a54c5079281b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7996/main.c",
"drivers/net/wireless/mediatek/mt76/mt7996/mcu.c",
"drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: fix null pointer deref in mt7996_conf_tx()\n\nIf a link does not have an assigned channel yet, mt7996_vif_link returns\nNULL. We still need to store the updated queue settings in that case, and\napply them later.\nMove the location of the queue params to within struct mt7996_vif_link."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:34.335Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/96841352aaba7723c20afb3a5356746810ef8198"
},
{
"url": "https://git.kernel.org/stable/c/b8f34c1c5c4f5130c20e3253c95ba1d844d402b9"
},
{
"url": "https://git.kernel.org/stable/c/79277f8ad15ec5f255ed0e1427c7a8a3e94e7f52"
}
],
"title": "wifi: mt76: mt7996: fix null pointer deref in mt7996_conf_tx()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68738",
"datePublished": "2025-12-24T12:09:36.449Z",
"dateReserved": "2025-12-24T10:30:51.029Z",
"dateUpdated": "2026-02-09T08:32:34.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71125 (GCVE-0-2025-71125)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
tracing: Do not register unsupported perf events
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Do not register unsupported perf events
Synthetic events currently do not have a function to register perf events.
This leads to calling the tracepoint register functions with a NULL
function pointer which triggers:
------------[ cut here ]------------
WARNING: kernel/tracepoint.c:175 at tracepoint_add_func+0x357/0x370, CPU#2: perf/2272
Modules linked in: kvm_intel kvm irqbypass
CPU: 2 UID: 0 PID: 2272 Comm: perf Not tainted 6.18.0-ftest-11964-ge022764176fc-dirty #323 PREEMPTLAZY
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:tracepoint_add_func+0x357/0x370
Code: 28 9c e8 4c 0b f5 ff eb 0f 4c 89 f7 48 c7 c6 80 4d 28 9c e8 ab 89 f4 ff 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc <0f> 0b 49 c7 c6 ea ff ff ff e9 ee fe ff ff 0f 0b e9 f9 fe ff ff 0f
RSP: 0018:ffffabc0c44d3c40 EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff9380aa9e4060 RCX: 0000000000000000
RDX: 000000000000000a RSI: ffffffff9e1d4a98 RDI: ffff937fcf5fd6c8
RBP: 0000000000000001 R08: 0000000000000007 R09: ffff937fcf5fc780
R10: 0000000000000003 R11: ffffffff9c193910 R12: 000000000000000a
R13: ffffffff9e1e5888 R14: 0000000000000000 R15: ffffabc0c44d3c78
FS: 00007f6202f5f340(0000) GS:ffff93819f00f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d3162281a8 CR3: 0000000106a56003 CR4: 0000000000172ef0
Call Trace:
<TASK>
tracepoint_probe_register+0x5d/0x90
synth_event_reg+0x3c/0x60
perf_trace_event_init+0x204/0x340
perf_trace_init+0x85/0xd0
perf_tp_event_init+0x2e/0x50
perf_try_init_event+0x6f/0x230
? perf_event_alloc+0x4bb/0xdc0
perf_event_alloc+0x65a/0xdc0
__se_sys_perf_event_open+0x290/0x9f0
do_syscall_64+0x93/0x7b0
? entry_SYSCALL_64_after_hwframe+0x76/0x7e
? trace_hardirqs_off+0x53/0xc0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Instead, have the code return -ENODEV, which doesn't warn and has perf
error out with:
# perf record -e synthetic:futex_wait
Error:
The sys_perf_event_open() syscall returned with 19 (No such device) for event (synthetic:futex_wait).
"dmesg | grep -i perf" may provide additional information.
Ideally perf should support synthetic events, but for now just fix the
warning. The support can come later.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4b147936fa509650beaf638b331573c23ba4d609 , < 6819bc6285c0ff835f67cfae7efebc03541782f6
(git)
Affected: 4b147936fa509650beaf638b331573c23ba4d609 , < 6d15f08e6d8d4b4fb02d90805ea97f3e2c1d6fbc (git) Affected: 4b147936fa509650beaf638b331573c23ba4d609 , < f7305697b60d79bc69c0a6e280fc931b4e8862dd (git) Affected: 4b147936fa509650beaf638b331573c23ba4d609 , < 65b1971147ec12f0b1cee0811c859a3d7d9b04ce (git) Affected: 4b147936fa509650beaf638b331573c23ba4d609 , < 3437c775bf209c674ad66304213b6b3c3b1b3f69 (git) Affected: 4b147936fa509650beaf638b331573c23ba4d609 , < 6df47e5bb9b62d72f186f826ab643ea1856877c7 (git) Affected: 4b147936fa509650beaf638b331573c23ba4d609 , < ef7f38df890f5dcd2ae62f8dbde191d72f3bebae (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6819bc6285c0ff835f67cfae7efebc03541782f6",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "6d15f08e6d8d4b4fb02d90805ea97f3e2c1d6fbc",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "f7305697b60d79bc69c0a6e280fc931b4e8862dd",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "65b1971147ec12f0b1cee0811c859a3d7d9b04ce",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "3437c775bf209c674ad66304213b6b3c3b1b3f69",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "6df47e5bb9b62d72f186f826ab643ea1856877c7",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "ef7f38df890f5dcd2ae62f8dbde191d72f3bebae",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Do not register unsupported perf events\n\nSynthetic events currently do not have a function to register perf events.\nThis leads to calling the tracepoint register functions with a NULL\nfunction pointer which triggers:\n\n ------------[ cut here ]------------\n WARNING: kernel/tracepoint.c:175 at tracepoint_add_func+0x357/0x370, CPU#2: perf/2272\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 2 UID: 0 PID: 2272 Comm: perf Not tainted 6.18.0-ftest-11964-ge022764176fc-dirty #323 PREEMPTLAZY\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n RIP: 0010:tracepoint_add_func+0x357/0x370\n Code: 28 9c e8 4c 0b f5 ff eb 0f 4c 89 f7 48 c7 c6 80 4d 28 9c e8 ab 89 f4 ff 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc \u003c0f\u003e 0b 49 c7 c6 ea ff ff ff e9 ee fe ff ff 0f 0b e9 f9 fe ff ff 0f\n RSP: 0018:ffffabc0c44d3c40 EFLAGS: 00010246\n RAX: 0000000000000001 RBX: ffff9380aa9e4060 RCX: 0000000000000000\n RDX: 000000000000000a RSI: ffffffff9e1d4a98 RDI: ffff937fcf5fd6c8\n RBP: 0000000000000001 R08: 0000000000000007 R09: ffff937fcf5fc780\n R10: 0000000000000003 R11: ffffffff9c193910 R12: 000000000000000a\n R13: ffffffff9e1e5888 R14: 0000000000000000 R15: ffffabc0c44d3c78\n FS: 00007f6202f5f340(0000) GS:ffff93819f00f000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055d3162281a8 CR3: 0000000106a56003 CR4: 0000000000172ef0\n Call Trace:\n \u003cTASK\u003e\n tracepoint_probe_register+0x5d/0x90\n synth_event_reg+0x3c/0x60\n perf_trace_event_init+0x204/0x340\n perf_trace_init+0x85/0xd0\n perf_tp_event_init+0x2e/0x50\n perf_try_init_event+0x6f/0x230\n ? perf_event_alloc+0x4bb/0xdc0\n perf_event_alloc+0x65a/0xdc0\n __se_sys_perf_event_open+0x290/0x9f0\n do_syscall_64+0x93/0x7b0\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ? trace_hardirqs_off+0x53/0xc0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nInstead, have the code return -ENODEV, which doesn\u0027t warn and has perf\nerror out with:\n\n # perf record -e synthetic:futex_wait\nError:\nThe sys_perf_event_open() syscall returned with 19 (No such device) for event (synthetic:futex_wait).\n\"dmesg | grep -i perf\" may provide additional information.\n\nIdeally perf should support synthetic events, but for now just fix the\nwarning. The support can come later."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:20.806Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6819bc6285c0ff835f67cfae7efebc03541782f6"
},
{
"url": "https://git.kernel.org/stable/c/6d15f08e6d8d4b4fb02d90805ea97f3e2c1d6fbc"
},
{
"url": "https://git.kernel.org/stable/c/f7305697b60d79bc69c0a6e280fc931b4e8862dd"
},
{
"url": "https://git.kernel.org/stable/c/65b1971147ec12f0b1cee0811c859a3d7d9b04ce"
},
{
"url": "https://git.kernel.org/stable/c/3437c775bf209c674ad66304213b6b3c3b1b3f69"
},
{
"url": "https://git.kernel.org/stable/c/6df47e5bb9b62d72f186f826ab643ea1856877c7"
},
{
"url": "https://git.kernel.org/stable/c/ef7f38df890f5dcd2ae62f8dbde191d72f3bebae"
}
],
"title": "tracing: Do not register unsupported perf events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71125",
"datePublished": "2026-01-14T15:06:10.662Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-02-09T08:35:20.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39838 (GCVE-0-2025-39838)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2026-01-02 15:32
VLAI?
EPSS
Title
cifs: prevent NULL pointer dereference in UTF16 conversion
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: prevent NULL pointer dereference in UTF16 conversion
There can be a NULL pointer dereference bug here. NULL is passed to
__cifs_sfu_make_node without checks, which passes it unchecked to
cifs_strndup_to_utf16, which in turn passes it to
cifs_local_to_utf16_bytes where '*from' is dereferenced, causing a crash.
This patch adds a check for NULL 'src' in cifs_strndup_to_utf16 and
returns NULL early to prevent dereferencing NULL pointer.
Found by Linux Verification Center (linuxtesting.org) with SVACE
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
41d3f256c6a5e41eb32b87168399c0facd512dc0 , < 1f797f062b5cf13a1c2bcc23285361baaa7c9260
(git)
Affected: 41d3f256c6a5e41eb32b87168399c0facd512dc0 , < 3c26a8d30ed6b53a52a023ec537dc50a6d34a67a (git) Affected: 41d3f256c6a5e41eb32b87168399c0facd512dc0 , < 70bccd9855dae56942f2b18a08ba137bb54093a0 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:52.863Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cifs_unicode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f797f062b5cf13a1c2bcc23285361baaa7c9260",
"status": "affected",
"version": "41d3f256c6a5e41eb32b87168399c0facd512dc0",
"versionType": "git"
},
{
"lessThan": "3c26a8d30ed6b53a52a023ec537dc50a6d34a67a",
"status": "affected",
"version": "41d3f256c6a5e41eb32b87168399c0facd512dc0",
"versionType": "git"
},
{
"lessThan": "70bccd9855dae56942f2b18a08ba137bb54093a0",
"status": "affected",
"version": "41d3f256c6a5e41eb32b87168399c0facd512dc0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cifs_unicode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: prevent NULL pointer dereference in UTF16 conversion\n\nThere can be a NULL pointer dereference bug here. NULL is passed to\n__cifs_sfu_make_node without checks, which passes it unchecked to\ncifs_strndup_to_utf16, which in turn passes it to\ncifs_local_to_utf16_bytes where \u0027*from\u0027 is dereferenced, causing a crash.\n\nThis patch adds a check for NULL \u0027src\u0027 in cifs_strndup_to_utf16 and\nreturns NULL early to prevent dereferencing NULL pointer.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:37.346Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f797f062b5cf13a1c2bcc23285361baaa7c9260"
},
{
"url": "https://git.kernel.org/stable/c/3c26a8d30ed6b53a52a023ec537dc50a6d34a67a"
},
{
"url": "https://git.kernel.org/stable/c/70bccd9855dae56942f2b18a08ba137bb54093a0"
}
],
"title": "cifs: prevent NULL pointer dereference in UTF16 conversion",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39838",
"datePublished": "2025-09-19T15:26:13.506Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2026-01-02T15:32:37.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68326 (GCVE-0-2025-68326)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2025-12-22 16:13
VLAI?
EPSS
Title
drm/xe/guc: Fix stack_depot usage
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/guc: Fix stack_depot usage
Add missing stack_depot_init() call when CONFIG_DRM_XE_DEBUG_GUC is
enabled to fix the following call stack:
[] BUG: kernel NULL pointer dereference, address: 0000000000000000
[] Workqueue: drm_sched_run_job_work [gpu_sched]
[] RIP: 0010:stack_depot_save_flags+0x172/0x870
[] Call Trace:
[] <TASK>
[] fast_req_track+0x58/0xb0 [xe]
(cherry picked from commit 64fdf496a6929a0a194387d2bb5efaf5da2b542f)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_guc_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1966838d1c82149cbf4a652322d26a6e5aae9c4e",
"status": "affected",
"version": "16b7e65d299d56442879405ac85800877fa51355",
"versionType": "git"
},
{
"lessThan": "0e234632e39bd21dd28ffc9ba3ae8eec4deb949c",
"status": "affected",
"version": "16b7e65d299d56442879405ac85800877fa51355",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_guc_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/guc: Fix stack_depot usage\n\nAdd missing stack_depot_init() call when CONFIG_DRM_XE_DEBUG_GUC is\nenabled to fix the following call stack:\n\n\t[] BUG: kernel NULL pointer dereference, address: 0000000000000000\n\t[] Workqueue: drm_sched_run_job_work [gpu_sched]\n\t[] RIP: 0010:stack_depot_save_flags+0x172/0x870\n\t[] Call Trace:\n\t[] \u003cTASK\u003e\n\t[] fast_req_track+0x58/0xb0 [xe]\n\n(cherry picked from commit 64fdf496a6929a0a194387d2bb5efaf5da2b542f)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:13:56.845Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1966838d1c82149cbf4a652322d26a6e5aae9c4e"
},
{
"url": "https://git.kernel.org/stable/c/0e234632e39bd21dd28ffc9ba3ae8eec4deb949c"
}
],
"title": "drm/xe/guc: Fix stack_depot usage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68326",
"datePublished": "2025-12-22T16:12:15.664Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-22T16:13:56.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68230 (GCVE-0-2025-68230)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
drm/amdgpu: fix gpu page fault after hibernation on PF passthrough
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix gpu page fault after hibernation on PF passthrough
On PF passthrough environment, after hibernate and then resume, coralgemm
will cause gpu page fault.
Mode1 reset happens during hibernate, but partition mode is not restored
on resume, register mmCP_HYP_XCP_CTL and mmCP_PSP_XCP_CTL is not right
after resume. When CP access the MQD BO, wrong stride size is used,
this will cause out of bound access on the MQD BO, resulting page fault.
The fix is to ensure gfx_v9_4_3_switch_compute_partition() is called
when resume from a hibernation.
KFD resume is called separately during a reset recovery or resume from
suspend sequence. Hence it's not required to be called as part of
partition switch.
(cherry picked from commit 5d1b32cfe4a676fe552416cb5ae847b215463a1a)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
955220b04d42c41050158fec0f53957f320b96f9 , < a45d6359eefb41e08d374a3260b10bff5626823b
(git)
Affected: 955220b04d42c41050158fec0f53957f320b96f9 , < eef72d856f978955e633c270abb1f7ec7b61c6d2 (git) Affected: 955220b04d42c41050158fec0f53957f320b96f9 , < eb6e7f520d6efa4d4ebf1671455abe4a681f7a05 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c",
"drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a45d6359eefb41e08d374a3260b10bff5626823b",
"status": "affected",
"version": "955220b04d42c41050158fec0f53957f320b96f9",
"versionType": "git"
},
{
"lessThan": "eef72d856f978955e633c270abb1f7ec7b61c6d2",
"status": "affected",
"version": "955220b04d42c41050158fec0f53957f320b96f9",
"versionType": "git"
},
{
"lessThan": "eb6e7f520d6efa4d4ebf1671455abe4a681f7a05",
"status": "affected",
"version": "955220b04d42c41050158fec0f53957f320b96f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c",
"drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix gpu page fault after hibernation on PF passthrough\n\nOn PF passthrough environment, after hibernate and then resume, coralgemm\nwill cause gpu page fault.\n\nMode1 reset happens during hibernate, but partition mode is not restored\non resume, register mmCP_HYP_XCP_CTL and mmCP_PSP_XCP_CTL is not right\nafter resume. When CP access the MQD BO, wrong stride size is used,\nthis will cause out of bound access on the MQD BO, resulting page fault.\n\nThe fix is to ensure gfx_v9_4_3_switch_compute_partition() is called\nwhen resume from a hibernation.\nKFD resume is called separately during a reset recovery or resume from\nsuspend sequence. Hence it\u0027s not required to be called as part of\npartition switch.\n\n(cherry picked from commit 5d1b32cfe4a676fe552416cb5ae847b215463a1a)"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:28.895Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a45d6359eefb41e08d374a3260b10bff5626823b"
},
{
"url": "https://git.kernel.org/stable/c/eef72d856f978955e633c270abb1f7ec7b61c6d2"
},
{
"url": "https://git.kernel.org/stable/c/eb6e7f520d6efa4d4ebf1671455abe4a681f7a05"
}
],
"title": "drm/amdgpu: fix gpu page fault after hibernation on PF passthrough",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68230",
"datePublished": "2025-12-16T13:57:22.787Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2026-01-02T15:34:28.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49267 (GCVE-0-2022-49267)
Vulnerability from cvelistv5 – Published: 2025-02-26 01:56 – Updated: 2026-01-19 12:17
VLAI?
EPSS
Title
mmc: core: use sysfs_emit() instead of sprintf()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: core: use sysfs_emit() instead of sprintf()
sprintf() (still used in the MMC core for the sysfs output) is vulnerable
to the buffer overflow. Use the new-fangled sysfs_emit() instead.
Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0f55ac683b2722714016f16daae9cab3f7f7b9f9
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 659ca56b5415c7a1d05e185c36fad80ba165d063 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c4ab65738ab3e21fe519ee46b2051222bc8e32ef (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f5d8a5fe77ce933f53eb8f2e22bb7a1a2019ea11 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/core/bus.c",
"drivers/mmc/core/bus.h",
"drivers/mmc/core/mmc.c",
"drivers/mmc/core/sd.c",
"drivers/mmc/core/sdio.c",
"drivers/mmc/core/sdio_bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f55ac683b2722714016f16daae9cab3f7f7b9f9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "659ca56b5415c7a1d05e185c36fad80ba165d063",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c4ab65738ab3e21fe519ee46b2051222bc8e32ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f5d8a5fe77ce933f53eb8f2e22bb7a1a2019ea11",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/core/bus.c",
"drivers/mmc/core/bus.h",
"drivers/mmc/core/mmc.c",
"drivers/mmc/core/sd.c",
"drivers/mmc/core/sdio.c",
"drivers/mmc/core/sdio_bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: core: use sysfs_emit() instead of sprintf()\n\nsprintf() (still used in the MMC core for the sysfs output) is vulnerable\nto the buffer overflow. Use the new-fangled sysfs_emit() instead.\n\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:38.477Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f55ac683b2722714016f16daae9cab3f7f7b9f9"
},
{
"url": "https://git.kernel.org/stable/c/659ca56b5415c7a1d05e185c36fad80ba165d063"
},
{
"url": "https://git.kernel.org/stable/c/c4ab65738ab3e21fe519ee46b2051222bc8e32ef"
},
{
"url": "https://git.kernel.org/stable/c/f5d8a5fe77ce933f53eb8f2e22bb7a1a2019ea11"
}
],
"title": "mmc: core: use sysfs_emit() instead of sprintf()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49267",
"datePublished": "2025-02-26T01:56:16.211Z",
"dateReserved": "2025-02-26T01:49:39.297Z",
"dateUpdated": "2026-01-19T12:17:38.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40349 (GCVE-0-2025-40349)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
hfs: validate record offset in hfsplus_bmap_alloc
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfs: validate record offset in hfsplus_bmap_alloc
hfsplus_bmap_alloc can trigger a crash if a
record offset or length is larger than node_size
[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0
[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183
[ 15.265949]
[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)
[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 15.266167] Call Trace:
[ 15.266168] <TASK>
[ 15.266169] dump_stack_lvl+0x53/0x70
[ 15.266173] print_report+0xd0/0x660
[ 15.266181] kasan_report+0xce/0x100
[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0
[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0
[ 15.266217] hfsplus_brec_insert+0x870/0xb00
[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570
[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910
[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200
[ 15.266233] hfsplus_file_extend+0x5a7/0x1000
[ 15.266237] hfsplus_get_block+0x12b/0x8c0
[ 15.266238] __block_write_begin_int+0x36b/0x12c0
[ 15.266251] block_write_begin+0x77/0x110
[ 15.266252] cont_write_begin+0x428/0x720
[ 15.266259] hfsplus_write_begin+0x51/0x100
[ 15.266262] cont_write_begin+0x272/0x720
[ 15.266270] hfsplus_write_begin+0x51/0x100
[ 15.266274] generic_perform_write+0x321/0x750
[ 15.266285] generic_file_write_iter+0xc3/0x310
[ 15.266289] __kernel_write_iter+0x2fd/0x800
[ 15.266296] dump_user_range+0x2ea/0x910
[ 15.266301] elf_core_dump+0x2a94/0x2ed0
[ 15.266320] vfs_coredump+0x1d85/0x45e0
[ 15.266349] get_signal+0x12e3/0x1990
[ 15.266357] arch_do_signal_or_restart+0x89/0x580
[ 15.266362] irqentry_exit_to_user_mode+0xab/0x110
[ 15.266364] asm_exc_page_fault+0x26/0x30
[ 15.266366] RIP: 0033:0x41bd35
[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f
[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283
[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000
[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100
[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000
[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000
[ 15.266376] </TASK>
When calling hfsplus_bmap_alloc to allocate a free node, this function
first retrieves the bitmap from header node and map node using node->page
together with the offset and length from hfs_brec_lenoff
```
len = hfs_brec_lenoff(node, 2, &off16);
off = off16;
off += node->page_offset;
pagep = node->page + (off >> PAGE_SHIFT);
data = kmap_local_page(*pagep);
```
However, if the retrieved offset or length is invalid(i.e. exceeds
node_size), the code may end up accessing pages outside the allocated
range for this node.
This patch adds proper validation of both offset and length before use,
preventing out-of-bounds page access. Move is_bnode_offset_valid and
check_and_correct_requested_length to hfsplus_fs.h, as they may be
required by other functions.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f7d9f600c7c3ff5dab36181a388af55f2c95604c
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 40dfe7a4215a1f20842561ffaf5a6f83a987e75b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 418e48cab99c52c1760636a4dbe464bf6db2018b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0058d20d76182861dbdd8fd6e2dd8d18d6d3becf (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4f40a2b3969daf10dca4dea6f6dd0e813f79b227 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 17ed51cfce6c62cffb97059ef392ad2e0245806e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 068a46df3e6acc68fb9db0a6313ab379a11ecd6f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bnode.c",
"fs/hfsplus/btree.c",
"fs/hfsplus/hfsplus_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7d9f600c7c3ff5dab36181a388af55f2c95604c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "40dfe7a4215a1f20842561ffaf5a6f83a987e75b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "418e48cab99c52c1760636a4dbe464bf6db2018b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0058d20d76182861dbdd8fd6e2dd8d18d6d3becf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4f40a2b3969daf10dca4dea6f6dd0e813f79b227",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "17ed51cfce6c62cffb97059ef392ad2e0245806e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "068a46df3e6acc68fb9db0a6313ab379a11ecd6f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bnode.c",
"fs/hfsplus/btree.c",
"fs/hfsplus/hfsplus_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: validate record offset in hfsplus_bmap_alloc\n\nhfsplus_bmap_alloc can trigger a crash if a\nrecord offset or length is larger than node_size\n\n[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0\n[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183\n[ 15.265949]\n[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)\n[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 15.266167] Call Trace:\n[ 15.266168] \u003cTASK\u003e\n[ 15.266169] dump_stack_lvl+0x53/0x70\n[ 15.266173] print_report+0xd0/0x660\n[ 15.266181] kasan_report+0xce/0x100\n[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0\n[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0\n[ 15.266217] hfsplus_brec_insert+0x870/0xb00\n[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570\n[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910\n[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200\n[ 15.266233] hfsplus_file_extend+0x5a7/0x1000\n[ 15.266237] hfsplus_get_block+0x12b/0x8c0\n[ 15.266238] __block_write_begin_int+0x36b/0x12c0\n[ 15.266251] block_write_begin+0x77/0x110\n[ 15.266252] cont_write_begin+0x428/0x720\n[ 15.266259] hfsplus_write_begin+0x51/0x100\n[ 15.266262] cont_write_begin+0x272/0x720\n[ 15.266270] hfsplus_write_begin+0x51/0x100\n[ 15.266274] generic_perform_write+0x321/0x750\n[ 15.266285] generic_file_write_iter+0xc3/0x310\n[ 15.266289] __kernel_write_iter+0x2fd/0x800\n[ 15.266296] dump_user_range+0x2ea/0x910\n[ 15.266301] elf_core_dump+0x2a94/0x2ed0\n[ 15.266320] vfs_coredump+0x1d85/0x45e0\n[ 15.266349] get_signal+0x12e3/0x1990\n[ 15.266357] arch_do_signal_or_restart+0x89/0x580\n[ 15.266362] irqentry_exit_to_user_mode+0xab/0x110\n[ 15.266364] asm_exc_page_fault+0x26/0x30\n[ 15.266366] RIP: 0033:0x41bd35\n[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 \u003cf3\u003e 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f\n[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283\n[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000\n[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100\n[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000\n[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000\n[ 15.266376] \u003c/TASK\u003e\n\nWhen calling hfsplus_bmap_alloc to allocate a free node, this function\nfirst retrieves the bitmap from header node and map node using node-\u003epage\ntogether with the offset and length from hfs_brec_lenoff\n\n```\nlen = hfs_brec_lenoff(node, 2, \u0026off16);\noff = off16;\n\noff += node-\u003epage_offset;\npagep = node-\u003epage + (off \u003e\u003e PAGE_SHIFT);\ndata = kmap_local_page(*pagep);\n```\n\nHowever, if the retrieved offset or length is invalid(i.e. exceeds\nnode_size), the code may end up accessing pages outside the allocated\nrange for this node.\n\nThis patch adds proper validation of both offset and length before use,\npreventing out-of-bounds page access. Move is_bnode_offset_valid and\ncheck_and_correct_requested_length to hfsplus_fs.h, as they may be\nrequired by other functions."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:44.685Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7d9f600c7c3ff5dab36181a388af55f2c95604c"
},
{
"url": "https://git.kernel.org/stable/c/40dfe7a4215a1f20842561ffaf5a6f83a987e75b"
},
{
"url": "https://git.kernel.org/stable/c/418e48cab99c52c1760636a4dbe464bf6db2018b"
},
{
"url": "https://git.kernel.org/stable/c/0058d20d76182861dbdd8fd6e2dd8d18d6d3becf"
},
{
"url": "https://git.kernel.org/stable/c/4f40a2b3969daf10dca4dea6f6dd0e813f79b227"
},
{
"url": "https://git.kernel.org/stable/c/17ed51cfce6c62cffb97059ef392ad2e0245806e"
},
{
"url": "https://git.kernel.org/stable/c/068a46df3e6acc68fb9db0a6313ab379a11ecd6f"
},
{
"url": "https://git.kernel.org/stable/c/738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20"
}
],
"title": "hfs: validate record offset in hfsplus_bmap_alloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40349",
"datePublished": "2025-12-16T13:30:23.092Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-01-02T15:33:44.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22105 (GCVE-0-2025-22105)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
bonding: check xdp prog when set bond mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: check xdp prog when set bond mode
Following operations can trigger a warning[1]:
ip netns add ns1
ip netns exec ns1 ip link add bond0 type bond mode balance-rr
ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp
ip netns exec ns1 ip link set bond0 type bond mode broadcast
ip netns del ns1
When delete the namespace, dev_xdp_uninstall() is called to remove xdp
program on bond dev, and bond_xdp_set() will check the bond mode. If bond
mode is changed after attaching xdp program, the warning may occur.
Some bond modes (broadcast, etc.) do not support native xdp. Set bond mode
with xdp program attached is not good. Add check for xdp program when set
bond mode.
[1]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930
Modules linked in:
CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930
Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ...
RSP: 0018:ffffc90000063d80 EFLAGS: 00000282
RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff
RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48
RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb
R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8
R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000
FS: 0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0
Call Trace:
<TASK>
? __warn+0x83/0x130
? unregister_netdevice_many_notify+0x8d9/0x930
? report_bug+0x18e/0x1a0
? handle_bug+0x54/0x90
? exc_invalid_op+0x18/0x70
? asm_exc_invalid_op+0x1a/0x20
? unregister_netdevice_many_notify+0x8d9/0x930
? bond_net_exit_batch_rtnl+0x5c/0x90
cleanup_net+0x237/0x3d0
process_one_work+0x163/0x390
worker_thread+0x293/0x3b0
? __pfx_worker_thread+0x10/0x10
kthread+0xec/0x1e0
? __pfx_kthread+0x10/0x10
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2f/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
---[ end trace 0000000000000000 ]---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 5106da73b01668a1aa5d0f352b95d2b832b5caa7
(git)
Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 6f3af8055ee7ab69d1451f056fcd890df99c167e (git) Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 0dd4fac43bdea23cfe4bb2a3eabb76d752ac32fb (git) Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 094ee6017ea09c11d6af187935a949df32803ce0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c",
"drivers/net/bonding/bond_options.c",
"include/net/bonding.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5106da73b01668a1aa5d0f352b95d2b832b5caa7",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
},
{
"lessThan": "6f3af8055ee7ab69d1451f056fcd890df99c167e",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
},
{
"lessThan": "0dd4fac43bdea23cfe4bb2a3eabb76d752ac32fb",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
},
{
"lessThan": "094ee6017ea09c11d6af187935a949df32803ce0",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c",
"drivers/net/bonding/bond_options.c",
"include/net/bonding.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.57",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.57",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: check xdp prog when set bond mode\n\nFollowing operations can trigger a warning[1]:\n\n ip netns add ns1\n ip netns exec ns1 ip link add bond0 type bond mode balance-rr\n ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp\n ip netns exec ns1 ip link set bond0 type bond mode broadcast\n ip netns del ns1\n\nWhen delete the namespace, dev_xdp_uninstall() is called to remove xdp\nprogram on bond dev, and bond_xdp_set() will check the bond mode. If bond\nmode is changed after attaching xdp program, the warning may occur.\n\nSome bond modes (broadcast, etc.) do not support native xdp. Set bond mode\nwith xdp program attached is not good. Add check for xdp program when set\nbond mode.\n\n [1]\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930\n Modules linked in:\n CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\n Workqueue: netns cleanup_net\n RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930\n Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ...\n RSP: 0018:ffffc90000063d80 EFLAGS: 00000282\n RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff\n RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48\n RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb\n R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8\n R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000\n FS: 0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0\n Call Trace:\n \u003cTASK\u003e\n ? __warn+0x83/0x130\n ? unregister_netdevice_many_notify+0x8d9/0x930\n ? report_bug+0x18e/0x1a0\n ? handle_bug+0x54/0x90\n ? exc_invalid_op+0x18/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? unregister_netdevice_many_notify+0x8d9/0x930\n ? bond_net_exit_batch_rtnl+0x5c/0x90\n cleanup_net+0x237/0x3d0\n process_one_work+0x163/0x390\n worker_thread+0x293/0x3b0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xec/0x1e0\n ? __pfx_kthread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2f/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:18.474Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5106da73b01668a1aa5d0f352b95d2b832b5caa7"
},
{
"url": "https://git.kernel.org/stable/c/6f3af8055ee7ab69d1451f056fcd890df99c167e"
},
{
"url": "https://git.kernel.org/stable/c/0dd4fac43bdea23cfe4bb2a3eabb76d752ac32fb"
},
{
"url": "https://git.kernel.org/stable/c/094ee6017ea09c11d6af187935a949df32803ce0"
}
],
"title": "bonding: check xdp prog when set bond mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22105",
"datePublished": "2025-04-16T14:12:53.830Z",
"dateReserved": "2024-12-29T08:45:45.819Z",
"dateUpdated": "2025-12-06T21:38:18.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40067 (GCVE-0-2025-40067)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist
Index allocation requires at least one bit in the $BITMAP attribute to
track usage of index entries. If the bitmap is empty while index blocks
are already present, this reflects on-disk corruption.
syzbot triggered this condition using a malformed NTFS image. During a
rename() operation involving a long filename (which spans multiple
index entries), the empty bitmap allowed the name to be added without
valid tracking. Subsequent deletion of the original entry failed with
-ENOENT, due to unexpected index state.
Reject such cases by verifying that the bitmap is not empty when index
blocks exist.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b35a50d639ca5259466ef5fea85529bb4fb17d5b , < 978aac54e93ea35aab20b32ae393d3d33964e7ae
(git)
Affected: 3ed2cc6a6e93fbeb8c0cafce1e7fb1f64a331dcc , < be66551da203862c689c12e1d35ce87217c017c1 (git) Affected: d99208b91933fd2a58ed9ed321af07dacd06ddc3 , < 039ddf353cc33f6546a87ec1ac3210637d714bec (git) Affected: d99208b91933fd2a58ed9ed321af07dacd06ddc3 , < 0dc7117da8f92dd5fe077d712a756eccbe377d40 (git) Affected: 358d4f821c03add421a4c49290538a705852ccf1 (git) Affected: a285395020780adac1ffbc844069c3d700bf007a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/index.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "978aac54e93ea35aab20b32ae393d3d33964e7ae",
"status": "affected",
"version": "b35a50d639ca5259466ef5fea85529bb4fb17d5b",
"versionType": "git"
},
{
"lessThan": "be66551da203862c689c12e1d35ce87217c017c1",
"status": "affected",
"version": "3ed2cc6a6e93fbeb8c0cafce1e7fb1f64a331dcc",
"versionType": "git"
},
{
"lessThan": "039ddf353cc33f6546a87ec1ac3210637d714bec",
"status": "affected",
"version": "d99208b91933fd2a58ed9ed321af07dacd06ddc3",
"versionType": "git"
},
{
"lessThan": "0dc7117da8f92dd5fe077d712a756eccbe377d40",
"status": "affected",
"version": "d99208b91933fd2a58ed9ed321af07dacd06ddc3",
"versionType": "git"
},
{
"status": "affected",
"version": "358d4f821c03add421a4c49290538a705852ccf1",
"versionType": "git"
},
{
"status": "affected",
"version": "a285395020780adac1ffbc844069c3d700bf007a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/index.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.6.102",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.12.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist\n\nIndex allocation requires at least one bit in the $BITMAP attribute to\ntrack usage of index entries. If the bitmap is empty while index blocks\nare already present, this reflects on-disk corruption.\n\nsyzbot triggered this condition using a malformed NTFS image. During a\nrename() operation involving a long filename (which spans multiple\nindex entries), the empty bitmap allowed the name to be added without\nvalid tracking. Subsequent deletion of the original entry failed with\n-ENOENT, due to unexpected index state.\n\nReject such cases by verifying that the bitmap is not empty when index\nblocks exist."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:18.363Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/978aac54e93ea35aab20b32ae393d3d33964e7ae"
},
{
"url": "https://git.kernel.org/stable/c/be66551da203862c689c12e1d35ce87217c017c1"
},
{
"url": "https://git.kernel.org/stable/c/039ddf353cc33f6546a87ec1ac3210637d714bec"
},
{
"url": "https://git.kernel.org/stable/c/0dc7117da8f92dd5fe077d712a756eccbe377d40"
}
],
"title": "fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40067",
"datePublished": "2025-10-28T11:48:37.034Z",
"dateReserved": "2025-04-16T07:20:57.159Z",
"dateUpdated": "2025-12-01T06:17:18.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39852 (GCVE-0-2025-39852)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2026-01-14 19:23
VLAI?
EPSS
Title
net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6
When tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just
exits the function. This ends up causing a memory-leak:
unreferenced object 0xffff0000281a8200 (size 2496):
comm "softirq", pid 0, jiffies 4295174684
hex dump (first 32 bytes):
7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13 ................
0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00 ...a............
backtrace (crc 5ebdbe15):
kmemleak_alloc+0x44/0xe0
kmem_cache_alloc_noprof+0x248/0x470
sk_prot_alloc+0x48/0x120
sk_clone_lock+0x38/0x3b0
inet_csk_clone_lock+0x34/0x150
tcp_create_openreq_child+0x3c/0x4a8
tcp_v6_syn_recv_sock+0x1c0/0x620
tcp_check_req+0x588/0x790
tcp_v6_rcv+0x5d0/0xc18
ip6_protocol_deliver_rcu+0x2d8/0x4c0
ip6_input_finish+0x74/0x148
ip6_input+0x50/0x118
ip6_sublist_rcv+0x2fc/0x3b0
ipv6_list_rcv+0x114/0x170
__netif_receive_skb_list_core+0x16c/0x200
netif_receive_skb_list_internal+0x1f0/0x2d0
This is because in tcp_v6_syn_recv_sock (and the IPv4 counterpart), when
exiting upon error, inet_csk_prepare_forced_close() and tcp_done() need
to be called. They make sure the newsk will end up being correctly
free'd.
tcp_v4_syn_recv_sock() makes this very clear by having the put_and_exit
label that takes care of things. So, this patch here makes sure
tcp_v4_syn_recv_sock and tcp_v6_syn_recv_sock have similar
error-handling and thus fixes the leak for TCP-AO.
Severity ?
5.5 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
06b22ef29591f625ef877ae00d82192938e29e60 , < 46d33c878fc0b3d7570366b2c9912395b3f4e701
(git)
Affected: 06b22ef29591f625ef877ae00d82192938e29e60 , < 3d2b356d994a8801acb397cafd28b13672c37ab5 (git) Affected: 06b22ef29591f625ef877ae00d82192938e29e60 , < fa390321aba0a54d0f7ae95ee4ecde1358bb9234 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39852",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:21:28.643713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:23:12.597Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/tcp_ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "46d33c878fc0b3d7570366b2c9912395b3f4e701",
"status": "affected",
"version": "06b22ef29591f625ef877ae00d82192938e29e60",
"versionType": "git"
},
{
"lessThan": "3d2b356d994a8801acb397cafd28b13672c37ab5",
"status": "affected",
"version": "06b22ef29591f625ef877ae00d82192938e29e60",
"versionType": "git"
},
{
"lessThan": "fa390321aba0a54d0f7ae95ee4ecde1358bb9234",
"status": "affected",
"version": "06b22ef29591f625ef877ae00d82192938e29e60",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/tcp_ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6\n\nWhen tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just\nexits the function. This ends up causing a memory-leak:\n\nunreferenced object 0xffff0000281a8200 (size 2496):\n comm \"softirq\", pid 0, jiffies 4295174684\n hex dump (first 32 bytes):\n 7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13 ................\n 0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00 ...a............\n backtrace (crc 5ebdbe15):\n kmemleak_alloc+0x44/0xe0\n kmem_cache_alloc_noprof+0x248/0x470\n sk_prot_alloc+0x48/0x120\n sk_clone_lock+0x38/0x3b0\n inet_csk_clone_lock+0x34/0x150\n tcp_create_openreq_child+0x3c/0x4a8\n tcp_v6_syn_recv_sock+0x1c0/0x620\n tcp_check_req+0x588/0x790\n tcp_v6_rcv+0x5d0/0xc18\n ip6_protocol_deliver_rcu+0x2d8/0x4c0\n ip6_input_finish+0x74/0x148\n ip6_input+0x50/0x118\n ip6_sublist_rcv+0x2fc/0x3b0\n ipv6_list_rcv+0x114/0x170\n __netif_receive_skb_list_core+0x16c/0x200\n netif_receive_skb_list_internal+0x1f0/0x2d0\n\nThis is because in tcp_v6_syn_recv_sock (and the IPv4 counterpart), when\nexiting upon error, inet_csk_prepare_forced_close() and tcp_done() need\nto be called. They make sure the newsk will end up being correctly\nfree\u0027d.\n\ntcp_v4_syn_recv_sock() makes this very clear by having the put_and_exit\nlabel that takes care of things. So, this patch here makes sure\ntcp_v4_syn_recv_sock and tcp_v6_syn_recv_sock have similar\nerror-handling and thus fixes the leak for TCP-AO."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:04.475Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/46d33c878fc0b3d7570366b2c9912395b3f4e701"
},
{
"url": "https://git.kernel.org/stable/c/3d2b356d994a8801acb397cafd28b13672c37ab5"
},
{
"url": "https://git.kernel.org/stable/c/fa390321aba0a54d0f7ae95ee4ecde1358bb9234"
}
],
"title": "net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39852",
"datePublished": "2025-09-19T15:26:24.312Z",
"dateReserved": "2025-04-16T07:20:57.142Z",
"dateUpdated": "2026-01-14T19:23:12.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40294 (GCVE-0-2025-40294)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
In the parse_adv_monitor_pattern() function, the value of
the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251).
The size of the 'value' array in the mgmt_adv_pattern structure is 31.
If the value of 'pattern[i].length' is set in the user space
and exceeds 31, the 'patterns[i].value' array can be accessed
out of bound when copied.
Increasing the size of the 'value' array in
the 'mgmt_adv_pattern' structure will break the userspace.
Considering this, and to avoid OOB access revert the limits for 'offset'
and 'length' back to the value of HCI_MAX_AD_LENGTH.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
99f30e12e588f9982a6eb1916e53510bff25b3b8 , < 96616530f524a0a76248cd44201de0a9e8526190
(git)
Affected: db08722fc7d46168fe31d9b8a7b29229dd959f9f , < 5f7350ff2b179764a4f40ba4161b60b8aaef857b (git) Affected: db08722fc7d46168fe31d9b8a7b29229dd959f9f , < 4b7d4aa5399b5a64caee639275615c63c008540d (git) Affected: db08722fc7d46168fe31d9b8a7b29229dd959f9f , < 3a50d59b3781bc3a4e96533612509546a4c309a7 (git) Affected: db08722fc7d46168fe31d9b8a7b29229dd959f9f , < 8d59fba49362c65332395789fd82771f1028d87e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/mgmt.h",
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "96616530f524a0a76248cd44201de0a9e8526190",
"status": "affected",
"version": "99f30e12e588f9982a6eb1916e53510bff25b3b8",
"versionType": "git"
},
{
"lessThan": "5f7350ff2b179764a4f40ba4161b60b8aaef857b",
"status": "affected",
"version": "db08722fc7d46168fe31d9b8a7b29229dd959f9f",
"versionType": "git"
},
{
"lessThan": "4b7d4aa5399b5a64caee639275615c63c008540d",
"status": "affected",
"version": "db08722fc7d46168fe31d9b8a7b29229dd959f9f",
"versionType": "git"
},
{
"lessThan": "3a50d59b3781bc3a4e96533612509546a4c309a7",
"status": "affected",
"version": "db08722fc7d46168fe31d9b8a7b29229dd959f9f",
"versionType": "git"
},
{
"lessThan": "8d59fba49362c65332395789fd82771f1028d87e",
"status": "affected",
"version": "db08722fc7d46168fe31d9b8a7b29229dd959f9f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/mgmt.h",
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()\n\nIn the parse_adv_monitor_pattern() function, the value of\nthe \u0027length\u0027 variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251).\nThe size of the \u0027value\u0027 array in the mgmt_adv_pattern structure is 31.\nIf the value of \u0027pattern[i].length\u0027 is set in the user space\nand exceeds 31, the \u0027patterns[i].value\u0027 array can be accessed\nout of bound when copied.\n\nIncreasing the size of the \u0027value\u0027 array in\nthe \u0027mgmt_adv_pattern\u0027 structure will break the userspace.\nConsidering this, and to avoid OOB access revert the limits for \u0027offset\u0027\nand \u0027length\u0027 back to the value of HCI_MAX_AD_LENGTH.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:17.899Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/96616530f524a0a76248cd44201de0a9e8526190"
},
{
"url": "https://git.kernel.org/stable/c/5f7350ff2b179764a4f40ba4161b60b8aaef857b"
},
{
"url": "https://git.kernel.org/stable/c/4b7d4aa5399b5a64caee639275615c63c008540d"
},
{
"url": "https://git.kernel.org/stable/c/3a50d59b3781bc3a4e96533612509546a4c309a7"
},
{
"url": "https://git.kernel.org/stable/c/8d59fba49362c65332395789fd82771f1028d87e"
}
],
"title": "Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40294",
"datePublished": "2025-12-08T00:46:17.899Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-08T00:46:17.899Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71113 (GCVE-0-2025-71113)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
crypto: af_alg - zero initialize memory allocated via sock_kmalloc
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: af_alg - zero initialize memory allocated via sock_kmalloc
Several crypto user API contexts and requests allocated with
sock_kmalloc() were left uninitialized, relying on callers to
set fields explicitly. This resulted in the use of uninitialized
data in certain error paths or when new fields are added in the
future.
The ACVP patches also contain two user-space interface files:
algif_kpp.c and algif_akcipher.c. These too rely on proper
initialization of their context structures.
A particular issue has been observed with the newly added
'inflight' variable introduced in af_alg_ctx by commit:
67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests")
Because the context is not memset to zero after allocation,
the inflight variable has contained garbage values. As a result,
af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when
the garbage value was interpreted as true:
https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209
The check directly tests ctx->inflight without explicitly
comparing against true/false. Since inflight is only ever set to
true or false later, an uninitialized value has triggered
-EBUSY failures. Zero-initializing memory allocated with
sock_kmalloc() ensures inflight and other fields start in a known
state, removing random issues caused by uninitialized data.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fe869cdb89c95d060c77eea20204d6c91f233b53 , < e125c8e346e4eb7b3e854c862fcb4392bc13ddba
(git)
Affected: fe869cdb89c95d060c77eea20204d6c91f233b53 , < 543bf004e4eafbb302b1e6c78570d425d2ca13a0 (git) Affected: fe869cdb89c95d060c77eea20204d6c91f233b53 , < f81244fd6b14fecfa93b66b6bb1d59f96554e550 (git) Affected: fe869cdb89c95d060c77eea20204d6c91f233b53 , < 84238876e3b3b262cf62d5f4d1338e983fb27010 (git) Affected: fe869cdb89c95d060c77eea20204d6c91f233b53 , < 5a4b65523608974a81edbe386f8a667a3e10c726 (git) Affected: fe869cdb89c95d060c77eea20204d6c91f233b53 , < 51a5ab36084f3251ef87eda3e6a6236f6488925e (git) Affected: fe869cdb89c95d060c77eea20204d6c91f233b53 , < 6f6e309328d53a10c0fe1f77dec2db73373179b6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c",
"crypto/algif_hash.c",
"crypto/algif_rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e125c8e346e4eb7b3e854c862fcb4392bc13ddba",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "543bf004e4eafbb302b1e6c78570d425d2ca13a0",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "f81244fd6b14fecfa93b66b6bb1d59f96554e550",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "84238876e3b3b262cf62d5f4d1338e983fb27010",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "5a4b65523608974a81edbe386f8a667a3e10c726",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "51a5ab36084f3251ef87eda3e6a6236f6488925e",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "6f6e309328d53a10c0fe1f77dec2db73373179b6",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c",
"crypto/algif_hash.c",
"crypto/algif_rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - zero initialize memory allocated via sock_kmalloc\n\nSeveral crypto user API contexts and requests allocated with\nsock_kmalloc() were left uninitialized, relying on callers to\nset fields explicitly. This resulted in the use of uninitialized\ndata in certain error paths or when new fields are added in the\nfuture.\n\nThe ACVP patches also contain two user-space interface files:\nalgif_kpp.c and algif_akcipher.c. These too rely on proper\ninitialization of their context structures.\n\nA particular issue has been observed with the newly added\n\u0027inflight\u0027 variable introduced in af_alg_ctx by commit:\n\n 67b164a871af (\"crypto: af_alg - Disallow multiple in-flight AIO requests\")\n\nBecause the context is not memset to zero after allocation,\nthe inflight variable has contained garbage values. As a result,\naf_alg_alloc_areq() has incorrectly returned -EBUSY randomly when\nthe garbage value was interpreted as true:\n\n https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209\n\nThe check directly tests ctx-\u003einflight without explicitly\ncomparing against true/false. Since inflight is only ever set to\ntrue or false later, an uninitialized value has triggered\n-EBUSY failures. Zero-initializing memory allocated with\nsock_kmalloc() ensures inflight and other fields start in a known\nstate, removing random issues caused by uninitialized data."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:07.779Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e125c8e346e4eb7b3e854c862fcb4392bc13ddba"
},
{
"url": "https://git.kernel.org/stable/c/543bf004e4eafbb302b1e6c78570d425d2ca13a0"
},
{
"url": "https://git.kernel.org/stable/c/f81244fd6b14fecfa93b66b6bb1d59f96554e550"
},
{
"url": "https://git.kernel.org/stable/c/84238876e3b3b262cf62d5f4d1338e983fb27010"
},
{
"url": "https://git.kernel.org/stable/c/5a4b65523608974a81edbe386f8a667a3e10c726"
},
{
"url": "https://git.kernel.org/stable/c/51a5ab36084f3251ef87eda3e6a6236f6488925e"
},
{
"url": "https://git.kernel.org/stable/c/6f6e309328d53a10c0fe1f77dec2db73373179b6"
}
],
"title": "crypto: af_alg - zero initialize memory allocated via sock_kmalloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71113",
"datePublished": "2026-01-14T15:05:59.992Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-02-09T08:35:07.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37860 (GCVE-0-2025-37860)
Vulnerability from cvelistv5 – Published: 2025-04-18 07:01 – Updated: 2025-11-02 13:30
VLAI?
EPSS
Title
sfc: fix NULL dereferences in ef100_process_design_param()
Summary
In the Linux kernel, the following vulnerability has been resolved:
sfc: fix NULL dereferences in ef100_process_design_param()
Since cited commit, ef100_probe_main() and hence also
ef100_check_design_params() run before efx->net_dev is created;
consequently, we cannot netif_set_tso_max_size() or _segs() at this
point.
Move those netif calls to ef100_probe_netdev(), and also replace
netif_err within the design params code with pci_err.
Severity ?
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
98ff4c7c8ac7f5339aac6114105395fea19f992e , < f21623b8446735b5e2ac5f8ee69b8743177d7b19
(git)
Affected: 98ff4c7c8ac7f5339aac6114105395fea19f992e , < e56391011381d6d029da377a65ac314cb3d5def2 (git) Affected: 98ff4c7c8ac7f5339aac6114105395fea19f992e , < 8241ecec1cdc6699ae197d52d58e76bddd995fa5 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-37860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T16:14:46.502915Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T16:14:52.389Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/sfc/ef100_netdev.c",
"drivers/net/ethernet/sfc/ef100_nic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f21623b8446735b5e2ac5f8ee69b8743177d7b19",
"status": "affected",
"version": "98ff4c7c8ac7f5339aac6114105395fea19f992e",
"versionType": "git"
},
{
"lessThan": "e56391011381d6d029da377a65ac314cb3d5def2",
"status": "affected",
"version": "98ff4c7c8ac7f5339aac6114105395fea19f992e",
"versionType": "git"
},
{
"lessThan": "8241ecec1cdc6699ae197d52d58e76bddd995fa5",
"status": "affected",
"version": "98ff4c7c8ac7f5339aac6114105395fea19f992e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/sfc/ef100_netdev.c",
"drivers/net/ethernet/sfc/ef100_nic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.57",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.57",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix NULL dereferences in ef100_process_design_param()\n\nSince cited commit, ef100_probe_main() and hence also\n ef100_check_design_params() run before efx-\u003enet_dev is created;\n consequently, we cannot netif_set_tso_max_size() or _segs() at this\n point.\nMove those netif calls to ef100_probe_netdev(), and also replace\n netif_err within the design params code with pci_err."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-02T13:30:36.755Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f21623b8446735b5e2ac5f8ee69b8743177d7b19"
},
{
"url": "https://git.kernel.org/stable/c/e56391011381d6d029da377a65ac314cb3d5def2"
},
{
"url": "https://git.kernel.org/stable/c/8241ecec1cdc6699ae197d52d58e76bddd995fa5"
}
],
"title": "sfc: fix NULL dereferences in ef100_process_design_param()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37860",
"datePublished": "2025-04-18T07:01:28.132Z",
"dateReserved": "2025-04-16T04:51:23.957Z",
"dateUpdated": "2025-11-02T13:30:36.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40154 (GCVE-0-2025-40154)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping
When an invalid value is passed via quirk option, currently
bytcr_rt5640 driver only shows an error message but leaves as is.
This may lead to unepxected results like OOB access.
This patch corrects the input mapping to the certain default value if
an invalid value is passed.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
063422ca2a9de238401c3848c1b3641c07b6316c , < 2c27e047bdcba457ec953f7e90e4ed6d5f8aeb01
(git)
Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < a97b4d18ecb012c5624cdf2cab2ce5e1312fdd5d (git) Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < dea9c8c9028c9374761224a7f9d824e845a2aa2e (git) Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < f58fca15f3bf8b982e799c31e4afa8923788aa40 (git) Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < 29a41bf6422688f0c5a09b18222e1a64b2629fa4 (git) Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < 5c03ea2ef4ebba75c69c90929d8590eb3d3797a9 (git) Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < 48880f3cdf2b6d8dcd91219c5b5c8a7526411322 (git) Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < fba404e4b4af4f4f747bb0e41e9fff7d03c7bcc0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/boards/bytcr_rt5640.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c27e047bdcba457ec953f7e90e4ed6d5f8aeb01",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "a97b4d18ecb012c5624cdf2cab2ce5e1312fdd5d",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "dea9c8c9028c9374761224a7f9d824e845a2aa2e",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "f58fca15f3bf8b982e799c31e4afa8923788aa40",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "29a41bf6422688f0c5a09b18222e1a64b2629fa4",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "5c03ea2ef4ebba75c69c90929d8590eb3d3797a9",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "48880f3cdf2b6d8dcd91219c5b5c8a7526411322",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "fba404e4b4af4f4f747bb0e41e9fff7d03c7bcc0",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/boards/bytcr_rt5640.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping\n\nWhen an invalid value is passed via quirk option, currently\nbytcr_rt5640 driver only shows an error message but leaves as is.\nThis may lead to unepxected results like OOB access.\n\nThis patch corrects the input mapping to the certain default value if\nan invalid value is passed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:04.590Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c27e047bdcba457ec953f7e90e4ed6d5f8aeb01"
},
{
"url": "https://git.kernel.org/stable/c/a97b4d18ecb012c5624cdf2cab2ce5e1312fdd5d"
},
{
"url": "https://git.kernel.org/stable/c/dea9c8c9028c9374761224a7f9d824e845a2aa2e"
},
{
"url": "https://git.kernel.org/stable/c/f58fca15f3bf8b982e799c31e4afa8923788aa40"
},
{
"url": "https://git.kernel.org/stable/c/29a41bf6422688f0c5a09b18222e1a64b2629fa4"
},
{
"url": "https://git.kernel.org/stable/c/5c03ea2ef4ebba75c69c90929d8590eb3d3797a9"
},
{
"url": "https://git.kernel.org/stable/c/48880f3cdf2b6d8dcd91219c5b5c8a7526411322"
},
{
"url": "https://git.kernel.org/stable/c/fba404e4b4af4f4f747bb0e41e9fff7d03c7bcc0"
}
],
"title": "ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40154",
"datePublished": "2025-11-12T10:23:28.470Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:04.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71069 (GCVE-0-2025-71069)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
f2fs: invalidate dentry cache on failed whiteout creation
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: invalidate dentry cache on failed whiteout creation
F2FS can mount filesystems with corrupted directory depth values that
get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT
operations are performed on such directories, f2fs_rename performs
directory modifications (updating target entry and deleting source
entry) before attempting to add the whiteout entry via f2fs_add_link.
If f2fs_add_link fails due to the corrupted directory structure, the
function returns an error to VFS, but the partial directory
modifications have already been committed to disk. VFS assumes the
entire rename operation failed and does not update the dentry cache,
leaving stale mappings.
In the error path, VFS does not call d_move() to update the dentry
cache. This results in new_dentry still pointing to the old inode
(new_inode) which has already had its i_nlink decremented to zero.
The stale cache causes subsequent operations to incorrectly reference
the freed inode.
This causes subsequent operations to use cached dentry information that
no longer matches the on-disk state. When a second rename targets the
same entry, VFS attempts to decrement i_nlink on the stale inode, which
may already have i_nlink=0, triggering a WARNING in drop_nlink().
Example sequence:
1. First rename (RENAME_WHITEOUT): file2 → file1
- f2fs updates file1 entry on disk (points to inode 8)
- f2fs deletes file2 entry on disk
- f2fs_add_link(whiteout) fails (corrupted directory)
- Returns error to VFS
- VFS does not call d_move() due to error
- VFS cache still has: file1 → inode 7 (stale!)
- inode 7 has i_nlink=0 (already decremented)
2. Second rename: file3 → file1
- VFS uses stale cache: file1 → inode 7
- Tries to drop_nlink on inode 7 (i_nlink already 0)
- WARNING in drop_nlink()
Fix this by explicitly invalidating old_dentry and new_dentry when
f2fs_add_link fails during whiteout creation. This forces VFS to
refresh from disk on subsequent operations, ensuring cache consistency
even when the rename partially succeeds.
Reproducer:
1. Mount F2FS image with corrupted i_current_depth
2. renameat2(file2, file1, RENAME_WHITEOUT)
3. renameat2(file3, file1, 0)
4. System triggers WARNING in drop_nlink()
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < 7f2bae0c881aa1e0a6318756df692cc13df2cc83
(git)
Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < 3d95ed8cf980fdfa67a3ab9491357521ae576168 (git) Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < 64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb (git) Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < 3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5 (git) Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < c89845fae250efdd59c1d4ec60e9e1c652cee4b6 (git) Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < 0dde30753c1e8648665dbe069d814e540ce2fd37 (git) Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < d33f89b34aa313f50f9a512d58dd288999f246b0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f2bae0c881aa1e0a6318756df692cc13df2cc83",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "3d95ed8cf980fdfa67a3ab9491357521ae576168",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "c89845fae250efdd59c1d4ec60e9e1c652cee4b6",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "0dde30753c1e8648665dbe069d814e540ce2fd37",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "d33f89b34aa313f50f9a512d58dd288999f246b0",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: invalidate dentry cache on failed whiteout creation\n\nF2FS can mount filesystems with corrupted directory depth values that\nget runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT\noperations are performed on such directories, f2fs_rename performs\ndirectory modifications (updating target entry and deleting source\nentry) before attempting to add the whiteout entry via f2fs_add_link.\n\nIf f2fs_add_link fails due to the corrupted directory structure, the\nfunction returns an error to VFS, but the partial directory\nmodifications have already been committed to disk. VFS assumes the\nentire rename operation failed and does not update the dentry cache,\nleaving stale mappings.\n\nIn the error path, VFS does not call d_move() to update the dentry\ncache. This results in new_dentry still pointing to the old inode\n(new_inode) which has already had its i_nlink decremented to zero.\nThe stale cache causes subsequent operations to incorrectly reference\nthe freed inode.\n\nThis causes subsequent operations to use cached dentry information that\nno longer matches the on-disk state. When a second rename targets the\nsame entry, VFS attempts to decrement i_nlink on the stale inode, which\nmay already have i_nlink=0, triggering a WARNING in drop_nlink().\n\nExample sequence:\n1. First rename (RENAME_WHITEOUT): file2 \u2192 file1\n - f2fs updates file1 entry on disk (points to inode 8)\n - f2fs deletes file2 entry on disk\n - f2fs_add_link(whiteout) fails (corrupted directory)\n - Returns error to VFS\n - VFS does not call d_move() due to error\n - VFS cache still has: file1 \u2192 inode 7 (stale!)\n - inode 7 has i_nlink=0 (already decremented)\n\n2. Second rename: file3 \u2192 file1\n - VFS uses stale cache: file1 \u2192 inode 7\n - Tries to drop_nlink on inode 7 (i_nlink already 0)\n - WARNING in drop_nlink()\n\nFix this by explicitly invalidating old_dentry and new_dentry when\nf2fs_add_link fails during whiteout creation. This forces VFS to\nrefresh from disk on subsequent operations, ensuring cache consistency\neven when the rename partially succeeds.\n\nReproducer:\n1. Mount F2FS image with corrupted i_current_depth\n2. renameat2(file2, file1, RENAME_WHITEOUT)\n3. renameat2(file3, file1, 0)\n4. System triggers WARNING in drop_nlink()"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:19.788Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f2bae0c881aa1e0a6318756df692cc13df2cc83"
},
{
"url": "https://git.kernel.org/stable/c/3d95ed8cf980fdfa67a3ab9491357521ae576168"
},
{
"url": "https://git.kernel.org/stable/c/64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb"
},
{
"url": "https://git.kernel.org/stable/c/3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5"
},
{
"url": "https://git.kernel.org/stable/c/c89845fae250efdd59c1d4ec60e9e1c652cee4b6"
},
{
"url": "https://git.kernel.org/stable/c/0dde30753c1e8648665dbe069d814e540ce2fd37"
},
{
"url": "https://git.kernel.org/stable/c/d33f89b34aa313f50f9a512d58dd288999f246b0"
}
],
"title": "f2fs: invalidate dentry cache on failed whiteout creation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71069",
"datePublished": "2026-01-13T15:31:23.948Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-02-09T08:34:19.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39985 (GCVE-0-2025-39985)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:56 – Updated: 2025-10-15 07:56
VLAI?
EPSS
Title
can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the mcba_usb driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))
to inject a malicious CAN XL frames. For example:
struct canxl_frame frame = {
.flags = 0xff,
.len = 2048,
};
The CAN drivers' xmit() function are calling can_dev_dropped_skb() to
check that the skb is valid, unfortunately under above conditions, the
malicious packet is able to go through can_dev_dropped_skb() checks:
1. the skb->protocol is set to ETH_P_CANXL which is valid (the
function does not check the actual device capabilities).
2. the length is a valid CAN XL length.
And so, mcba_usb_start_xmit() receives a CAN XL frame which it is not
able to correctly handle and will thus misinterpret it as a CAN frame.
This can result in a buffer overflow. The driver will consume cf->len
as-is with no further checks on these lines:
usb_msg.dlc = cf->len;
memcpy(usb_msg.data, cf->data, usb_msg.dlc);
Here, cf->len corresponds to the flags field of the CAN XL frame. In
our previous example, we set canxl_frame->flags to 0xff. Because the
maximum expected length is 8, a buffer overflow of 247 bytes occurs!
Populate net_device_ops->ndo_change_mtu() to ensure that the
interface's MTU can not be set to anything bigger than CAN_MTU. By
fixing the root cause, this prevents the buffer overflow.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
51f3baad7de943780ce0c17bd7975df567dd6e14 , < 0fa9303c4b9493727e0d3a6ac3729300e3013930
(git)
Affected: 51f3baad7de943780ce0c17bd7975df567dd6e14 , < 37aed407496bf6de8910e588edb04d2435fa7011 (git) Affected: 51f3baad7de943780ce0c17bd7975df567dd6e14 , < 6eec67bfb25637f9b51e584cf59ddace59925bc8 (git) Affected: 51f3baad7de943780ce0c17bd7975df567dd6e14 , < ca4e51359608e1f29bf1f2c33c3ddf775b6b7ed1 (git) Affected: 51f3baad7de943780ce0c17bd7975df567dd6e14 , < 3664ae91b26d1fd7e4cee9cde17301361f4c89d5 (git) Affected: 51f3baad7de943780ce0c17bd7975df567dd6e14 , < 6b9fb82df8868dbe9ffea5874b8d35f951faedbb (git) Affected: 51f3baad7de943780ce0c17bd7975df567dd6e14 , < b638c3fb0f163e69785ceddb3b434a9437878bec (git) Affected: 51f3baad7de943780ce0c17bd7975df567dd6e14 , < 17c8d794527f01def0d1c8b7dc2d7b8d34fed0e6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/mcba_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0fa9303c4b9493727e0d3a6ac3729300e3013930",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "37aed407496bf6de8910e588edb04d2435fa7011",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "6eec67bfb25637f9b51e584cf59ddace59925bc8",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "ca4e51359608e1f29bf1f2c33c3ddf775b6b7ed1",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "3664ae91b26d1fd7e4cee9cde17301361f4c89d5",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "6b9fb82df8868dbe9ffea5874b8d35f951faedbb",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "b638c3fb0f163e69785ceddb3b434a9437878bec",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "17c8d794527f01def0d1c8b7dc2d7b8d34fed0e6",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/mcba_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow\n\nSending an PF_PACKET allows to bypass the CAN framework logic and to\ndirectly reach the xmit() function of a CAN driver. The only check\nwhich is performed by the PF_PACKET framework is to make sure that\nskb-\u003elen fits the interface\u0027s MTU.\n\nUnfortunately, because the mcba_usb driver does not populate its\nnet_device_ops-\u003endo_change_mtu(), it is possible for an attacker to\nconfigure an invalid MTU by doing, for example:\n\n $ ip link set can0 mtu 9999\n\nAfter doing so, the attacker could open a PF_PACKET socket using the\nETH_P_CANXL protocol:\n\n\tsocket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))\n\nto inject a malicious CAN XL frames. For example:\n\n\tstruct canxl_frame frame = {\n\t\t.flags = 0xff,\n\t\t.len = 2048,\n\t};\n\nThe CAN drivers\u0027 xmit() function are calling can_dev_dropped_skb() to\ncheck that the skb is valid, unfortunately under above conditions, the\nmalicious packet is able to go through can_dev_dropped_skb() checks:\n\n 1. the skb-\u003eprotocol is set to ETH_P_CANXL which is valid (the\n function does not check the actual device capabilities).\n\n 2. the length is a valid CAN XL length.\n\nAnd so, mcba_usb_start_xmit() receives a CAN XL frame which it is not\nable to correctly handle and will thus misinterpret it as a CAN frame.\n\nThis can result in a buffer overflow. The driver will consume cf-\u003elen\nas-is with no further checks on these lines:\n\n\tusb_msg.dlc = cf-\u003elen;\n\n\tmemcpy(usb_msg.data, cf-\u003edata, usb_msg.dlc);\n\nHere, cf-\u003elen corresponds to the flags field of the CAN XL frame. In\nour previous example, we set canxl_frame-\u003eflags to 0xff. Because the\nmaximum expected length is 8, a buffer overflow of 247 bytes occurs!\n\nPopulate net_device_ops-\u003endo_change_mtu() to ensure that the\ninterface\u0027s MTU can not be set to anything bigger than CAN_MTU. By\nfixing the root cause, this prevents the buffer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:04.439Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0fa9303c4b9493727e0d3a6ac3729300e3013930"
},
{
"url": "https://git.kernel.org/stable/c/37aed407496bf6de8910e588edb04d2435fa7011"
},
{
"url": "https://git.kernel.org/stable/c/6eec67bfb25637f9b51e584cf59ddace59925bc8"
},
{
"url": "https://git.kernel.org/stable/c/ca4e51359608e1f29bf1f2c33c3ddf775b6b7ed1"
},
{
"url": "https://git.kernel.org/stable/c/3664ae91b26d1fd7e4cee9cde17301361f4c89d5"
},
{
"url": "https://git.kernel.org/stable/c/6b9fb82df8868dbe9ffea5874b8d35f951faedbb"
},
{
"url": "https://git.kernel.org/stable/c/b638c3fb0f163e69785ceddb3b434a9437878bec"
},
{
"url": "https://git.kernel.org/stable/c/17c8d794527f01def0d1c8b7dc2d7b8d34fed0e6"
}
],
"title": "can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39985",
"datePublished": "2025-10-15T07:56:04.439Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:04.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39841 (GCVE-0-2025-39841)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
scsi: lpfc: Fix buffer free/clear order in deferred receive path
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Fix buffer free/clear order in deferred receive path
Fix a use-after-free window by correcting the buffer release sequence in
the deferred receive path. The code freed the RQ buffer first and only
then cleared the context pointer under the lock. Concurrent paths (e.g.,
ABTS and the repost path) also inspect and release the same pointer under
the lock, so the old order could lead to double-free/UAF.
Note that the repost path already uses the correct pattern: detach the
pointer under the lock, then free it after dropping the lock. The
deferred path should do the same.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
472e146d1cf3410a898b49834500fa9e33ac41a2 , < ab34084f42ee06a9028d67c78feafb911d33d111
(git)
Affected: 472e146d1cf3410a898b49834500fa9e33ac41a2 , < baa39f6ad79d372a6ce0aa639fbb2f1578479f57 (git) Affected: 472e146d1cf3410a898b49834500fa9e33ac41a2 , < 95b63d15fce5c54a73bbf195e1aacb5a75b128e2 (git) Affected: 472e146d1cf3410a898b49834500fa9e33ac41a2 , < 55658c7501467ca9ef3bd4453dd920010db8bc13 (git) Affected: 472e146d1cf3410a898b49834500fa9e33ac41a2 , < d96cc9a1b57725930c60b607423759d563b4d900 (git) Affected: 472e146d1cf3410a898b49834500fa9e33ac41a2 , < 367cb5ffd8a8a4c85dc89f55e7fa7cc191425b11 (git) Affected: 472e146d1cf3410a898b49834500fa9e33ac41a2 , < 897f64b01c1249ac730329b83f4f40bab71e86c7 (git) Affected: 472e146d1cf3410a898b49834500fa9e33ac41a2 , < 9dba9a45c348e8460da97c450cddf70b2056deb3 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:56.756Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_nvmet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab34084f42ee06a9028d67c78feafb911d33d111",
"status": "affected",
"version": "472e146d1cf3410a898b49834500fa9e33ac41a2",
"versionType": "git"
},
{
"lessThan": "baa39f6ad79d372a6ce0aa639fbb2f1578479f57",
"status": "affected",
"version": "472e146d1cf3410a898b49834500fa9e33ac41a2",
"versionType": "git"
},
{
"lessThan": "95b63d15fce5c54a73bbf195e1aacb5a75b128e2",
"status": "affected",
"version": "472e146d1cf3410a898b49834500fa9e33ac41a2",
"versionType": "git"
},
{
"lessThan": "55658c7501467ca9ef3bd4453dd920010db8bc13",
"status": "affected",
"version": "472e146d1cf3410a898b49834500fa9e33ac41a2",
"versionType": "git"
},
{
"lessThan": "d96cc9a1b57725930c60b607423759d563b4d900",
"status": "affected",
"version": "472e146d1cf3410a898b49834500fa9e33ac41a2",
"versionType": "git"
},
{
"lessThan": "367cb5ffd8a8a4c85dc89f55e7fa7cc191425b11",
"status": "affected",
"version": "472e146d1cf3410a898b49834500fa9e33ac41a2",
"versionType": "git"
},
{
"lessThan": "897f64b01c1249ac730329b83f4f40bab71e86c7",
"status": "affected",
"version": "472e146d1cf3410a898b49834500fa9e33ac41a2",
"versionType": "git"
},
{
"lessThan": "9dba9a45c348e8460da97c450cddf70b2056deb3",
"status": "affected",
"version": "472e146d1cf3410a898b49834500fa9e33ac41a2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_nvmet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix buffer free/clear order in deferred receive path\n\nFix a use-after-free window by correcting the buffer release sequence in\nthe deferred receive path. The code freed the RQ buffer first and only\nthen cleared the context pointer under the lock. Concurrent paths (e.g.,\nABTS and the repost path) also inspect and release the same pointer under\nthe lock, so the old order could lead to double-free/UAF.\n\nNote that the repost path already uses the correct pattern: detach the\npointer under the lock, then free it after dropping the lock. The\ndeferred path should do the same."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:48.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab34084f42ee06a9028d67c78feafb911d33d111"
},
{
"url": "https://git.kernel.org/stable/c/baa39f6ad79d372a6ce0aa639fbb2f1578479f57"
},
{
"url": "https://git.kernel.org/stable/c/95b63d15fce5c54a73bbf195e1aacb5a75b128e2"
},
{
"url": "https://git.kernel.org/stable/c/55658c7501467ca9ef3bd4453dd920010db8bc13"
},
{
"url": "https://git.kernel.org/stable/c/d96cc9a1b57725930c60b607423759d563b4d900"
},
{
"url": "https://git.kernel.org/stable/c/367cb5ffd8a8a4c85dc89f55e7fa7cc191425b11"
},
{
"url": "https://git.kernel.org/stable/c/897f64b01c1249ac730329b83f4f40bab71e86c7"
},
{
"url": "https://git.kernel.org/stable/c/9dba9a45c348e8460da97c450cddf70b2056deb3"
}
],
"title": "scsi: lpfc: Fix buffer free/clear order in deferred receive path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39841",
"datePublished": "2025-09-19T15:26:16.349Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:43:56.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39972 (GCVE-0-2025-39972)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:55 – Updated: 2025-10-15 07:55
VLAI?
EPSS
Title
i40e: fix idx validation in i40e_validate_queue_map
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix idx validation in i40e_validate_queue_map
Ensure idx is within range of active/initialized TCs when iterating over
vf->ch[idx] in i40e_validate_queue_map().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < b6cb93a7ff208f324c7ec581d72995f80e115e0e
(git)
Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < 6f15a7b34fae75e745bdc2ec05e06ddfd0dd2f3c (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < 34dfac0c904829967d500c51f216916ce1452957 (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < 4d5e804a9e19b639b18fd13664dbad3c03c79e61 (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < 50a1e2f50f6c22b93b94eb8d168a1be3c05bf5cd (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < cc4191e8ef40d2249c1b9a8617d22ec8a976b574 (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < d4e3eaaa3cb3af77836d806c89cd6ebf533a7320 (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < aa68d3c3ac8d1dcec40d52ae27e39f6d32207009 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b6cb93a7ff208f324c7ec581d72995f80e115e0e",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "6f15a7b34fae75e745bdc2ec05e06ddfd0dd2f3c",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "34dfac0c904829967d500c51f216916ce1452957",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "4d5e804a9e19b639b18fd13664dbad3c03c79e61",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "50a1e2f50f6c22b93b94eb8d168a1be3c05bf5cd",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "cc4191e8ef40d2249c1b9a8617d22ec8a976b574",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "d4e3eaaa3cb3af77836d806c89cd6ebf533a7320",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "aa68d3c3ac8d1dcec40d52ae27e39f6d32207009",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix idx validation in i40e_validate_queue_map\n\nEnsure idx is within range of active/initialized TCs when iterating over\nvf-\u003ech[idx] in i40e_validate_queue_map()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:54.929Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b6cb93a7ff208f324c7ec581d72995f80e115e0e"
},
{
"url": "https://git.kernel.org/stable/c/6f15a7b34fae75e745bdc2ec05e06ddfd0dd2f3c"
},
{
"url": "https://git.kernel.org/stable/c/34dfac0c904829967d500c51f216916ce1452957"
},
{
"url": "https://git.kernel.org/stable/c/4d5e804a9e19b639b18fd13664dbad3c03c79e61"
},
{
"url": "https://git.kernel.org/stable/c/50a1e2f50f6c22b93b94eb8d168a1be3c05bf5cd"
},
{
"url": "https://git.kernel.org/stable/c/cc4191e8ef40d2249c1b9a8617d22ec8a976b574"
},
{
"url": "https://git.kernel.org/stable/c/d4e3eaaa3cb3af77836d806c89cd6ebf533a7320"
},
{
"url": "https://git.kernel.org/stable/c/aa68d3c3ac8d1dcec40d52ae27e39f6d32207009"
}
],
"title": "i40e: fix idx validation in i40e_validate_queue_map",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39972",
"datePublished": "2025-10-15T07:55:54.929Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:54.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39916 (GCVE-0-2025-39916)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:44 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters()
When creating a new scheme of DAMON_RECLAIM, the calculation of
'min_age_region' uses 'aggr_interval' as the divisor, which may lead to
division-by-zero errors. Fix it by directly returning -EINVAL when such a
case occurs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05 , < 64dc351e58271c1e9005e42f5216b4f3d7a39b66
(git)
Affected: f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05 , < 9fe0415156fbde773b31f920201cb70b1f0e40fe (git) Affected: f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05 , < 5d6eeb3c683c777ed4538eb3a650bb7da17a7cff (git) Affected: f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05 , < 40cb9b38b645126fdd1d6aa3d6811a8ad50ddfa1 (git) Affected: f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05 , < e6b543ca9806d7bced863f43020e016ee996c057 (git) Affected: fd3e613a912bbb344ee18579cc2ad3329aacba41 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:38.840Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/reclaim.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64dc351e58271c1e9005e42f5216b4f3d7a39b66",
"status": "affected",
"version": "f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05",
"versionType": "git"
},
{
"lessThan": "9fe0415156fbde773b31f920201cb70b1f0e40fe",
"status": "affected",
"version": "f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05",
"versionType": "git"
},
{
"lessThan": "5d6eeb3c683c777ed4538eb3a650bb7da17a7cff",
"status": "affected",
"version": "f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05",
"versionType": "git"
},
{
"lessThan": "40cb9b38b645126fdd1d6aa3d6811a8ad50ddfa1",
"status": "affected",
"version": "f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05",
"versionType": "git"
},
{
"lessThan": "e6b543ca9806d7bced863f43020e016ee996c057",
"status": "affected",
"version": "f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05",
"versionType": "git"
},
{
"status": "affected",
"version": "fd3e613a912bbb344ee18579cc2ad3329aacba41",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/reclaim.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters()\n\nWhen creating a new scheme of DAMON_RECLAIM, the calculation of\n\u0027min_age_region\u0027 uses \u0027aggr_interval\u0027 as the divisor, which may lead to\ndivision-by-zero errors. Fix it by directly returning -EINVAL when such a\ncase occurs."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:44:38.690Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64dc351e58271c1e9005e42f5216b4f3d7a39b66"
},
{
"url": "https://git.kernel.org/stable/c/9fe0415156fbde773b31f920201cb70b1f0e40fe"
},
{
"url": "https://git.kernel.org/stable/c/5d6eeb3c683c777ed4538eb3a650bb7da17a7cff"
},
{
"url": "https://git.kernel.org/stable/c/40cb9b38b645126fdd1d6aa3d6811a8ad50ddfa1"
},
{
"url": "https://git.kernel.org/stable/c/e6b543ca9806d7bced863f43020e016ee996c057"
}
],
"title": "mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39916",
"datePublished": "2025-10-01T07:44:38.690Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:38.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40285 (GCVE-0-2025-40285)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2026-01-26 16:17
VLAI?
EPSS
Title
smb/server: fix possible refcount leak in smb2_sess_setup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb/server: fix possible refcount leak in smb2_sess_setup()
Reference count of ksmbd_session will leak when session need reconnect.
Fix this by adding the missing ksmbd_user_session_put().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
37a0e2b362b3150317fb6e2139de67b1e29ae5ff , < 6fc935f798d44a8eb8a5e6659198399fbf57b981
(git)
Affected: 450a844c045ff0895d41b05a1cbe8febd1acfcfd , < e671f9bb97805771380c98de944e2ceab6949188 (git) Affected: a39e31e22a535d47b14656a7d6a893c7f6cf758c , < dcc51dfe6ff26b52cac106865a172ac982d78401 (git) Affected: b95629435b84b9ecc0c765995204a4d8a913ed52 , < d37b2c81c83d6c0d5ca582f4fe73c672983f9e0d (git) Affected: b95629435b84b9ecc0c765995204a4d8a913ed52 , < 379510a815cb2e64eb0a379cb62295d6ade65df0 (git) Affected: 2107ab40629aeabbec369cf34b8cf0f288c3eb1b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6fc935f798d44a8eb8a5e6659198399fbf57b981",
"status": "affected",
"version": "37a0e2b362b3150317fb6e2139de67b1e29ae5ff",
"versionType": "git"
},
{
"lessThan": "e671f9bb97805771380c98de944e2ceab6949188",
"status": "affected",
"version": "450a844c045ff0895d41b05a1cbe8febd1acfcfd",
"versionType": "git"
},
{
"lessThan": "dcc51dfe6ff26b52cac106865a172ac982d78401",
"status": "affected",
"version": "a39e31e22a535d47b14656a7d6a893c7f6cf758c",
"versionType": "git"
},
{
"lessThan": "d37b2c81c83d6c0d5ca582f4fe73c672983f9e0d",
"status": "affected",
"version": "b95629435b84b9ecc0c765995204a4d8a913ed52",
"versionType": "git"
},
{
"lessThan": "379510a815cb2e64eb0a379cb62295d6ade65df0",
"status": "affected",
"version": "b95629435b84b9ecc0c765995204a4d8a913ed52",
"versionType": "git"
},
{
"status": "affected",
"version": "2107ab40629aeabbec369cf34b8cf0f288c3eb1b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.6.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "6.12.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.176",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/server: fix possible refcount leak in smb2_sess_setup()\n\nReference count of ksmbd_session will leak when session need reconnect.\nFix this by adding the missing ksmbd_user_session_put()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T16:17:43.096Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6fc935f798d44a8eb8a5e6659198399fbf57b981"
},
{
"url": "https://git.kernel.org/stable/c/e671f9bb97805771380c98de944e2ceab6949188"
},
{
"url": "https://git.kernel.org/stable/c/dcc51dfe6ff26b52cac106865a172ac982d78401"
},
{
"url": "https://git.kernel.org/stable/c/d37b2c81c83d6c0d5ca582f4fe73c672983f9e0d"
},
{
"url": "https://git.kernel.org/stable/c/379510a815cb2e64eb0a379cb62295d6ade65df0"
}
],
"title": "smb/server: fix possible refcount leak in smb2_sess_setup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40285",
"datePublished": "2025-12-06T21:51:09.590Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2026-01-26T16:17:43.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68374 (GCVE-0-2025-68374)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
md: fix rcu protection in md_wakeup_thread
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: fix rcu protection in md_wakeup_thread
We attempted to use RCU to protect the pointer 'thread', but directly
passed the value when calling md_wakeup_thread(). This means that the
RCU pointer has been acquired before rcu_read_lock(), which renders
rcu_read_lock() ineffective and could lead to a use-after-free.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4469315439827290923fce4f3f672599cabeb366 , < 21989cb5034c835b212385a2afadf279d8069da0
(git)
Affected: 4469315439827290923fce4f3f672599cabeb366 , < a4bd1caf591faeae44cb10b6517e7dacb5139bda (git) Affected: 4469315439827290923fce4f3f672599cabeb366 , < f98b191f78124405294481dea85f8a22a3eb0a59 (git) Affected: 4469315439827290923fce4f3f672599cabeb366 , < 0dc76205549b4c25705e54345f211b9f66e018a0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c",
"drivers/md/md.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "21989cb5034c835b212385a2afadf279d8069da0",
"status": "affected",
"version": "4469315439827290923fce4f3f672599cabeb366",
"versionType": "git"
},
{
"lessThan": "a4bd1caf591faeae44cb10b6517e7dacb5139bda",
"status": "affected",
"version": "4469315439827290923fce4f3f672599cabeb366",
"versionType": "git"
},
{
"lessThan": "f98b191f78124405294481dea85f8a22a3eb0a59",
"status": "affected",
"version": "4469315439827290923fce4f3f672599cabeb366",
"versionType": "git"
},
{
"lessThan": "0dc76205549b4c25705e54345f211b9f66e018a0",
"status": "affected",
"version": "4469315439827290923fce4f3f672599cabeb366",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c",
"drivers/md/md.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix rcu protection in md_wakeup_thread\n\nWe attempted to use RCU to protect the pointer \u0027thread\u0027, but directly\npassed the value when calling md_wakeup_thread(). This means that the\nRCU pointer has been acquired before rcu_read_lock(), which renders\nrcu_read_lock() ineffective and could lead to a use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:12.034Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/21989cb5034c835b212385a2afadf279d8069da0"
},
{
"url": "https://git.kernel.org/stable/c/a4bd1caf591faeae44cb10b6517e7dacb5139bda"
},
{
"url": "https://git.kernel.org/stable/c/f98b191f78124405294481dea85f8a22a3eb0a59"
},
{
"url": "https://git.kernel.org/stable/c/0dc76205549b4c25705e54345f211b9f66e018a0"
}
],
"title": "md: fix rcu protection in md_wakeup_thread",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68374",
"datePublished": "2025-12-24T10:33:04.046Z",
"dateReserved": "2025-12-16T14:48:05.310Z",
"dateUpdated": "2026-02-09T08:32:12.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40303 (GCVE-0-2025-40303)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
btrfs: ensure no dirty metadata is written back for an fs with errors
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: ensure no dirty metadata is written back for an fs with errors
[BUG]
During development of a minor feature (make sure all btrfs_bio::end_io()
is called in task context), I noticed a crash in generic/388, where
metadata writes triggered new works after btrfs_stop_all_workers().
It turns out that it can even happen without any code modification, just
using RAID5 for metadata and the same workload from generic/388 is going
to trigger the use-after-free.
[CAUSE]
If btrfs hits an error, the fs is marked as error, no new
transaction is allowed thus metadata is in a frozen state.
But there are some metadata modifications before that error, and they are
still in the btree inode page cache.
Since there will be no real transaction commit, all those dirty folios
are just kept as is in the page cache, and they can not be invalidated
by invalidate_inode_pages2() call inside close_ctree(), because they are
dirty.
And finally after btrfs_stop_all_workers(), we call iput() on btree
inode, which triggers writeback of those dirty metadata.
And if the fs is using RAID56 metadata, this will trigger RMW and queue
new works into rmw_workers, which is already stopped, causing warning
from queue_work() and use-after-free.
[FIX]
Add a special handling for write_one_eb(), that if the fs is already in
an error state, immediately mark the bbio as failure, instead of really
submitting them.
Then during close_ctree(), iput() will just discard all those dirty
tree blocks without really writing them back, thus no more new jobs for
already stopped-and-freed workqueues.
The extra discard in write_one_eb() also acts as an extra safenet.
E.g. the transaction abort is triggered by some extent/free space
tree corruptions, and since extent/free space tree is already corrupted
some tree blocks may be allocated where they shouldn't be (overwriting
existing tree blocks). In that case writing them back will further
corrupting the fs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
13e6c37b989859e70b0d73d3f2cb0aa022159b17 , < 066ee13f05fbd82ada01883e51f0695172f98dff
(git)
Affected: 13e6c37b989859e70b0d73d3f2cb0aa022159b17 , < e2b3859067bf012d53c49b3f885fef40624a2c83 (git) Affected: 13e6c37b989859e70b0d73d3f2cb0aa022159b17 , < 54a5b5a15588e3b0b294df31474d08a2678d4291 (git) Affected: 13e6c37b989859e70b0d73d3f2cb0aa022159b17 , < 2618849f31e7cf51fadd4a5242458501a6d5b315 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent_io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "066ee13f05fbd82ada01883e51f0695172f98dff",
"status": "affected",
"version": "13e6c37b989859e70b0d73d3f2cb0aa022159b17",
"versionType": "git"
},
{
"lessThan": "e2b3859067bf012d53c49b3f885fef40624a2c83",
"status": "affected",
"version": "13e6c37b989859e70b0d73d3f2cb0aa022159b17",
"versionType": "git"
},
{
"lessThan": "54a5b5a15588e3b0b294df31474d08a2678d4291",
"status": "affected",
"version": "13e6c37b989859e70b0d73d3f2cb0aa022159b17",
"versionType": "git"
},
{
"lessThan": "2618849f31e7cf51fadd4a5242458501a6d5b315",
"status": "affected",
"version": "13e6c37b989859e70b0d73d3f2cb0aa022159b17",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent_io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: ensure no dirty metadata is written back for an fs with errors\n\n[BUG]\nDuring development of a minor feature (make sure all btrfs_bio::end_io()\nis called in task context), I noticed a crash in generic/388, where\nmetadata writes triggered new works after btrfs_stop_all_workers().\n\nIt turns out that it can even happen without any code modification, just\nusing RAID5 for metadata and the same workload from generic/388 is going\nto trigger the use-after-free.\n\n[CAUSE]\nIf btrfs hits an error, the fs is marked as error, no new\ntransaction is allowed thus metadata is in a frozen state.\n\nBut there are some metadata modifications before that error, and they are\nstill in the btree inode page cache.\n\nSince there will be no real transaction commit, all those dirty folios\nare just kept as is in the page cache, and they can not be invalidated\nby invalidate_inode_pages2() call inside close_ctree(), because they are\ndirty.\n\nAnd finally after btrfs_stop_all_workers(), we call iput() on btree\ninode, which triggers writeback of those dirty metadata.\n\nAnd if the fs is using RAID56 metadata, this will trigger RMW and queue\nnew works into rmw_workers, which is already stopped, causing warning\nfrom queue_work() and use-after-free.\n\n[FIX]\nAdd a special handling for write_one_eb(), that if the fs is already in\nan error state, immediately mark the bbio as failure, instead of really\nsubmitting them.\n\nThen during close_ctree(), iput() will just discard all those dirty\ntree blocks without really writing them back, thus no more new jobs for\nalready stopped-and-freed workqueues.\n\nThe extra discard in write_one_eb() also acts as an extra safenet.\nE.g. the transaction abort is triggered by some extent/free space\ntree corruptions, and since extent/free space tree is already corrupted\nsome tree blocks may be allocated where they shouldn\u0027t be (overwriting\nexisting tree blocks). In that case writing them back will further\ncorrupting the fs."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:24.871Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/066ee13f05fbd82ada01883e51f0695172f98dff"
},
{
"url": "https://git.kernel.org/stable/c/e2b3859067bf012d53c49b3f885fef40624a2c83"
},
{
"url": "https://git.kernel.org/stable/c/54a5b5a15588e3b0b294df31474d08a2678d4291"
},
{
"url": "https://git.kernel.org/stable/c/2618849f31e7cf51fadd4a5242458501a6d5b315"
}
],
"title": "btrfs: ensure no dirty metadata is written back for an fs with errors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40303",
"datePublished": "2025-12-08T00:46:27.820Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-02T15:33:24.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39948 (GCVE-0-2025-39948)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:31 – Updated: 2025-10-04 07:31
VLAI?
EPSS
Title
ice: fix Rx page leak on multi-buffer frames
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: fix Rx page leak on multi-buffer frames
The ice_put_rx_mbuf() function handles calling ice_put_rx_buf() for each
buffer in the current frame. This function was introduced as part of
handling multi-buffer XDP support in the ice driver.
It works by iterating over the buffers from first_desc up to 1 plus the
total number of fragments in the frame, cached from before the XDP program
was executed.
If the hardware posts a descriptor with a size of 0, the logic used in
ice_put_rx_mbuf() breaks. Such descriptors get skipped and don't get added
as fragments in ice_add_xdp_frag. Since the buffer isn't counted as a
fragment, we do not iterate over it in ice_put_rx_mbuf(), and thus we don't
call ice_put_rx_buf().
Because we don't call ice_put_rx_buf(), we don't attempt to re-use the
page or free it. This leaves a stale page in the ring, as we don't
increment next_to_alloc.
The ice_reuse_rx_page() assumes that the next_to_alloc has been incremented
properly, and that it always points to a buffer with a NULL page. Since
this function doesn't check, it will happily recycle a page over the top
of the next_to_alloc buffer, losing track of the old page.
Note that this leak only occurs for multi-buffer frames. The
ice_put_rx_mbuf() function always handles at least one buffer, so a
single-buffer frame will always get handled correctly. It is not clear
precisely why the hardware hands us descriptors with a size of 0 sometimes,
but it happens somewhat regularly with "jumbo frames" used by 9K MTU.
To fix ice_put_rx_mbuf(), we need to make sure to call ice_put_rx_buf() on
all buffers between first_desc and next_to_clean. Borrow the logic of a
similar function in i40e used for this same purpose. Use the same logic
also in ice_get_pgcnts().
Instead of iterating over just the number of fragments, use a loop which
iterates until the current index reaches to the next_to_clean element just
past the current frame. Unlike i40e, the ice_put_rx_mbuf() function does
call ice_put_rx_buf() on the last buffer of the frame indicating the end of
packet.
For non-linear (multi-buffer) frames, we need to take care when adjusting
the pagecnt_bias. An XDP program might release fragments from the tail of
the frame, in which case that fragment page is already released. Only
update the pagecnt_bias for the first descriptor and fragments still
remaining post-XDP program. Take care to only access the shared info for
fragmented buffers, as this avoids a significant cache miss.
The xdp_xmit value only needs to be updated if an XDP program is run, and
only once per packet. Drop the xdp_xmit pointer argument from
ice_put_rx_mbuf(). Instead, set xdp_xmit in the ice_clean_rx_irq() function
directly. This avoids needing to pass the argument and avoids an extra
bit-wise OR for each buffer in the frame.
Move the increment of the ntc local variable to ensure its updated *before*
all calls to ice_get_pgcnts() or ice_put_rx_mbuf(), as the loop logic
requires the index of the element just after the current frame.
Now that we use an index pointer in the ring to identify the packet, we no
longer need to track or cache the number of fragments in the rx_ring.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
311813ed013c016d4b0b0985a9ee41f778489077 , < 80555adb5c892f0e21d243ae96ed997ee520aea9
(git)
Affected: 743bbd93cf29f653fae0e1416a31f03231689911 , < fcb5718ebfe7fd64144e3399280440cce361a3ae (git) Affected: 743bbd93cf29f653fae0e1416a31f03231689911 , < 84bf1ac85af84d354c7a2fdbdc0d4efc8aaec34b (git) Affected: ac1728cf370bec2e74fe6a2adf05b4629980d2b3 (git) Affected: d445b59d30415bb56f4803f622d566bca06e0abc (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_txrx.c",
"drivers/net/ethernet/intel/ice/ice_txrx.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80555adb5c892f0e21d243ae96ed997ee520aea9",
"status": "affected",
"version": "311813ed013c016d4b0b0985a9ee41f778489077",
"versionType": "git"
},
{
"lessThan": "fcb5718ebfe7fd64144e3399280440cce361a3ae",
"status": "affected",
"version": "743bbd93cf29f653fae0e1416a31f03231689911",
"versionType": "git"
},
{
"lessThan": "84bf1ac85af84d354c7a2fdbdc0d4efc8aaec34b",
"status": "affected",
"version": "743bbd93cf29f653fae0e1416a31f03231689911",
"versionType": "git"
},
{
"status": "affected",
"version": "ac1728cf370bec2e74fe6a2adf05b4629980d2b3",
"versionType": "git"
},
{
"status": "affected",
"version": "d445b59d30415bb56f4803f622d566bca06e0abc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_txrx.c",
"drivers/net/ethernet/intel/ice/ice_txrx.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "6.12.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix Rx page leak on multi-buffer frames\n\nThe ice_put_rx_mbuf() function handles calling ice_put_rx_buf() for each\nbuffer in the current frame. This function was introduced as part of\nhandling multi-buffer XDP support in the ice driver.\n\nIt works by iterating over the buffers from first_desc up to 1 plus the\ntotal number of fragments in the frame, cached from before the XDP program\nwas executed.\n\nIf the hardware posts a descriptor with a size of 0, the logic used in\nice_put_rx_mbuf() breaks. Such descriptors get skipped and don\u0027t get added\nas fragments in ice_add_xdp_frag. Since the buffer isn\u0027t counted as a\nfragment, we do not iterate over it in ice_put_rx_mbuf(), and thus we don\u0027t\ncall ice_put_rx_buf().\n\nBecause we don\u0027t call ice_put_rx_buf(), we don\u0027t attempt to re-use the\npage or free it. This leaves a stale page in the ring, as we don\u0027t\nincrement next_to_alloc.\n\nThe ice_reuse_rx_page() assumes that the next_to_alloc has been incremented\nproperly, and that it always points to a buffer with a NULL page. Since\nthis function doesn\u0027t check, it will happily recycle a page over the top\nof the next_to_alloc buffer, losing track of the old page.\n\nNote that this leak only occurs for multi-buffer frames. The\nice_put_rx_mbuf() function always handles at least one buffer, so a\nsingle-buffer frame will always get handled correctly. It is not clear\nprecisely why the hardware hands us descriptors with a size of 0 sometimes,\nbut it happens somewhat regularly with \"jumbo frames\" used by 9K MTU.\n\nTo fix ice_put_rx_mbuf(), we need to make sure to call ice_put_rx_buf() on\nall buffers between first_desc and next_to_clean. Borrow the logic of a\nsimilar function in i40e used for this same purpose. Use the same logic\nalso in ice_get_pgcnts().\n\nInstead of iterating over just the number of fragments, use a loop which\niterates until the current index reaches to the next_to_clean element just\npast the current frame. Unlike i40e, the ice_put_rx_mbuf() function does\ncall ice_put_rx_buf() on the last buffer of the frame indicating the end of\npacket.\n\nFor non-linear (multi-buffer) frames, we need to take care when adjusting\nthe pagecnt_bias. An XDP program might release fragments from the tail of\nthe frame, in which case that fragment page is already released. Only\nupdate the pagecnt_bias for the first descriptor and fragments still\nremaining post-XDP program. Take care to only access the shared info for\nfragmented buffers, as this avoids a significant cache miss.\n\nThe xdp_xmit value only needs to be updated if an XDP program is run, and\nonly once per packet. Drop the xdp_xmit pointer argument from\nice_put_rx_mbuf(). Instead, set xdp_xmit in the ice_clean_rx_irq() function\ndirectly. This avoids needing to pass the argument and avoids an extra\nbit-wise OR for each buffer in the frame.\n\nMove the increment of the ntc local variable to ensure its updated *before*\nall calls to ice_get_pgcnts() or ice_put_rx_mbuf(), as the loop logic\nrequires the index of the element just after the current frame.\n\nNow that we use an index pointer in the ring to identify the packet, we no\nlonger need to track or cache the number of fragments in the rx_ring."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:31:09.403Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80555adb5c892f0e21d243ae96ed997ee520aea9"
},
{
"url": "https://git.kernel.org/stable/c/fcb5718ebfe7fd64144e3399280440cce361a3ae"
},
{
"url": "https://git.kernel.org/stable/c/84bf1ac85af84d354c7a2fdbdc0d4efc8aaec34b"
}
],
"title": "ice: fix Rx page leak on multi-buffer frames",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39948",
"datePublished": "2025-10-04T07:31:09.403Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:31:09.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40068 (GCVE-0-2025-40068)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
fs: ntfs3: Fix integer overflow in run_unpack()
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: ntfs3: Fix integer overflow in run_unpack()
The MFT record relative to the file being opened contains its runlist,
an array containing information about the file's location on the physical
disk. Analysis of all Call Stack paths showed that the values of the
runlist array, from which LCNs are calculated, are not validated before
run_unpack function.
The run_unpack function decodes the compressed runlist data format
from MFT attributes (for example, $DATA), converting them into a runs_tree
structure, which describes the mapping of virtual clusters (VCN) to
logical clusters (LCN). The NTFS3 subsystem also has a shortcut for
deleting files from MFT records - in this case, the RUN_DEALLOCATE
command is sent to the run_unpack input, and the function logic
provides that all data transferred to the runlist about file or
directory is deleted without creating a runs_tree structure.
Substituting the runlist in the $DATA attribute of the MFT record for an
arbitrary file can lead either to access to arbitrary data on the disk
bypassing access checks to them (since the inode access check
occurs above) or to destruction of arbitrary data on the disk.
Add overflow check for addition operation.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4342306f0f0d5ff4315a204d315c1b51b914fca5 , < f6b36cfd25cbadad63447c673743cf771090e756
(git)
Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 3ac37e100385b59ac821a62118494442238aaac4 (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < a86c8b9d03f7101e1750233846fe989df6f0d631 (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 9378cfe228c2c679564a4116bcb28c8e89dff989 (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 5aa5799d162ad1b8e8b699d48b6218143c695a78 (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 736fc7bf5f68f6b74a0925b7e072c571838657d2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/run.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f6b36cfd25cbadad63447c673743cf771090e756",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "3ac37e100385b59ac821a62118494442238aaac4",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "a86c8b9d03f7101e1750233846fe989df6f0d631",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "9378cfe228c2c679564a4116bcb28c8e89dff989",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "5aa5799d162ad1b8e8b699d48b6218143c695a78",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "736fc7bf5f68f6b74a0925b7e072c571838657d2",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/run.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: Fix integer overflow in run_unpack()\n\nThe MFT record relative to the file being opened contains its runlist,\nan array containing information about the file\u0027s location on the physical\ndisk. Analysis of all Call Stack paths showed that the values of the\nrunlist array, from which LCNs are calculated, are not validated before\nrun_unpack function.\n\nThe run_unpack function decodes the compressed runlist data format\nfrom MFT attributes (for example, $DATA), converting them into a runs_tree\nstructure, which describes the mapping of virtual clusters (VCN) to\nlogical clusters (LCN). The NTFS3 subsystem also has a shortcut for\ndeleting files from MFT records - in this case, the RUN_DEALLOCATE\ncommand is sent to the run_unpack input, and the function logic\nprovides that all data transferred to the runlist about file or\ndirectory is deleted without creating a runs_tree structure.\n\nSubstituting the runlist in the $DATA attribute of the MFT record for an\narbitrary file can lead either to access to arbitrary data on the disk\nbypassing access checks to them (since the inode access check\noccurs above) or to destruction of arbitrary data on the disk.\n\nAdd overflow check for addition operation.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:19.630Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f6b36cfd25cbadad63447c673743cf771090e756"
},
{
"url": "https://git.kernel.org/stable/c/3ac37e100385b59ac821a62118494442238aaac4"
},
{
"url": "https://git.kernel.org/stable/c/a86c8b9d03f7101e1750233846fe989df6f0d631"
},
{
"url": "https://git.kernel.org/stable/c/9378cfe228c2c679564a4116bcb28c8e89dff989"
},
{
"url": "https://git.kernel.org/stable/c/5aa5799d162ad1b8e8b699d48b6218143c695a78"
},
{
"url": "https://git.kernel.org/stable/c/736fc7bf5f68f6b74a0925b7e072c571838657d2"
}
],
"title": "fs: ntfs3: Fix integer overflow in run_unpack()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40068",
"datePublished": "2025-10-28T11:48:37.636Z",
"dateReserved": "2025-04-16T07:20:57.159Z",
"dateUpdated": "2025-12-01T06:17:19.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40166 (GCVE-0-2025-40166)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:26 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
drm/xe/guc: Check GuC running state before deregistering exec queue
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/guc: Check GuC running state before deregistering exec queue
In normal operation, a registered exec queue is disabled and
deregistered through the GuC, and freed only after the GuC confirms
completion. However, if the driver is forced to unbind while the exec
queue is still running, the user may call exec_destroy() after the GuC
has already been stopped and CT communication disabled.
In this case, the driver cannot receive a response from the GuC,
preventing proper cleanup of exec queue resources. Fix this by directly
releasing the resources when GuC is not running.
Here is the failure dmesg log:
"
[ 468.089581] ---[ end trace 0000000000000000 ]---
[ 468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535)
[ 468.090558] pci 0000:03:00.0: [drm] GT0: total 65535
[ 468.090562] pci 0000:03:00.0: [drm] GT0: used 1
[ 468.090564] pci 0000:03:00.0: [drm] GT0: range 1..1 (1)
[ 468.092716] ------------[ cut here ]------------
[ 468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe]
"
v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().
As CT may go down and come back during VF migration.
(cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
dd08ebf6c3525a7ea2186e636df064ea47281987 , < 2c6e5904c5bdbac8e0eadee40f70c42bb83f6dc6
(git)
Affected: dd08ebf6c3525a7ea2186e636df064ea47281987 , < fa708415566bbe5361c935645107319f8edc8dc1 (git) Affected: dd08ebf6c3525a7ea2186e636df064ea47281987 , < 9f64b3cd051b825de0a2a9f145c8e003200cedd5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_guc_submit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c6e5904c5bdbac8e0eadee40f70c42bb83f6dc6",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
},
{
"lessThan": "fa708415566bbe5361c935645107319f8edc8dc1",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
},
{
"lessThan": "9f64b3cd051b825de0a2a9f145c8e003200cedd5",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_guc_submit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/guc: Check GuC running state before deregistering exec queue\n\nIn normal operation, a registered exec queue is disabled and\nderegistered through the GuC, and freed only after the GuC confirms\ncompletion. However, if the driver is forced to unbind while the exec\nqueue is still running, the user may call exec_destroy() after the GuC\nhas already been stopped and CT communication disabled.\n\nIn this case, the driver cannot receive a response from the GuC,\npreventing proper cleanup of exec queue resources. Fix this by directly\nreleasing the resources when GuC is not running.\n\nHere is the failure dmesg log:\n\"\n[ 468.089581] ---[ end trace 0000000000000000 ]---\n[ 468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535)\n[ 468.090558] pci 0000:03:00.0: [drm] GT0: total 65535\n[ 468.090562] pci 0000:03:00.0: [drm] GT0: used 1\n[ 468.090564] pci 0000:03:00.0: [drm] GT0: range 1..1 (1)\n[ 468.092716] ------------[ cut here ]------------\n[ 468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe]\n\"\n\nv2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().\n As CT may go down and come back during VF migration.\n\n(cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:19.669Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c6e5904c5bdbac8e0eadee40f70c42bb83f6dc6"
},
{
"url": "https://git.kernel.org/stable/c/fa708415566bbe5361c935645107319f8edc8dc1"
},
{
"url": "https://git.kernel.org/stable/c/9f64b3cd051b825de0a2a9f145c8e003200cedd5"
}
],
"title": "drm/xe/guc: Check GuC running state before deregistering exec queue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40166",
"datePublished": "2025-11-12T10:26:24.143Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:19.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62626 (GCVE-0-2025-62626)
Vulnerability from cvelistv5 – Published: 2025-11-21 18:52 – Updated: 2026-02-26 16:07
VLAI?
EPSS
Summary
Improper handling of insufficient entropy in the AMD CPUs could allow a local attacker to influence the values returned by the RDSEED instruction, potentially resulting in the consumption of insufficiently random values.
Severity ?
CWE
- CWE-333 - Improper Handling of Insufficient Entropy in TRNG
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| AMD | AMD Ryzen™ 9000HX Series Processors |
Unaffected:
FireRangeFL1PI 1.0.0.0e
|
|||||||
|
|||||||||
Date Public ?
2025-11-21 18:56
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-22T04:55:23.243637Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:07:38.573Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 9000HX Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "FireRangeFL1PI 1.0.0.0e"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 9005 Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "Turin C1 : 0x0B00215A Turin Dense / B0: 0x0B101054"
}
]
}
],
"datePublic": "2025-11-21T18:56:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper handling of insufficient entropy in the AMD CPUs could allow a local attacker to influence the values returned by the RDSEED instruction, potentially resulting in the consumption of insufficiently random values.\u003cbr\u003e"
}
],
"value": "Improper handling of insufficient entropy in the AMD CPUs could allow a local attacker to influence the values returned by the RDSEED instruction, potentially resulting in the consumption of insufficiently random values."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-333",
"description": "CWE-333 Improper Handling of Insufficient Entropy in TRNG",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-23T16:49:35.748Z",
"orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"shortName": "AMD"
},
"references": [
{
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-7055.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "AMD PSIRT Automation 1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"assignerShortName": "AMD",
"cveId": "CVE-2025-62626",
"datePublished": "2025-11-21T18:52:57.206Z",
"dateReserved": "2025-10-16T20:46:13.455Z",
"dateUpdated": "2026-02-26T16:07:38.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68379 (GCVE-0-2025-68379)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
RDMA/rxe: Fix null deref on srq->rq.queue after resize failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix null deref on srq->rq.queue after resize failure
A NULL pointer dereference can occur in rxe_srq_chk_attr() when
ibv_modify_srq() is invoked twice in succession under certain error
conditions. The first call may fail in rxe_queue_resize(), which leads
rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then
triggers a crash (null deref) when accessing
srq->rq.queue->buf->index_mask.
Call Trace:
<TASK>
rxe_modify_srq+0x170/0x480 [rdma_rxe]
? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe]
? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs]
? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs]
ib_uverbs_modify_srq+0x204/0x290 [ib_uverbs]
? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs]
? tryinc_node_nr_active+0xe6/0x150
? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs]
? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
ib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs]
? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
ib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs]
? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs]
? __pfx___raw_spin_lock_irqsave+0x10/0x10
? __pfx_do_vfs_ioctl+0x10/0x10
? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0
? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10
ib_uverbs_ioctl+0x13e/0x220 [ib_uverbs]
? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs]
__x64_sys_ioctl+0x138/0x1c0
do_syscall_64+0x82/0x250
? fdget_pos+0x58/0x4c0
? ksys_write+0xf3/0x1c0
? __pfx_ksys_write+0x10/0x10
? do_syscall_64+0xc8/0x250
? __pfx_vm_mmap_pgoff+0x10/0x10
? fget+0x173/0x230
? fput+0x2a/0x80
? ksys_mmap_pgoff+0x224/0x4c0
? do_syscall_64+0xc8/0x250
? do_user_addr_fault+0x37b/0xfe0
? clear_bhb_loop+0x50/0xa0
? clear_bhb_loop+0x50/0xa0
? clear_bhb_loop+0x50/0xa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8700e3e7c4857d28ebaa824509934556da0b3e76 , < 58aca869babd48cb9c3d6ee9e1452c4b9f5266a6
(git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < b8f6eeb87a76b6fb1f6381b0b2894568e1b784f7 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 5dbeb421e137824aa9bd8358bdfc926a3965fc0d (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < bc4c14a3863cc0e03698caec9a0cdabd779776ee (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 503a5e4690ae14c18570141bc0dcf7501a8419b0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_srq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58aca869babd48cb9c3d6ee9e1452c4b9f5266a6",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "b8f6eeb87a76b6fb1f6381b0b2894568e1b784f7",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "5dbeb421e137824aa9bd8358bdfc926a3965fc0d",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "bc4c14a3863cc0e03698caec9a0cdabd779776ee",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "503a5e4690ae14c18570141bc0dcf7501a8419b0",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_srq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix null deref on srq-\u003erq.queue after resize failure\n\nA NULL pointer dereference can occur in rxe_srq_chk_attr() when\nibv_modify_srq() is invoked twice in succession under certain error\nconditions. The first call may fail in rxe_queue_resize(), which leads\nrxe_srq_from_attr() to set srq-\u003erq.queue = NULL. The second call then\ntriggers a crash (null deref) when accessing\nsrq-\u003erq.queue-\u003ebuf-\u003eindex_mask.\n\nCall Trace:\n\u003cTASK\u003e\nrxe_modify_srq+0x170/0x480 [rdma_rxe]\n? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe]\n? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs]\n? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs]\nib_uverbs_modify_srq+0x204/0x290 [ib_uverbs]\n? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs]\n? tryinc_node_nr_active+0xe6/0x150\n? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]\nib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs]\n? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]\n? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]\nib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs]\n? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]\nib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs]\n? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs]\n? __pfx___raw_spin_lock_irqsave+0x10/0x10\n? __pfx_do_vfs_ioctl+0x10/0x10\n? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0\n? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10\nib_uverbs_ioctl+0x13e/0x220 [ib_uverbs]\n? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs]\n__x64_sys_ioctl+0x138/0x1c0\ndo_syscall_64+0x82/0x250\n? fdget_pos+0x58/0x4c0\n? ksys_write+0xf3/0x1c0\n? __pfx_ksys_write+0x10/0x10\n? do_syscall_64+0xc8/0x250\n? __pfx_vm_mmap_pgoff+0x10/0x10\n? fget+0x173/0x230\n? fput+0x2a/0x80\n? ksys_mmap_pgoff+0x224/0x4c0\n? do_syscall_64+0xc8/0x250\n? do_user_addr_fault+0x37b/0xfe0\n? clear_bhb_loop+0x50/0xa0\n? clear_bhb_loop+0x50/0xa0\n? clear_bhb_loop+0x50/0xa0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:17.837Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58aca869babd48cb9c3d6ee9e1452c4b9f5266a6"
},
{
"url": "https://git.kernel.org/stable/c/b8f6eeb87a76b6fb1f6381b0b2894568e1b784f7"
},
{
"url": "https://git.kernel.org/stable/c/5dbeb421e137824aa9bd8358bdfc926a3965fc0d"
},
{
"url": "https://git.kernel.org/stable/c/bc4c14a3863cc0e03698caec9a0cdabd779776ee"
},
{
"url": "https://git.kernel.org/stable/c/503a5e4690ae14c18570141bc0dcf7501a8419b0"
}
],
"title": "RDMA/rxe: Fix null deref on srq-\u003erq.queue after resize failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68379",
"datePublished": "2025-12-24T10:33:07.538Z",
"dateReserved": "2025-12-16T14:48:05.311Z",
"dateUpdated": "2026-02-09T08:32:17.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39967 (GCVE-0-2025-39967)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:55 – Updated: 2025-10-15 07:55
VLAI?
EPSS
Title
fbcon: fix integer overflow in fbcon_do_set_font
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbcon: fix integer overflow in fbcon_do_set_font
Fix integer overflow vulnerabilities in fbcon_do_set_font() where font
size calculations could overflow when handling user-controlled font
parameters.
The vulnerabilities occur when:
1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount
multiplication with user-controlled values that can overflow.
2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow
3. This results in smaller allocations than expected, leading to buffer
overflows during font data copying.
Add explicit overflow checking using check_mul_overflow() and
check_add_overflow() kernel helpers to safety validate all size
calculations before allocation.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
96e41fc29e8af5c5085fb8a79cab8d0d00bab86c , < 994bdc2d23c79087fbf7dcd9544454e8ebcef877
(git)
Affected: 39b3cffb8cf3111738ea993e2757ab382253d86a , < 9c8ec14075c5317edd6b242f1be8167aa1e4e333 (git) Affected: 39b3cffb8cf3111738ea993e2757ab382253d86a , < b8a6e85328aeb9881531dbe89bcd2637a06c3c95 (git) Affected: 39b3cffb8cf3111738ea993e2757ab382253d86a , < a6eb9f423b3db000aaedf83367b8539f6b72dcfc (git) Affected: 39b3cffb8cf3111738ea993e2757ab382253d86a , < adac90bb1aaf45ca66f9db8ac100be16750ace78 (git) Affected: 39b3cffb8cf3111738ea993e2757ab382253d86a , < 4a4bac869560f943edbe3c2b032062f6673b13d3 (git) Affected: 39b3cffb8cf3111738ea993e2757ab382253d86a , < c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7 (git) Affected: 39b3cffb8cf3111738ea993e2757ab382253d86a , < 1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe (git) Affected: ae021a904ac82d9fc81c25329d3c465c5a7d5686 (git) Affected: 451bffa366f2cc0e5314807cb847f31c0226efed (git) Affected: 2c455e9c5865861f5ce09c5f596909495ed7657c (git) Affected: 72f099805dbc907fbe8fa19bccdc31d3e2ee6e9e (git) Affected: 34cf1aff169dc6dedad8d79da7bf1b4de2773dbc (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbcon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "994bdc2d23c79087fbf7dcd9544454e8ebcef877",
"status": "affected",
"version": "96e41fc29e8af5c5085fb8a79cab8d0d00bab86c",
"versionType": "git"
},
{
"lessThan": "9c8ec14075c5317edd6b242f1be8167aa1e4e333",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "b8a6e85328aeb9881531dbe89bcd2637a06c3c95",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "a6eb9f423b3db000aaedf83367b8539f6b72dcfc",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "adac90bb1aaf45ca66f9db8ac100be16750ace78",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "4a4bac869560f943edbe3c2b032062f6673b13d3",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"status": "affected",
"version": "ae021a904ac82d9fc81c25329d3c465c5a7d5686",
"versionType": "git"
},
{
"status": "affected",
"version": "451bffa366f2cc0e5314807cb847f31c0226efed",
"versionType": "git"
},
{
"status": "affected",
"version": "2c455e9c5865861f5ce09c5f596909495ed7657c",
"versionType": "git"
},
{
"status": "affected",
"version": "72f099805dbc907fbe8fa19bccdc31d3e2ee6e9e",
"versionType": "git"
},
{
"status": "affected",
"version": "34cf1aff169dc6dedad8d79da7bf1b4de2773dbc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbcon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "5.4.62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.143",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: fix integer overflow in fbcon_do_set_font\n\nFix integer overflow vulnerabilities in fbcon_do_set_font() where font\nsize calculations could overflow when handling user-controlled font\nparameters.\n\nThe vulnerabilities occur when:\n1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount\n multiplication with user-controlled values that can overflow.\n2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow\n3. This results in smaller allocations than expected, leading to buffer\n overflows during font data copying.\n\nAdd explicit overflow checking using check_mul_overflow() and\ncheck_add_overflow() kernel helpers to safety validate all size\ncalculations before allocation."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:51.554Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/994bdc2d23c79087fbf7dcd9544454e8ebcef877"
},
{
"url": "https://git.kernel.org/stable/c/9c8ec14075c5317edd6b242f1be8167aa1e4e333"
},
{
"url": "https://git.kernel.org/stable/c/b8a6e85328aeb9881531dbe89bcd2637a06c3c95"
},
{
"url": "https://git.kernel.org/stable/c/a6eb9f423b3db000aaedf83367b8539f6b72dcfc"
},
{
"url": "https://git.kernel.org/stable/c/adac90bb1aaf45ca66f9db8ac100be16750ace78"
},
{
"url": "https://git.kernel.org/stable/c/4a4bac869560f943edbe3c2b032062f6673b13d3"
},
{
"url": "https://git.kernel.org/stable/c/c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7"
},
{
"url": "https://git.kernel.org/stable/c/1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe"
}
],
"title": "fbcon: fix integer overflow in fbcon_do_set_font",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39967",
"datePublished": "2025-10-15T07:55:51.554Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:51.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39986 (GCVE-0-2025-39986)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:56 – Updated: 2025-10-15 07:56
VLAI?
EPSS
Title
can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the sun4i_can driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))
to inject a malicious CAN XL frames. For example:
struct canxl_frame frame = {
.flags = 0xff,
.len = 2048,
};
The CAN drivers' xmit() function are calling can_dev_dropped_skb() to
check that the skb is valid, unfortunately under above conditions, the
malicious packet is able to go through can_dev_dropped_skb() checks:
1. the skb->protocol is set to ETH_P_CANXL which is valid (the
function does not check the actual device capabilities).
2. the length is a valid CAN XL length.
And so, sun4ican_start_xmit() receives a CAN XL frame which it is not
able to correctly handle and will thus misinterpret it as a CAN frame.
This can result in a buffer overflow. The driver will consume cf->len
as-is with no further checks on this line:
dlc = cf->len;
Here, cf->len corresponds to the flags field of the CAN XL frame. In
our previous example, we set canxl_frame->flags to 0xff. Because the
maximum expected length is 8, a buffer overflow of 247 bytes occurs a
couple line below when doing:
for (i = 0; i < dlc; i++)
writel(cf->data[i], priv->base + (dreg + i * 4));
Populate net_device_ops->ndo_change_mtu() to ensure that the
interface's MTU can not be set to anything bigger than CAN_MTU. By
fixing the root cause, this prevents the buffer overflow.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0738eff14d817a02ab082c392c96a1613006f158 , < 063539db42203b29d5aa2adf0cae3d68c646a6b6
(git)
Affected: 0738eff14d817a02ab082c392c96a1613006f158 , < 4f382cc887adca8478b9d3e6b81aa6698a95fff4 (git) Affected: 0738eff14d817a02ab082c392c96a1613006f158 , < 60463a1c138900494cb3adae41142a11cd8feb3c (git) Affected: 0738eff14d817a02ab082c392c96a1613006f158 , < a61ff7ac93270d20ca426c027d6d01c8ac8e904c (git) Affected: 0738eff14d817a02ab082c392c96a1613006f158 , < 2e423e1990f3972cbea779883fef52c2f2acb858 (git) Affected: 0738eff14d817a02ab082c392c96a1613006f158 , < de77841652e57afbc46e9e1dbf51ee364fc008e1 (git) Affected: 0738eff14d817a02ab082c392c96a1613006f158 , < 7f7b21026a6febdb749f6f6f950427245aa86cce (git) Affected: 0738eff14d817a02ab082c392c96a1613006f158 , < 61da0bd4102c459823fbe6b8b43b01fb6ace4a22 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/sun4i_can.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "063539db42203b29d5aa2adf0cae3d68c646a6b6",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "4f382cc887adca8478b9d3e6b81aa6698a95fff4",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "60463a1c138900494cb3adae41142a11cd8feb3c",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "a61ff7ac93270d20ca426c027d6d01c8ac8e904c",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "2e423e1990f3972cbea779883fef52c2f2acb858",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "de77841652e57afbc46e9e1dbf51ee364fc008e1",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "7f7b21026a6febdb749f6f6f950427245aa86cce",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "61da0bd4102c459823fbe6b8b43b01fb6ace4a22",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/sun4i_can.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow\n\nSending an PF_PACKET allows to bypass the CAN framework logic and to\ndirectly reach the xmit() function of a CAN driver. The only check\nwhich is performed by the PF_PACKET framework is to make sure that\nskb-\u003elen fits the interface\u0027s MTU.\n\nUnfortunately, because the sun4i_can driver does not populate its\nnet_device_ops-\u003endo_change_mtu(), it is possible for an attacker to\nconfigure an invalid MTU by doing, for example:\n\n $ ip link set can0 mtu 9999\n\nAfter doing so, the attacker could open a PF_PACKET socket using the\nETH_P_CANXL protocol:\n\n\tsocket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))\n\nto inject a malicious CAN XL frames. For example:\n\n\tstruct canxl_frame frame = {\n\t\t.flags = 0xff,\n\t\t.len = 2048,\n\t};\n\nThe CAN drivers\u0027 xmit() function are calling can_dev_dropped_skb() to\ncheck that the skb is valid, unfortunately under above conditions, the\nmalicious packet is able to go through can_dev_dropped_skb() checks:\n\n 1. the skb-\u003eprotocol is set to ETH_P_CANXL which is valid (the\n function does not check the actual device capabilities).\n\n 2. the length is a valid CAN XL length.\n\nAnd so, sun4ican_start_xmit() receives a CAN XL frame which it is not\nable to correctly handle and will thus misinterpret it as a CAN frame.\n\nThis can result in a buffer overflow. The driver will consume cf-\u003elen\nas-is with no further checks on this line:\n\n\tdlc = cf-\u003elen;\n\nHere, cf-\u003elen corresponds to the flags field of the CAN XL frame. In\nour previous example, we set canxl_frame-\u003eflags to 0xff. Because the\nmaximum expected length is 8, a buffer overflow of 247 bytes occurs a\ncouple line below when doing:\n\n\tfor (i = 0; i \u003c dlc; i++)\n\t\twritel(cf-\u003edata[i], priv-\u003ebase + (dreg + i * 4));\n\nPopulate net_device_ops-\u003endo_change_mtu() to ensure that the\ninterface\u0027s MTU can not be set to anything bigger than CAN_MTU. By\nfixing the root cause, this prevents the buffer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:05.143Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/063539db42203b29d5aa2adf0cae3d68c646a6b6"
},
{
"url": "https://git.kernel.org/stable/c/4f382cc887adca8478b9d3e6b81aa6698a95fff4"
},
{
"url": "https://git.kernel.org/stable/c/60463a1c138900494cb3adae41142a11cd8feb3c"
},
{
"url": "https://git.kernel.org/stable/c/a61ff7ac93270d20ca426c027d6d01c8ac8e904c"
},
{
"url": "https://git.kernel.org/stable/c/2e423e1990f3972cbea779883fef52c2f2acb858"
},
{
"url": "https://git.kernel.org/stable/c/de77841652e57afbc46e9e1dbf51ee364fc008e1"
},
{
"url": "https://git.kernel.org/stable/c/7f7b21026a6febdb749f6f6f950427245aa86cce"
},
{
"url": "https://git.kernel.org/stable/c/61da0bd4102c459823fbe6b8b43b01fb6ace4a22"
}
],
"title": "can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39986",
"datePublished": "2025-10-15T07:56:05.143Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:05.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68229 (GCVE-0-2025-68229)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57
VLAI?
EPSS
Title
scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we
attempt to dereference it in tcm_loop_tpg_address_show() we will get a
segfault, see below for an example. So, check tl_hba->sh before
dereferencing it.
Unable to allocate struct scsi_host
BUG: kernel NULL pointer dereference, address: 0000000000000194
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1
Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024
RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]
...
Call Trace:
<TASK>
configfs_read_iter+0x12d/0x1d0 [configfs]
vfs_read+0x1b5/0x300
ksys_read+0x6f/0xf0
...
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2628b352c3d4905adf8129ea50900bd980b6ccef , < 63f511d3855f7f4b35dd63dbc58fc3d935a81268
(git)
Affected: 2628b352c3d4905adf8129ea50900bd980b6ccef , < 3d8c517f6eb27e47b1a198e05f8023038329b40b (git) Affected: 2628b352c3d4905adf8129ea50900bd980b6ccef , < f449a1edd7a13bb025aaf9342ea6f8bf92684bbf (git) Affected: 2628b352c3d4905adf8129ea50900bd980b6ccef , < 1c9ba455b5073253ceaadae4859546e38e8261fe (git) Affected: 2628b352c3d4905adf8129ea50900bd980b6ccef , < a6ef60898ddaf1414592ce3e5b0d94276d631663 (git) Affected: 2628b352c3d4905adf8129ea50900bd980b6ccef , < 72e8831079266749a7023618a0de2f289a9dced6 (git) Affected: 2628b352c3d4905adf8129ea50900bd980b6ccef , < 13aff3b8a7184281b134698704d6c06863a8361b (git) Affected: 2628b352c3d4905adf8129ea50900bd980b6ccef , < e6965188f84a7883e6a0d3448e86b0cf29b24dfc (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/loopback/tcm_loop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "63f511d3855f7f4b35dd63dbc58fc3d935a81268",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "3d8c517f6eb27e47b1a198e05f8023038329b40b",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "f449a1edd7a13bb025aaf9342ea6f8bf92684bbf",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "1c9ba455b5073253ceaadae4859546e38e8261fe",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "a6ef60898ddaf1414592ce3e5b0d94276d631663",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "72e8831079266749a7023618a0de2f289a9dced6",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "13aff3b8a7184281b134698704d6c06863a8361b",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "e6965188f84a7883e6a0d3448e86b0cf29b24dfc",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/loopback/tcm_loop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()\n\nIf the allocation of tl_hba-\u003esh fails in tcm_loop_driver_probe() and we\nattempt to dereference it in tcm_loop_tpg_address_show() we will get a\nsegfault, see below for an example. So, check tl_hba-\u003esh before\ndereferencing it.\n\n Unable to allocate struct scsi_host\n BUG: kernel NULL pointer dereference, address: 0000000000000194\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1\n Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024\n RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]\n...\n Call Trace:\n \u003cTASK\u003e\n configfs_read_iter+0x12d/0x1d0 [configfs]\n vfs_read+0x1b5/0x300\n ksys_read+0x6f/0xf0\n..."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:21.835Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/63f511d3855f7f4b35dd63dbc58fc3d935a81268"
},
{
"url": "https://git.kernel.org/stable/c/3d8c517f6eb27e47b1a198e05f8023038329b40b"
},
{
"url": "https://git.kernel.org/stable/c/f449a1edd7a13bb025aaf9342ea6f8bf92684bbf"
},
{
"url": "https://git.kernel.org/stable/c/1c9ba455b5073253ceaadae4859546e38e8261fe"
},
{
"url": "https://git.kernel.org/stable/c/a6ef60898ddaf1414592ce3e5b0d94276d631663"
},
{
"url": "https://git.kernel.org/stable/c/72e8831079266749a7023618a0de2f289a9dced6"
},
{
"url": "https://git.kernel.org/stable/c/13aff3b8a7184281b134698704d6c06863a8361b"
},
{
"url": "https://git.kernel.org/stable/c/e6965188f84a7883e6a0d3448e86b0cf29b24dfc"
}
],
"title": "scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68229",
"datePublished": "2025-12-16T13:57:21.835Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2025-12-16T13:57:21.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40033 (GCVE-0-2025-40033)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable()
Summary
In the Linux kernel, the following vulnerability has been resolved:
remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable()
pru_rproc_set_ctable() accessed rproc->priv before the IS_ERR_OR_NULL
check, which could lead to a null pointer dereference. Move the pru
assignment, ensuring we never dereference a NULL rproc pointer.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
102853400321baea2527917e6e89be33508c3e18 , < 66821fdb723d55b25482a76b92d17d416efeae6b
(git)
Affected: 102853400321baea2527917e6e89be33508c3e18 , < c9b6d789591f2bd57b0cbd59592493e11e029ed4 (git) Affected: 102853400321baea2527917e6e89be33508c3e18 , < f0164d89950120281f2446be9687cffa1e43dbcc (git) Affected: 102853400321baea2527917e6e89be33508c3e18 , < d41e075b077142bb9ae5df40b9ddf9fd7821a811 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/pru_rproc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "66821fdb723d55b25482a76b92d17d416efeae6b",
"status": "affected",
"version": "102853400321baea2527917e6e89be33508c3e18",
"versionType": "git"
},
{
"lessThan": "c9b6d789591f2bd57b0cbd59592493e11e029ed4",
"status": "affected",
"version": "102853400321baea2527917e6e89be33508c3e18",
"versionType": "git"
},
{
"lessThan": "f0164d89950120281f2446be9687cffa1e43dbcc",
"status": "affected",
"version": "102853400321baea2527917e6e89be33508c3e18",
"versionType": "git"
},
{
"lessThan": "d41e075b077142bb9ae5df40b9ddf9fd7821a811",
"status": "affected",
"version": "102853400321baea2527917e6e89be33508c3e18",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/pru_rproc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable()\n\npru_rproc_set_ctable() accessed rproc-\u003epriv before the IS_ERR_OR_NULL\ncheck, which could lead to a null pointer dereference. Move the pru\nassignment, ensuring we never dereference a NULL rproc pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:36.566Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/66821fdb723d55b25482a76b92d17d416efeae6b"
},
{
"url": "https://git.kernel.org/stable/c/c9b6d789591f2bd57b0cbd59592493e11e029ed4"
},
{
"url": "https://git.kernel.org/stable/c/f0164d89950120281f2446be9687cffa1e43dbcc"
},
{
"url": "https://git.kernel.org/stable/c/d41e075b077142bb9ae5df40b9ddf9fd7821a811"
}
],
"title": "remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40033",
"datePublished": "2025-10-28T11:48:15.624Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-12-01T06:16:36.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68235 (GCVE-0-2025-68235)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:08 – Updated: 2025-12-16 14:08
VLAI?
EPSS
Title
nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot
Summary
In the Linux kernel, the following vulnerability has been resolved:
nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot
nvkm_falcon_fw::boot is allocated, but no one frees it. This causes a
kmemleak warning.
Make sure this data is deallocated.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2541626cfb794e57ba0575a6920826f591f7ced0 , < 7d1977b4ae5c50e1aafc5c51500fc08bd7afd6a0
(git)
Affected: 2541626cfb794e57ba0575a6920826f591f7ced0 , < 6492add9a3a163d5e0390428d2636adc3e61b883 (git) Affected: 2541626cfb794e57ba0575a6920826f591f7ced0 , < 2bba02a39bfb383bd1a95868d532c0917e38f9e7 (git) Affected: 2541626cfb794e57ba0575a6920826f591f7ced0 , < 949f1fd2225baefbea2995afa807dba5cbdb6bd3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nvkm/falcon/fw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7d1977b4ae5c50e1aafc5c51500fc08bd7afd6a0",
"status": "affected",
"version": "2541626cfb794e57ba0575a6920826f591f7ced0",
"versionType": "git"
},
{
"lessThan": "6492add9a3a163d5e0390428d2636adc3e61b883",
"status": "affected",
"version": "2541626cfb794e57ba0575a6920826f591f7ced0",
"versionType": "git"
},
{
"lessThan": "2bba02a39bfb383bd1a95868d532c0917e38f9e7",
"status": "affected",
"version": "2541626cfb794e57ba0575a6920826f591f7ced0",
"versionType": "git"
},
{
"lessThan": "949f1fd2225baefbea2995afa807dba5cbdb6bd3",
"status": "affected",
"version": "2541626cfb794e57ba0575a6920826f591f7ced0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nvkm/falcon/fw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot\n\nnvkm_falcon_fw::boot is allocated, but no one frees it. This causes a\nkmemleak warning.\n\nMake sure this data is deallocated."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:08:29.396Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7d1977b4ae5c50e1aafc5c51500fc08bd7afd6a0"
},
{
"url": "https://git.kernel.org/stable/c/6492add9a3a163d5e0390428d2636adc3e61b883"
},
{
"url": "https://git.kernel.org/stable/c/2bba02a39bfb383bd1a95868d532c0917e38f9e7"
},
{
"url": "https://git.kernel.org/stable/c/949f1fd2225baefbea2995afa807dba5cbdb6bd3"
}
],
"title": "nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68235",
"datePublished": "2025-12-16T14:08:29.396Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2025-12-16T14:08:29.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68180 (GCVE-0-2025-68180)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2025-12-16 13:42
VLAI?
EPSS
Title
drm/amd/display: Fix NULL deref in debugfs odm_combine_segments
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix NULL deref in debugfs odm_combine_segments
When a connector is connected but inactive (e.g., disabled by desktop
environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading
odm_combine_segments causes kernel NULL pointer dereference.
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6
Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025
RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]
Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>
RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286
RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8
RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0
R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08
R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001
FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0
PKRU: 55555554
Call Trace:
<TASK>
seq_read_iter+0x125/0x490
? __alloc_frozen_pages_noprof+0x18f/0x350
seq_read+0x12c/0x170
full_proxy_read+0x51/0x80
vfs_read+0xbc/0x390
? __handle_mm_fault+0xa46/0xef0
? do_syscall_64+0x71/0x900
ksys_read+0x73/0xf0
do_syscall_64+0x71/0x900
? count_memcg_events+0xc2/0x190
? handle_mm_fault+0x1d7/0x2d0
? do_user_addr_fault+0x21a/0x690
? exc_page_fault+0x7e/0x1a0
entry_SYSCALL_64_after_hwframe+0x6c/0x74
RIP: 0033:0x7f44d4031687
Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00>
RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687
RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003
RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000
R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000
</TASK>
Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x>
snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn>
platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp>
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]
Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>
RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286
RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8
RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0
R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08
R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001
FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0
PKRU: 55555554
Fix this by checking pipe_ctx->
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b , < d990c7f180aa7c6ffd2c1b3c77160e50672039ce
(git)
Affected: 07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b , < c05fe5d47baac212a3a74b279239f495be101629 (git) Affected: 07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b , < 6dd97ceb645c08aca9fc871a3006e47fe699f0ac (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d990c7f180aa7c6ffd2c1b3c77160e50672039ce",
"status": "affected",
"version": "07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b",
"versionType": "git"
},
{
"lessThan": "c05fe5d47baac212a3a74b279239f495be101629",
"status": "affected",
"version": "07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b",
"versionType": "git"
},
{
"lessThan": "6dd97ceb645c08aca9fc871a3006e47fe699f0ac",
"status": "affected",
"version": "07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL deref in debugfs odm_combine_segments\n\nWhen a connector is connected but inactive (e.g., disabled by desktop\nenvironments), pipe_ctx-\u003estream_res.tg will be destroyed. Then, reading\nodm_combine_segments causes kernel NULL pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6\n Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025\n RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]\n Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 \u003c48\u003e 8b 07 48 8b 80 08 02 00\u003e\n RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286\n RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8\n RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0\n R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08\n R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001\n FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n seq_read_iter+0x125/0x490\n ? __alloc_frozen_pages_noprof+0x18f/0x350\n seq_read+0x12c/0x170\n full_proxy_read+0x51/0x80\n vfs_read+0xbc/0x390\n ? __handle_mm_fault+0xa46/0xef0\n ? do_syscall_64+0x71/0x900\n ksys_read+0x73/0xf0\n do_syscall_64+0x71/0x900\n ? count_memcg_events+0xc2/0x190\n ? handle_mm_fault+0x1d7/0x2d0\n ? do_user_addr_fault+0x21a/0x690\n ? exc_page_fault+0x7e/0x1a0\n entry_SYSCALL_64_after_hwframe+0x6c/0x74\n RIP: 0033:0x7f44d4031687\n Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 \u003c5b\u003e c3 0f 1f 80 00 00 00 00\u003e\n RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000\n RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687\n RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003\n RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000\n R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000\n \u003c/TASK\u003e\n Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x\u003e\n snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn\u003e\n platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp\u003e\n CR2: 0000000000000000\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]\n Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 \u003c48\u003e 8b 07 48 8b 80 08 02 00\u003e\n RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286\n RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8\n RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0\n R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08\n R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001\n FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0\n PKRU: 55555554\n\nFix this by checking pipe_ctx-\u003e\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:42:58.687Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d990c7f180aa7c6ffd2c1b3c77160e50672039ce"
},
{
"url": "https://git.kernel.org/stable/c/c05fe5d47baac212a3a74b279239f495be101629"
},
{
"url": "https://git.kernel.org/stable/c/6dd97ceb645c08aca9fc871a3006e47fe699f0ac"
}
],
"title": "drm/amd/display: Fix NULL deref in debugfs odm_combine_segments",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68180",
"datePublished": "2025-12-16T13:42:58.687Z",
"dateReserved": "2025-12-16T13:41:40.252Z",
"dateUpdated": "2025-12-16T13:42:58.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71180 (GCVE-0-2025-71180)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:38 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
counter: interrupt-cnt: Drop IRQF_NO_THREAD flag
Summary
In the Linux kernel, the following vulnerability has been resolved:
counter: interrupt-cnt: Drop IRQF_NO_THREAD flag
An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as
CONFIG_PROVE_RAW_LOCK_NESTING warns:
=============================
[ BUG: Invalid wait context ]
6.18.0-rc1+git... #1
-----------------------------
some-user-space-process/1251 is trying to lock:
(&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter]
other info that might help us debug this:
context-{2:2}
no locks held by some-user-space-process/....
stack backtrace:
CPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT
Call trace:
show_stack (C)
dump_stack_lvl
dump_stack
__lock_acquire
lock_acquire
_raw_spin_lock_irqsave
counter_push_event [counter]
interrupt_cnt_isr [interrupt_cnt]
__handle_irq_event_percpu
handle_irq_event
handle_simple_irq
handle_irq_desc
generic_handle_domain_irq
gpio_irq_handler
handle_irq_desc
generic_handle_domain_irq
gic_handle_irq
call_on_irq_stack
do_interrupt_handler
el0_interrupt
__el0_irq_handler_common
el0t_64_irq_handler
el0t_64_irq
... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an
alternative to switching to raw_spinlock_t, because the latter would limit
all potential nested locks to raw_spinlock_t only.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a55ebd47f21f6f0472766fb52c973849e31d1466 , < ef668c9a2261ec9287faba6e6ef05a98b391aa2b
(git)
Affected: a55ebd47f21f6f0472766fb52c973849e31d1466 , < 51d2e5d6491447258cb39ff1deb93df15d3c23cb (git) Affected: a55ebd47f21f6f0472766fb52c973849e31d1466 , < 1c5a3175aecf82cd86dfcbef2a23e8b26d8d8e7c (git) Affected: a55ebd47f21f6f0472766fb52c973849e31d1466 , < 49a66829dd3653695e60d7cae13521d131362fcd (git) Affected: a55ebd47f21f6f0472766fb52c973849e31d1466 , < 425886b1f8304621b3f16632b274357067d5f13f (git) Affected: a55ebd47f21f6f0472766fb52c973849e31d1466 , < 23f9485510c338476b9735d516c1d4aacb810d46 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/counter/interrupt-cnt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ef668c9a2261ec9287faba6e6ef05a98b391aa2b",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
},
{
"lessThan": "51d2e5d6491447258cb39ff1deb93df15d3c23cb",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
},
{
"lessThan": "1c5a3175aecf82cd86dfcbef2a23e8b26d8d8e7c",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
},
{
"lessThan": "49a66829dd3653695e60d7cae13521d131362fcd",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
},
{
"lessThan": "425886b1f8304621b3f16632b274357067d5f13f",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
},
{
"lessThan": "23f9485510c338476b9735d516c1d4aacb810d46",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/counter/interrupt-cnt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncounter: interrupt-cnt: Drop IRQF_NO_THREAD flag\n\nAn IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as\nCONFIG_PROVE_RAW_LOCK_NESTING warns:\n=============================\n[ BUG: Invalid wait context ]\n6.18.0-rc1+git... #1\n-----------------------------\nsome-user-space-process/1251 is trying to lock:\n(\u0026counter-\u003eevents_list_lock){....}-{3:3}, at: counter_push_event [counter]\nother info that might help us debug this:\ncontext-{2:2}\nno locks held by some-user-space-process/....\nstack backtrace:\nCPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT\nCall trace:\n show_stack (C)\n dump_stack_lvl\n dump_stack\n __lock_acquire\n lock_acquire\n _raw_spin_lock_irqsave\n counter_push_event [counter]\n interrupt_cnt_isr [interrupt_cnt]\n __handle_irq_event_percpu\n handle_irq_event\n handle_simple_irq\n handle_irq_desc\n generic_handle_domain_irq\n gpio_irq_handler\n handle_irq_desc\n generic_handle_domain_irq\n gic_handle_irq\n call_on_irq_stack\n do_interrupt_handler\n el0_interrupt\n __el0_irq_handler_common\n el0t_64_irq_handler\n el0t_64_irq\n\n... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an\nalternative to switching to raw_spinlock_t, because the latter would limit\nall potential nested locks to raw_spinlock_t only."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:04.225Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ef668c9a2261ec9287faba6e6ef05a98b391aa2b"
},
{
"url": "https://git.kernel.org/stable/c/51d2e5d6491447258cb39ff1deb93df15d3c23cb"
},
{
"url": "https://git.kernel.org/stable/c/1c5a3175aecf82cd86dfcbef2a23e8b26d8d8e7c"
},
{
"url": "https://git.kernel.org/stable/c/49a66829dd3653695e60d7cae13521d131362fcd"
},
{
"url": "https://git.kernel.org/stable/c/425886b1f8304621b3f16632b274357067d5f13f"
},
{
"url": "https://git.kernel.org/stable/c/23f9485510c338476b9735d516c1d4aacb810d46"
}
],
"title": "counter: interrupt-cnt: Drop IRQF_NO_THREAD flag",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71180",
"datePublished": "2026-01-31T11:38:52.481Z",
"dateReserved": "2026-01-31T11:36:51.183Z",
"dateUpdated": "2026-02-09T08:36:04.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68173 (GCVE-0-2025-68173)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
ftrace: Fix softlockup in ftrace_module_enable
Summary
In the Linux kernel, the following vulnerability has been resolved:
ftrace: Fix softlockup in ftrace_module_enable
A soft lockup was observed when loading amdgpu module.
If a module has a lot of tracable functions, multiple calls
to kallsyms_lookup can spend too much time in RCU critical
section and with disabled preemption, causing kernel panic.
This is the same issue that was fixed in
commit d0b24b4e91fc ("ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY
kernels") and commit 42ea22e754ba ("ftrace: Add cond_resched() to
ftrace_graph_set_hash()").
Fix it the same way by adding cond_resched() in ftrace_module_enable.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b7ffffbb46f205e7727a18bcc7a46c3c2b534f7c , < a1dd0abd741a8111260676da729825d6c1461a71
(git)
Affected: b7ffffbb46f205e7727a18bcc7a46c3c2b534f7c , < e81e6d6d99b16dae11adbeda5c996317942a940c (git) Affected: b7ffffbb46f205e7727a18bcc7a46c3c2b534f7c , < 40c8ee40e48a2c82c762539952ed8fc0571db5bf (git) Affected: b7ffffbb46f205e7727a18bcc7a46c3c2b534f7c , < 7e3c96010ade29bb340a5bdce8675f50c7f59001 (git) Affected: b7ffffbb46f205e7727a18bcc7a46c3c2b534f7c , < 4099b98203d6b33d990586542fa5beee408032a3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/ftrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a1dd0abd741a8111260676da729825d6c1461a71",
"status": "affected",
"version": "b7ffffbb46f205e7727a18bcc7a46c3c2b534f7c",
"versionType": "git"
},
{
"lessThan": "e81e6d6d99b16dae11adbeda5c996317942a940c",
"status": "affected",
"version": "b7ffffbb46f205e7727a18bcc7a46c3c2b534f7c",
"versionType": "git"
},
{
"lessThan": "40c8ee40e48a2c82c762539952ed8fc0571db5bf",
"status": "affected",
"version": "b7ffffbb46f205e7727a18bcc7a46c3c2b534f7c",
"versionType": "git"
},
{
"lessThan": "7e3c96010ade29bb340a5bdce8675f50c7f59001",
"status": "affected",
"version": "b7ffffbb46f205e7727a18bcc7a46c3c2b534f7c",
"versionType": "git"
},
{
"lessThan": "4099b98203d6b33d990586542fa5beee408032a3",
"status": "affected",
"version": "b7ffffbb46f205e7727a18bcc7a46c3c2b534f7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/ftrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix softlockup in ftrace_module_enable\n\nA soft lockup was observed when loading amdgpu module.\nIf a module has a lot of tracable functions, multiple calls\nto kallsyms_lookup can spend too much time in RCU critical\nsection and with disabled preemption, causing kernel panic.\nThis is the same issue that was fixed in\ncommit d0b24b4e91fc (\"ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY\nkernels\") and commit 42ea22e754ba (\"ftrace: Add cond_resched() to\nftrace_graph_set_hash()\").\n\nFix it the same way by adding cond_resched() in ftrace_module_enable."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:00.422Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a1dd0abd741a8111260676da729825d6c1461a71"
},
{
"url": "https://git.kernel.org/stable/c/e81e6d6d99b16dae11adbeda5c996317942a940c"
},
{
"url": "https://git.kernel.org/stable/c/40c8ee40e48a2c82c762539952ed8fc0571db5bf"
},
{
"url": "https://git.kernel.org/stable/c/7e3c96010ade29bb340a5bdce8675f50c7f59001"
},
{
"url": "https://git.kernel.org/stable/c/4099b98203d6b33d990586542fa5beee408032a3"
}
],
"title": "ftrace: Fix softlockup in ftrace_module_enable",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68173",
"datePublished": "2025-12-16T13:42:53.106Z",
"dateReserved": "2025-12-16T13:41:40.251Z",
"dateUpdated": "2026-01-02T15:34:00.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68214 (GCVE-0-2025-68214)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2026-02-12 08:19
VLAI?
EPSS
Title
timers: Fix NULL function pointer race in timer_shutdown_sync()
Summary
In the Linux kernel, the following vulnerability has been resolved:
timers: Fix NULL function pointer race in timer_shutdown_sync()
There is a race condition between timer_shutdown_sync() and timer
expiration that can lead to hitting a WARN_ON in expire_timers().
The issue occurs when timer_shutdown_sync() clears the timer function
to NULL while the timer is still running on another CPU. The race
scenario looks like this:
CPU0 CPU1
<SOFTIRQ>
lock_timer_base()
expire_timers()
base->running_timer = timer;
unlock_timer_base()
[call_timer_fn enter]
mod_timer()
...
timer_shutdown_sync()
lock_timer_base()
// For now, will not detach the timer but only clear its function to NULL
if (base->running_timer != timer)
ret = detach_if_pending(timer, base, true);
if (shutdown)
timer->function = NULL;
unlock_timer_base()
[call_timer_fn exit]
lock_timer_base()
base->running_timer = NULL;
unlock_timer_base()
...
// Now timer is pending while its function set to NULL.
// next timer trigger
<SOFTIRQ>
expire_timers()
WARN_ON_ONCE(!fn) // hit
...
lock_timer_base()
// Now timer will detach
if (base->running_timer != timer)
ret = detach_if_pending(timer, base, true);
if (shutdown)
timer->function = NULL;
unlock_timer_base()
The problem is that timer_shutdown_sync() clears the timer function
regardless of whether the timer is currently running. This can leave a
pending timer with a NULL function pointer, which triggers the
WARN_ON_ONCE(!fn) check in expire_timers().
Fix this by only clearing the timer function when actually detaching the
timer. If the timer is running, leave the function pointer intact, which is
safe because the timer will be properly detached when it finishes running.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
debbcf812d735003c96c5e5968a3cfa4e1fbd1af , < ba43ac025c4318241f8edf94f31d2eebab86991b
(git)
Affected: 334c33aa487be406a149c8b87c38c8399d2dba8d , < 1a975716cc8977f461e45e28e3e5977d46ad7a6a (git) Affected: 0cc04e80458a822300b93f82ed861a513edde194 , < 6665fbd7730b26d770c232b20d1b907e6a67a914 (git) Affected: 0cc04e80458a822300b93f82ed861a513edde194 , < 176725f4848376530a0f0da9023f956afcc33585 (git) Affected: 0cc04e80458a822300b93f82ed861a513edde194 , < a01efa7a780c42ac5170a949bd95c9786ffcc60a (git) Affected: 0cc04e80458a822300b93f82ed861a513edde194 , < 20739af07383e6eb1ec59dcd70b72ebfa9ac362c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/time/timer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba43ac025c4318241f8edf94f31d2eebab86991b",
"status": "affected",
"version": "debbcf812d735003c96c5e5968a3cfa4e1fbd1af",
"versionType": "git"
},
{
"lessThan": "1a975716cc8977f461e45e28e3e5977d46ad7a6a",
"status": "affected",
"version": "334c33aa487be406a149c8b87c38c8399d2dba8d",
"versionType": "git"
},
{
"lessThan": "6665fbd7730b26d770c232b20d1b907e6a67a914",
"status": "affected",
"version": "0cc04e80458a822300b93f82ed861a513edde194",
"versionType": "git"
},
{
"lessThan": "176725f4848376530a0f0da9023f956afcc33585",
"status": "affected",
"version": "0cc04e80458a822300b93f82ed861a513edde194",
"versionType": "git"
},
{
"lessThan": "a01efa7a780c42ac5170a949bd95c9786ffcc60a",
"status": "affected",
"version": "0cc04e80458a822300b93f82ed861a513edde194",
"versionType": "git"
},
{
"lessThan": "20739af07383e6eb1ec59dcd70b72ebfa9ac362c",
"status": "affected",
"version": "0cc04e80458a822300b93f82ed861a513edde194",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/time/timer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.158",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntimers: Fix NULL function pointer race in timer_shutdown_sync()\n\nThere is a race condition between timer_shutdown_sync() and timer\nexpiration that can lead to hitting a WARN_ON in expire_timers().\n\nThe issue occurs when timer_shutdown_sync() clears the timer function\nto NULL while the timer is still running on another CPU. The race\nscenario looks like this:\n\nCPU0\t\t\t\t\tCPU1\n\t\t\t\t\t\u003cSOFTIRQ\u003e\n\t\t\t\t\tlock_timer_base()\n\t\t\t\t\texpire_timers()\n\t\t\t\t\tbase-\u003erunning_timer = timer;\n\t\t\t\t\tunlock_timer_base()\n\t\t\t\t\t[call_timer_fn enter]\n\t\t\t\t\tmod_timer()\n\t\t\t\t\t...\ntimer_shutdown_sync()\nlock_timer_base()\n// For now, will not detach the timer but only clear its function to NULL\nif (base-\u003erunning_timer != timer)\n\tret = detach_if_pending(timer, base, true);\nif (shutdown)\n\ttimer-\u003efunction = NULL;\nunlock_timer_base()\n\t\t\t\t\t[call_timer_fn exit]\n\t\t\t\t\tlock_timer_base()\n\t\t\t\t\tbase-\u003erunning_timer = NULL;\n\t\t\t\t\tunlock_timer_base()\n\t\t\t\t\t...\n\t\t\t\t\t// Now timer is pending while its function set to NULL.\n\t\t\t\t\t// next timer trigger\n\t\t\t\t\t\u003cSOFTIRQ\u003e\n\t\t\t\t\texpire_timers()\n\t\t\t\t\tWARN_ON_ONCE(!fn) // hit\n\t\t\t\t\t...\nlock_timer_base()\n// Now timer will detach\nif (base-\u003erunning_timer != timer)\n\tret = detach_if_pending(timer, base, true);\nif (shutdown)\n\ttimer-\u003efunction = NULL;\nunlock_timer_base()\n\nThe problem is that timer_shutdown_sync() clears the timer function\nregardless of whether the timer is currently running. This can leave a\npending timer with a NULL function pointer, which triggers the\nWARN_ON_ONCE(!fn) check in expire_timers().\n\nFix this by only clearing the timer function when actually detaching the\ntimer. If the timer is running, leave the function pointer intact, which is\nsafe because the timer will be properly detached when it finishes running."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T08:19:26.422Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba43ac025c4318241f8edf94f31d2eebab86991b"
},
{
"url": "https://git.kernel.org/stable/c/1a975716cc8977f461e45e28e3e5977d46ad7a6a"
},
{
"url": "https://git.kernel.org/stable/c/6665fbd7730b26d770c232b20d1b907e6a67a914"
},
{
"url": "https://git.kernel.org/stable/c/176725f4848376530a0f0da9023f956afcc33585"
},
{
"url": "https://git.kernel.org/stable/c/a01efa7a780c42ac5170a949bd95c9786ffcc60a"
},
{
"url": "https://git.kernel.org/stable/c/20739af07383e6eb1ec59dcd70b72ebfa9ac362c"
}
],
"title": "timers: Fix NULL function pointer race in timer_shutdown_sync()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68214",
"datePublished": "2025-12-16T13:57:09.728Z",
"dateReserved": "2025-12-16T13:41:40.256Z",
"dateUpdated": "2026-02-12T08:19:26.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68336 (GCVE-0-2025-68336)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
locking/spinlock/debug: Fix data-race in do_raw_write_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
locking/spinlock/debug: Fix data-race in do_raw_write_lock
KCSAN reports:
BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock
write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1:
do_raw_write_lock+0x120/0x204
_raw_write_lock_irq
do_exit
call_usermodehelper_exec_async
ret_from_fork
read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0:
do_raw_write_lock+0x88/0x204
_raw_write_lock_irq
do_exit
call_usermodehelper_exec_async
ret_from_fork
value changed: 0xffffffff -> 0x00000001
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111
Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has
adressed most of these races, but seems to be not consistent/not complete.
>From do_raw_write_lock() only debug_write_lock_after() part has been
converted to WRITE_ONCE(), but not debug_write_lock_before() part.
Do it now.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1a365e822372ba24c9da0822bc583894f6f3d821 , < 8e5b2cf10844402054b52b489b525dc30cc16908
(git)
Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < c228cb699a07a5f2d596d186bc5c314c99bb8bbf (git) Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < 93bd23524d63deb80fb85beb2e43fafeb1043d0f (git) Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < 39d2ef113416f1a4205b03fb0aa2e428d1412c77 (git) Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < b163a5e8c703201c905d6ec7920ed79d167e8442 (git) Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < 16b3590c0e1e615757dade098c8fbc0d4f040c76 (git) Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < 396a9270a7b90886be501611b13aa636f2e8c703 (git) Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < c14ecb555c3ee80eeb030a4e46d00e679537f03a (git) Affected: 3106fb78d3579c8e9c9b3040f7f7841981919624 (git) Affected: c0911024ff927ba5c4786b507004cb615be1d776 (git) Affected: 09226e5c38639437565af01e6009a9286a351d04 (git) Affected: c7673f01604fa722b9d7c1e29e17cec1b8ae09c5 (git) Affected: c120c3dbeb76305235c8e557f84d9e2d7d0f5933 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/locking/spinlock_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e5b2cf10844402054b52b489b525dc30cc16908",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "c228cb699a07a5f2d596d186bc5c314c99bb8bbf",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "93bd23524d63deb80fb85beb2e43fafeb1043d0f",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "39d2ef113416f1a4205b03fb0aa2e428d1412c77",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "b163a5e8c703201c905d6ec7920ed79d167e8442",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "16b3590c0e1e615757dade098c8fbc0d4f040c76",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "396a9270a7b90886be501611b13aa636f2e8c703",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "c14ecb555c3ee80eeb030a4e46d00e679537f03a",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"status": "affected",
"version": "3106fb78d3579c8e9c9b3040f7f7841981919624",
"versionType": "git"
},
{
"status": "affected",
"version": "c0911024ff927ba5c4786b507004cb615be1d776",
"versionType": "git"
},
{
"status": "affected",
"version": "09226e5c38639437565af01e6009a9286a351d04",
"versionType": "git"
},
{
"status": "affected",
"version": "c7673f01604fa722b9d7c1e29e17cec1b8ae09c5",
"versionType": "git"
},
{
"status": "affected",
"version": "c120c3dbeb76305235c8e557f84d9e2d7d0f5933",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/locking/spinlock_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.164",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/spinlock/debug: Fix data-race in do_raw_write_lock\n\nKCSAN reports:\n\nBUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock\n\nwrite (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1:\n do_raw_write_lock+0x120/0x204\n _raw_write_lock_irq\n do_exit\n call_usermodehelper_exec_async\n ret_from_fork\n\nread to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0:\n do_raw_write_lock+0x88/0x204\n _raw_write_lock_irq\n do_exit\n call_usermodehelper_exec_async\n ret_from_fork\n\nvalue changed: 0xffffffff -\u003e 0x00000001\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111\n\nCommit 1a365e822372 (\"locking/spinlock/debug: Fix various data races\") has\nadressed most of these races, but seems to be not consistent/not complete.\n\n\u003eFrom do_raw_write_lock() only debug_write_lock_after() part has been\nconverted to WRITE_ONCE(), but not debug_write_lock_before() part.\nDo it now."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:30.516Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e5b2cf10844402054b52b489b525dc30cc16908"
},
{
"url": "https://git.kernel.org/stable/c/c228cb699a07a5f2d596d186bc5c314c99bb8bbf"
},
{
"url": "https://git.kernel.org/stable/c/93bd23524d63deb80fb85beb2e43fafeb1043d0f"
},
{
"url": "https://git.kernel.org/stable/c/39d2ef113416f1a4205b03fb0aa2e428d1412c77"
},
{
"url": "https://git.kernel.org/stable/c/b163a5e8c703201c905d6ec7920ed79d167e8442"
},
{
"url": "https://git.kernel.org/stable/c/16b3590c0e1e615757dade098c8fbc0d4f040c76"
},
{
"url": "https://git.kernel.org/stable/c/396a9270a7b90886be501611b13aa636f2e8c703"
},
{
"url": "https://git.kernel.org/stable/c/c14ecb555c3ee80eeb030a4e46d00e679537f03a"
}
],
"title": "locking/spinlock/debug: Fix data-race in do_raw_write_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68336",
"datePublished": "2025-12-22T16:14:13.425Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-02-09T08:31:30.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22107 (GCVE-0-2025-22107)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-01-11 16:29
VLAI?
EPSS
Title
net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()
There are actually 2 problems:
- deleting the last element doesn't require the memmove of elements
[i + 1, end) over it. Actually, element i+1 is out of bounds.
- The memmove itself should move size - i - 1 elements, because the last
element is out of bounds.
The out-of-bounds element still remains out of bounds after being
accessed, so the problem is only that we touch it, not that it becomes
in active use. But I suppose it can lead to issues if the out-of-bounds
element is part of an unmapped page.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 , < b52153da1f42e2f4d6259257a7ba027331671a93
(git)
Affected: 6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 , < 4584486cfcca24b7b586da3377eb3cffd48669ec (git) Affected: 6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 , < 031e00249e9e6bee72ba66701c8f83b45fc4b8a2 (git) Affected: 6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 , < 59b97641de03c081f26b3a8876628c765b5faa25 (git) Affected: 6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 , < 5f2b28b79d2d1946ee36ad8b3dc0066f73c90481 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/sja1105/sja1105_static_config.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b52153da1f42e2f4d6259257a7ba027331671a93",
"status": "affected",
"version": "6666cebc5e306f49a25bd20aa8c1cb8ef8950df5",
"versionType": "git"
},
{
"lessThan": "4584486cfcca24b7b586da3377eb3cffd48669ec",
"status": "affected",
"version": "6666cebc5e306f49a25bd20aa8c1cb8ef8950df5",
"versionType": "git"
},
{
"lessThan": "031e00249e9e6bee72ba66701c8f83b45fc4b8a2",
"status": "affected",
"version": "6666cebc5e306f49a25bd20aa8c1cb8ef8950df5",
"versionType": "git"
},
{
"lessThan": "59b97641de03c081f26b3a8876628c765b5faa25",
"status": "affected",
"version": "6666cebc5e306f49a25bd20aa8c1cb8ef8950df5",
"versionType": "git"
},
{
"lessThan": "5f2b28b79d2d1946ee36ad8b3dc0066f73c90481",
"status": "affected",
"version": "6666cebc5e306f49a25bd20aa8c1cb8ef8950df5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/sja1105/sja1105_static_config.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()\n\nThere are actually 2 problems:\n- deleting the last element doesn\u0027t require the memmove of elements\n [i + 1, end) over it. Actually, element i+1 is out of bounds.\n- The memmove itself should move size - i - 1 elements, because the last\n element is out of bounds.\n\nThe out-of-bounds element still remains out of bounds after being\naccessed, so the problem is only that we touch it, not that it becomes\nin active use. But I suppose it can lead to issues if the out-of-bounds\nelement is part of an unmapped page."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:14.258Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b52153da1f42e2f4d6259257a7ba027331671a93"
},
{
"url": "https://git.kernel.org/stable/c/4584486cfcca24b7b586da3377eb3cffd48669ec"
},
{
"url": "https://git.kernel.org/stable/c/031e00249e9e6bee72ba66701c8f83b45fc4b8a2"
},
{
"url": "https://git.kernel.org/stable/c/59b97641de03c081f26b3a8876628c765b5faa25"
},
{
"url": "https://git.kernel.org/stable/c/5f2b28b79d2d1946ee36ad8b3dc0066f73c90481"
}
],
"title": "net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22107",
"datePublished": "2025-04-16T14:12:55.109Z",
"dateReserved": "2024-12-29T08:45:45.820Z",
"dateUpdated": "2026-01-11T16:29:14.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71079 (GCVE-0-2025-71079)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
A deadlock can occur between nfc_unregister_device() and rfkill_fop_write()
due to lock ordering inversion between device_lock and rfkill_global_mutex.
The problematic lock order is:
Thread A (rfkill_fop_write):
rfkill_fop_write()
mutex_lock(&rfkill_global_mutex)
rfkill_set_block()
nfc_rfkill_set_block()
nfc_dev_down()
device_lock(&dev->dev) <- waits for device_lock
Thread B (nfc_unregister_device):
nfc_unregister_device()
device_lock(&dev->dev)
rfkill_unregister()
mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex
This creates a classic ABBA deadlock scenario.
Fix this by moving rfkill_unregister() and rfkill_destroy() outside the
device_lock critical section. Store the rfkill pointer in a local variable
before releasing the lock, then call rfkill_unregister() after releasing
device_lock.
This change is safe because rfkill_fop_write() holds rfkill_global_mutex
while calling the rfkill callbacks, and rfkill_unregister() also acquires
rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will
wait for any ongoing callback to complete before proceeding, and
device_del() is only called after rfkill_unregister() returns, preventing
any use-after-free.
The similar lock ordering in nfc_register_device() (device_lock ->
rfkill_global_mutex via rfkill_register) is safe because during
registration the device is not yet in rfkill_list, so no concurrent
rfkill operations can occur on this device.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
73a0d12114b4bc1a9def79a623264754b9df698e , < 2e0831e9fc46a06daa6d4d8d57a2738e343130c3
(git)
Affected: 8a9c61c3ef187d8891225f9b932390670a43a0d3 , < e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012 (git) Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5 (git) Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < 6b93c8ab6f6cda8818983a4ae3fcf84b023037b4 (git) Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < 8fc4632fb508432895430cd02b38086bdd649083 (git) Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < f3a8a7c1aa278f2378b2f3a10500c6674dffdfda (git) Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < 1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5 (git) Affected: 5ef16d2d172ee56714cff37cd005b98aba08ef5a (git) Affected: ff169909eac9e00bf1aa0af739ba6ddfb1b1d135 (git) Affected: 47244ac0b65bd74cc70007d8e1bac68bd2baad19 (git) Affected: c45cea83e13699bdfd47842e04d09dd43af4c371 (git) Affected: 307d2e6cebfca9d92f86c8e2c8e3dd4a8be46ba6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e0831e9fc46a06daa6d4d8d57a2738e343130c3",
"status": "affected",
"version": "73a0d12114b4bc1a9def79a623264754b9df698e",
"versionType": "git"
},
{
"lessThan": "e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012",
"status": "affected",
"version": "8a9c61c3ef187d8891225f9b932390670a43a0d3",
"versionType": "git"
},
{
"lessThan": "ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "6b93c8ab6f6cda8818983a4ae3fcf84b023037b4",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "8fc4632fb508432895430cd02b38086bdd649083",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "f3a8a7c1aa278f2378b2f3a10500c6674dffdfda",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"status": "affected",
"version": "5ef16d2d172ee56714cff37cd005b98aba08ef5a",
"versionType": "git"
},
{
"status": "affected",
"version": "ff169909eac9e00bf1aa0af739ba6ddfb1b1d135",
"versionType": "git"
},
{
"status": "affected",
"version": "47244ac0b65bd74cc70007d8e1bac68bd2baad19",
"versionType": "git"
},
{
"status": "affected",
"version": "c45cea83e13699bdfd47842e04d09dd43af4c371",
"versionType": "git"
},
{
"status": "affected",
"version": "307d2e6cebfca9d92f86c8e2c8e3dd4a8be46ba6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.256",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.218",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.162",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write\n\nA deadlock can occur between nfc_unregister_device() and rfkill_fop_write()\ndue to lock ordering inversion between device_lock and rfkill_global_mutex.\n\nThe problematic lock order is:\n\nThread A (rfkill_fop_write):\n rfkill_fop_write()\n mutex_lock(\u0026rfkill_global_mutex)\n rfkill_set_block()\n nfc_rfkill_set_block()\n nfc_dev_down()\n device_lock(\u0026dev-\u003edev) \u003c- waits for device_lock\n\nThread B (nfc_unregister_device):\n nfc_unregister_device()\n device_lock(\u0026dev-\u003edev)\n rfkill_unregister()\n mutex_lock(\u0026rfkill_global_mutex) \u003c- waits for rfkill_global_mutex\n\nThis creates a classic ABBA deadlock scenario.\n\nFix this by moving rfkill_unregister() and rfkill_destroy() outside the\ndevice_lock critical section. Store the rfkill pointer in a local variable\nbefore releasing the lock, then call rfkill_unregister() after releasing\ndevice_lock.\n\nThis change is safe because rfkill_fop_write() holds rfkill_global_mutex\nwhile calling the rfkill callbacks, and rfkill_unregister() also acquires\nrfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will\nwait for any ongoing callback to complete before proceeding, and\ndevice_del() is only called after rfkill_unregister() returns, preventing\nany use-after-free.\n\nThe similar lock ordering in nfc_register_device() (device_lock -\u003e\nrfkill_global_mutex via rfkill_register) is safe because during\nregistration the device is not yet in rfkill_list, so no concurrent\nrfkill operations can occur on this device."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:30.426Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e0831e9fc46a06daa6d4d8d57a2738e343130c3"
},
{
"url": "https://git.kernel.org/stable/c/e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012"
},
{
"url": "https://git.kernel.org/stable/c/ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5"
},
{
"url": "https://git.kernel.org/stable/c/6b93c8ab6f6cda8818983a4ae3fcf84b023037b4"
},
{
"url": "https://git.kernel.org/stable/c/8fc4632fb508432895430cd02b38086bdd649083"
},
{
"url": "https://git.kernel.org/stable/c/f3a8a7c1aa278f2378b2f3a10500c6674dffdfda"
},
{
"url": "https://git.kernel.org/stable/c/1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5"
}
],
"title": "net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71079",
"datePublished": "2026-01-13T15:34:44.136Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-02-09T08:34:30.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40237 (GCVE-0-2025-40237)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-23 16:40
VLAI?
EPSS
Title
fs/notify: call exportfs_encode_fid with s_umount
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/notify: call exportfs_encode_fid with s_umount
Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while
the overlayfs is being unmounted, can lead to dereferencing NULL ptr.
This issue was found by syzkaller.
Race Condition Diagram:
Thread 1 Thread 2
-------- --------
generic_shutdown_super()
shrink_dcache_for_umount
sb->s_root = NULL
|
| vfs_read()
| inotify_fdinfo()
| * inode get from mark *
| show_mark_fhandle(m, inode)
| exportfs_encode_fid(inode, ..)
| ovl_encode_fh(inode, ..)
| ovl_check_encode_origin(inode)
| * deref i_sb->s_root *
|
|
v
fsnotify_sb_delete(sb)
Which then leads to:
[ 32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[ 32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)
<snip registers, unreliable trace>
[ 32.143353] Call Trace:
[ 32.143732] ovl_encode_fh+0xd5/0x170
[ 32.144031] exportfs_encode_inode_fh+0x12f/0x300
[ 32.144425] show_mark_fhandle+0xbe/0x1f0
[ 32.145805] inotify_fdinfo+0x226/0x2d0
[ 32.146442] inotify_show_fdinfo+0x1c5/0x350
[ 32.147168] seq_show+0x530/0x6f0
[ 32.147449] seq_read_iter+0x503/0x12a0
[ 32.148419] seq_read+0x31f/0x410
[ 32.150714] vfs_read+0x1f0/0x9e0
[ 32.152297] ksys_read+0x125/0x240
IOW ovl_check_encode_origin derefs inode->i_sb->s_root, after it was set
to NULL in the unmount path.
Fix it by protecting calling exportfs_encode_fid() from
show_mark_fhandle() with s_umount lock.
This form of fix was suggested by Amir in [1].
[1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a1a541fbfa7e97c1100144db34b57553d7164ce5 , < 950b604384fd75d62e860bec7135b2b62eb4d508
(git)
Affected: f0c0ac84de17c37e6e84da65fb920f91dada55ad , < bc1c6b803e14ea2b8f7e33b7164013f666ceb656 (git) Affected: 3c7c90274ae339e1ad443c9be1c67a20b80b9c76 , < 3f307a9f7a7a2822e38ac451b73e2244e7279496 (git) Affected: c45beebfde34aa71afbc48b2c54cdda623515037 , < d1894bc542becb0fda61e7e513b09523cab44030 (git) Affected: c45beebfde34aa71afbc48b2c54cdda623515037 , < a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/notify/fdinfo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "950b604384fd75d62e860bec7135b2b62eb4d508",
"status": "affected",
"version": "a1a541fbfa7e97c1100144db34b57553d7164ce5",
"versionType": "git"
},
{
"lessThan": "bc1c6b803e14ea2b8f7e33b7164013f666ceb656",
"status": "affected",
"version": "f0c0ac84de17c37e6e84da65fb920f91dada55ad",
"versionType": "git"
},
{
"lessThan": "3f307a9f7a7a2822e38ac451b73e2244e7279496",
"status": "affected",
"version": "3c7c90274ae339e1ad443c9be1c67a20b80b9c76",
"versionType": "git"
},
{
"lessThan": "d1894bc542becb0fda61e7e513b09523cab44030",
"status": "affected",
"version": "c45beebfde34aa71afbc48b2c54cdda623515037",
"versionType": "git"
},
{
"lessThan": "a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a",
"status": "affected",
"version": "c45beebfde34aa71afbc48b2c54cdda623515037",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/notify/fdinfo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.73",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.73",
"versionStartIncluding": "6.6.72",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "6.6.74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "6.12.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/notify: call exportfs_encode_fid with s_umount\n\nCalling intotify_show_fdinfo() on fd watching an overlayfs inode, while\nthe overlayfs is being unmounted, can lead to dereferencing NULL ptr.\n\nThis issue was found by syzkaller.\n\nRace Condition Diagram:\n\nThread 1 Thread 2\n-------- --------\n\ngeneric_shutdown_super()\n shrink_dcache_for_umount\n sb-\u003es_root = NULL\n\n |\n | vfs_read()\n | inotify_fdinfo()\n | * inode get from mark *\n | show_mark_fhandle(m, inode)\n | exportfs_encode_fid(inode, ..)\n | ovl_encode_fh(inode, ..)\n | ovl_check_encode_origin(inode)\n | * deref i_sb-\u003es_root *\n |\n |\n v\n fsnotify_sb_delete(sb)\n\nWhich then leads to:\n\n[ 32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI\n[ 32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n[ 32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)\n\n\u003csnip registers, unreliable trace\u003e\n\n[ 32.143353] Call Trace:\n[ 32.143732] ovl_encode_fh+0xd5/0x170\n[ 32.144031] exportfs_encode_inode_fh+0x12f/0x300\n[ 32.144425] show_mark_fhandle+0xbe/0x1f0\n[ 32.145805] inotify_fdinfo+0x226/0x2d0\n[ 32.146442] inotify_show_fdinfo+0x1c5/0x350\n[ 32.147168] seq_show+0x530/0x6f0\n[ 32.147449] seq_read_iter+0x503/0x12a0\n[ 32.148419] seq_read+0x31f/0x410\n[ 32.150714] vfs_read+0x1f0/0x9e0\n[ 32.152297] ksys_read+0x125/0x240\n\nIOW ovl_check_encode_origin derefs inode-\u003ei_sb-\u003es_root, after it was set\nto NULL in the unmount path.\n\nFix it by protecting calling exportfs_encode_fid() from\nshow_mark_fhandle() with s_umount lock.\n\nThis form of fix was suggested by Amir in [1].\n\n[1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T16:40:14.296Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/950b604384fd75d62e860bec7135b2b62eb4d508"
},
{
"url": "https://git.kernel.org/stable/c/bc1c6b803e14ea2b8f7e33b7164013f666ceb656"
},
{
"url": "https://git.kernel.org/stable/c/3f307a9f7a7a2822e38ac451b73e2244e7279496"
},
{
"url": "https://git.kernel.org/stable/c/d1894bc542becb0fda61e7e513b09523cab44030"
},
{
"url": "https://git.kernel.org/stable/c/a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a"
}
],
"title": "fs/notify: call exportfs_encode_fid with s_umount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40237",
"datePublished": "2025-12-04T15:31:27.325Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-23T16:40:14.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39883 (GCVE-0-2025-39883)
Vulnerability from cvelistv5 – Published: 2025-09-23 06:00 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory
When I did memory failure tests, below panic occurs:
page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))
kernel BUG at include/linux/page-flags.h:616!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40
RIP: 0010:unpoison_memory+0x2f3/0x590
RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
Call Trace:
<TASK>
unpoison_memory+0x2f3/0x590
simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110
debugfs_attr_write+0x42/0x60
full_proxy_write+0x5b/0x80
vfs_write+0xd5/0x540
ksys_write+0x64/0xe0
do_syscall_64+0xb9/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f08f0314887
RSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887
RDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001
RBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
R13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00
</TASK>
Modules linked in: hwpoison_inject
---[ end trace 0000000000000000 ]---
RIP: 0010:unpoison_memory+0x2f3/0x590
RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception ]---
The root cause is that unpoison_memory() tries to check the PG_HWPoison
flags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is
triggered. This can be reproduced by below steps:
1.Offline memory block:
echo offline > /sys/devices/system/memory/memory12/state
2.Get offlined memory pfn:
page-types -b n -rlN
3.Write pfn to unpoison-pfn
echo <pfn> > /sys/kernel/debug/hwpoison/unpoison-pfn
This scenario can be identified by pfn_to_online_page() returning NULL.
And ZONE_DEVICE pages are never expected, so we can simply fail if
pfn_to_online_page() == NULL to fix the bug.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe , < 8e01ea186a52c90694c08a9ff57bea1b0e78256a
(git)
Affected: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe , < fb65803ccff37cf9123c50c1c02efd1ed73c4ed5 (git) Affected: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe , < 99f7048957f5ae3cee1c01189147e73a9a96de02 (git) Affected: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe , < e4ec6def5643a1c9511115b3884eb879572294c6 (git) Affected: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe , < 3d278e89c2ea62b1aaa4b0d8a9766a35b3a3164a (git) Affected: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe , < 7618fd443aa4cfa553a64cacf5721581653ee7b0 (git) Affected: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe , < 63a327a2375a8ce7a47dec5aaa4d8a9ae0a00b96 (git) Affected: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe , < d613f53c83ec47089c4e25859d5e8e0359f6f8da (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:24.900Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/memory-failure.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e01ea186a52c90694c08a9ff57bea1b0e78256a",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "fb65803ccff37cf9123c50c1c02efd1ed73c4ed5",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "99f7048957f5ae3cee1c01189147e73a9a96de02",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "e4ec6def5643a1c9511115b3884eb879572294c6",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "3d278e89c2ea62b1aaa4b0d8a9766a35b3a3164a",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "7618fd443aa4cfa553a64cacf5721581653ee7b0",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "63a327a2375a8ce7a47dec5aaa4d8a9ae0a00b96",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "d613f53c83ec47089c4e25859d5e8e0359f6f8da",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/memory-failure.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory\n\nWhen I did memory failure tests, below panic occurs:\n\npage dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))\nkernel BUG at include/linux/page-flags.h:616!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40\nRIP: 0010:unpoison_memory+0x2f3/0x590\nRSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246\nRAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0\nRBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb\nR10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000\nR13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe\nFS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n unpoison_memory+0x2f3/0x590\n simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\n debugfs_attr_write+0x42/0x60\n full_proxy_write+0x5b/0x80\n vfs_write+0xd5/0x540\n ksys_write+0x64/0xe0\n do_syscall_64+0xb9/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f08f0314887\nRSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887\nRDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001\nRBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009\nR13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00\n \u003c/TASK\u003e\nModules linked in: hwpoison_inject\n---[ end trace 0000000000000000 ]---\nRIP: 0010:unpoison_memory+0x2f3/0x590\nRSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246\nRAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0\nRBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb\nR10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000\nR13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe\nFS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0\nKernel panic - not syncing: Fatal exception\nKernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n---[ end Kernel panic - not syncing: Fatal exception ]---\n\nThe root cause is that unpoison_memory() tries to check the PG_HWPoison\nflags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is\ntriggered. This can be reproduced by below steps:\n\n1.Offline memory block:\n\n echo offline \u003e /sys/devices/system/memory/memory12/state\n\n2.Get offlined memory pfn:\n\n page-types -b n -rlN\n\n3.Write pfn to unpoison-pfn\n\n echo \u003cpfn\u003e \u003e /sys/kernel/debug/hwpoison/unpoison-pfn\n\nThis scenario can be identified by pfn_to_online_page() returning NULL. \nAnd ZONE_DEVICE pages are never expected, so we can simply fail if\npfn_to_online_page() == NULL to fix the bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:26.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e01ea186a52c90694c08a9ff57bea1b0e78256a"
},
{
"url": "https://git.kernel.org/stable/c/fb65803ccff37cf9123c50c1c02efd1ed73c4ed5"
},
{
"url": "https://git.kernel.org/stable/c/99f7048957f5ae3cee1c01189147e73a9a96de02"
},
{
"url": "https://git.kernel.org/stable/c/e4ec6def5643a1c9511115b3884eb879572294c6"
},
{
"url": "https://git.kernel.org/stable/c/3d278e89c2ea62b1aaa4b0d8a9766a35b3a3164a"
},
{
"url": "https://git.kernel.org/stable/c/7618fd443aa4cfa553a64cacf5721581653ee7b0"
},
{
"url": "https://git.kernel.org/stable/c/63a327a2375a8ce7a47dec5aaa4d8a9ae0a00b96"
},
{
"url": "https://git.kernel.org/stable/c/d613f53c83ec47089c4e25859d5e8e0359f6f8da"
}
],
"title": "mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39883",
"datePublished": "2025-09-23T06:00:51.548Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-11-03T17:44:24.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39973 (GCVE-0-2025-39973)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:55 – Updated: 2025-10-15 07:55
VLAI?
EPSS
Title
i40e: add validation for ring_len param
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: add validation for ring_len param
The `ring_len` parameter provided by the virtual function (VF)
is assigned directly to the hardware memory context (HMC) without
any validation.
To address this, introduce an upper boundary check for both Tx and Rx
queue lengths. The maximum number of descriptors supported by the
hardware is 8k-32.
Additionally, enforce alignment constraints: Tx rings must be a multiple
of 8, and Rx rings must be a multiple of 32.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5c3c48ac6bf56367c4e89f6453cd2d61e50375bd , < 0543d40d6513cdf1c7882811086e59a6455dfe97
(git)
Affected: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd , < 7d749e38dd2b7e8a80da2ca30c93e09de95bfcf9 (git) Affected: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd , < 45a7527cd7da4cdcf3b06b5c0cb1cae30b5a5985 (git) Affected: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd , < d3b0d3f8d11fa957171fbb186e53998361a88d4e (git) Affected: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd , < c0c83f4cd074b75cecef107bfc349be7d516c9c4 (git) Affected: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd , < 05fe81fb9db20464fa532a3835dc8300d68a2f84 (git) Affected: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd , < afec12adab55d10708179a64d95d650741e60fe0 (git) Affected: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd , < 55d225670def06b01af2e7a5e0446fbe946289e8 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0543d40d6513cdf1c7882811086e59a6455dfe97",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "7d749e38dd2b7e8a80da2ca30c93e09de95bfcf9",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "45a7527cd7da4cdcf3b06b5c0cb1cae30b5a5985",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "d3b0d3f8d11fa957171fbb186e53998361a88d4e",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "c0c83f4cd074b75cecef107bfc349be7d516c9c4",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "05fe81fb9db20464fa532a3835dc8300d68a2f84",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "afec12adab55d10708179a64d95d650741e60fe0",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "55d225670def06b01af2e7a5e0446fbe946289e8",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: add validation for ring_len param\n\nThe `ring_len` parameter provided by the virtual function (VF)\nis assigned directly to the hardware memory context (HMC) without\nany validation.\n\nTo address this, introduce an upper boundary check for both Tx and Rx\nqueue lengths. The maximum number of descriptors supported by the\nhardware is 8k-32.\nAdditionally, enforce alignment constraints: Tx rings must be a multiple\nof 8, and Rx rings must be a multiple of 32."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:55.590Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0543d40d6513cdf1c7882811086e59a6455dfe97"
},
{
"url": "https://git.kernel.org/stable/c/7d749e38dd2b7e8a80da2ca30c93e09de95bfcf9"
},
{
"url": "https://git.kernel.org/stable/c/45a7527cd7da4cdcf3b06b5c0cb1cae30b5a5985"
},
{
"url": "https://git.kernel.org/stable/c/d3b0d3f8d11fa957171fbb186e53998361a88d4e"
},
{
"url": "https://git.kernel.org/stable/c/c0c83f4cd074b75cecef107bfc349be7d516c9c4"
},
{
"url": "https://git.kernel.org/stable/c/05fe81fb9db20464fa532a3835dc8300d68a2f84"
},
{
"url": "https://git.kernel.org/stable/c/afec12adab55d10708179a64d95d650741e60fe0"
},
{
"url": "https://git.kernel.org/stable/c/55d225670def06b01af2e7a5e0446fbe946289e8"
}
],
"title": "i40e: add validation for ring_len param",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39973",
"datePublished": "2025-10-15T07:55:55.590Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:55.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38022 (GCVE-0-2025-38022)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:28 – Updated: 2026-01-19 12:17
VLAI?
EPSS
Title
RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
strlen+0x93/0xa0 lib/string.c:420
__fortify_strlen include/linux/fortify-string.h:268 [inline]
get_kobj_path_length lib/kobject.c:118 [inline]
kobject_get_path+0x3f/0x2a0 lib/kobject.c:158
kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545
ib_register_device drivers/infiniband/core/device.c:1472 [inline]
ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393
rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552
rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550
rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225
nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796
rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195
rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450
netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339
netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg net/socket.c:727 [inline]
____sys_sendmsg+0xa95/0xc70 net/socket.c:2566
___sys_sendmsg+0x134/0x1d0 net/socket.c:2620
__sys_sendmsg+0x16d/0x220 net/socket.c:2652
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
This problem is similar to the problem that the
commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name")
fixes.
The root cause is: the function ib_device_rename() renames the name with
lock. But in the function kobject_uevent(), this name is accessed without
lock protection at the same time.
The solution is to add the lock protection when this name is accessed in
the function kobject_uevent().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
53e9a5a692f839780084ad81dbd461ec917f74f7 , < ba467b6870ea2a73590478d9612d6ea1dcdd68b7
(git)
Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < 5629064f92f0de6d6b3572055cd35361c3ad953c (git) Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < 312dae3499106ec8cb7442ada12be080aa9fbc3b (git) Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < 17d3103325e891e10994e7aa28d12bea04dc2c60 (git) Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < 10c7f1c647da3b77ef8827d974a97b6530b64df0 (git) Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < 03df57ad4b0ff9c5a93ff981aba0b42578ad1571 (git) Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < d0706bfd3ee40923c001c6827b786a309e2a8713 (git) Affected: 9b54e31fd08f8d8db507d021c88e760d5f8e4640 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba467b6870ea2a73590478d9612d6ea1dcdd68b7",
"status": "affected",
"version": "53e9a5a692f839780084ad81dbd461ec917f74f7",
"versionType": "git"
},
{
"lessThan": "5629064f92f0de6d6b3572055cd35361c3ad953c",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "312dae3499106ec8cb7442ada12be080aa9fbc3b",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "17d3103325e891e10994e7aa28d12bea04dc2c60",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "10c7f1c647da3b77ef8827d974a97b6530b64df0",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "03df57ad4b0ff9c5a93ff981aba0b42578ad1571",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "d0706bfd3ee40923c001c6827b786a309e2a8713",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"status": "affected",
"version": "9b54e31fd08f8d8db507d021c88e760d5f8e4640",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.30",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.8",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.86",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem\n\nCall Trace:\n\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n strlen+0x93/0xa0 lib/string.c:420\n __fortify_strlen include/linux/fortify-string.h:268 [inline]\n get_kobj_path_length lib/kobject.c:118 [inline]\n kobject_get_path+0x3f/0x2a0 lib/kobject.c:158\n kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545\n ib_register_device drivers/infiniband/core/device.c:1472 [inline]\n ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393\n rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552\n rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550\n rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225\n nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796\n rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195\n rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450\n netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339\n netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg net/socket.c:727 [inline]\n ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620\n __sys_sendmsg+0x16d/0x220 net/socket.c:2652\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis problem is similar to the problem that the\ncommit 1d6a9e7449e2 (\"RDMA/core: Fix use-after-free when rename device name\")\nfixes.\n\nThe root cause is: the function ib_device_rename() renames the name with\nlock. But in the function kobject_uevent(), this name is accessed without\nlock protection at the same time.\n\nThe solution is to add the lock protection when this name is accessed in\nthe function kobject_uevent()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:58.186Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba467b6870ea2a73590478d9612d6ea1dcdd68b7"
},
{
"url": "https://git.kernel.org/stable/c/5629064f92f0de6d6b3572055cd35361c3ad953c"
},
{
"url": "https://git.kernel.org/stable/c/312dae3499106ec8cb7442ada12be080aa9fbc3b"
},
{
"url": "https://git.kernel.org/stable/c/17d3103325e891e10994e7aa28d12bea04dc2c60"
},
{
"url": "https://git.kernel.org/stable/c/10c7f1c647da3b77ef8827d974a97b6530b64df0"
},
{
"url": "https://git.kernel.org/stable/c/03df57ad4b0ff9c5a93ff981aba0b42578ad1571"
},
{
"url": "https://git.kernel.org/stable/c/d0706bfd3ee40923c001c6827b786a309e2a8713"
}
],
"title": "RDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38022",
"datePublished": "2025-06-18T09:28:29.218Z",
"dateReserved": "2025-04-16T04:51:23.977Z",
"dateUpdated": "2026-01-19T12:17:58.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39844 (GCVE-0-2025-39844)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
mm: move page table sync declarations to linux/pgtable.h
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: move page table sync declarations to linux/pgtable.h
During our internal testing, we started observing intermittent boot
failures when the machine uses 4-level paging and has a large amount of
persistent memory:
BUG: unable to handle page fault for address: ffffe70000000034
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] SMP NOPTI
RIP: 0010:__init_single_page+0x9/0x6d
Call Trace:
<TASK>
__init_zone_device_page+0x17/0x5d
memmap_init_zone_device+0x154/0x1bb
pagemap_range+0x2e0/0x40f
memremap_pages+0x10b/0x2f0
devm_memremap_pages+0x1e/0x60
dev_dax_probe+0xce/0x2ec [device_dax]
dax_bus_probe+0x6d/0xc9
[... snip ...]
</TASK>
It turns out that the kernel panics while initializing vmemmap (struct
page array) when the vmemmap region spans two PGD entries, because the new
PGD entry is only installed in init_mm.pgd, but not in the page tables of
other tasks.
And looking at __populate_section_memmap():
if (vmemmap_can_optimize(altmap, pgmap))
// does not sync top level page tables
r = vmemmap_populate_compound_pages(pfn, start, end, nid, pgmap);
else
// sync top level page tables in x86
r = vmemmap_populate(start, end, nid, altmap);
In the normal path, vmemmap_populate() in arch/x86/mm/init_64.c
synchronizes the top level page table (See commit 9b861528a801 ("x86-64,
mem: Update all PGDs for direct mapping and vmemmap mapping changes")) so
that all tasks in the system can see the new vmemmap area.
However, when vmemmap_can_optimize() returns true, the optimized path
skips synchronization of top-level page tables. This is because
vmemmap_populate_compound_pages() is implemented in core MM code, which
does not handle synchronization of the top-level page tables. Instead,
the core MM has historically relied on each architecture to perform this
synchronization manually.
We're not the first party to encounter a crash caused by not-sync'd top
level page tables: earlier this year, Gwan-gyeong Mun attempted to address
the issue [1] [2] after hitting a kernel panic when x86 code accessed the
vmemmap area before the corresponding top-level entries were synced. At
that time, the issue was believed to be triggered only when struct page
was enlarged for debugging purposes, and the patch did not get further
updates.
It turns out that current approach of relying on each arch to handle the
page table sync manually is fragile because 1) it's easy to forget to sync
the top level page table, and 2) it's also easy to overlook that the
kernel should not access the vmemmap and direct mapping areas before the
sync.
# The solution: Make page table sync more code robust and harder to miss
To address this, Dave Hansen suggested [3] [4] introducing
{pgd,p4d}_populate_kernel() for updating kernel portion of the page tables
and allow each architecture to explicitly perform synchronization when
installing top-level entries. With this approach, we no longer need to
worry about missing the sync step, reducing the risk of future
regressions.
The new interface reuses existing ARCH_PAGE_TABLE_SYNC_MASK,
PGTBL_P*D_MODIFIED and arch_sync_kernel_mappings() facility used by
vmalloc and ioremap to synchronize page tables.
pgd_populate_kernel() looks like this:
static inline void pgd_populate_kernel(unsigned long addr, pgd_t *pgd,
p4d_t *p4d)
{
pgd_populate(&init_mm, pgd, p4d);
if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED)
arch_sync_kernel_mappings(addr, addr);
}
It is worth noting that vmalloc() and apply_to_range() carefully
synchronizes page tables by calling p*d_alloc_track() and
arch_sync_kernel_mappings(), and thus they are not affected by
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8d400913c231bd1da74067255816453f96cd35b0 , < 732e62212f49d549c91071b4da7942ee3058f7a2
(git)
Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < eceb44e1f94bd641b2a4e8c09b64c797c4eabc15 (git) Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 6797a8b3f71b2cb558b8771a03450dc3e004e453 (git) Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 4f7537772011fad832f83d6848f8eab282545bef (git) Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 469f9d22751472b81eaaf8a27fcdb5a70741c342 (git) Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 7cc183f2e67d19b03ee5c13a6664b8c6cc37ff9d (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:59.901Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/pgtable.h",
"include/linux/vmalloc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "732e62212f49d549c91071b4da7942ee3058f7a2",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "eceb44e1f94bd641b2a4e8c09b64c797c4eabc15",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "6797a8b3f71b2cb558b8771a03450dc3e004e453",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "4f7537772011fad832f83d6848f8eab282545bef",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "469f9d22751472b81eaaf8a27fcdb5a70741c342",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "7cc183f2e67d19b03ee5c13a6664b8c6cc37ff9d",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/pgtable.h",
"include/linux/vmalloc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: move page table sync declarations to linux/pgtable.h\n\nDuring our internal testing, we started observing intermittent boot\nfailures when the machine uses 4-level paging and has a large amount of\npersistent memory:\n\n BUG: unable to handle page fault for address: ffffe70000000034\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0 \n Oops: 0002 [#1] SMP NOPTI\n RIP: 0010:__init_single_page+0x9/0x6d\n Call Trace:\n \u003cTASK\u003e\n __init_zone_device_page+0x17/0x5d\n memmap_init_zone_device+0x154/0x1bb\n pagemap_range+0x2e0/0x40f\n memremap_pages+0x10b/0x2f0\n devm_memremap_pages+0x1e/0x60\n dev_dax_probe+0xce/0x2ec [device_dax]\n dax_bus_probe+0x6d/0xc9\n [... snip ...]\n \u003c/TASK\u003e\n\nIt turns out that the kernel panics while initializing vmemmap (struct\npage array) when the vmemmap region spans two PGD entries, because the new\nPGD entry is only installed in init_mm.pgd, but not in the page tables of\nother tasks.\n\nAnd looking at __populate_section_memmap():\n if (vmemmap_can_optimize(altmap, pgmap)) \n // does not sync top level page tables\n r = vmemmap_populate_compound_pages(pfn, start, end, nid, pgmap);\n else \n // sync top level page tables in x86\n r = vmemmap_populate(start, end, nid, altmap);\n\nIn the normal path, vmemmap_populate() in arch/x86/mm/init_64.c\nsynchronizes the top level page table (See commit 9b861528a801 (\"x86-64,\nmem: Update all PGDs for direct mapping and vmemmap mapping changes\")) so\nthat all tasks in the system can see the new vmemmap area.\n\nHowever, when vmemmap_can_optimize() returns true, the optimized path\nskips synchronization of top-level page tables. This is because\nvmemmap_populate_compound_pages() is implemented in core MM code, which\ndoes not handle synchronization of the top-level page tables. Instead,\nthe core MM has historically relied on each architecture to perform this\nsynchronization manually.\n\nWe\u0027re not the first party to encounter a crash caused by not-sync\u0027d top\nlevel page tables: earlier this year, Gwan-gyeong Mun attempted to address\nthe issue [1] [2] after hitting a kernel panic when x86 code accessed the\nvmemmap area before the corresponding top-level entries were synced. At\nthat time, the issue was believed to be triggered only when struct page\nwas enlarged for debugging purposes, and the patch did not get further\nupdates.\n\nIt turns out that current approach of relying on each arch to handle the\npage table sync manually is fragile because 1) it\u0027s easy to forget to sync\nthe top level page table, and 2) it\u0027s also easy to overlook that the\nkernel should not access the vmemmap and direct mapping areas before the\nsync.\n\n# The solution: Make page table sync more code robust and harder to miss\n\nTo address this, Dave Hansen suggested [3] [4] introducing\n{pgd,p4d}_populate_kernel() for updating kernel portion of the page tables\nand allow each architecture to explicitly perform synchronization when\ninstalling top-level entries. With this approach, we no longer need to\nworry about missing the sync step, reducing the risk of future\nregressions.\n\nThe new interface reuses existing ARCH_PAGE_TABLE_SYNC_MASK,\nPGTBL_P*D_MODIFIED and arch_sync_kernel_mappings() facility used by\nvmalloc and ioremap to synchronize page tables.\n\npgd_populate_kernel() looks like this:\nstatic inline void pgd_populate_kernel(unsigned long addr, pgd_t *pgd,\n p4d_t *p4d)\n{\n pgd_populate(\u0026init_mm, pgd, p4d);\n if (ARCH_PAGE_TABLE_SYNC_MASK \u0026 PGTBL_PGD_MODIFIED)\n arch_sync_kernel_mappings(addr, addr);\n}\n\nIt is worth noting that vmalloc() and apply_to_range() carefully\nsynchronizes page tables by calling p*d_alloc_track() and\narch_sync_kernel_mappings(), and thus they are not affected by\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:53.654Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/732e62212f49d549c91071b4da7942ee3058f7a2"
},
{
"url": "https://git.kernel.org/stable/c/eceb44e1f94bd641b2a4e8c09b64c797c4eabc15"
},
{
"url": "https://git.kernel.org/stable/c/6797a8b3f71b2cb558b8771a03450dc3e004e453"
},
{
"url": "https://git.kernel.org/stable/c/4f7537772011fad832f83d6848f8eab282545bef"
},
{
"url": "https://git.kernel.org/stable/c/469f9d22751472b81eaaf8a27fcdb5a70741c342"
},
{
"url": "https://git.kernel.org/stable/c/7cc183f2e67d19b03ee5c13a6664b8c6cc37ff9d"
}
],
"title": "mm: move page table sync declarations to linux/pgtable.h",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39844",
"datePublished": "2025-09-19T15:26:18.471Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:43:59.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40247 (GCVE-0-2025-40247)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
drm/msm: Fix pgtable prealloc error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: Fix pgtable prealloc error path
The following splat was reported:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=00000008d0fd8000
[0000000000000010] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] SMP
CPU: 5 UID: 1000 PID: 149076 Comm: Xwayland Tainted: G S 6.16.0-rc2-00809-g0b6974bb4134-dirty #367 PREEMPT
Tainted: [S]=CPU_OUT_OF_SPEC
Hardware name: Qualcomm Technologies, Inc. SM8650 HDK (DT)
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : build_detached_freelist+0x28/0x224
lr : kmem_cache_free_bulk.part.0+0x38/0x244
sp : ffff000a508c7a20
x29: ffff000a508c7a20 x28: ffff000a508c7d50 x27: ffffc4e49d16f350
x26: 0000000000000058 x25: 00000000fffffffc x24: 0000000000000000
x23: ffff00098c4e1450 x22: 00000000fffffffc x21: 0000000000000000
x20: ffff000a508c7af8 x19: 0000000000000002 x18: 00000000000003e8
x17: ffff000809523850 x16: ffff000809523820 x15: 0000000000401640
x14: ffff000809371140 x13: 0000000000000130 x12: ffff0008b5711e30
x11: 00000000001058fa x10: 0000000000000a80 x9 : ffff000a508c7940
x8 : ffff000809371ba0 x7 : 781fffe033087fff x6 : 0000000000000000
x5 : ffff0008003cd000 x4 : 781fffe033083fff x3 : ffff000a508c7af8
x2 : fffffdffc0000000 x1 : 0001000000000000 x0 : ffff0008001a6a00
Call trace:
build_detached_freelist+0x28/0x224 (P)
kmem_cache_free_bulk.part.0+0x38/0x244
kmem_cache_free_bulk+0x10/0x1c
msm_iommu_pagetable_prealloc_cleanup+0x3c/0xd0
msm_vma_job_free+0x30/0x240
msm_ioctl_vm_bind+0x1d0/0x9a0
drm_ioctl_kernel+0x84/0x104
drm_ioctl+0x358/0x4d4
__arm64_sys_ioctl+0x8c/0xe0
invoke_syscall+0x44/0x100
el0_svc_common.constprop.0+0x3c/0xe0
do_el0_svc+0x18/0x20
el0_svc+0x30/0x100
el0t_64_sync_handler+0x104/0x130
el0t_64_sync+0x170/0x174
Code: aa0203f5 b26287e2 f2dfbfe2 aa0303f4 (f8737ab6)
---[ end trace 0000000000000000 ]---
Since msm_vma_job_free() is called directly from the ioctl, this looks
like an error path cleanup issue. Which I think results from
prealloc_cleanup() called without a preceding successful
prealloc_allocate() call. So handle that case better.
Patchwork: https://patchwork.freedesktop.org/patch/678677/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b865da18b6cb878f33b5920693d03f23b9c4d1a3",
"status": "affected",
"version": "0cf6c71d70d8aa39b8fd0e39c9009602a0e0d300",
"versionType": "git"
},
{
"lessThan": "830d68f2cb8ab6fb798bb9555016709a9e012af0",
"status": "affected",
"version": "0cf6c71d70d8aa39b8fd0e39c9009602a0e0d300",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix pgtable prealloc error path\n\nThe following splat was reported:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n Mem abort info:\n ESR = 0x0000000096000004\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=00000008d0fd8000\n [0000000000000010] pgd=0000000000000000, p4d=0000000000000000\n Internal error: Oops: 0000000096000004 [#1] SMP\n CPU: 5 UID: 1000 PID: 149076 Comm: Xwayland Tainted: G S 6.16.0-rc2-00809-g0b6974bb4134-dirty #367 PREEMPT\n Tainted: [S]=CPU_OUT_OF_SPEC\n Hardware name: Qualcomm Technologies, Inc. SM8650 HDK (DT)\n pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n pc : build_detached_freelist+0x28/0x224\n lr : kmem_cache_free_bulk.part.0+0x38/0x244\n sp : ffff000a508c7a20\n x29: ffff000a508c7a20 x28: ffff000a508c7d50 x27: ffffc4e49d16f350\n x26: 0000000000000058 x25: 00000000fffffffc x24: 0000000000000000\n x23: ffff00098c4e1450 x22: 00000000fffffffc x21: 0000000000000000\n x20: ffff000a508c7af8 x19: 0000000000000002 x18: 00000000000003e8\n x17: ffff000809523850 x16: ffff000809523820 x15: 0000000000401640\n x14: ffff000809371140 x13: 0000000000000130 x12: ffff0008b5711e30\n x11: 00000000001058fa x10: 0000000000000a80 x9 : ffff000a508c7940\n x8 : ffff000809371ba0 x7 : 781fffe033087fff x6 : 0000000000000000\n x5 : ffff0008003cd000 x4 : 781fffe033083fff x3 : ffff000a508c7af8\n x2 : fffffdffc0000000 x1 : 0001000000000000 x0 : ffff0008001a6a00\n Call trace:\n build_detached_freelist+0x28/0x224 (P)\n kmem_cache_free_bulk.part.0+0x38/0x244\n kmem_cache_free_bulk+0x10/0x1c\n msm_iommu_pagetable_prealloc_cleanup+0x3c/0xd0\n msm_vma_job_free+0x30/0x240\n msm_ioctl_vm_bind+0x1d0/0x9a0\n drm_ioctl_kernel+0x84/0x104\n drm_ioctl+0x358/0x4d4\n __arm64_sys_ioctl+0x8c/0xe0\n invoke_syscall+0x44/0x100\n el0_svc_common.constprop.0+0x3c/0xe0\n do_el0_svc+0x18/0x20\n el0_svc+0x30/0x100\n el0t_64_sync_handler+0x104/0x130\n el0t_64_sync+0x170/0x174\n Code: aa0203f5 b26287e2 f2dfbfe2 aa0303f4 (f8737ab6)\n ---[ end trace 0000000000000000 ]---\n\nSince msm_vma_job_free() is called directly from the ioctl, this looks\nlike an error path cleanup issue. Which I think results from\nprealloc_cleanup() called without a preceding successful\nprealloc_allocate() call. So handle that case better.\n\nPatchwork: https://patchwork.freedesktop.org/patch/678677/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:48.872Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b865da18b6cb878f33b5920693d03f23b9c4d1a3"
},
{
"url": "https://git.kernel.org/stable/c/830d68f2cb8ab6fb798bb9555016709a9e012af0"
}
],
"title": "drm/msm: Fix pgtable prealloc error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40247",
"datePublished": "2025-12-04T16:08:10.696Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-20T08:51:48.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40346 (GCVE-0-2025-40346)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2025-12-16 13:30
VLAI?
EPSS
Title
arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()
Summary
In the Linux kernel, the following vulnerability has been resolved:
arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()
Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity()
which causes the code to proceed with NULL clock pointers. The current
logic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both
valid pointers and NULL, leading to potential NULL pointer dereference
in clk_get_rate().
Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns:
"The error code within @ptr if it is an error pointer; 0 otherwise."
This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL
pointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed)
when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be
called when of_clk_get() returns NULL.
Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid
pointers, preventing potential NULL pointer dereference in clk_get_rate().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 64da320252e43456cc9ec3055ff567f168467b37
(git)
Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 02fbea0864fd4a863671f5d418129258d7159f68 (git) Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < a77f8434954cb1e9c42c3854e40855fdcf5ab235 (git) Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 3373f263bb647fcc3b5237cfaef757633b9ee25e (git) Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 45379303124487db3a81219af7565d41f498167f (git) Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 3a01b2614e84361aa222f67bc628593987e5cdb2 (git) Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 2eead19334516c8e9927c11b448fbe512b1f18a1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/arch_topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64da320252e43456cc9ec3055ff567f168467b37",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "02fbea0864fd4a863671f5d418129258d7159f68",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "a77f8434954cb1e9c42c3854e40855fdcf5ab235",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "3373f263bb647fcc3b5237cfaef757633b9ee25e",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "45379303124487db3a81219af7565d41f498167f",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "3a01b2614e84361aa222f67bc628593987e5cdb2",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "2eead19334516c8e9927c11b448fbe512b1f18a1",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/arch_topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narch_topology: Fix incorrect error check in topology_parse_cpu_capacity()\n\nFix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity()\nwhich causes the code to proceed with NULL clock pointers. The current\nlogic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both\nvalid pointers and NULL, leading to potential NULL pointer dereference\nin clk_get_rate().\n\nPer include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns:\n\"The error code within @ptr if it is an error pointer; 0 otherwise.\"\n\nThis means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL\npointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed)\nwhen cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be\ncalled when of_clk_get() returns NULL.\n\nReplace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid\npointers, preventing potential NULL pointer dereference in clk_get_rate()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:30:20.395Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64da320252e43456cc9ec3055ff567f168467b37"
},
{
"url": "https://git.kernel.org/stable/c/02fbea0864fd4a863671f5d418129258d7159f68"
},
{
"url": "https://git.kernel.org/stable/c/a77f8434954cb1e9c42c3854e40855fdcf5ab235"
},
{
"url": "https://git.kernel.org/stable/c/3373f263bb647fcc3b5237cfaef757633b9ee25e"
},
{
"url": "https://git.kernel.org/stable/c/45379303124487db3a81219af7565d41f498167f"
},
{
"url": "https://git.kernel.org/stable/c/3a01b2614e84361aa222f67bc628593987e5cdb2"
},
{
"url": "https://git.kernel.org/stable/c/2eead19334516c8e9927c11b448fbe512b1f18a1"
}
],
"title": "arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40346",
"datePublished": "2025-12-16T13:30:20.395Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-16T13:30:20.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40315 (GCVE-0-2025-40315)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
A race condition occurs when ffs_func_eps_enable() runs concurrently
with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()
sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading
to a NULL pointer dereference when accessing epfile->ep in
ffs_func_eps_enable() after successful usb_ep_enable().
The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and
ffs_data_close() functions, and its modification is protected by the
spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function
is also protected by ffs->eps_lock.
Thus, add NULL pointer handling for ffs->epfiles in the
ffs_func_eps_enable() function to fix issues
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c9fc422c9a43e3d58d246334a71f3390401781dc , < b00d2572c16e8e59e979960d3383c2ae9cebd195
(git)
Affected: 0042178a69eb77a979e36a50dcce9794a3140ef8 , < 1c0dbd240be3f87cac321b14e17979b7e9cb6a8f (git) Affected: 72a8aee863af099d4434314c4536d6c9a61dcf3c , < 9ec40fba7357df2d36f4c2e2f3b9b1a4fba0a272 (git) Affected: ebe2b1add1055b903e2acd86b290a85297edc0b3 , < c53e90563bc148e4e0ad09fe130ba2246d426ea6 (git) Affected: ebe2b1add1055b903e2acd86b290a85297edc0b3 , < fc1141a530dfc91f0ee19b7f422a2d24829584bc (git) Affected: ebe2b1add1055b903e2acd86b290a85297edc0b3 , < d62b808d5c68a931ad0849a00a5e3be3dd7e0019 (git) Affected: ebe2b1add1055b903e2acd86b290a85297edc0b3 , < 30880e9df27332403dd638a82c27921134b3630b (git) Affected: ebe2b1add1055b903e2acd86b290a85297edc0b3 , < cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 (git) Affected: 32048f4be071f9a6966744243f1786f45bb22dc2 (git) Affected: cfe5f6fd335d882bcc829a1c8a7d462a455c626e (git) Affected: 3e078b18753669615301d946297bafd69294ad2c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b00d2572c16e8e59e979960d3383c2ae9cebd195",
"status": "affected",
"version": "c9fc422c9a43e3d58d246334a71f3390401781dc",
"versionType": "git"
},
{
"lessThan": "1c0dbd240be3f87cac321b14e17979b7e9cb6a8f",
"status": "affected",
"version": "0042178a69eb77a979e36a50dcce9794a3140ef8",
"versionType": "git"
},
{
"lessThan": "9ec40fba7357df2d36f4c2e2f3b9b1a4fba0a272",
"status": "affected",
"version": "72a8aee863af099d4434314c4536d6c9a61dcf3c",
"versionType": "git"
},
{
"lessThan": "c53e90563bc148e4e0ad09fe130ba2246d426ea6",
"status": "affected",
"version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
"versionType": "git"
},
{
"lessThan": "fc1141a530dfc91f0ee19b7f422a2d24829584bc",
"status": "affected",
"version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
"versionType": "git"
},
{
"lessThan": "d62b808d5c68a931ad0849a00a5e3be3dd7e0019",
"status": "affected",
"version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
"versionType": "git"
},
{
"lessThan": "30880e9df27332403dd638a82c27921134b3630b",
"status": "affected",
"version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
"versionType": "git"
},
{
"lessThan": "cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4",
"status": "affected",
"version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
"versionType": "git"
},
{
"status": "affected",
"version": "32048f4be071f9a6966744243f1786f45bb22dc2",
"versionType": "git"
},
{
"status": "affected",
"version": "cfe5f6fd335d882bcc829a1c8a7d462a455c626e",
"versionType": "git"
},
{
"status": "affected",
"version": "3e078b18753669615301d946297bafd69294ad2c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.101",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.267",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.230",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Fix epfile null pointer access after ep enable.\n\nA race condition occurs when ffs_func_eps_enable() runs concurrently\nwith ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()\nsets ffs-\u003eepfiles to NULL before resetting ffs-\u003eeps_count to 0, leading\nto a NULL pointer dereference when accessing epfile-\u003eep in\nffs_func_eps_enable() after successful usb_ep_enable().\n\nThe ffs-\u003eepfiles pointer is set to NULL in both ffs_data_clear() and\nffs_data_close() functions, and its modification is protected by the\nspinlock ffs-\u003eeps_lock. And the whole ffs_func_eps_enable() function\nis also protected by ffs-\u003eeps_lock.\n\nThus, add NULL pointer handling for ffs-\u003eepfiles in the\nffs_func_eps_enable() function to fix issues"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:33.404Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b00d2572c16e8e59e979960d3383c2ae9cebd195"
},
{
"url": "https://git.kernel.org/stable/c/1c0dbd240be3f87cac321b14e17979b7e9cb6a8f"
},
{
"url": "https://git.kernel.org/stable/c/9ec40fba7357df2d36f4c2e2f3b9b1a4fba0a272"
},
{
"url": "https://git.kernel.org/stable/c/c53e90563bc148e4e0ad09fe130ba2246d426ea6"
},
{
"url": "https://git.kernel.org/stable/c/fc1141a530dfc91f0ee19b7f422a2d24829584bc"
},
{
"url": "https://git.kernel.org/stable/c/d62b808d5c68a931ad0849a00a5e3be3dd7e0019"
},
{
"url": "https://git.kernel.org/stable/c/30880e9df27332403dd638a82c27921134b3630b"
},
{
"url": "https://git.kernel.org/stable/c/cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4"
}
],
"title": "usb: gadget: f_fs: Fix epfile null pointer access after ep enable.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40315",
"datePublished": "2025-12-08T00:46:41.896Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-01-02T15:33:33.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68325 (GCVE-0-2025-68325)
Vulnerability from cvelistv5 – Published: 2025-12-18 15:02 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen
and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes
that the parent qdisc will enqueue the current packet. However, this
assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent
qdisc stops enqueuing current packet, leaving the tree qlen/backlog
accounting inconsistent. This mismatch can lead to a NULL dereference
(e.g., when the parent Qdisc is qfq_qdisc).
This patch computes the qlen/backlog delta in a more robust way by
observing the difference before and after the series of cake_drop()
calls, and then compensates the qdisc tree accounting if cake_enqueue()
returns NET_XMIT_CN.
To ensure correct compensation when ACK thinning is enabled, a new
variable is introduced to keep qlen unchanged.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
de04ddd2980b48caa8d7e24a7db2742917a8b280 , < a3f4e3de41a3f115db35276c6b186ccbc913934a
(git)
Affected: 0dacfc5372e314d1219f03e64dde3ab495a5a25e , < 38abf6e931b169ea88d7529b49096f53a5dcf8fe (git) Affected: 710866fc0a64eafcb8bacd91bcb1329eb7e5035f , < fcb91be52eb6e92e00b533ebd7c77fecada537e1 (git) Affected: aa12ee1c1bd260943fd6ab556d8635811c332eeb , < d01f0e072dadb02fe10f436b940dd957aff0d7d4 (git) Affected: ff57186b2cc39766672c4c0332323933e5faaa88 , < 0b6216f9b3d1c33c76f74511026e5de5385ee520 (git) Affected: 15de71d06a400f7fdc15bf377a2552b0ec437cf5 , < 529c284cc2815c8350860e9a31722050fe7117cb (git) Affected: 15de71d06a400f7fdc15bf377a2552b0ec437cf5 , < 3ed6c458530a547ed0c9ea0b02b19bab620be88b (git) Affected: 15de71d06a400f7fdc15bf377a2552b0ec437cf5 , < 9fefc78f7f02d71810776fdeb119a05a946a27cc (git) Affected: 7689ab22de36f8db19095f6bdf11f28cfde92f5c (git) Affected: 62d591dde4defb1333d202410609c4ddeae060b3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_cake.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3f4e3de41a3f115db35276c6b186ccbc913934a",
"status": "affected",
"version": "de04ddd2980b48caa8d7e24a7db2742917a8b280",
"versionType": "git"
},
{
"lessThan": "38abf6e931b169ea88d7529b49096f53a5dcf8fe",
"status": "affected",
"version": "0dacfc5372e314d1219f03e64dde3ab495a5a25e",
"versionType": "git"
},
{
"lessThan": "fcb91be52eb6e92e00b533ebd7c77fecada537e1",
"status": "affected",
"version": "710866fc0a64eafcb8bacd91bcb1329eb7e5035f",
"versionType": "git"
},
{
"lessThan": "d01f0e072dadb02fe10f436b940dd957aff0d7d4",
"status": "affected",
"version": "aa12ee1c1bd260943fd6ab556d8635811c332eeb",
"versionType": "git"
},
{
"lessThan": "0b6216f9b3d1c33c76f74511026e5de5385ee520",
"status": "affected",
"version": "ff57186b2cc39766672c4c0332323933e5faaa88",
"versionType": "git"
},
{
"lessThan": "529c284cc2815c8350860e9a31722050fe7117cb",
"status": "affected",
"version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
"versionType": "git"
},
{
"lessThan": "3ed6c458530a547ed0c9ea0b02b19bab620be88b",
"status": "affected",
"version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
"versionType": "git"
},
{
"lessThan": "9fefc78f7f02d71810776fdeb119a05a946a27cc",
"status": "affected",
"version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
"versionType": "git"
},
{
"status": "affected",
"version": "7689ab22de36f8db19095f6bdf11f28cfde92f5c",
"versionType": "git"
},
{
"status": "affected",
"version": "62d591dde4defb1333d202410609c4ddeae060b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_cake.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.12.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_cake: Fix incorrect qlen reduction in cake_drop\n\nIn cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen\nand backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes\nthat the parent qdisc will enqueue the current packet. However, this\nassumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent\nqdisc stops enqueuing current packet, leaving the tree qlen/backlog\naccounting inconsistent. This mismatch can lead to a NULL dereference\n(e.g., when the parent Qdisc is qfq_qdisc).\n\nThis patch computes the qlen/backlog delta in a more robust way by\nobserving the difference before and after the series of cake_drop()\ncalls, and then compensates the qdisc tree accounting if cake_enqueue()\nreturns NET_XMIT_CN.\n\nTo ensure correct compensation when ACK thinning is enabled, a new\nvariable is introduced to keep qlen unchanged."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:26.912Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3f4e3de41a3f115db35276c6b186ccbc913934a"
},
{
"url": "https://git.kernel.org/stable/c/38abf6e931b169ea88d7529b49096f53a5dcf8fe"
},
{
"url": "https://git.kernel.org/stable/c/fcb91be52eb6e92e00b533ebd7c77fecada537e1"
},
{
"url": "https://git.kernel.org/stable/c/d01f0e072dadb02fe10f436b940dd957aff0d7d4"
},
{
"url": "https://git.kernel.org/stable/c/0b6216f9b3d1c33c76f74511026e5de5385ee520"
},
{
"url": "https://git.kernel.org/stable/c/529c284cc2815c8350860e9a31722050fe7117cb"
},
{
"url": "https://git.kernel.org/stable/c/3ed6c458530a547ed0c9ea0b02b19bab620be88b"
},
{
"url": "https://git.kernel.org/stable/c/9fefc78f7f02d71810776fdeb119a05a946a27cc"
}
],
"title": "net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68325",
"datePublished": "2025-12-18T15:02:50.214Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2026-02-09T08:31:26.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71085 (GCVE-0-2025-71085)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
There exists a kernel oops caused by a BUG_ON(nhead < 0) at
net/core/skbuff.c:2232 in pskb_expand_head().
This bug is triggered as part of the calipso_skbuff_setattr()
routine when skb_cow() is passed headroom > INT_MAX
(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
The root cause of the bug is due to an implicit integer cast in
__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
that delta = headroom - skb_headroom(skb) is never negative, otherwise
we will trigger a BUG_ON in pskb_expand_head(). However, if
headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
becomes negative, and pskb_expand_head() is passed a negative value for
nhead.
Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
by only using skb_cow() to grow headroom.
PoC:
Using `netlabelctl` tool:
netlabelctl map del default
netlabelctl calipso add pass doi:7
netlabelctl map add default address:0::1/128 protocol:calipso,7
Then run the following PoC:
int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
// setup msghdr
int cmsg_size = 2;
int cmsg_len = 0x60;
struct msghdr msg;
struct sockaddr_in6 dest_addr;
struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
sizeof(struct cmsghdr) + cmsg_len);
msg.msg_name = &dest_addr;
msg.msg_namelen = sizeof(dest_addr);
msg.msg_iov = NULL;
msg.msg_iovlen = 0;
msg.msg_control = cmsg;
msg.msg_controllen = cmsg_len;
msg.msg_flags = 0;
// setup sockaddr
dest_addr.sin6_family = AF_INET6;
dest_addr.sin6_port = htons(31337);
dest_addr.sin6_flowinfo = htonl(31337);
dest_addr.sin6_addr = in6addr_loopback;
dest_addr.sin6_scope_id = 31337;
// setup cmsghdr
cmsg->cmsg_len = cmsg_len;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_HOPOPTS;
char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80
sendmsg(fd, &msg, 0);
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 86f365897068d09418488165a68b23cb5baa37f2
(git)
Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 6b7522424529556c9cbc15e15e7bd4eeae310910 (git) Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 2bb759062efa188ea5d07242a43e5aa5464bbae1 (git) Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < c53aa6a5086f03f19564096ee084a202a8c738c0 (git) Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < bf3709738d8a8cc6fa275773170c5c29511a0b24 (git) Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 73744ad5696dce0e0f43872aba8de6a83d6ad570 (git) Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 58fc7342b529803d3c221101102fe913df7adb83 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/calipso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "86f365897068d09418488165a68b23cb5baa37f2",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "6b7522424529556c9cbc15e15e7bd4eeae310910",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "2bb759062efa188ea5d07242a43e5aa5464bbae1",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "c53aa6a5086f03f19564096ee084a202a8c738c0",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "bf3709738d8a8cc6fa275773170c5c29511a0b24",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "73744ad5696dce0e0f43872aba8de6a83d6ad570",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "58fc7342b529803d3c221101102fe913df7adb83",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/calipso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()\n\nThere exists a kernel oops caused by a BUG_ON(nhead \u003c 0) at\nnet/core/skbuff.c:2232 in pskb_expand_head().\nThis bug is triggered as part of the calipso_skbuff_setattr()\nroutine when skb_cow() is passed headroom \u003e INT_MAX\n(i.e. (int)(skb_headroom(skb) + len_delta) \u003c 0).\n\nThe root cause of the bug is due to an implicit integer cast in\n__skb_cow(). The check (headroom \u003e skb_headroom(skb)) is meant to ensure\nthat delta = headroom - skb_headroom(skb) is never negative, otherwise\nwe will trigger a BUG_ON in pskb_expand_head(). However, if\nheadroom \u003e INT_MAX and delta \u003c= -NET_SKB_PAD, the check passes, delta\nbecomes negative, and pskb_expand_head() is passed a negative value for\nnhead.\n\nFix the trigger condition in calipso_skbuff_setattr(). Avoid passing\n\"negative\" headroom sizes to skb_cow() within calipso_skbuff_setattr()\nby only using skb_cow() to grow headroom.\n\nPoC:\n\tUsing `netlabelctl` tool:\n\n netlabelctl map del default\n netlabelctl calipso add pass doi:7\n netlabelctl map add default address:0::1/128 protocol:calipso,7\n\n Then run the following PoC:\n\n int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);\n\n // setup msghdr\n int cmsg_size = 2;\n int cmsg_len = 0x60;\n struct msghdr msg;\n struct sockaddr_in6 dest_addr;\n struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,\n sizeof(struct cmsghdr) + cmsg_len);\n msg.msg_name = \u0026dest_addr;\n msg.msg_namelen = sizeof(dest_addr);\n msg.msg_iov = NULL;\n msg.msg_iovlen = 0;\n msg.msg_control = cmsg;\n msg.msg_controllen = cmsg_len;\n msg.msg_flags = 0;\n\n // setup sockaddr\n dest_addr.sin6_family = AF_INET6;\n dest_addr.sin6_port = htons(31337);\n dest_addr.sin6_flowinfo = htonl(31337);\n dest_addr.sin6_addr = in6addr_loopback;\n dest_addr.sin6_scope_id = 31337;\n\n // setup cmsghdr\n cmsg-\u003ecmsg_len = cmsg_len;\n cmsg-\u003ecmsg_level = IPPROTO_IPV6;\n cmsg-\u003ecmsg_type = IPV6_HOPOPTS;\n char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);\n hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80\n\n sendmsg(fd, \u0026msg, 0);"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:36.802Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/86f365897068d09418488165a68b23cb5baa37f2"
},
{
"url": "https://git.kernel.org/stable/c/6b7522424529556c9cbc15e15e7bd4eeae310910"
},
{
"url": "https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1"
},
{
"url": "https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0"
},
{
"url": "https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24"
},
{
"url": "https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570"
},
{
"url": "https://git.kernel.org/stable/c/58fc7342b529803d3c221101102fe913df7adb83"
}
],
"title": "ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71085",
"datePublished": "2026-01-13T15:34:48.324Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-02-09T08:34:36.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23202 (GCVE-0-2026-23202)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer
The curr_xfer field is read by the IRQ handler without holding the lock
to check if a transfer is in progress. When clearing curr_xfer in the
combined sequence transfer loop, protect it with the spinlock to prevent
a race with the interrupt handler.
Protect the curr_xfer clearing at the exit path of
tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race
with the interrupt handler that reads this field.
Without this protection, the IRQ handler could read a partially updated
curr_xfer value, leading to NULL pointer dereference or use-after-free.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
88db8bb7ed1bb474618acdf05ebd4f0758d244e2 , < 9fa4262a80f751d14a6a39d2c03f57db68da2618
(git)
Affected: 83309dd551cfd60a5a1a98d9cab19f435b44d46d , < 762e2ce71c8f0238e9eaf05d14da803d9a24422f (git) Affected: c934e40246da2c5726d14e94719c514e30840df8 , < 712cde8d916889e282727cdf304a43683adf899e (git) Affected: 551060efb156c50fe33799038ba8145418cfdeef , < 6fd446178a610a48e80e5c5b487b0707cd01daac (git) Affected: 01bbf25c767219b14c3235bfa85906b8d2cb8fbc , < 3bc293d5b56502068481478842f57b3d96e432c7 (git) Affected: b4e002d8a7cee3b1d70efad0e222567f92a73000 , < bf4528ab28e2bf112c3a2cdef44fd13f007781cd (git) Affected: bb0c58be84f907285af45657c1d4847b960a12bf (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9fa4262a80f751d14a6a39d2c03f57db68da2618",
"status": "affected",
"version": "88db8bb7ed1bb474618acdf05ebd4f0758d244e2",
"versionType": "git"
},
{
"lessThan": "762e2ce71c8f0238e9eaf05d14da803d9a24422f",
"status": "affected",
"version": "83309dd551cfd60a5a1a98d9cab19f435b44d46d",
"versionType": "git"
},
{
"lessThan": "712cde8d916889e282727cdf304a43683adf899e",
"status": "affected",
"version": "c934e40246da2c5726d14e94719c514e30840df8",
"versionType": "git"
},
{
"lessThan": "6fd446178a610a48e80e5c5b487b0707cd01daac",
"status": "affected",
"version": "551060efb156c50fe33799038ba8145418cfdeef",
"versionType": "git"
},
{
"lessThan": "3bc293d5b56502068481478842f57b3d96e432c7",
"status": "affected",
"version": "01bbf25c767219b14c3235bfa85906b8d2cb8fbc",
"versionType": "git"
},
{
"lessThan": "bf4528ab28e2bf112c3a2cdef44fd13f007781cd",
"status": "affected",
"version": "b4e002d8a7cee3b1d70efad0e222567f92a73000",
"versionType": "git"
},
{
"status": "affected",
"version": "bb0c58be84f907285af45657c1d4847b960a12bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.15.200",
"status": "affected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThan": "6.1.163",
"status": "affected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThan": "6.6.124",
"status": "affected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThan": "6.12.70",
"status": "affected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThan": "6.18.10",
"status": "affected",
"version": "6.18.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.15.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "6.1.160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.12.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.18.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer\n\nThe curr_xfer field is read by the IRQ handler without holding the lock\nto check if a transfer is in progress. When clearing curr_xfer in the\ncombined sequence transfer loop, protect it with the spinlock to prevent\na race with the interrupt handler.\n\nProtect the curr_xfer clearing at the exit path of\ntegra_qspi_combined_seq_xfer() with the spinlock to prevent a race\nwith the interrupt handler that reads this field.\n\nWithout this protection, the IRQ handler could read a partially updated\ncurr_xfer value, leading to NULL pointer dereference or use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:26.365Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9fa4262a80f751d14a6a39d2c03f57db68da2618"
},
{
"url": "https://git.kernel.org/stable/c/762e2ce71c8f0238e9eaf05d14da803d9a24422f"
},
{
"url": "https://git.kernel.org/stable/c/712cde8d916889e282727cdf304a43683adf899e"
},
{
"url": "https://git.kernel.org/stable/c/6fd446178a610a48e80e5c5b487b0707cd01daac"
},
{
"url": "https://git.kernel.org/stable/c/3bc293d5b56502068481478842f57b3d96e432c7"
},
{
"url": "https://git.kernel.org/stable/c/bf4528ab28e2bf112c3a2cdef44fd13f007781cd"
}
],
"title": "spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23202",
"datePublished": "2026-02-14T16:27:26.365Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-02-14T16:27:26.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39873 (GCVE-0-2025-39873)
Vulnerability from cvelistv5 – Published: 2025-09-23 06:00 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB
can_put_echo_skb() takes ownership of the SKB and it may be freed
during or after the call.
However, xilinx_can xcan_write_frame() keeps using SKB after the call.
Fix that by only calling can_put_echo_skb() after the code is done
touching the SKB.
The tx_lock is held for the entire xcan_write_frame() execution and
also on the can_get_echo_skb() side so the order of operations does not
matter.
An earlier fix commit 3d3c817c3a40 ("can: xilinx_can: Fix usage of skb
memory") did not move the can_put_echo_skb() call far enough.
[mkl: add "commit" in front of sha1 in patch description]
[mkl: fix indention]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1598efe57b3e768056e4ca56cb9cf33111e68d1c , < e202ffd9e54538ef67ec301ebd6d9da4823466c9
(git)
Affected: 1598efe57b3e768056e4ca56cb9cf33111e68d1c , < 1139321161a3ba5e45e61e0738b37f42f20bc57a (git) Affected: 1598efe57b3e768056e4ca56cb9cf33111e68d1c , < 94b050726288a56a6b8ff55aa641f2fedbd3b44c (git) Affected: 1598efe57b3e768056e4ca56cb9cf33111e68d1c , < 725b33deebd6e4c96fe7893f384510a54258f28f (git) Affected: 1598efe57b3e768056e4ca56cb9cf33111e68d1c , < 668cc1e3bb21101d074e430de1b7ba8fd10189e7 (git) Affected: 1598efe57b3e768056e4ca56cb9cf33111e68d1c , < ef79f00be72bd81d2e1e6f060d83cf7e425deee4 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:20.103Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/xilinx_can.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e202ffd9e54538ef67ec301ebd6d9da4823466c9",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "1139321161a3ba5e45e61e0738b37f42f20bc57a",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "94b050726288a56a6b8ff55aa641f2fedbd3b44c",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "725b33deebd6e4c96fe7893f384510a54258f28f",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "668cc1e3bb21101d074e430de1b7ba8fd10189e7",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "ef79f00be72bd81d2e1e6f060d83cf7e425deee4",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/xilinx_can.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB\n\ncan_put_echo_skb() takes ownership of the SKB and it may be freed\nduring or after the call.\n\nHowever, xilinx_can xcan_write_frame() keeps using SKB after the call.\n\nFix that by only calling can_put_echo_skb() after the code is done\ntouching the SKB.\n\nThe tx_lock is held for the entire xcan_write_frame() execution and\nalso on the can_get_echo_skb() side so the order of operations does not\nmatter.\n\nAn earlier fix commit 3d3c817c3a40 (\"can: xilinx_can: Fix usage of skb\nmemory\") did not move the can_put_echo_skb() call far enough.\n\n[mkl: add \"commit\" in front of sha1 in patch description]\n[mkl: fix indention]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:10.369Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e202ffd9e54538ef67ec301ebd6d9da4823466c9"
},
{
"url": "https://git.kernel.org/stable/c/1139321161a3ba5e45e61e0738b37f42f20bc57a"
},
{
"url": "https://git.kernel.org/stable/c/94b050726288a56a6b8ff55aa641f2fedbd3b44c"
},
{
"url": "https://git.kernel.org/stable/c/725b33deebd6e4c96fe7893f384510a54258f28f"
},
{
"url": "https://git.kernel.org/stable/c/668cc1e3bb21101d074e430de1b7ba8fd10189e7"
},
{
"url": "https://git.kernel.org/stable/c/ef79f00be72bd81d2e1e6f060d83cf7e425deee4"
}
],
"title": "can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39873",
"datePublished": "2025-09-23T06:00:46.157Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-11-03T17:44:20.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38556 (GCVE-0-2025-38556)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
HID: core: Harden s32ton() against conversion to 0 bits
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: core: Harden s32ton() against conversion to 0 bits
Testing by the syzbot fuzzer showed that the HID core gets a
shift-out-of-bounds exception when it tries to convert a 32-bit
quantity to a 0-bit quantity. Ideally this should never occur, but
there are buggy devices and some might have a report field with size
set to zero; we shouldn't reject the report or the device just because
of that.
Instead, harden the s32ton() routine so that it returns a reasonable
result instead of crashing when it is called with the number of bits
set to 0 -- the same as what snto32() does.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
dde5845a529ff753364a6d1aea61180946270bfa , < 6cdf6c708717c5c6897d0800a1793e83757c7491
(git)
Affected: dde5845a529ff753364a6d1aea61180946270bfa , < eeeaba737919bdce9885e2a00ac2912f61a3684d (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 3c86548a20d7bc2861aa4de044991a327bebad1a (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 810189546cb6c8f36443ed091d91f1f5d2fc2ec7 (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < d3b504146c111548ab60b6ef7aad00bfb1db05a2 (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 8b4a94b1510f6a46ec48494b52ee8f67eb4fc836 (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 865ad8469fa24de1559f247d9426ab01e5ce3a56 (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6cdf6c708717c5c6897d0800a1793e83757c7491",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "eeeaba737919bdce9885e2a00ac2912f61a3684d",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "3c86548a20d7bc2861aa4de044991a327bebad1a",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "810189546cb6c8f36443ed091d91f1f5d2fc2ec7",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "d3b504146c111548ab60b6ef7aad00bfb1db05a2",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "8b4a94b1510f6a46ec48494b52ee8f67eb4fc836",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "865ad8469fa24de1559f247d9426ab01e5ce3a56",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.20"
},
{
"lessThan": "2.6.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: Harden s32ton() against conversion to 0 bits\n\nTesting by the syzbot fuzzer showed that the HID core gets a\nshift-out-of-bounds exception when it tries to convert a 32-bit\nquantity to a 0-bit quantity. Ideally this should never occur, but\nthere are buggy devices and some might have a report field with size\nset to zero; we shouldn\u0027t reject the report or the device just because\nof that.\n\nInstead, harden the s32ton() routine so that it returns a reasonable\nresult instead of crashing when it is called with the number of bits\nset to 0 -- the same as what snto32() does."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:03.142Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6cdf6c708717c5c6897d0800a1793e83757c7491"
},
{
"url": "https://git.kernel.org/stable/c/eeeaba737919bdce9885e2a00ac2912f61a3684d"
},
{
"url": "https://git.kernel.org/stable/c/3c86548a20d7bc2861aa4de044991a327bebad1a"
},
{
"url": "https://git.kernel.org/stable/c/810189546cb6c8f36443ed091d91f1f5d2fc2ec7"
},
{
"url": "https://git.kernel.org/stable/c/d3b504146c111548ab60b6ef7aad00bfb1db05a2"
},
{
"url": "https://git.kernel.org/stable/c/8b4a94b1510f6a46ec48494b52ee8f67eb4fc836"
},
{
"url": "https://git.kernel.org/stable/c/865ad8469fa24de1559f247d9426ab01e5ce3a56"
},
{
"url": "https://git.kernel.org/stable/c/a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd"
}
],
"title": "HID: core: Harden s32ton() against conversion to 0 bits",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38556",
"datePublished": "2025-08-19T17:02:34.929Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2026-01-19T12:18:03.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40220 (GCVE-0-2025-40220)
Vulnerability from cvelistv5 – Published: 2025-12-04 14:50 – Updated: 2025-12-04 14:50
VLAI?
EPSS
Title
fuse: fix livelock in synchronous file put from fuseblk workers
Summary
In the Linux kernel, the following vulnerability has been resolved:
fuse: fix livelock in synchronous file put from fuseblk workers
I observed a hang when running generic/323 against a fuseblk server.
This test opens a file, initiates a lot of AIO writes to that file
descriptor, and closes the file descriptor before the writes complete.
Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for
responses from the fuseblk server:
# cat /proc/372265/task/372313/stack
[<0>] request_wait_answer+0x1fe/0x2a0 [fuse]
[<0>] __fuse_simple_request+0xd3/0x2b0 [fuse]
[<0>] fuse_do_getattr+0xfc/0x1f0 [fuse]
[<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse]
[<0>] aio_read+0x130/0x1e0
[<0>] io_submit_one+0x542/0x860
[<0>] __x64_sys_io_submit+0x98/0x1a0
[<0>] do_syscall_64+0x37/0xf0
[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53
But the /weird/ part is that the fuseblk server threads are waiting for
responses from itself:
# cat /proc/372210/task/372232/stack
[<0>] request_wait_answer+0x1fe/0x2a0 [fuse]
[<0>] __fuse_simple_request+0xd3/0x2b0 [fuse]
[<0>] fuse_file_put+0x9a/0xd0 [fuse]
[<0>] fuse_release+0x36/0x50 [fuse]
[<0>] __fput+0xec/0x2b0
[<0>] task_work_run+0x55/0x90
[<0>] syscall_exit_to_user_mode+0xe9/0x100
[<0>] do_syscall_64+0x43/0xf0
[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53
The fuseblk server is fuse2fs so there's nothing all that exciting in
the server itself. So why is the fuse server calling fuse_file_put?
The commit message for the fstest sheds some light on that:
"By closing the file descriptor before calling io_destroy, you pretty
much guarantee that the last put on the ioctx will be done in interrupt
context (during I/O completion).
Aha. AIO fgets a new struct file from the fd when it queues the ioctx.
The completion of the FUSE_WRITE command from userspace causes the fuse
server to call the AIO completion function. The completion puts the
struct file, queuing a delayed fput to the fuse server task. When the
fuse server task returns to userspace, it has to run the delayed fput,
which in the case of a fuseblk server, it does synchronously.
Sending the FUSE_RELEASE command sychronously from fuse server threads
is a bad idea because a client program can initiate enough simultaneous
AIOs such that all the fuse server threads end up in delayed_fput, and
now there aren't any threads left to handle the queued fuse commands.
Fix this by only using asynchronous fputs when closing files, and leave
a comment explaining why.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < 548e1f2bac1d4df91a6138f26bb4ab00323fd948
(git)
Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < cfd1aa3e2b71f3327cb373c45a897c9028c62b35 (git) Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < 83b375c6efef69b1066ad2d79601221e7892745a (git) Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < bfd17b6138df0122a95989457d8e18ce0b86165e (git) Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < b26923512dbe57ae4917bafd31396d22a9d1691a (git) Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < f19a1390af448d9e193c08e28ea5f727bf3c3049 (git) Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < 26e5c67deb2e1f42a951f022fdf5b9f7eb747b01 (git) Affected: 9efe56738fecd591b5bf366a325440f9b457ebd6 (git) Affected: 5c46eb076e0a1b2c1769287cd6942e4594ade1b1 (git) Affected: 83e6726210d6c815ce044437106c738eda5ff6f6 (git) Affected: 23d154c71721fd0fa6199851078f32e6bd765664 (git) Affected: ca3edc920f5fd7d8ac040caaf109f925c24620a0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fuse/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "548e1f2bac1d4df91a6138f26bb4ab00323fd948",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "cfd1aa3e2b71f3327cb373c45a897c9028c62b35",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "83b375c6efef69b1066ad2d79601221e7892745a",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "bfd17b6138df0122a95989457d8e18ce0b86165e",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "b26923512dbe57ae4917bafd31396d22a9d1691a",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "f19a1390af448d9e193c08e28ea5f727bf3c3049",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "26e5c67deb2e1f42a951f022fdf5b9f7eb747b01",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"status": "affected",
"version": "9efe56738fecd591b5bf366a325440f9b457ebd6",
"versionType": "git"
},
{
"status": "affected",
"version": "5c46eb076e0a1b2c1769287cd6942e4594ade1b1",
"versionType": "git"
},
{
"status": "affected",
"version": "83e6726210d6c815ce044437106c738eda5ff6f6",
"versionType": "git"
},
{
"status": "affected",
"version": "23d154c71721fd0fa6199851078f32e6bd765664",
"versionType": "git"
},
{
"status": "affected",
"version": "ca3edc920f5fd7d8ac040caaf109f925c24620a0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fuse/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.32.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.33.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.34.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.35.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.37.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix livelock in synchronous file put from fuseblk workers\n\nI observed a hang when running generic/323 against a fuseblk server.\nThis test opens a file, initiates a lot of AIO writes to that file\ndescriptor, and closes the file descriptor before the writes complete.\nUnsurprisingly, the AIO exerciser threads are mostly stuck waiting for\nresponses from the fuseblk server:\n\n# cat /proc/372265/task/372313/stack\n[\u003c0\u003e] request_wait_answer+0x1fe/0x2a0 [fuse]\n[\u003c0\u003e] __fuse_simple_request+0xd3/0x2b0 [fuse]\n[\u003c0\u003e] fuse_do_getattr+0xfc/0x1f0 [fuse]\n[\u003c0\u003e] fuse_file_read_iter+0xbe/0x1c0 [fuse]\n[\u003c0\u003e] aio_read+0x130/0x1e0\n[\u003c0\u003e] io_submit_one+0x542/0x860\n[\u003c0\u003e] __x64_sys_io_submit+0x98/0x1a0\n[\u003c0\u003e] do_syscall_64+0x37/0xf0\n[\u003c0\u003e] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nBut the /weird/ part is that the fuseblk server threads are waiting for\nresponses from itself:\n\n# cat /proc/372210/task/372232/stack\n[\u003c0\u003e] request_wait_answer+0x1fe/0x2a0 [fuse]\n[\u003c0\u003e] __fuse_simple_request+0xd3/0x2b0 [fuse]\n[\u003c0\u003e] fuse_file_put+0x9a/0xd0 [fuse]\n[\u003c0\u003e] fuse_release+0x36/0x50 [fuse]\n[\u003c0\u003e] __fput+0xec/0x2b0\n[\u003c0\u003e] task_work_run+0x55/0x90\n[\u003c0\u003e] syscall_exit_to_user_mode+0xe9/0x100\n[\u003c0\u003e] do_syscall_64+0x43/0xf0\n[\u003c0\u003e] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nThe fuseblk server is fuse2fs so there\u0027s nothing all that exciting in\nthe server itself. So why is the fuse server calling fuse_file_put?\nThe commit message for the fstest sheds some light on that:\n\n\"By closing the file descriptor before calling io_destroy, you pretty\nmuch guarantee that the last put on the ioctx will be done in interrupt\ncontext (during I/O completion).\n\nAha. AIO fgets a new struct file from the fd when it queues the ioctx.\nThe completion of the FUSE_WRITE command from userspace causes the fuse\nserver to call the AIO completion function. The completion puts the\nstruct file, queuing a delayed fput to the fuse server task. When the\nfuse server task returns to userspace, it has to run the delayed fput,\nwhich in the case of a fuseblk server, it does synchronously.\n\nSending the FUSE_RELEASE command sychronously from fuse server threads\nis a bad idea because a client program can initiate enough simultaneous\nAIOs such that all the fuse server threads end up in delayed_fput, and\nnow there aren\u0027t any threads left to handle the queued fuse commands.\n\nFix this by only using asynchronous fputs when closing files, and leave\na comment explaining why."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T14:50:44.108Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/548e1f2bac1d4df91a6138f26bb4ab00323fd948"
},
{
"url": "https://git.kernel.org/stable/c/cfd1aa3e2b71f3327cb373c45a897c9028c62b35"
},
{
"url": "https://git.kernel.org/stable/c/83b375c6efef69b1066ad2d79601221e7892745a"
},
{
"url": "https://git.kernel.org/stable/c/bfd17b6138df0122a95989457d8e18ce0b86165e"
},
{
"url": "https://git.kernel.org/stable/c/b26923512dbe57ae4917bafd31396d22a9d1691a"
},
{
"url": "https://git.kernel.org/stable/c/f19a1390af448d9e193c08e28ea5f727bf3c3049"
},
{
"url": "https://git.kernel.org/stable/c/26e5c67deb2e1f42a951f022fdf5b9f7eb747b01"
}
],
"title": "fuse: fix livelock in synchronous file put from fuseblk workers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40220",
"datePublished": "2025-12-04T14:50:44.108Z",
"dateReserved": "2025-04-16T07:20:57.180Z",
"dateUpdated": "2025-12-04T14:50:44.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40176 (GCVE-0-2025-40176)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:53 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
tls: wait for pending async decryptions if tls_strp_msg_hold fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: wait for pending async decryptions if tls_strp_msg_hold fails
Async decryption calls tls_strp_msg_hold to create a clone of the
input skb to hold references to the memory it uses. If we fail to
allocate that clone, proceeding with async decryption can lead to
various issues (UAF on the skb, writing into userspace memory after
the recv() call has returned).
In this case, wait for all pending decryption requests.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 9f83fd0c179e0f458e824e417f9d5ad53443f685
(git)
Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < c61d4368197d65c4809d9271f3b85325a600586a (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 39dec4ea3daf77f684308576baf483b55ca7f160 (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 4fc109d0ab196bd943b7451276690fb6bb48c2e0 (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < b8a6ff84abbcbbc445463de58704686011edc8e1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9f83fd0c179e0f458e824e417f9d5ad53443f685",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "c61d4368197d65c4809d9271f3b85325a600586a",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "39dec4ea3daf77f684308576baf483b55ca7f160",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "4fc109d0ab196bd943b7451276690fb6bb48c2e0",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "b8a6ff84abbcbbc445463de58704686011edc8e1",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: wait for pending async decryptions if tls_strp_msg_hold fails\n\nAsync decryption calls tls_strp_msg_hold to create a clone of the\ninput skb to hold references to the memory it uses. If we fail to\nallocate that clone, proceeding with async decryption can lead to\nvarious issues (UAF on the skb, writing into userspace memory after\nthe recv() call has returned).\n\nIn this case, wait for all pending decryption requests."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:32.128Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9f83fd0c179e0f458e824e417f9d5ad53443f685"
},
{
"url": "https://git.kernel.org/stable/c/c61d4368197d65c4809d9271f3b85325a600586a"
},
{
"url": "https://git.kernel.org/stable/c/39dec4ea3daf77f684308576baf483b55ca7f160"
},
{
"url": "https://git.kernel.org/stable/c/4fc109d0ab196bd943b7451276690fb6bb48c2e0"
},
{
"url": "https://git.kernel.org/stable/c/b8a6ff84abbcbbc445463de58704686011edc8e1"
}
],
"title": "tls: wait for pending async decryptions if tls_strp_msg_hold fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40176",
"datePublished": "2025-11-12T10:53:50.443Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:32.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40171 (GCVE-0-2025-40171)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:46 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
nvmet-fc: move lsop put work to nvmet_fc_ls_req_op
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet-fc: move lsop put work to nvmet_fc_ls_req_op
It’s possible for more than one async command to be in flight from
__nvmet_fc_send_ls_req. For each command, a tgtport reference is taken.
In the current code, only one put work item is queued at a time, which
results in a leaked reference.
To fix this, move the work item to the nvmet_fc_ls_req_op struct, which
already tracks all resources related to the command.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5e0bc09a52b6169ce90f7ac6e195791adb16cec4 , < 11269c08013f4ee8b8f5edc6c56700acb34092d0
(git)
Affected: 9e6987f8937a7bd7516aa52f25cb7e12c0c92ee8 , < a28112cc55013cd8cbd5d36b5115a5b851151bd9 (git) Affected: eaf0971fdabf2a93c1429dc6bedf3bbe85dffa30 , < 060ecc81240ef9d60d9485a3a5eb55a0d6e7a25c (git) Affected: 710c69dbaccdac312e32931abcb8499c1525d397 , < 7331925c247b03b7767b8cd93cfe1b7aa2377850 (git) Affected: 710c69dbaccdac312e32931abcb8499c1525d397 , < 7a619f8c869117ffed08365b377f66b7e1d941b4 (git) Affected: 710c69dbaccdac312e32931abcb8499c1525d397 , < db5a5406fb7e5337a074385c7a3e53c77f2c1bd3 (git) Affected: 1d86f79287206deec36d63b89c741cf542b6cadd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11269c08013f4ee8b8f5edc6c56700acb34092d0",
"status": "affected",
"version": "5e0bc09a52b6169ce90f7ac6e195791adb16cec4",
"versionType": "git"
},
{
"lessThan": "a28112cc55013cd8cbd5d36b5115a5b851151bd9",
"status": "affected",
"version": "9e6987f8937a7bd7516aa52f25cb7e12c0c92ee8",
"versionType": "git"
},
{
"lessThan": "060ecc81240ef9d60d9485a3a5eb55a0d6e7a25c",
"status": "affected",
"version": "eaf0971fdabf2a93c1429dc6bedf3bbe85dffa30",
"versionType": "git"
},
{
"lessThan": "7331925c247b03b7767b8cd93cfe1b7aa2377850",
"status": "affected",
"version": "710c69dbaccdac312e32931abcb8499c1525d397",
"versionType": "git"
},
{
"lessThan": "7a619f8c869117ffed08365b377f66b7e1d941b4",
"status": "affected",
"version": "710c69dbaccdac312e32931abcb8499c1525d397",
"versionType": "git"
},
{
"lessThan": "db5a5406fb7e5337a074385c7a3e53c77f2c1bd3",
"status": "affected",
"version": "710c69dbaccdac312e32931abcb8499c1525d397",
"versionType": "git"
},
{
"status": "affected",
"version": "1d86f79287206deec36d63b89c741cf542b6cadd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.1.80",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fc: move lsop put work to nvmet_fc_ls_req_op\n\nIt\u2019s possible for more than one async command to be in flight from\n__nvmet_fc_send_ls_req. For each command, a tgtport reference is taken.\n\nIn the current code, only one put work item is queued at a time, which\nresults in a leaked reference.\n\nTo fix this, move the work item to the nvmet_fc_ls_req_op struct, which\nalready tracks all resources related to the command."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:25.891Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11269c08013f4ee8b8f5edc6c56700acb34092d0"
},
{
"url": "https://git.kernel.org/stable/c/a28112cc55013cd8cbd5d36b5115a5b851151bd9"
},
{
"url": "https://git.kernel.org/stable/c/060ecc81240ef9d60d9485a3a5eb55a0d6e7a25c"
},
{
"url": "https://git.kernel.org/stable/c/7331925c247b03b7767b8cd93cfe1b7aa2377850"
},
{
"url": "https://git.kernel.org/stable/c/7a619f8c869117ffed08365b377f66b7e1d941b4"
},
{
"url": "https://git.kernel.org/stable/c/db5a5406fb7e5337a074385c7a3e53c77f2c1bd3"
}
],
"title": "nvmet-fc: move lsop put work to nvmet_fc_ls_req_op",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40171",
"datePublished": "2025-11-12T10:46:52.289Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:25.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68729 (GCVE-0-2025-68729)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
wifi: ath12k: Fix MSDU buffer types handling in RX error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Fix MSDU buffer types handling in RX error path
Currently, packets received on the REO exception ring from
unassociated peers are of MSDU buffer type, while the driver expects
link descriptor type packets. These packets are not parsed further due
to a return check on packet type in ath12k_hal_desc_reo_parse_err(),
but the associated skb is not freed. This may lead to kernel
crashes and buffer leaks.
Hence to fix, update the RX error handler to explicitly drop
MSDU buffer type packets received on the REO exception ring.
This prevents further processing of invalid packets and ensures
stability in the RX error handling path.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 5ff5a9d71cdc49c3400f30583a784ad0a17d01ec
(git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < ab0554f51e5f2b9506e8a09e8accd02f00056729 (git) Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 36f9edbb9d0fc36c865c74f3c1ad8e1261ad3981 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp_rx.c",
"drivers/net/wireless/ath/ath12k/hal_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ff5a9d71cdc49c3400f30583a784ad0a17d01ec",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "ab0554f51e5f2b9506e8a09e8accd02f00056729",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "36f9edbb9d0fc36c865c74f3c1ad8e1261ad3981",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp_rx.c",
"drivers/net/wireless/ath/ath12k/hal_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix MSDU buffer types handling in RX error path\n\nCurrently, packets received on the REO exception ring from\nunassociated peers are of MSDU buffer type, while the driver expects\nlink descriptor type packets. These packets are not parsed further due\nto a return check on packet type in ath12k_hal_desc_reo_parse_err(),\nbut the associated skb is not freed. This may lead to kernel\ncrashes and buffer leaks.\n\nHence to fix, update the RX error handler to explicitly drop\nMSDU buffer type packets received on the REO exception ring.\nThis prevents further processing of invalid packets and ensures\nstability in the RX error handling path.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:25.474Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ff5a9d71cdc49c3400f30583a784ad0a17d01ec"
},
{
"url": "https://git.kernel.org/stable/c/ab0554f51e5f2b9506e8a09e8accd02f00056729"
},
{
"url": "https://git.kernel.org/stable/c/36f9edbb9d0fc36c865c74f3c1ad8e1261ad3981"
}
],
"title": "wifi: ath12k: Fix MSDU buffer types handling in RX error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68729",
"datePublished": "2025-12-24T10:33:12.515Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-02-09T08:32:25.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40252 (GCVE-0-2025-40252)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()
The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate
over 'cqe->len_list[]' using only a zero-length terminator as
the stopping condition. If the terminator was missing or
malformed, the loop could run past the end of the fixed-size array.
Add an explicit bound check using ARRAY_SIZE() in both loops to prevent
a potential out-of-bounds access.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
55482edc25f0606851de42e73618f813f310d009 , < ecbb12caf399d7cf364b7553ed5aebeaa2f255bc
(git)
Affected: 55482edc25f0606851de42e73618f813f310d009 , < a778912b4a53587ea07d85526d152f85d109cbfe (git) Affected: 55482edc25f0606851de42e73618f813f310d009 , < f0923011c1261b33a2ac1de349256d39cb750dd0 (git) Affected: 55482edc25f0606851de42e73618f813f310d009 , < 917a9d02182ac8b4f25eb47dc02f3ec679608c24 (git) Affected: 55482edc25f0606851de42e73618f813f310d009 , < e441db07f208184e0466abf44b389a81d70c340e (git) Affected: 55482edc25f0606851de42e73618f813f310d009 , < 896f1a2493b59beb2b5ccdf990503dbb16cb2256 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/qlogic/qede/qede_fp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ecbb12caf399d7cf364b7553ed5aebeaa2f255bc",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
},
{
"lessThan": "a778912b4a53587ea07d85526d152f85d109cbfe",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
},
{
"lessThan": "f0923011c1261b33a2ac1de349256d39cb750dd0",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
},
{
"lessThan": "917a9d02182ac8b4f25eb47dc02f3ec679608c24",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
},
{
"lessThan": "e441db07f208184e0466abf44b389a81d70c340e",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
},
{
"lessThan": "896f1a2493b59beb2b5ccdf990503dbb16cb2256",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/qlogic/qede/qede_fp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()\n\nThe loops in \u0027qede_tpa_cont()\u0027 and \u0027qede_tpa_end()\u0027, iterate\nover \u0027cqe-\u003elen_list[]\u0027 using only a zero-length terminator as\nthe stopping condition. If the terminator was missing or\nmalformed, the loop could run past the end of the fixed-size array.\n\nAdd an explicit bound check using ARRAY_SIZE() in both loops to prevent\na potential out-of-bounds access.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:48.403Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ecbb12caf399d7cf364b7553ed5aebeaa2f255bc"
},
{
"url": "https://git.kernel.org/stable/c/a778912b4a53587ea07d85526d152f85d109cbfe"
},
{
"url": "https://git.kernel.org/stable/c/f0923011c1261b33a2ac1de349256d39cb750dd0"
},
{
"url": "https://git.kernel.org/stable/c/917a9d02182ac8b4f25eb47dc02f3ec679608c24"
},
{
"url": "https://git.kernel.org/stable/c/e441db07f208184e0466abf44b389a81d70c340e"
},
{
"url": "https://git.kernel.org/stable/c/896f1a2493b59beb2b5ccdf990503dbb16cb2256"
}
],
"title": "net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40252",
"datePublished": "2025-12-04T16:08:14.393Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-06T21:38:48.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40107 (GCVE-0-2025-40107)
Vulnerability from cvelistv5 – Published: 2025-11-03 12:15 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled
This issue is similar to the vulnerability in the `mcp251x` driver,
which was fixed in commit 03c427147b2d ("can: mcp251x: fix resume from
sleep before interface was brought up").
In the `hi311x` driver, when the device resumes from sleep, the driver
schedules `priv->restart_work`. However, if the network interface was
not previously enabled, the `priv->wq` (workqueue) is not allocated and
initialized, leading to a null pointer dereference.
To fix this, we move the allocation and initialization of the workqueue
from the `hi3110_open` function to the `hi3110_can_probe` function.
This ensures that the workqueue is properly initialized before it is
used during device resume. And added logic to destroy the workqueue
in the error handling paths of `hi3110_can_probe` and in the
`hi3110_can_remove` function to prevent resource leaks.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
57e83fb9b7468c75cb65cde1d23043553c346c6d , < d1fc4c041459e2d4856c1b2501486ba4f0cbf96b
(git)
Affected: 57e83fb9b7468c75cb65cde1d23043553c346c6d , < e93af787187e585933570563c643337fa731584a (git) Affected: 57e83fb9b7468c75cb65cde1d23043553c346c6d , < 1d2ef21f02baff0c109ad78b9e835fb4acb14533 (git) Affected: 57e83fb9b7468c75cb65cde1d23043553c346c6d , < fd00cf38fd437c979f0e5905e3ebdfc3f55a4b96 (git) Affected: 57e83fb9b7468c75cb65cde1d23043553c346c6d , < 6b696808472197b77b888f50bc789a3bae077743 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/spi/hi311x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1fc4c041459e2d4856c1b2501486ba4f0cbf96b",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "e93af787187e585933570563c643337fa731584a",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "1d2ef21f02baff0c109ad78b9e835fb4acb14533",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "fd00cf38fd437c979f0e5905e3ebdfc3f55a4b96",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "6b696808472197b77b888f50bc789a3bae077743",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/spi/hi311x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.12",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled\n\nThis issue is similar to the vulnerability in the `mcp251x` driver,\nwhich was fixed in commit 03c427147b2d (\"can: mcp251x: fix resume from\nsleep before interface was brought up\").\n\nIn the `hi311x` driver, when the device resumes from sleep, the driver\nschedules `priv-\u003erestart_work`. However, if the network interface was\nnot previously enabled, the `priv-\u003ewq` (workqueue) is not allocated and\ninitialized, leading to a null pointer dereference.\n\nTo fix this, we move the allocation and initialization of the workqueue\nfrom the `hi3110_open` function to the `hi3110_can_probe` function.\nThis ensures that the workqueue is properly initialized before it is\nused during device resume. And added logic to destroy the workqueue\nin the error handling paths of `hi3110_can_probe` and in the\n`hi3110_can_remove` function to prevent resource leaks."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:03.719Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1fc4c041459e2d4856c1b2501486ba4f0cbf96b"
},
{
"url": "https://git.kernel.org/stable/c/e93af787187e585933570563c643337fa731584a"
},
{
"url": "https://git.kernel.org/stable/c/1d2ef21f02baff0c109ad78b9e835fb4acb14533"
},
{
"url": "https://git.kernel.org/stable/c/fd00cf38fd437c979f0e5905e3ebdfc3f55a4b96"
},
{
"url": "https://git.kernel.org/stable/c/6b696808472197b77b888f50bc789a3bae077743"
}
],
"title": "can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40107",
"datePublished": "2025-11-03T12:15:12.587Z",
"dateReserved": "2025-04-16T07:20:57.167Z",
"dateUpdated": "2026-01-02T15:33:03.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40042 (GCVE-0-2025-40042)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
tracing: Fix race condition in kprobe initialization causing NULL pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix race condition in kprobe initialization causing NULL pointer dereference
There is a critical race condition in kprobe initialization that can lead to
NULL pointer dereference and kernel crash.
[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000
...
[1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO)
[1135630.269239] pc : kprobe_perf_func+0x30/0x260
[1135630.277643] lr : kprobe_dispatcher+0x44/0x60
[1135630.286041] sp : ffffaeff4977fa40
[1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400
[1135630.302837] x27: 0000000000000000 x26: 0000000000000000
[1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528
[1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50
[1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50
[1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000
[1135630.349985] x17: 0000000000000000 x16: 0000000000000000
[1135630.359285] x15: 0000000000000000 x14: 0000000000000000
[1135630.368445] x13: 0000000000000000 x12: 0000000000000000
[1135630.377473] x11: 0000000000000000 x10: 0000000000000000
[1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000
[1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000
[1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000
[1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006
[1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000
[1135630.429410] Call trace:
[1135630.434828] kprobe_perf_func+0x30/0x260
[1135630.441661] kprobe_dispatcher+0x44/0x60
[1135630.448396] aggr_pre_handler+0x70/0xc8
[1135630.454959] kprobe_breakpoint_handler+0x140/0x1e0
[1135630.462435] brk_handler+0xbc/0xd8
[1135630.468437] do_debug_exception+0x84/0x138
[1135630.475074] el1_dbg+0x18/0x8c
[1135630.480582] security_file_permission+0x0/0xd0
[1135630.487426] vfs_write+0x70/0x1c0
[1135630.493059] ksys_write+0x5c/0xc8
[1135630.498638] __arm64_sys_write+0x24/0x30
[1135630.504821] el0_svc_common+0x78/0x130
[1135630.510838] el0_svc_handler+0x38/0x78
[1135630.516834] el0_svc+0x8/0x1b0
kernel/trace/trace_kprobe.c: 1308
0xffff3df8995039ec <kprobe_perf_func+0x2c>: ldr x21, [x24,#120]
include/linux/compiler.h: 294
0xffff3df8995039f0 <kprobe_perf_func+0x30>: ldr x1, [x21,x0]
kernel/trace/trace_kprobe.c
1308: head = this_cpu_ptr(call->perf_events);
1309: if (hlist_empty(head))
1310: return 0;
crash> struct trace_event_call -o
struct trace_event_call {
...
[120] struct hlist_head *perf_events; //(call->perf_event)
...
}
crash> struct trace_event_call ffffaf015340e528
struct trace_event_call {
...
perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0
...
}
Race Condition Analysis:
The race occurs between kprobe activation and perf_events initialization:
CPU0 CPU1
==== ====
perf_kprobe_init
perf_trace_event_init
tp_event->perf_events = list;(1)
tp_event->class->reg (2)← KPROBE ACTIVE
Debug exception triggers
...
kprobe_dispatcher
kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE)
head = this_cpu_ptr(call->perf_events)(3)
(perf_events is still NULL)
Problem:
1. CPU0 executes (1) assigning tp_event->perf_events = list
2. CPU0 executes (2) enabling kprobe functionality via class->reg()
3. CPU1 triggers and reaches kprobe_dispatcher
4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed)
5. CPU1 calls kprobe_perf_func() and crashes at (3) because
call->perf_events is still NULL
CPU1 sees that kprobe functionality is enabled but does not see that
perf_events has been assigned.
Add pairing read an
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
50d780560785b068c358675c5f0bf6c83b5c373e , < 07926ce598a95de6fd874a74fb510e2ebdfd0aae
(git)
Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 9c4951b691bb8d7a004acd010f45144391f85ea6 (git) Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 95dd33361061f808d1f68616d69ada639e737cfa (git) Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < a6e89ada1ff6b70df73f579071ffa6ade8ae7f98 (git) Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 1a301228c0a8aedc3154fb1a274456f487416b96 (git) Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 0fa388ab2c290ef1115ff88ae88e881d0fb2db02 (git) Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 5ebea6561649d30ec7a18fea23d7f76738dae916 (git) Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_fprobe.c",
"kernel/trace/trace_kprobe.c",
"kernel/trace/trace_probe.h",
"kernel/trace/trace_uprobe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07926ce598a95de6fd874a74fb510e2ebdfd0aae",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "9c4951b691bb8d7a004acd010f45144391f85ea6",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "95dd33361061f808d1f68616d69ada639e737cfa",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "a6e89ada1ff6b70df73f579071ffa6ade8ae7f98",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "1a301228c0a8aedc3154fb1a274456f487416b96",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "0fa388ab2c290ef1115ff88ae88e881d0fb2db02",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "5ebea6561649d30ec7a18fea23d7f76738dae916",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_fprobe.c",
"kernel/trace/trace_kprobe.c",
"kernel/trace/trace_probe.h",
"kernel/trace/trace_uprobe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix race condition in kprobe initialization causing NULL pointer dereference\n\nThere is a critical race condition in kprobe initialization that can lead to\nNULL pointer dereference and kernel crash.\n\n[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000\n...\n[1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO)\n[1135630.269239] pc : kprobe_perf_func+0x30/0x260\n[1135630.277643] lr : kprobe_dispatcher+0x44/0x60\n[1135630.286041] sp : ffffaeff4977fa40\n[1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400\n[1135630.302837] x27: 0000000000000000 x26: 0000000000000000\n[1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528\n[1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50\n[1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50\n[1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000\n[1135630.349985] x17: 0000000000000000 x16: 0000000000000000\n[1135630.359285] x15: 0000000000000000 x14: 0000000000000000\n[1135630.368445] x13: 0000000000000000 x12: 0000000000000000\n[1135630.377473] x11: 0000000000000000 x10: 0000000000000000\n[1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000\n[1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000\n[1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000\n[1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006\n[1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000\n[1135630.429410] Call trace:\n[1135630.434828] kprobe_perf_func+0x30/0x260\n[1135630.441661] kprobe_dispatcher+0x44/0x60\n[1135630.448396] aggr_pre_handler+0x70/0xc8\n[1135630.454959] kprobe_breakpoint_handler+0x140/0x1e0\n[1135630.462435] brk_handler+0xbc/0xd8\n[1135630.468437] do_debug_exception+0x84/0x138\n[1135630.475074] el1_dbg+0x18/0x8c\n[1135630.480582] security_file_permission+0x0/0xd0\n[1135630.487426] vfs_write+0x70/0x1c0\n[1135630.493059] ksys_write+0x5c/0xc8\n[1135630.498638] __arm64_sys_write+0x24/0x30\n[1135630.504821] el0_svc_common+0x78/0x130\n[1135630.510838] el0_svc_handler+0x38/0x78\n[1135630.516834] el0_svc+0x8/0x1b0\n\nkernel/trace/trace_kprobe.c: 1308\n0xffff3df8995039ec \u003ckprobe_perf_func+0x2c\u003e: ldr x21, [x24,#120]\ninclude/linux/compiler.h: 294\n0xffff3df8995039f0 \u003ckprobe_perf_func+0x30\u003e: ldr x1, [x21,x0]\n\nkernel/trace/trace_kprobe.c\n1308: head = this_cpu_ptr(call-\u003eperf_events);\n1309: if (hlist_empty(head))\n1310: \treturn 0;\n\ncrash\u003e struct trace_event_call -o\nstruct trace_event_call {\n ...\n [120] struct hlist_head *perf_events; //(call-\u003eperf_event)\n ...\n}\n\ncrash\u003e struct trace_event_call ffffaf015340e528\nstruct trace_event_call {\n ...\n perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0\n ...\n}\n\nRace Condition Analysis:\n\nThe race occurs between kprobe activation and perf_events initialization:\n\n CPU0 CPU1\n ==== ====\n perf_kprobe_init\n perf_trace_event_init\n tp_event-\u003eperf_events = list;(1)\n tp_event-\u003eclass-\u003ereg (2)\u2190 KPROBE ACTIVE\n Debug exception triggers\n ...\n kprobe_dispatcher\n kprobe_perf_func (tk-\u003etp.flags \u0026 TP_FLAG_PROFILE)\n head = this_cpu_ptr(call-\u003eperf_events)(3)\n (perf_events is still NULL)\n\nProblem:\n1. CPU0 executes (1) assigning tp_event-\u003eperf_events = list\n2. CPU0 executes (2) enabling kprobe functionality via class-\u003ereg()\n3. CPU1 triggers and reaches kprobe_dispatcher\n4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed)\n5. CPU1 calls kprobe_perf_func() and crashes at (3) because\n call-\u003eperf_events is still NULL\n\nCPU1 sees that kprobe functionality is enabled but does not see that\nperf_events has been assigned.\n\nAdd pairing read an\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:46.821Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07926ce598a95de6fd874a74fb510e2ebdfd0aae"
},
{
"url": "https://git.kernel.org/stable/c/9c4951b691bb8d7a004acd010f45144391f85ea6"
},
{
"url": "https://git.kernel.org/stable/c/95dd33361061f808d1f68616d69ada639e737cfa"
},
{
"url": "https://git.kernel.org/stable/c/a6e89ada1ff6b70df73f579071ffa6ade8ae7f98"
},
{
"url": "https://git.kernel.org/stable/c/1a301228c0a8aedc3154fb1a274456f487416b96"
},
{
"url": "https://git.kernel.org/stable/c/0fa388ab2c290ef1115ff88ae88e881d0fb2db02"
},
{
"url": "https://git.kernel.org/stable/c/5ebea6561649d30ec7a18fea23d7f76738dae916"
},
{
"url": "https://git.kernel.org/stable/c/9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f"
}
],
"title": "tracing: Fix race condition in kprobe initialization causing NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40042",
"datePublished": "2025-10-28T11:48:21.638Z",
"dateReserved": "2025-04-16T07:20:57.154Z",
"dateUpdated": "2025-12-01T06:16:46.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39857 (GCVE-0-2025-39857)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
BUG: kernel NULL pointer dereference, address: 00000000000002ec
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Workqueue: smc_hs_wq smc_listen_work [smc]
RIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc]
...
Call Trace:
<TASK>
smcr_buf_map_link+0x211/0x2a0 [smc]
__smc_buf_create+0x522/0x970 [smc]
smc_buf_create+0x3a/0x110 [smc]
smc_find_rdma_v2_device_serv+0x18f/0x240 [smc]
? smc_vlan_by_tcpsk+0x7e/0xe0 [smc]
smc_listen_find_device+0x1dd/0x2b0 [smc]
smc_listen_work+0x30f/0x580 [smc]
process_one_work+0x18c/0x340
worker_thread+0x242/0x360
kthread+0xe7/0x220
ret_from_fork+0x13a/0x160
ret_from_fork_asm+0x1a/0x30
</TASK>
If the software RoCE device is used, ibdev->dma_device is a null pointer.
As a result, the problem occurs. Null pointer detection is added to
prevent problems.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0ef69e788411cba2af017db731a9fc62d255e9ac , < 0cdf1fd8fc59d44a48c694324611136910301ef9
(git)
Affected: 0ef69e788411cba2af017db731a9fc62d255e9ac , < f18d9b3abf9c6587372cc702f963a7592277ed56 (git) Affected: 0ef69e788411cba2af017db731a9fc62d255e9ac , < eb929910bd4b4165920fa06a87b22cc6cae92e0e (git) Affected: 0ef69e788411cba2af017db731a9fc62d255e9ac , < 34f17cbe027050b8d5316ea1b6f9bd7c378e92de (git) Affected: 0ef69e788411cba2af017db731a9fc62d255e9ac , < ba1e9421cf1a8369d25c3832439702a015d6b5f9 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:10.731Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_ib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0cdf1fd8fc59d44a48c694324611136910301ef9",
"status": "affected",
"version": "0ef69e788411cba2af017db731a9fc62d255e9ac",
"versionType": "git"
},
{
"lessThan": "f18d9b3abf9c6587372cc702f963a7592277ed56",
"status": "affected",
"version": "0ef69e788411cba2af017db731a9fc62d255e9ac",
"versionType": "git"
},
{
"lessThan": "eb929910bd4b4165920fa06a87b22cc6cae92e0e",
"status": "affected",
"version": "0ef69e788411cba2af017db731a9fc62d255e9ac",
"versionType": "git"
},
{
"lessThan": "34f17cbe027050b8d5316ea1b6f9bd7c378e92de",
"status": "affected",
"version": "0ef69e788411cba2af017db731a9fc62d255e9ac",
"versionType": "git"
},
{
"lessThan": "ba1e9421cf1a8369d25c3832439702a015d6b5f9",
"status": "affected",
"version": "0ef69e788411cba2af017db731a9fc62d255e9ac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_ib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()\n\nBUG: kernel NULL pointer dereference, address: 00000000000002ec\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP PTI\nCPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\nWorkqueue: smc_hs_wq smc_listen_work [smc]\nRIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc]\n...\nCall Trace:\n \u003cTASK\u003e\n smcr_buf_map_link+0x211/0x2a0 [smc]\n __smc_buf_create+0x522/0x970 [smc]\n smc_buf_create+0x3a/0x110 [smc]\n smc_find_rdma_v2_device_serv+0x18f/0x240 [smc]\n ? smc_vlan_by_tcpsk+0x7e/0xe0 [smc]\n smc_listen_find_device+0x1dd/0x2b0 [smc]\n smc_listen_work+0x30f/0x580 [smc]\n process_one_work+0x18c/0x340\n worker_thread+0x242/0x360\n kthread+0xe7/0x220\n ret_from_fork+0x13a/0x160\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nIf the software RoCE device is used, ibdev-\u003edma_device is a null pointer.\nAs a result, the problem occurs. Null pointer detection is added to\nprevent problems."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:10.903Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0cdf1fd8fc59d44a48c694324611136910301ef9"
},
{
"url": "https://git.kernel.org/stable/c/f18d9b3abf9c6587372cc702f963a7592277ed56"
},
{
"url": "https://git.kernel.org/stable/c/eb929910bd4b4165920fa06a87b22cc6cae92e0e"
},
{
"url": "https://git.kernel.org/stable/c/34f17cbe027050b8d5316ea1b6f9bd7c378e92de"
},
{
"url": "https://git.kernel.org/stable/c/ba1e9421cf1a8369d25c3832439702a015d6b5f9"
}
],
"title": "net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39857",
"datePublished": "2025-09-19T15:26:28.225Z",
"dateReserved": "2025-04-16T07:20:57.142Z",
"dateUpdated": "2025-11-03T17:44:10.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40307 (GCVE-0-2025-40307)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
exfat: validate cluster allocation bits of the allocation bitmap
Summary
In the Linux kernel, the following vulnerability has been resolved:
exfat: validate cluster allocation bits of the allocation bitmap
syzbot created an exfat image with cluster bits not set for the allocation
bitmap. exfat-fs reads and uses the allocation bitmap without checking
this. The problem is that if the start cluster of the allocation bitmap
is 6, cluster 6 can be allocated when creating a directory with mkdir.
exfat zeros out this cluster in exfat_mkdir, which can delete existing
entries. This can reallocate the allocated entries. In addition,
the allocation bitmap is also zeroed out, so cluster 6 can be reallocated.
This patch adds exfat_test_bitmap_range to validate that clusters used for
the allocation bitmap are correctly marked as in-use.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < 6bc58b4c53795ab5fe00648344aa7d9d61175f90
(git)
Affected: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < 13c1d24803d5b0446b3f6f0fdd67e07ac1fdc7bf (git) Affected: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < 79c1587b6cda74deb0c86fc7ba194b92958c793c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/exfat/balloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6bc58b4c53795ab5fe00648344aa7d9d61175f90",
"status": "affected",
"version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
"versionType": "git"
},
{
"lessThan": "13c1d24803d5b0446b3f6f0fdd67e07ac1fdc7bf",
"status": "affected",
"version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
"versionType": "git"
},
{
"lessThan": "79c1587b6cda74deb0c86fc7ba194b92958c793c",
"status": "affected",
"version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/exfat/balloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: validate cluster allocation bits of the allocation bitmap\n\nsyzbot created an exfat image with cluster bits not set for the allocation\nbitmap. exfat-fs reads and uses the allocation bitmap without checking\nthis. The problem is that if the start cluster of the allocation bitmap\nis 6, cluster 6 can be allocated when creating a directory with mkdir.\nexfat zeros out this cluster in exfat_mkdir, which can delete existing\nentries. This can reallocate the allocated entries. In addition,\nthe allocation bitmap is also zeroed out, so cluster 6 can be reallocated.\nThis patch adds exfat_test_bitmap_range to validate that clusters used for\nthe allocation bitmap are correctly marked as in-use."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:58.576Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6bc58b4c53795ab5fe00648344aa7d9d61175f90"
},
{
"url": "https://git.kernel.org/stable/c/13c1d24803d5b0446b3f6f0fdd67e07ac1fdc7bf"
},
{
"url": "https://git.kernel.org/stable/c/79c1587b6cda74deb0c86fc7ba194b92958c793c"
}
],
"title": "exfat: validate cluster allocation bits of the allocation bitmap",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40307",
"datePublished": "2025-12-08T00:46:32.659Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-20T08:51:58.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68360 (GCVE-0-2025-68360)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
wifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks
MT7996 driver can use both wed and wed_hif2 devices to offload traffic
from/to the wireless NIC. In the current codebase we assume to always
use the primary wed device in wed callbacks resulting in the following
crash if the hw runs wed_hif2 (e.g. 6GHz link).
[ 297.455876] Unable to handle kernel read from unreadable memory at virtual address 000000000000080a
[ 297.464928] Mem abort info:
[ 297.467722] ESR = 0x0000000096000005
[ 297.471461] EC = 0x25: DABT (current EL), IL = 32 bits
[ 297.476766] SET = 0, FnV = 0
[ 297.479809] EA = 0, S1PTW = 0
[ 297.482940] FSC = 0x05: level 1 translation fault
[ 297.487809] Data abort info:
[ 297.490679] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 297.496156] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 297.501196] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 297.506500] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000107480000
[ 297.512927] [000000000000080a] pgd=08000001097fb003, p4d=08000001097fb003, pud=08000001097fb003, pmd=0000000000000000
[ 297.523532] Internal error: Oops: 0000000096000005 [#1] SMP
[ 297.715393] CPU: 2 UID: 0 PID: 45 Comm: kworker/u16:2 Tainted: G O 6.12.50 #0
[ 297.723908] Tainted: [O]=OOT_MODULE
[ 297.727384] Hardware name: Banana Pi BPI-R4 (2x SFP+) (DT)
[ 297.732857] Workqueue: nf_ft_offload_del nf_flow_rule_route_ipv6 [nf_flow_table]
[ 297.740254] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 297.747205] pc : mt76_wed_offload_disable+0x64/0xa0 [mt76]
[ 297.752688] lr : mtk_wed_flow_remove+0x58/0x80
[ 297.757126] sp : ffffffc080fe3ae0
[ 297.760430] x29: ffffffc080fe3ae0 x28: ffffffc080fe3be0 x27: 00000000deadbef7
[ 297.767557] x26: ffffff80c5ebca00 x25: 0000000000000001 x24: ffffff80c85f4c00
[ 297.774683] x23: ffffff80c1875b78 x22: ffffffc080d42cd0 x21: ffffffc080660018
[ 297.781809] x20: ffffff80c6a076d0 x19: ffffff80c6a043c8 x18: 0000000000000000
[ 297.788935] x17: 0000000000000000 x16: 0000000000000001 x15: 0000000000000000
[ 297.796060] x14: 0000000000000019 x13: ffffff80c0ad8ec0 x12: 00000000fa83b2da
[ 297.803185] x11: ffffff80c02700c0 x10: ffffff80c0ad8ec0 x9 : ffffff81fef96200
[ 297.810311] x8 : ffffff80c02700c0 x7 : ffffff80c02700d0 x6 : 0000000000000002
[ 297.817435] x5 : 0000000000000400 x4 : 0000000000000000 x3 : 0000000000000000
[ 297.824561] x2 : 0000000000000001 x1 : 0000000000000800 x0 : ffffff80c6a063c8
[ 297.831686] Call trace:
[ 297.834123] mt76_wed_offload_disable+0x64/0xa0 [mt76]
[ 297.839254] mtk_wed_flow_remove+0x58/0x80
[ 297.843342] mtk_flow_offload_cmd+0x434/0x574
[ 297.847689] mtk_wed_setup_tc_block_cb+0x30/0x40
[ 297.852295] nf_flow_offload_ipv6_hook+0x7f4/0x964 [nf_flow_table]
[ 297.858466] nf_flow_rule_route_ipv6+0x438/0x4a4 [nf_flow_table]
[ 297.864463] process_one_work+0x174/0x300
[ 297.868465] worker_thread+0x278/0x430
[ 297.872204] kthread+0xd8/0xdc
[ 297.875251] ret_from_fork+0x10/0x20
[ 297.878820] Code: 928b5ae0 8b000273 91400a60 f943fa61 (79401421)
[ 297.884901] ---[ end trace 0000000000000000 ]---
Fix the issue detecting the proper wed reference to use running wed
callabacks.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
83eafc9251d6d30574b629ac637c56d168fcbdd9 , < ab94ecb997fd1bbc501a0116c7aad51556b67c86
(git)
Affected: 83eafc9251d6d30574b629ac637c56d168fcbdd9 , < d582d0e988d696698c94edf097062bb987ae592c (git) Affected: 83eafc9251d6d30574b629ac637c56d168fcbdd9 , < 385aab8fccd7a8746b9f1a17f3c1e38498a14bc7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt76.h",
"drivers/net/wireless/mediatek/mt76/mt7996/mmio.c",
"drivers/net/wireless/mediatek/mt76/wed.c",
"include/linux/soc/mediatek/mtk_wed.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab94ecb997fd1bbc501a0116c7aad51556b67c86",
"status": "affected",
"version": "83eafc9251d6d30574b629ac637c56d168fcbdd9",
"versionType": "git"
},
{
"lessThan": "d582d0e988d696698c94edf097062bb987ae592c",
"status": "affected",
"version": "83eafc9251d6d30574b629ac637c56d168fcbdd9",
"versionType": "git"
},
{
"lessThan": "385aab8fccd7a8746b9f1a17f3c1e38498a14bc7",
"status": "affected",
"version": "83eafc9251d6d30574b629ac637c56d168fcbdd9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt76.h",
"drivers/net/wireless/mediatek/mt76/mt7996/mmio.c",
"drivers/net/wireless/mediatek/mt76/wed.c",
"include/linux/soc/mediatek/mtk_wed.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks\n\nMT7996 driver can use both wed and wed_hif2 devices to offload traffic\nfrom/to the wireless NIC. In the current codebase we assume to always\nuse the primary wed device in wed callbacks resulting in the following\ncrash if the hw runs wed_hif2 (e.g. 6GHz link).\n\n[ 297.455876] Unable to handle kernel read from unreadable memory at virtual address 000000000000080a\n[ 297.464928] Mem abort info:\n[ 297.467722] ESR = 0x0000000096000005\n[ 297.471461] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 297.476766] SET = 0, FnV = 0\n[ 297.479809] EA = 0, S1PTW = 0\n[ 297.482940] FSC = 0x05: level 1 translation fault\n[ 297.487809] Data abort info:\n[ 297.490679] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[ 297.496156] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 297.501196] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 297.506500] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000107480000\n[ 297.512927] [000000000000080a] pgd=08000001097fb003, p4d=08000001097fb003, pud=08000001097fb003, pmd=0000000000000000\n[ 297.523532] Internal error: Oops: 0000000096000005 [#1] SMP\n[ 297.715393] CPU: 2 UID: 0 PID: 45 Comm: kworker/u16:2 Tainted: G O 6.12.50 #0\n[ 297.723908] Tainted: [O]=OOT_MODULE\n[ 297.727384] Hardware name: Banana Pi BPI-R4 (2x SFP+) (DT)\n[ 297.732857] Workqueue: nf_ft_offload_del nf_flow_rule_route_ipv6 [nf_flow_table]\n[ 297.740254] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 297.747205] pc : mt76_wed_offload_disable+0x64/0xa0 [mt76]\n[ 297.752688] lr : mtk_wed_flow_remove+0x58/0x80\n[ 297.757126] sp : ffffffc080fe3ae0\n[ 297.760430] x29: ffffffc080fe3ae0 x28: ffffffc080fe3be0 x27: 00000000deadbef7\n[ 297.767557] x26: ffffff80c5ebca00 x25: 0000000000000001 x24: ffffff80c85f4c00\n[ 297.774683] x23: ffffff80c1875b78 x22: ffffffc080d42cd0 x21: ffffffc080660018\n[ 297.781809] x20: ffffff80c6a076d0 x19: ffffff80c6a043c8 x18: 0000000000000000\n[ 297.788935] x17: 0000000000000000 x16: 0000000000000001 x15: 0000000000000000\n[ 297.796060] x14: 0000000000000019 x13: ffffff80c0ad8ec0 x12: 00000000fa83b2da\n[ 297.803185] x11: ffffff80c02700c0 x10: ffffff80c0ad8ec0 x9 : ffffff81fef96200\n[ 297.810311] x8 : ffffff80c02700c0 x7 : ffffff80c02700d0 x6 : 0000000000000002\n[ 297.817435] x5 : 0000000000000400 x4 : 0000000000000000 x3 : 0000000000000000\n[ 297.824561] x2 : 0000000000000001 x1 : 0000000000000800 x0 : ffffff80c6a063c8\n[ 297.831686] Call trace:\n[ 297.834123] mt76_wed_offload_disable+0x64/0xa0 [mt76]\n[ 297.839254] mtk_wed_flow_remove+0x58/0x80\n[ 297.843342] mtk_flow_offload_cmd+0x434/0x574\n[ 297.847689] mtk_wed_setup_tc_block_cb+0x30/0x40\n[ 297.852295] nf_flow_offload_ipv6_hook+0x7f4/0x964 [nf_flow_table]\n[ 297.858466] nf_flow_rule_route_ipv6+0x438/0x4a4 [nf_flow_table]\n[ 297.864463] process_one_work+0x174/0x300\n[ 297.868465] worker_thread+0x278/0x430\n[ 297.872204] kthread+0xd8/0xdc\n[ 297.875251] ret_from_fork+0x10/0x20\n[ 297.878820] Code: 928b5ae0 8b000273 91400a60 f943fa61 (79401421)\n[ 297.884901] ---[ end trace 0000000000000000 ]---\n\nFix the issue detecting the proper wed reference to use running wed\ncallabacks."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:55.679Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab94ecb997fd1bbc501a0116c7aad51556b67c86"
},
{
"url": "https://git.kernel.org/stable/c/d582d0e988d696698c94edf097062bb987ae592c"
},
{
"url": "https://git.kernel.org/stable/c/385aab8fccd7a8746b9f1a17f3c1e38498a14bc7"
}
],
"title": "wifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68360",
"datePublished": "2025-12-24T10:32:49.121Z",
"dateReserved": "2025-12-16T14:48:05.305Z",
"dateUpdated": "2026-02-09T08:31:55.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39871 (GCVE-0-2025-39871)
Vulnerability from cvelistv5 – Published: 2025-09-23 06:00 – Updated: 2026-01-11 16:29
VLAI?
EPSS
Title
dmaengine: idxd: Remove improper idxd_free
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Remove improper idxd_free
The call to idxd_free() introduces a duplicate put_device() leading to a
reference count underflow:
refcount_t: underflow; use-after-free.
WARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110
...
Call Trace:
<TASK>
idxd_remove+0xe4/0x120 [idxd]
pci_device_remove+0x3f/0xb0
device_release_driver_internal+0x197/0x200
driver_detach+0x48/0x90
bus_remove_driver+0x74/0xf0
pci_unregister_driver+0x2e/0xb0
idxd_exit_module+0x34/0x7a0 [idxd]
__do_sys_delete_module.constprop.0+0x183/0x280
do_syscall_64+0x54/0xd70
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The idxd_unregister_devices() which is invoked at the very beginning of
idxd_remove(), already takes care of the necessary put_device() through the
following call path:
idxd_unregister_devices() -> device_unregister() -> put_device()
In addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may
trigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is
called immediately after, it can result in a use-after-free.
Remove the improper idxd_free() to avoid both the refcount underflow and
potential memory corruption during module unload.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
68ac5a01f635b3791196fd1c39bc48497252c36f , < 24414bbcb37e1af95190af36c21ae51d497e1a9e
(git)
Affected: d2d05fd0fc95c4defed6f7b87550e20e8baa1d97 , < 0e95ee7f532b21206fe3f1c4054002b0d21e3b9c (git) Affected: 21f9f5cd9a0c75084d4369ba0b8c4f695c41dea7 , < dd7a7e43269711d757fc260b0bbdf7138f75de11 (git) Affected: d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805 , < da4fbc1488a4cec6748da685181ee4449a878dac (git) Affected: d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805 , < f41c538881eec4dcf5961a242097d447f848cda6 (git) Affected: 2b7a961cea0e5b65afda911f76d14fec5c98d024 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "24414bbcb37e1af95190af36c21ae51d497e1a9e",
"status": "affected",
"version": "68ac5a01f635b3791196fd1c39bc48497252c36f",
"versionType": "git"
},
{
"lessThan": "0e95ee7f532b21206fe3f1c4054002b0d21e3b9c",
"status": "affected",
"version": "d2d05fd0fc95c4defed6f7b87550e20e8baa1d97",
"versionType": "git"
},
{
"lessThan": "dd7a7e43269711d757fc260b0bbdf7138f75de11",
"status": "affected",
"version": "21f9f5cd9a0c75084d4369ba0b8c4f695c41dea7",
"versionType": "git"
},
{
"lessThan": "da4fbc1488a4cec6748da685181ee4449a878dac",
"status": "affected",
"version": "d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805",
"versionType": "git"
},
{
"lessThan": "f41c538881eec4dcf5961a242097d447f848cda6",
"status": "affected",
"version": "d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805",
"versionType": "git"
},
{
"status": "affected",
"version": "2b7a961cea0e5b65afda911f76d14fec5c98d024",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "6.6.92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.12.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Remove improper idxd_free\n\nThe call to idxd_free() introduces a duplicate put_device() leading to a\nreference count underflow:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110\n...\nCall Trace:\n \u003cTASK\u003e\n idxd_remove+0xe4/0x120 [idxd]\n pci_device_remove+0x3f/0xb0\n device_release_driver_internal+0x197/0x200\n driver_detach+0x48/0x90\n bus_remove_driver+0x74/0xf0\n pci_unregister_driver+0x2e/0xb0\n idxd_exit_module+0x34/0x7a0 [idxd]\n __do_sys_delete_module.constprop.0+0x183/0x280\n do_syscall_64+0x54/0xd70\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe idxd_unregister_devices() which is invoked at the very beginning of\nidxd_remove(), already takes care of the necessary put_device() through the\nfollowing call path:\nidxd_unregister_devices() -\u003e device_unregister() -\u003e put_device()\n\nIn addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may\ntrigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is\ncalled immediately after, it can result in a use-after-free.\n\nRemove the improper idxd_free() to avoid both the refcount underflow and\npotential memory corruption during module unload."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:23.891Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/24414bbcb37e1af95190af36c21ae51d497e1a9e"
},
{
"url": "https://git.kernel.org/stable/c/0e95ee7f532b21206fe3f1c4054002b0d21e3b9c"
},
{
"url": "https://git.kernel.org/stable/c/dd7a7e43269711d757fc260b0bbdf7138f75de11"
},
{
"url": "https://git.kernel.org/stable/c/da4fbc1488a4cec6748da685181ee4449a878dac"
},
{
"url": "https://git.kernel.org/stable/c/f41c538881eec4dcf5961a242097d447f848cda6"
}
],
"title": "dmaengine: idxd: Remove improper idxd_free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39871",
"datePublished": "2025-09-23T06:00:44.882Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2026-01-11T16:29:23.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40123 (GCVE-0-2025-40123)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
bpf: Enforce expected_attach_type for tailcall compatibility
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Enforce expected_attach_type for tailcall compatibility
Yinhao et al. recently reported:
Our fuzzer tool discovered an uninitialized pointer issue in the
bpf_prog_test_run_xdp() function within the Linux kernel's BPF subsystem.
This leads to a NULL pointer dereference when a BPF program attempts to
deference the txq member of struct xdp_buff object.
The test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as the
entry point for bpf_prog_test_run_xdp() and its expected_attach_type can
neither be of be BPF_XDP_DEVMAP nor BPF_XDP_CPUMAP. progA calls into a slot
of a tailcall map it owns. progB's expected_attach_type must be BPF_XDP_DEVMAP
to pass xdp_is_valid_access() validation. The program returns struct xdp_md's
egress_ifindex, and the latter is only allowed to be accessed under mentioned
expected_attach_type. progB is then inserted into the tailcall which progA
calls.
The underlying issue goes beyond XDP though. Another example are programs
of type BPF_PROG_TYPE_CGROUP_SOCK_ADDR. sock_addr_is_valid_access() as well
as sock_addr_func_proto() have different logic depending on the programs'
expected_attach_type. Similarly, a program attached to BPF_CGROUP_INET4_GETPEERNAME
should not be allowed doing a tailcall into a program which calls bpf_bind()
out of BPF which is only enabled for BPF_CGROUP_INET4_CONNECT.
In short, specifying expected_attach_type allows to open up additional
functionality or restrictions beyond what the basic bpf_prog_type enables.
The use of tailcalls must not violate these constraints. Fix it by enforcing
expected_attach_type in __bpf_prog_map_compatible().
Note that we only enforce this for tailcall maps, but not for BPF devmaps or
cpumaps: There, the programs are invoked through dev_map_bpf_prog_run*() and
cpu_map_bpf_prog_run*() which set up a new environment / context and therefore
these situations are not prone to this issue.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5e43f899b03a3492ce5fc44e8900becb04dae9c0 , < a99de19128aec0913f3d529f529fbbff5edfaff8
(git)
Affected: 5e43f899b03a3492ce5fc44e8900becb04dae9c0 , < 08cb3dc9d2b44f153d0bcf2cb966e4a94b5d0f32 (git) Affected: 5e43f899b03a3492ce5fc44e8900becb04dae9c0 , < f856c598080ba7ce1252867b8ecd6ad5bdaf9a6a (git) Affected: 5e43f899b03a3492ce5fc44e8900becb04dae9c0 , < c1ad19b5d8e23123503dcaf2d4342e1b90b923ad (git) Affected: 5e43f899b03a3492ce5fc44e8900becb04dae9c0 , < 4540aed51b12bc13364149bf95f6ecef013197c0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/bpf.h",
"kernel/bpf/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a99de19128aec0913f3d529f529fbbff5edfaff8",
"status": "affected",
"version": "5e43f899b03a3492ce5fc44e8900becb04dae9c0",
"versionType": "git"
},
{
"lessThan": "08cb3dc9d2b44f153d0bcf2cb966e4a94b5d0f32",
"status": "affected",
"version": "5e43f899b03a3492ce5fc44e8900becb04dae9c0",
"versionType": "git"
},
{
"lessThan": "f856c598080ba7ce1252867b8ecd6ad5bdaf9a6a",
"status": "affected",
"version": "5e43f899b03a3492ce5fc44e8900becb04dae9c0",
"versionType": "git"
},
{
"lessThan": "c1ad19b5d8e23123503dcaf2d4342e1b90b923ad",
"status": "affected",
"version": "5e43f899b03a3492ce5fc44e8900becb04dae9c0",
"versionType": "git"
},
{
"lessThan": "4540aed51b12bc13364149bf95f6ecef013197c0",
"status": "affected",
"version": "5e43f899b03a3492ce5fc44e8900becb04dae9c0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/bpf.h",
"kernel/bpf/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Enforce expected_attach_type for tailcall compatibility\n\nYinhao et al. recently reported:\n\n Our fuzzer tool discovered an uninitialized pointer issue in the\n bpf_prog_test_run_xdp() function within the Linux kernel\u0027s BPF subsystem.\n This leads to a NULL pointer dereference when a BPF program attempts to\n deference the txq member of struct xdp_buff object.\n\nThe test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as the\nentry point for bpf_prog_test_run_xdp() and its expected_attach_type can\nneither be of be BPF_XDP_DEVMAP nor BPF_XDP_CPUMAP. progA calls into a slot\nof a tailcall map it owns. progB\u0027s expected_attach_type must be BPF_XDP_DEVMAP\nto pass xdp_is_valid_access() validation. The program returns struct xdp_md\u0027s\negress_ifindex, and the latter is only allowed to be accessed under mentioned\nexpected_attach_type. progB is then inserted into the tailcall which progA\ncalls.\n\nThe underlying issue goes beyond XDP though. Another example are programs\nof type BPF_PROG_TYPE_CGROUP_SOCK_ADDR. sock_addr_is_valid_access() as well\nas sock_addr_func_proto() have different logic depending on the programs\u0027\nexpected_attach_type. Similarly, a program attached to BPF_CGROUP_INET4_GETPEERNAME\nshould not be allowed doing a tailcall into a program which calls bpf_bind()\nout of BPF which is only enabled for BPF_CGROUP_INET4_CONNECT.\n\nIn short, specifying expected_attach_type allows to open up additional\nfunctionality or restrictions beyond what the basic bpf_prog_type enables.\nThe use of tailcalls must not violate these constraints. Fix it by enforcing\nexpected_attach_type in __bpf_prog_map_compatible().\n\nNote that we only enforce this for tailcall maps, but not for BPF devmaps or\ncpumaps: There, the programs are invoked through dev_map_bpf_prog_run*() and\ncpu_map_bpf_prog_run*() which set up a new environment / context and therefore\nthese situations are not prone to this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:28.394Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a99de19128aec0913f3d529f529fbbff5edfaff8"
},
{
"url": "https://git.kernel.org/stable/c/08cb3dc9d2b44f153d0bcf2cb966e4a94b5d0f32"
},
{
"url": "https://git.kernel.org/stable/c/f856c598080ba7ce1252867b8ecd6ad5bdaf9a6a"
},
{
"url": "https://git.kernel.org/stable/c/c1ad19b5d8e23123503dcaf2d4342e1b90b923ad"
},
{
"url": "https://git.kernel.org/stable/c/4540aed51b12bc13364149bf95f6ecef013197c0"
}
],
"title": "bpf: Enforce expected_attach_type for tailcall compatibility",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40123",
"datePublished": "2025-11-12T10:23:19.589Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:28.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68245 (GCVE-0-2025-68245)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:21 – Updated: 2025-12-16 14:21
VLAI?
EPSS
Title
net: netpoll: fix incorrect refcount handling causing incorrect cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: netpoll: fix incorrect refcount handling causing incorrect cleanup
commit efa95b01da18 ("netpoll: fix use after free") incorrectly
ignored the refcount and prematurely set dev->npinfo to NULL during
netpoll cleanup, leading to improper behavior and memory leaks.
Scenario causing lack of proper cleanup:
1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is
allocated, and refcnt = 1
- Keep in mind that npinfo is shared among all netpoll instances. In
this case, there is just one.
2) Another netpoll is also associated with the same NIC and
npinfo->refcnt += 1.
- Now dev->npinfo->refcnt = 2;
- There is just one npinfo associated to the netdev.
3) When the first netpolls goes to clean up:
- The first cleanup succeeds and clears np->dev->npinfo, ignoring
refcnt.
- It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`
- Set dev->npinfo = NULL, without proper cleanup
- No ->ndo_netpoll_cleanup() is either called
4) Now the second target tries to clean up
- The second cleanup fails because np->dev->npinfo is already NULL.
* In this case, ops->ndo_netpoll_cleanup() was never called, and
the skb pool is not cleaned as well (for the second netpoll
instance)
- This leaks npinfo and skbpool skbs, which is clearly reported by
kmemleak.
Revert commit efa95b01da18 ("netpoll: fix use after free") and adds
clarifying comments emphasizing that npinfo cleanup should only happen
once the refcount reaches zero, ensuring stable and correct netpoll
behavior.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
efa95b01da18ad22af62f6d99a3243f3be8fd264 , < 8e6a50edad11e3e1426e4c29e7aa6201f3468ac2
(git)
Affected: efa95b01da18ad22af62f6d99a3243f3be8fd264 , < 9b0bb18b4b9dc017c1825a2c5e763615e34a1593 (git) Affected: efa95b01da18ad22af62f6d99a3243f3be8fd264 , < 890472d6fbf062e6de7fdd56642cb305ab79d669 (git) Affected: efa95b01da18ad22af62f6d99a3243f3be8fd264 , < 4afd4ebbad52aa146838ec23082ba393e426a2bb (git) Affected: efa95b01da18ad22af62f6d99a3243f3be8fd264 , < c645693180a98606c430825223d2029315d85e9d (git) Affected: efa95b01da18ad22af62f6d99a3243f3be8fd264 , < c79a6d9da29219616b118a3adce9a14cd30f9bd0 (git) Affected: efa95b01da18ad22af62f6d99a3243f3be8fd264 , < 9a51b5ccd1c79afec1c03a4e1e6688da52597556 (git) Affected: efa95b01da18ad22af62f6d99a3243f3be8fd264 , < 49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/netpoll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e6a50edad11e3e1426e4c29e7aa6201f3468ac2",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "9b0bb18b4b9dc017c1825a2c5e763615e34a1593",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "890472d6fbf062e6de7fdd56642cb305ab79d669",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "4afd4ebbad52aa146838ec23082ba393e426a2bb",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "c645693180a98606c430825223d2029315d85e9d",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "c79a6d9da29219616b118a3adce9a14cd30f9bd0",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "9a51b5ccd1c79afec1c03a4e1e6688da52597556",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "49c8d2c1f94cc2f4d1a108530d7ba52614b874c2",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/netpoll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netpoll: fix incorrect refcount handling causing incorrect cleanup\n\ncommit efa95b01da18 (\"netpoll: fix use after free\") incorrectly\nignored the refcount and prematurely set dev-\u003enpinfo to NULL during\nnetpoll cleanup, leading to improper behavior and memory leaks.\n\nScenario causing lack of proper cleanup:\n\n1) A netpoll is associated with a NIC (e.g., eth0) and netdev-\u003enpinfo is\n allocated, and refcnt = 1\n - Keep in mind that npinfo is shared among all netpoll instances. In\n this case, there is just one.\n\n2) Another netpoll is also associated with the same NIC and\n npinfo-\u003erefcnt += 1.\n - Now dev-\u003enpinfo-\u003erefcnt = 2;\n - There is just one npinfo associated to the netdev.\n\n3) When the first netpolls goes to clean up:\n - The first cleanup succeeds and clears np-\u003edev-\u003enpinfo, ignoring\n refcnt.\n - It basically calls `RCU_INIT_POINTER(np-\u003edev-\u003enpinfo, NULL);`\n - Set dev-\u003enpinfo = NULL, without proper cleanup\n - No -\u003endo_netpoll_cleanup() is either called\n\n4) Now the second target tries to clean up\n - The second cleanup fails because np-\u003edev-\u003enpinfo is already NULL.\n * In this case, ops-\u003endo_netpoll_cleanup() was never called, and\n the skb pool is not cleaned as well (for the second netpoll\n instance)\n - This leaks npinfo and skbpool skbs, which is clearly reported by\n kmemleak.\n\nRevert commit efa95b01da18 (\"netpoll: fix use after free\") and adds\nclarifying comments emphasizing that npinfo cleanup should only happen\nonce the refcount reaches zero, ensuring stable and correct netpoll\nbehavior."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:21:22.348Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e6a50edad11e3e1426e4c29e7aa6201f3468ac2"
},
{
"url": "https://git.kernel.org/stable/c/9b0bb18b4b9dc017c1825a2c5e763615e34a1593"
},
{
"url": "https://git.kernel.org/stable/c/890472d6fbf062e6de7fdd56642cb305ab79d669"
},
{
"url": "https://git.kernel.org/stable/c/4afd4ebbad52aa146838ec23082ba393e426a2bb"
},
{
"url": "https://git.kernel.org/stable/c/c645693180a98606c430825223d2029315d85e9d"
},
{
"url": "https://git.kernel.org/stable/c/c79a6d9da29219616b118a3adce9a14cd30f9bd0"
},
{
"url": "https://git.kernel.org/stable/c/9a51b5ccd1c79afec1c03a4e1e6688da52597556"
},
{
"url": "https://git.kernel.org/stable/c/49c8d2c1f94cc2f4d1a108530d7ba52614b874c2"
}
],
"title": "net: netpoll: fix incorrect refcount handling causing incorrect cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68245",
"datePublished": "2025-12-16T14:21:22.348Z",
"dateReserved": "2025-12-16T13:41:40.264Z",
"dateUpdated": "2025-12-16T14:21:22.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39978 (GCVE-0-2025-39978)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:55 – Updated: 2025-10-15 07:55
VLAI?
EPSS
Title
octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()
This code calls kfree_rcu(new_node, rcu) and then dereferences "new_node"
and then dereferences it on the next line. Two lines later, we take
a mutex so I don't think this is an RCU safe region. Re-order it to do
the dereferences before queuing up the free.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
68fbff68dbea35f9e6f7649dd22fce492a5aedac , < 5723120423a753a220b8b2954b273838b9d7e74a
(git)
Affected: 68fbff68dbea35f9e6f7649dd22fce492a5aedac , < df2c071061ed52d2225d97b212d27ecedf456b8a (git) Affected: 68fbff68dbea35f9e6f7649dd22fce492a5aedac , < c41b2941a024d4ec7c768e16ffb10a74b188fced (git) Affected: 68fbff68dbea35f9e6f7649dd22fce492a5aedac , < a8a63f27c3a8a3714210d32b12fd0f16d0337414 (git) Affected: 68fbff68dbea35f9e6f7649dd22fce492a5aedac , < d9c70e93ec5988ab07ad2a92d9f9d12867f02c56 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5723120423a753a220b8b2954b273838b9d7e74a",
"status": "affected",
"version": "68fbff68dbea35f9e6f7649dd22fce492a5aedac",
"versionType": "git"
},
{
"lessThan": "df2c071061ed52d2225d97b212d27ecedf456b8a",
"status": "affected",
"version": "68fbff68dbea35f9e6f7649dd22fce492a5aedac",
"versionType": "git"
},
{
"lessThan": "c41b2941a024d4ec7c768e16ffb10a74b188fced",
"status": "affected",
"version": "68fbff68dbea35f9e6f7649dd22fce492a5aedac",
"versionType": "git"
},
{
"lessThan": "a8a63f27c3a8a3714210d32b12fd0f16d0337414",
"status": "affected",
"version": "68fbff68dbea35f9e6f7649dd22fce492a5aedac",
"versionType": "git"
},
{
"lessThan": "d9c70e93ec5988ab07ad2a92d9f9d12867f02c56",
"status": "affected",
"version": "68fbff68dbea35f9e6f7649dd22fce492a5aedac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix potential use after free in otx2_tc_add_flow()\n\nThis code calls kfree_rcu(new_node, rcu) and then dereferences \"new_node\"\nand then dereferences it on the next line. Two lines later, we take\na mutex so I don\u0027t think this is an RCU safe region. Re-order it to do\nthe dereferences before queuing up the free."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:58.949Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5723120423a753a220b8b2954b273838b9d7e74a"
},
{
"url": "https://git.kernel.org/stable/c/df2c071061ed52d2225d97b212d27ecedf456b8a"
},
{
"url": "https://git.kernel.org/stable/c/c41b2941a024d4ec7c768e16ffb10a74b188fced"
},
{
"url": "https://git.kernel.org/stable/c/a8a63f27c3a8a3714210d32b12fd0f16d0337414"
},
{
"url": "https://git.kernel.org/stable/c/d9c70e93ec5988ab07ad2a92d9f9d12867f02c56"
}
],
"title": "octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39978",
"datePublished": "2025-10-15T07:55:58.949Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:55:58.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39854 (GCVE-0-2025-39854)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2026-01-14 19:23
VLAI?
EPSS
Title
ice: fix NULL access of tx->in_use in ice_ll_ts_intr
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: fix NULL access of tx->in_use in ice_ll_ts_intr
Recent versions of the E810 firmware have support for an extra interrupt to
handle report of the "low latency" Tx timestamps coming from the
specialized low latency firmware interface. Instead of polling the
registers, software can wait until the low latency interrupt is fired.
This logic makes use of the Tx timestamp tracking structure, ice_ptp_tx, as
it uses the same "ready" bitmap to track which Tx timestamps complete.
Unfortunately, the ice_ll_ts_intr() function does not check if the
tracker is initialized before its first access. This results in NULL
dereference or use-after-free bugs similar to the issues fixed in the
ice_ptp_ts_irq() function.
Fix this by only checking the in_use bitmap (and other fields) if the
tracker is marked as initialized. The reset flow will clear the init field
under lock before it tears the tracker down, thus preventing any
use-after-free or NULL access.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
82e71b226e0ef770d7bc143701c8b4960b4eb3d5 , < 2cde98a02da958357fe240a6ba269b69d913b6ba
(git)
Affected: 82e71b226e0ef770d7bc143701c8b4960b4eb3d5 , < 923c267bdbb64f65bc1149d184efcf8b047d7d64 (git) Affected: 82e71b226e0ef770d7bc143701c8b4960b4eb3d5 , < f6486338fde3f04ed0ec59fe67a69a208c32734f (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39854",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:21:46.800433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:23:12.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2cde98a02da958357fe240a6ba269b69d913b6ba",
"status": "affected",
"version": "82e71b226e0ef770d7bc143701c8b4960b4eb3d5",
"versionType": "git"
},
{
"lessThan": "923c267bdbb64f65bc1149d184efcf8b047d7d64",
"status": "affected",
"version": "82e71b226e0ef770d7bc143701c8b4960b4eb3d5",
"versionType": "git"
},
{
"lessThan": "f6486338fde3f04ed0ec59fe67a69a208c32734f",
"status": "affected",
"version": "82e71b226e0ef770d7bc143701c8b4960b4eb3d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix NULL access of tx-\u003ein_use in ice_ll_ts_intr\n\nRecent versions of the E810 firmware have support for an extra interrupt to\nhandle report of the \"low latency\" Tx timestamps coming from the\nspecialized low latency firmware interface. Instead of polling the\nregisters, software can wait until the low latency interrupt is fired.\n\nThis logic makes use of the Tx timestamp tracking structure, ice_ptp_tx, as\nit uses the same \"ready\" bitmap to track which Tx timestamps complete.\n\nUnfortunately, the ice_ll_ts_intr() function does not check if the\ntracker is initialized before its first access. This results in NULL\ndereference or use-after-free bugs similar to the issues fixed in the\nice_ptp_ts_irq() function.\n\nFix this by only checking the in_use bitmap (and other fields) if the\ntracker is marked as initialized. The reset flow will clear the init field\nunder lock before it tears the tracker down, thus preventing any\nuse-after-free or NULL access."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:07.096Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2cde98a02da958357fe240a6ba269b69d913b6ba"
},
{
"url": "https://git.kernel.org/stable/c/923c267bdbb64f65bc1149d184efcf8b047d7d64"
},
{
"url": "https://git.kernel.org/stable/c/f6486338fde3f04ed0ec59fe67a69a208c32734f"
}
],
"title": "ice: fix NULL access of tx-\u003ein_use in ice_ll_ts_intr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39854",
"datePublished": "2025-09-19T15:26:25.989Z",
"dateReserved": "2025-04-16T07:20:57.142Z",
"dateUpdated": "2026-01-14T19:23:12.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22976 (GCVE-0-2026-22976)
Vulnerability from cvelistv5 – Published: 2026-01-21 06:57 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset
`qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class
itself is active.
Two qfq_class objects may point to the same leaf_qdisc. This happens
when:
1. one QFQ qdisc is attached to the dev as the root qdisc, and
2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get()
/ qdisc_put()) and is pending to be destroyed, as in function
tc_new_tfilter.
When packets are enqueued through the root QFQ qdisc, the shared
leaf_qdisc->q.qlen increases. At the same time, the second QFQ
qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters
qfq_reset() with its own q->q.qlen == 0, but its class's leaf
qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate
an inactive aggregate and trigger a null-deref in qfq_deactivate_agg:
[ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 0.903571] #PF: supervisor write access in kernel mode
[ 0.903860] #PF: error_code(0x0002) - not-present page
[ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0
[ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI
[ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE
[ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2))
[ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0
Code starting with the faulting instruction
===========================================
0: 0f 84 4d 01 00 00 je 0x153
6: 48 89 70 18 mov %rsi,0x18(%rax)
a: 8b 4b 10 mov 0x10(%rbx),%ecx
d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx
14: 48 8b 78 08 mov 0x8(%rax),%rdi
18: 48 d3 e2 shl %cl,%rdx
1b: 48 21 f2 and %rsi,%rdx
1e: 48 2b 13 sub (%rbx),%rdx
21: 48 8b 30 mov (%rax),%rsi
24: 48 d3 ea shr %cl,%rdx
27: 8b 4b 18 mov 0x18(%rbx),%ecx
...
[ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246
[ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000
[ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000
[ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000
[ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880
[ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000
[ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0
[ 0.910247] PKRU: 55555554
[ 0.910391] Call Trace:
[ 0.910527] <TASK>
[ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485)
[ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036)
[ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076)
[ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447)
[ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
[ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861)
[ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550)
[ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
[ 0.912296] ? __alloc_skb (net/core/skbuff.c:706)
[ 0.912484] netlink_sendmsg (net/netlink/af
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0545a3037773512d3448557ba048cebb73b3e4af , < 6116a83ec167d3ab1390cded854d237481f41b63
(git)
Affected: 0545a3037773512d3448557ba048cebb73b3e4af , < 0809c4bc06c9c961222df29f2eccfd449304056f (git) Affected: 0545a3037773512d3448557ba048cebb73b3e4af , < cdb24200b043438a144df501f1ebbd926bb1a2c7 (git) Affected: 0545a3037773512d3448557ba048cebb73b3e4af , < 11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb (git) Affected: 0545a3037773512d3448557ba048cebb73b3e4af , < 43497313d0da3e12b5cfcd97aa17bf48ee663f95 (git) Affected: 0545a3037773512d3448557ba048cebb73b3e4af , < 51ffd447bc37bf1a5776b85523f51d2bc69977f6 (git) Affected: 0545a3037773512d3448557ba048cebb73b3e4af , < c1d73b1480235731e35c81df70b08f4714a7d095 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6116a83ec167d3ab1390cded854d237481f41b63",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "0809c4bc06c9c961222df29f2eccfd449304056f",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "cdb24200b043438a144df501f1ebbd926bb1a2c7",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "43497313d0da3e12b5cfcd97aa17bf48ee663f95",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "51ffd447bc37bf1a5776b85523f51d2bc69977f6",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "c1d73b1480235731e35c81df70b08f4714a7d095",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset\n\n`qfq_class-\u003eleaf_qdisc-\u003eq.qlen \u003e 0` does not imply that the class\nitself is active.\n\nTwo qfq_class objects may point to the same leaf_qdisc. This happens\nwhen:\n\n1. one QFQ qdisc is attached to the dev as the root qdisc, and\n\n2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get()\n/ qdisc_put()) and is pending to be destroyed, as in function\ntc_new_tfilter.\n\nWhen packets are enqueued through the root QFQ qdisc, the shared\nleaf_qdisc-\u003eq.qlen increases. At the same time, the second QFQ\nqdisc triggers qdisc_put and qdisc_destroy: the qdisc enters\nqfq_reset() with its own q-\u003eq.qlen == 0, but its class\u0027s leaf\nqdisc-\u003eq.qlen \u003e 0. Therefore, the qfq_reset would wrongly deactivate\nan inactive aggregate and trigger a null-deref in qfq_deactivate_agg:\n\n[ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 0.903571] #PF: supervisor write access in kernel mode\n[ 0.903860] #PF: error_code(0x0002) - not-present page\n[ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0\n[ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI\n[ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE\n[ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n[ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2))\n[ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0\n\nCode starting with the faulting instruction\n===========================================\n 0:\t0f 84 4d 01 00 00 \tje 0x153\n 6:\t48 89 70 18 \tmov %rsi,0x18(%rax)\n a:\t8b 4b 10 \tmov 0x10(%rbx),%ecx\n d:\t48 c7 c2 ff ff ff ff \tmov $0xffffffffffffffff,%rdx\n 14:\t48 8b 78 08 \tmov 0x8(%rax),%rdi\n 18:\t48 d3 e2 \tshl %cl,%rdx\n 1b:\t48 21 f2 \tand %rsi,%rdx\n 1e:\t48 2b 13 \tsub (%rbx),%rdx\n 21:\t48 8b 30 \tmov (%rax),%rsi\n 24:\t48 d3 ea \tshr %cl,%rdx\n 27:\t8b 4b 18 \tmov 0x18(%rbx),%ecx\n\t...\n[ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246\n[ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000\n[ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000\n[ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000\n[ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880\n[ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000\n[ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0\n[ 0.910247] PKRU: 55555554\n[ 0.910391] Call Trace:\n[ 0.910527] \u003cTASK\u003e\n[ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485)\n[ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036)\n[ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076)\n[ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447)\n[ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\n[ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861)\n[ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n[ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\n[ 0.912296] ? __alloc_skb (net/core/skbuff.c:706)\n[ 0.912484] netlink_sendmsg (net/netlink/af\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:25.989Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6116a83ec167d3ab1390cded854d237481f41b63"
},
{
"url": "https://git.kernel.org/stable/c/0809c4bc06c9c961222df29f2eccfd449304056f"
},
{
"url": "https://git.kernel.org/stable/c/cdb24200b043438a144df501f1ebbd926bb1a2c7"
},
{
"url": "https://git.kernel.org/stable/c/11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb"
},
{
"url": "https://git.kernel.org/stable/c/43497313d0da3e12b5cfcd97aa17bf48ee663f95"
},
{
"url": "https://git.kernel.org/stable/c/51ffd447bc37bf1a5776b85523f51d2bc69977f6"
},
{
"url": "https://git.kernel.org/stable/c/c1d73b1480235731e35c81df70b08f4714a7d095"
}
],
"title": "net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22976",
"datePublished": "2026-01-21T06:57:23.939Z",
"dateReserved": "2026-01-13T15:37:45.935Z",
"dateUpdated": "2026-02-09T08:36:25.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22992 (GCVE-0-2026-22992)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
libceph: return the handler error from mon_handle_auth_done()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: return the handler error from mon_handle_auth_done()
Currently any error from ceph_auth_handle_reply_done() is propagated
via finish_auth() but isn't returned from mon_handle_auth_done(). This
results in higher layers learning that (despite the monitor considering
us to be successfully authenticated) something went wrong in the
authentication phase and reacting accordingly, but msgr2 still trying
to proceed with establishing the session in the background. In the
case of secure mode this can trigger a WARN in setup_crypto() and later
lead to a NULL pointer dereference inside of prepare_auth_signature().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cd1a677cad994021b19665ed476aea63f5d54f31 , < 77229551f2cf72f3e35636db68e6a825b912cf16
(git)
Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 33908769248b38a5e77cf9292817bb28e641992d (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < e097cd858196b1914309e7e3d79b4fa79383754d (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < d2c4a5f6996683f287f3851ef5412797042de7f1 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 9e0101e57534ef0e7578dd09608a6106736b82e5 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < e84b48d31b5008932c0a0902982809fbaa1d3b70 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/mon_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "77229551f2cf72f3e35636db68e6a825b912cf16",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "33908769248b38a5e77cf9292817bb28e641992d",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "e097cd858196b1914309e7e3d79b4fa79383754d",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "d2c4a5f6996683f287f3851ef5412797042de7f1",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "9e0101e57534ef0e7578dd09608a6106736b82e5",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "e84b48d31b5008932c0a0902982809fbaa1d3b70",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/mon_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: return the handler error from mon_handle_auth_done()\n\nCurrently any error from ceph_auth_handle_reply_done() is propagated\nvia finish_auth() but isn\u0027t returned from mon_handle_auth_done(). This\nresults in higher layers learning that (despite the monitor considering\nus to be successfully authenticated) something went wrong in the\nauthentication phase and reacting accordingly, but msgr2 still trying\nto proceed with establishing the session in the background. In the\ncase of secure mode this can trigger a WARN in setup_crypto() and later\nlead to a NULL pointer dereference inside of prepare_auth_signature()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:43.404Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/77229551f2cf72f3e35636db68e6a825b912cf16"
},
{
"url": "https://git.kernel.org/stable/c/33908769248b38a5e77cf9292817bb28e641992d"
},
{
"url": "https://git.kernel.org/stable/c/e097cd858196b1914309e7e3d79b4fa79383754d"
},
{
"url": "https://git.kernel.org/stable/c/d2c4a5f6996683f287f3851ef5412797042de7f1"
},
{
"url": "https://git.kernel.org/stable/c/9e0101e57534ef0e7578dd09608a6106736b82e5"
},
{
"url": "https://git.kernel.org/stable/c/e84b48d31b5008932c0a0902982809fbaa1d3b70"
}
],
"title": "libceph: return the handler error from mon_handle_auth_done()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22992",
"datePublished": "2026-01-23T15:24:12.993Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-02-09T08:36:43.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68266 (GCVE-0-2025-68266)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:47 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
bfs: Reconstruct file type when loading from disk
Summary
In the Linux kernel, the following vulnerability has been resolved:
bfs: Reconstruct file type when loading from disk
syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when
the S_IFMT bits of the 32bits "mode" field loaded from disk are corrupted
or when the 32bits "attributes" field loaded from disk are corrupted.
A documentation says that BFS uses only lower 9 bits of the "mode" field.
But I can't find an explicit explanation that the unused upper 23 bits
(especially, the S_IFMT bits) are initialized with 0.
Therefore, ignore the S_IFMT bits of the "mode" field loaded from disk.
Also, verify that the value of the "attributes" field loaded from disk is
either BFS_VREG or BFS_VDIR (because BFS supports only regular files and
the root directory).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d0c5ec1f57d8fbb953f166a27d9d32473dc8f3e4
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < aeccd6743ee4fdd1ab8cfcbb5b9a20b613418f6d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8f73336b75bd3457b6f9410f2a0601a238f32238 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a9f626396bfe66f49b743601e862767928237cc0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 77899444d46162aeb65f229590c26ba266864223 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a8cb796e7e2cb7971311ba236922f5e7e1be77e6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 34ab4c75588c07cca12884f2bf6b0347c7a13872 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/bfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0c5ec1f57d8fbb953f166a27d9d32473dc8f3e4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aeccd6743ee4fdd1ab8cfcbb5b9a20b613418f6d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8f73336b75bd3457b6f9410f2a0601a238f32238",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a9f626396bfe66f49b743601e862767928237cc0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "77899444d46162aeb65f229590c26ba266864223",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a8cb796e7e2cb7971311ba236922f5e7e1be77e6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "34ab4c75588c07cca12884f2bf6b0347c7a13872",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/bfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbfs: Reconstruct file type when loading from disk\n\nsyzbot is reporting that S_IFMT bits of inode-\u003ei_mode can become bogus when\nthe S_IFMT bits of the 32bits \"mode\" field loaded from disk are corrupted\nor when the 32bits \"attributes\" field loaded from disk are corrupted.\n\nA documentation says that BFS uses only lower 9 bits of the \"mode\" field.\nBut I can\u0027t find an explicit explanation that the unused upper 23 bits\n(especially, the S_IFMT bits) are initialized with 0.\n\nTherefore, ignore the S_IFMT bits of the \"mode\" field loaded from disk.\nAlso, verify that the value of the \"attributes\" field loaded from disk is\neither BFS_VREG or BFS_VDIR (because BFS supports only regular files and\nthe root directory)."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:15.201Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0c5ec1f57d8fbb953f166a27d9d32473dc8f3e4"
},
{
"url": "https://git.kernel.org/stable/c/aeccd6743ee4fdd1ab8cfcbb5b9a20b613418f6d"
},
{
"url": "https://git.kernel.org/stable/c/8f73336b75bd3457b6f9410f2a0601a238f32238"
},
{
"url": "https://git.kernel.org/stable/c/a9f626396bfe66f49b743601e862767928237cc0"
},
{
"url": "https://git.kernel.org/stable/c/77899444d46162aeb65f229590c26ba266864223"
},
{
"url": "https://git.kernel.org/stable/c/a8cb796e7e2cb7971311ba236922f5e7e1be77e6"
},
{
"url": "https://git.kernel.org/stable/c/34ab4c75588c07cca12884f2bf6b0347c7a13872"
}
],
"title": "bfs: Reconstruct file type when loading from disk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68266",
"datePublished": "2025-12-16T14:47:06.240Z",
"dateReserved": "2025-12-16T13:41:40.268Z",
"dateUpdated": "2026-01-19T12:18:15.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40010 (GCVE-0-2025-40010)
Vulnerability from cvelistv5 – Published: 2025-10-20 15:26 – Updated: 2025-10-20 15:26
VLAI?
EPSS
Title
afs: Fix potential null pointer dereference in afs_put_server
Summary
In the Linux kernel, the following vulnerability has been resolved:
afs: Fix potential null pointer dereference in afs_put_server
afs_put_server() accessed server->debug_id before the NULL check, which
could lead to a null pointer dereference. Move the debug_id assignment,
ensuring we never dereference a NULL server pointer.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2757a4dc184997c66ef1de32636f73b9f21aac14 , < 7b8381f3c405b864a814d747e526e078c3ef4bc2
(git)
Affected: 2757a4dc184997c66ef1de32636f73b9f21aac14 , < cab278cead49a547ac84c3e185f446f381303eae (git) Affected: 2757a4dc184997c66ef1de32636f73b9f21aac14 , < a13dbc5e20c7284b82afe6f08debdecf51d2ca04 (git) Affected: 2757a4dc184997c66ef1de32636f73b9f21aac14 , < 41782c44bb8431c43043129ae42f2ba614938479 (git) Affected: 2757a4dc184997c66ef1de32636f73b9f21aac14 , < 9158c6bb245113d4966df9b2ba602197a379412e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/afs/server.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7b8381f3c405b864a814d747e526e078c3ef4bc2",
"status": "affected",
"version": "2757a4dc184997c66ef1de32636f73b9f21aac14",
"versionType": "git"
},
{
"lessThan": "cab278cead49a547ac84c3e185f446f381303eae",
"status": "affected",
"version": "2757a4dc184997c66ef1de32636f73b9f21aac14",
"versionType": "git"
},
{
"lessThan": "a13dbc5e20c7284b82afe6f08debdecf51d2ca04",
"status": "affected",
"version": "2757a4dc184997c66ef1de32636f73b9f21aac14",
"versionType": "git"
},
{
"lessThan": "41782c44bb8431c43043129ae42f2ba614938479",
"status": "affected",
"version": "2757a4dc184997c66ef1de32636f73b9f21aac14",
"versionType": "git"
},
{
"lessThan": "9158c6bb245113d4966df9b2ba602197a379412e",
"status": "affected",
"version": "2757a4dc184997c66ef1de32636f73b9f21aac14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/afs/server.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix potential null pointer dereference in afs_put_server\n\nafs_put_server() accessed server-\u003edebug_id before the NULL check, which\ncould lead to a null pointer dereference. Move the debug_id assignment,\nensuring we never dereference a NULL server pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:26:55.874Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7b8381f3c405b864a814d747e526e078c3ef4bc2"
},
{
"url": "https://git.kernel.org/stable/c/cab278cead49a547ac84c3e185f446f381303eae"
},
{
"url": "https://git.kernel.org/stable/c/a13dbc5e20c7284b82afe6f08debdecf51d2ca04"
},
{
"url": "https://git.kernel.org/stable/c/41782c44bb8431c43043129ae42f2ba614938479"
},
{
"url": "https://git.kernel.org/stable/c/9158c6bb245113d4966df9b2ba602197a379412e"
}
],
"title": "afs: Fix potential null pointer dereference in afs_put_server",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40010",
"datePublished": "2025-10-20T15:26:55.874Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-20T15:26:55.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40238 (GCVE-0-2025-40238)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31
VLAI?
EPSS
Title
net/mlx5: Fix IPsec cleanup over MPV device
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix IPsec cleanup over MPV device
When we do mlx5e_detach_netdev() we eventually disable blocking events
notifier, among those events are IPsec MPV events from IB to core.
So before disabling those blocking events, make sure to also unregister
the devcom device and mark all this device operations as complete,
in order to prevent the other device from using invalid netdev
during future devcom events which could cause the trace below.
BUG: kernel NULL pointer dereference, address: 0000000000000010
PGD 146427067 P4D 146427067 PUD 146488067 PMD 0
Oops: Oops: 0000 [#1] SMP
CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]
Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40
RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206
RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00
RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000
R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600
R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80
FS: 00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __die+0x20/0x60
? page_fault_oops+0x150/0x3e0
? exc_page_fault+0x74/0x130
? asm_exc_page_fault+0x22/0x30
? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]
mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]
mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]
blocking_event+0x17b/0x230 [mlx5_core]
notifier_call_chain+0x35/0xa0
blocking_notifier_call_chain+0x3d/0x60
mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]
mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]
mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]
mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]
? idr_alloc_cyclic+0x50/0xb0
? __kmalloc_cache_noprof+0x167/0x340
? __kmalloc_noprof+0x1a7/0x430
__mlx5_ib_add+0x34/0xd0 [mlx5_ib]
mlx5r_probe+0xe9/0x310 [mlx5_ib]
? kernfs_add_one+0x107/0x150
? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]
auxiliary_bus_probe+0x3e/0x90
really_probe+0xc5/0x3a0
? driver_probe_device+0x90/0x90
__driver_probe_device+0x80/0x160
driver_probe_device+0x1e/0x90
__device_attach_driver+0x7d/0x100
bus_for_each_drv+0x80/0xd0
__device_attach+0xbc/0x1f0
bus_probe_device+0x86/0xa0
device_add+0x62d/0x830
__auxiliary_device_add+0x3b/0xa0
? auxiliary_device_init+0x41/0x90
add_adev+0xd1/0x150 [mlx5_core]
mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]
esw_mode_change+0x6c/0xc0 [mlx5_core]
mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]
devlink_nl_eswitch_set_doit+0x60/0xe0
genl_family_rcv_msg_doit+0xd0/0x120
genl_rcv_msg+0x180/0x2b0
? devlink_get_from_attrs_lock+0x170/0x170
? devlink_nl_eswitch_get_doit+0x290/0x290
? devlink_nl_pre_doit_port_optional+0x50/0x50
? genl_family_rcv_msg_dumpit+0xf0/0xf0
netlink_rcv_skb+0x54/0x100
genl_rcv+0x24/0x40
netlink_unicast+0x1fc/0x2d0
netlink_sendmsg+0x1e4/0x410
__sock_sendmsg+0x38/0x60
? sockfd_lookup_light+0x12/0x60
__sys_sendto+0x105/0x160
? __sys_recvmsg+0x4e/0x90
__x64_sys_sendto+0x20/0x30
do_syscall_64+0x4c/0x100
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f27bc91b13a
Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
82f9378c443c206d3f9e45844306e5270e7e4109 , < 7e212cebc863c2c7a82f480446cd731721451691
(git)
Affected: 82f9378c443c206d3f9e45844306e5270e7e4109 , < 8956686d398eca6d324d2d164f9d2a281175a3a1 (git) Affected: 82f9378c443c206d3f9e45844306e5270e7e4109 , < 664f76be38a18c61151d0ef248c7e2f3afb4f3c7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h",
"drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e212cebc863c2c7a82f480446cd731721451691",
"status": "affected",
"version": "82f9378c443c206d3f9e45844306e5270e7e4109",
"versionType": "git"
},
{
"lessThan": "8956686d398eca6d324d2d164f9d2a281175a3a1",
"status": "affected",
"version": "82f9378c443c206d3f9e45844306e5270e7e4109",
"versionType": "git"
},
{
"lessThan": "664f76be38a18c61151d0ef248c7e2f3afb4f3c7",
"status": "affected",
"version": "82f9378c443c206d3f9e45844306e5270e7e4109",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h",
"drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix IPsec cleanup over MPV device\n\nWhen we do mlx5e_detach_netdev() we eventually disable blocking events\nnotifier, among those events are IPsec MPV events from IB to core.\n\nSo before disabling those blocking events, make sure to also unregister\nthe devcom device and mark all this device operations as complete,\nin order to prevent the other device from using invalid netdev\nduring future devcom events which could cause the trace below.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000010\nPGD 146427067 P4D 146427067 PUD 146488067 PMD 0\nOops: Oops: 0000 [#1] SMP\nCPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1\nTainted: [W]=WARN\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]\nCode: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 \u003c48\u003e 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40\nRSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206\nRAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00\nRDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000\nRBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000\nR10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600\nR13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80\nFS: 00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x20/0x60\n ? page_fault_oops+0x150/0x3e0\n ? exc_page_fault+0x74/0x130\n ? asm_exc_page_fault+0x22/0x30\n ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]\n mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]\n mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]\n blocking_event+0x17b/0x230 [mlx5_core]\n notifier_call_chain+0x35/0xa0\n blocking_notifier_call_chain+0x3d/0x60\n mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]\n mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]\n mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]\n mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]\n ? idr_alloc_cyclic+0x50/0xb0\n ? __kmalloc_cache_noprof+0x167/0x340\n ? __kmalloc_noprof+0x1a7/0x430\n __mlx5_ib_add+0x34/0xd0 [mlx5_ib]\n mlx5r_probe+0xe9/0x310 [mlx5_ib]\n ? kernfs_add_one+0x107/0x150\n ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]\n auxiliary_bus_probe+0x3e/0x90\n really_probe+0xc5/0x3a0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n bus_probe_device+0x86/0xa0\n device_add+0x62d/0x830\n __auxiliary_device_add+0x3b/0xa0\n ? auxiliary_device_init+0x41/0x90\n add_adev+0xd1/0x150 [mlx5_core]\n mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]\n esw_mode_change+0x6c/0xc0 [mlx5_core]\n mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]\n devlink_nl_eswitch_set_doit+0x60/0xe0\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x180/0x2b0\n ? devlink_get_from_attrs_lock+0x170/0x170\n ? devlink_nl_eswitch_get_doit+0x290/0x290\n ? devlink_nl_pre_doit_port_optional+0x50/0x50\n ? genl_family_rcv_msg_dumpit+0xf0/0xf0\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x1fc/0x2d0\n netlink_sendmsg+0x1e4/0x410\n __sock_sendmsg+0x38/0x60\n ? sockfd_lookup_light+0x12/0x60\n __sys_sendto+0x105/0x160\n ? __sys_recvmsg+0x4e/0x90\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x4c/0x100\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7f27bc91b13a\nCode: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:28.243Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e212cebc863c2c7a82f480446cd731721451691"
},
{
"url": "https://git.kernel.org/stable/c/8956686d398eca6d324d2d164f9d2a281175a3a1"
},
{
"url": "https://git.kernel.org/stable/c/664f76be38a18c61151d0ef248c7e2f3afb4f3c7"
}
],
"title": "net/mlx5: Fix IPsec cleanup over MPV device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40238",
"datePublished": "2025-12-04T15:31:28.243Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-04T15:31:28.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39826 (GCVE-0-2025-39826)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
net: rose: convert 'use' field to refcount_t
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rose: convert 'use' field to refcount_t
The 'use' field in struct rose_neigh is used as a reference counter but
lacks atomicity. This can lead to race conditions where a rose_neigh
structure is freed while still being referenced by other code paths.
For example, when rose_neigh->use becomes zero during an ioctl operation
via rose_rt_ioctl(), the structure may be removed while its timer is
still active, potentially causing use-after-free issues.
This patch changes the type of 'use' from unsigned short to refcount_t and
updates all code paths to use rose_neigh_hold() and rose_neigh_put() which
operate reference counts atomically.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fb07156cc0742ba4e93dfcc84280c011d05b301f
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f8c29fc437d03a98fb075c31c5be761cc8326284 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0085b250fcc79f900c82a69980ec2f3e1871823b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 203e4f42596ede31498744018716a3db6dbb7f51 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d860d1faa6b2ce3becfdb8b0c2b048ad31800061 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:47.184Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/rose.h",
"net/rose/af_rose.c",
"net/rose/rose_in.c",
"net/rose/rose_route.c",
"net/rose/rose_timer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fb07156cc0742ba4e93dfcc84280c011d05b301f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f8c29fc437d03a98fb075c31c5be761cc8326284",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0085b250fcc79f900c82a69980ec2f3e1871823b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "203e4f42596ede31498744018716a3db6dbb7f51",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d860d1faa6b2ce3becfdb8b0c2b048ad31800061",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/rose.h",
"net/rose/af_rose.c",
"net/rose/rose_in.c",
"net/rose/rose_route.c",
"net/rose/rose_timer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: convert \u0027use\u0027 field to refcount_t\n\nThe \u0027use\u0027 field in struct rose_neigh is used as a reference counter but\nlacks atomicity. This can lead to race conditions where a rose_neigh\nstructure is freed while still being referenced by other code paths.\n\nFor example, when rose_neigh-\u003euse becomes zero during an ioctl operation\nvia rose_rt_ioctl(), the structure may be removed while its timer is\nstill active, potentially causing use-after-free issues.\n\nThis patch changes the type of \u0027use\u0027 from unsigned short to refcount_t and\nupdates all code paths to use rose_neigh_hold() and rose_neigh_put() which\noperate reference counts atomically."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:27.641Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fb07156cc0742ba4e93dfcc84280c011d05b301f"
},
{
"url": "https://git.kernel.org/stable/c/f8c29fc437d03a98fb075c31c5be761cc8326284"
},
{
"url": "https://git.kernel.org/stable/c/0085b250fcc79f900c82a69980ec2f3e1871823b"
},
{
"url": "https://git.kernel.org/stable/c/203e4f42596ede31498744018716a3db6dbb7f51"
},
{
"url": "https://git.kernel.org/stable/c/d860d1faa6b2ce3becfdb8b0c2b048ad31800061"
}
],
"title": "net: rose: convert \u0027use\u0027 field to refcount_t",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39826",
"datePublished": "2025-09-16T13:00:24.618Z",
"dateReserved": "2025-04-16T07:20:57.140Z",
"dateUpdated": "2025-11-03T17:43:47.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40049 (GCVE-0-2025-40049)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
Squashfs: fix uninit-value in squashfs_get_parent
Summary
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: fix uninit-value in squashfs_get_parent
Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug.
This is caused by open_by_handle_at() being called with a file handle
containing an invalid parent inode number. In particular the inode number
is that of a symbolic link, rather than a directory.
Squashfs_get_parent() gets called with that symbolic link inode, and
accesses the parent member field.
unsigned int parent_ino = squashfs_i(inode)->parent;
Because non-directory inodes in Squashfs do not have a parent value, this
is uninitialised, and this causes an uninitialised value access.
The fix is to initialise parent with the invalid inode 0, which will cause
an EINVAL error to be returned.
Regular inodes used to share the parent field with the block_list_start
field. This is removed in this commit to enable the parent field to
contain the invalid inode number 0.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
122601408d20c77704268f1dea9f9ce4abf997c2 , < f81a5bc9e924ee1950e0dd82bd10749048390f6e
(git)
Affected: 122601408d20c77704268f1dea9f9ce4abf997c2 , < 382a47fae449e554ef1e8c198667fd2f3270b945 (git) Affected: 122601408d20c77704268f1dea9f9ce4abf997c2 , < 61d38b5ce2782bff3cacaacbb8164087a73ed1a5 (git) Affected: 122601408d20c77704268f1dea9f9ce4abf997c2 , < 81a2bca52d43fc9d9abf07408b91255131c5dc53 (git) Affected: 122601408d20c77704268f1dea9f9ce4abf997c2 , < c28b0ca029edf5d0558abcd76cb8c732706cd339 (git) Affected: 122601408d20c77704268f1dea9f9ce4abf997c2 , < 1b3ccd0019132880c94bb00ca7088c1749308f82 (git) Affected: 122601408d20c77704268f1dea9f9ce4abf997c2 , < 91b99db7a92e57ff48a96a1b10fddfd2547e7f53 (git) Affected: 122601408d20c77704268f1dea9f9ce4abf997c2 , < 74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c",
"fs/squashfs/squashfs_fs_i.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f81a5bc9e924ee1950e0dd82bd10749048390f6e",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "382a47fae449e554ef1e8c198667fd2f3270b945",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "61d38b5ce2782bff3cacaacbb8164087a73ed1a5",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "81a2bca52d43fc9d9abf07408b91255131c5dc53",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "c28b0ca029edf5d0558abcd76cb8c732706cd339",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "1b3ccd0019132880c94bb00ca7088c1749308f82",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "91b99db7a92e57ff48a96a1b10fddfd2547e7f53",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c",
"fs/squashfs/squashfs_fs_i.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: fix uninit-value in squashfs_get_parent\n\nSyzkaller reports a \"KMSAN: uninit-value in squashfs_get_parent\" bug.\n\nThis is caused by open_by_handle_at() being called with a file handle\ncontaining an invalid parent inode number. In particular the inode number\nis that of a symbolic link, rather than a directory.\n\nSquashfs_get_parent() gets called with that symbolic link inode, and\naccesses the parent member field.\n\n\tunsigned int parent_ino = squashfs_i(inode)-\u003eparent;\n\nBecause non-directory inodes in Squashfs do not have a parent value, this\nis uninitialised, and this causes an uninitialised value access.\n\nThe fix is to initialise parent with the invalid inode 0, which will cause\nan EINVAL error to be returned.\n\nRegular inodes used to share the parent field with the block_list_start\nfield. This is removed in this commit to enable the parent field to\ncontain the invalid inode number 0."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:55.232Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f81a5bc9e924ee1950e0dd82bd10749048390f6e"
},
{
"url": "https://git.kernel.org/stable/c/382a47fae449e554ef1e8c198667fd2f3270b945"
},
{
"url": "https://git.kernel.org/stable/c/61d38b5ce2782bff3cacaacbb8164087a73ed1a5"
},
{
"url": "https://git.kernel.org/stable/c/81a2bca52d43fc9d9abf07408b91255131c5dc53"
},
{
"url": "https://git.kernel.org/stable/c/c28b0ca029edf5d0558abcd76cb8c732706cd339"
},
{
"url": "https://git.kernel.org/stable/c/1b3ccd0019132880c94bb00ca7088c1749308f82"
},
{
"url": "https://git.kernel.org/stable/c/91b99db7a92e57ff48a96a1b10fddfd2547e7f53"
},
{
"url": "https://git.kernel.org/stable/c/74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf"
}
],
"title": "Squashfs: fix uninit-value in squashfs_get_parent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40049",
"datePublished": "2025-10-28T11:48:25.862Z",
"dateReserved": "2025-04-16T07:20:57.157Z",
"dateUpdated": "2025-12-01T06:16:55.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68282 (GCVE-0-2025-68282)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
usb: gadget: udc: fix use-after-free in usb_gadget_state_work
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: udc: fix use-after-free in usb_gadget_state_work
A race condition during gadget teardown can lead to a use-after-free
in usb_gadget_state_work(), as reported by KASAN:
BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0
Workqueue: events usb_gadget_state_work
The fundamental race occurs because a concurrent event (e.g., an
interrupt) can call usb_gadget_set_state() and schedule gadget->work
at any time during the cleanup process in usb_del_gadget().
Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after
device removal") attempted to fix this by moving flush_work() to after
device_del(). However, this does not fully solve the race, as a new
work item can still be scheduled *after* flush_work() completes but
before the gadget's memory is freed, leading to the same use-after-free.
This patch fixes the race condition robustly by introducing a 'teardown'
flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is
set during cleanup in usb_del_gadget() *before* calling flush_work() to
prevent any new work from being scheduled once cleanup has commenced.
The scheduling site, usb_gadget_set_state(), now checks this flag under
the lock before queueing the work, thus safely closing the race window.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 , < dddc944d65169b552e09cb54e3ed4fbb9ea26416
(git)
Affected: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 , < eee16f3ff08e759ea828bdf7dc1c0ef2f22134f5 (git) Affected: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 , < c12a0c3ef815ddd67e47f9c819f9fe822fed5467 (git) Affected: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 , < f02a412c0a18f02f0f91b0a3d9788315a721b7fd (git) Affected: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 , < 10014310193cf6736c1aeb4105c5f4a0818d0c65 (git) Affected: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 , < 3b32caa73d135eea8fb9cabb45e9fc64c5a3ecb9 (git) Affected: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 , < baeb66fbd4201d1c4325074e78b1f557dff89b5b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c",
"include/linux/usb/gadget.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dddc944d65169b552e09cb54e3ed4fbb9ea26416",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "eee16f3ff08e759ea828bdf7dc1c0ef2f22134f5",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "c12a0c3ef815ddd67e47f9c819f9fe822fed5467",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "f02a412c0a18f02f0f91b0a3d9788315a721b7fd",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "10014310193cf6736c1aeb4105c5f4a0818d0c65",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "3b32caa73d135eea8fb9cabb45e9fc64c5a3ecb9",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "baeb66fbd4201d1c4325074e78b1f557dff89b5b",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c",
"include/linux/usb/gadget.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: udc: fix use-after-free in usb_gadget_state_work\n\nA race condition during gadget teardown can lead to a use-after-free\nin usb_gadget_state_work(), as reported by KASAN:\n\n BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0\n Workqueue: events usb_gadget_state_work\n\nThe fundamental race occurs because a concurrent event (e.g., an\ninterrupt) can call usb_gadget_set_state() and schedule gadget-\u003ework\nat any time during the cleanup process in usb_del_gadget().\n\nCommit 399a45e5237c (\"usb: gadget: core: flush gadget workqueue after\ndevice removal\") attempted to fix this by moving flush_work() to after\ndevice_del(). However, this does not fully solve the race, as a new\nwork item can still be scheduled *after* flush_work() completes but\nbefore the gadget\u0027s memory is freed, leading to the same use-after-free.\n\nThis patch fixes the race condition robustly by introducing a \u0027teardown\u0027\nflag and a \u0027state_lock\u0027 spinlock to the usb_gadget struct. The flag is\nset during cleanup in usb_del_gadget() *before* calling flush_work() to\nprevent any new work from being scheduled once cleanup has commenced.\nThe scheduling site, usb_gadget_set_state(), now checks this flag under\nthe lock before queueing the work, thus safely closing the race window."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:16.378Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dddc944d65169b552e09cb54e3ed4fbb9ea26416"
},
{
"url": "https://git.kernel.org/stable/c/eee16f3ff08e759ea828bdf7dc1c0ef2f22134f5"
},
{
"url": "https://git.kernel.org/stable/c/c12a0c3ef815ddd67e47f9c819f9fe822fed5467"
},
{
"url": "https://git.kernel.org/stable/c/f02a412c0a18f02f0f91b0a3d9788315a721b7fd"
},
{
"url": "https://git.kernel.org/stable/c/10014310193cf6736c1aeb4105c5f4a0818d0c65"
},
{
"url": "https://git.kernel.org/stable/c/3b32caa73d135eea8fb9cabb45e9fc64c5a3ecb9"
},
{
"url": "https://git.kernel.org/stable/c/baeb66fbd4201d1c4325074e78b1f557dff89b5b"
}
],
"title": "usb: gadget: udc: fix use-after-free in usb_gadget_state_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68282",
"datePublished": "2025-12-16T15:06:04.332Z",
"dateReserved": "2025-12-16T14:48:05.291Z",
"dateUpdated": "2026-01-19T12:18:16.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68298 (GCVE-0-2025-68298)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref
In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to:
usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM)
That function can return NULL in some cases. Even when it returns
NULL, though, we still go on to call btusb_mtk_claim_iso_intf().
As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for
usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf()
when `btmtk_data->isopkt_intf` is NULL will cause a crash because
we'll end up passing a bad pointer to device_lock(). Prior to that
commit we'd pass the NULL pointer directly to
usb_driver_claim_interface() which would detect it and return an
error, which was handled.
Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check
at the start of the function. This makes the code handle a NULL
`btmtk_data->isopkt_intf` the same way it did before the problematic
commit (just with a slight change to the error message printed).
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
930e1790b99e5839e1af69d2f7fd808f1fba2df9 , < 2fa09fe98ca3b114d66285f65f7e108fea131815
(git)
Affected: e9087e828827e5a5c85e124ce77503f2b81c3491 , < c3b990e0b23068da65f0004cd38ee31f43f36460 (git) Affected: e9087e828827e5a5c85e124ce77503f2b81c3491 , < c884a0b27b4586e607431d86a1aa0bb4fb39169c (git) Affected: 4194766ec8756f4f654d595ae49962acbac49490 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2fa09fe98ca3b114d66285f65f7e108fea131815",
"status": "affected",
"version": "930e1790b99e5839e1af69d2f7fd808f1fba2df9",
"versionType": "git"
},
{
"lessThan": "c3b990e0b23068da65f0004cd38ee31f43f36460",
"status": "affected",
"version": "e9087e828827e5a5c85e124ce77503f2b81c3491",
"versionType": "git"
},
{
"lessThan": "c884a0b27b4586e607431d86a1aa0bb4fb39169c",
"status": "affected",
"version": "e9087e828827e5a5c85e124ce77503f2b81c3491",
"versionType": "git"
},
{
"status": "affected",
"version": "4194766ec8756f4f654d595ae49962acbac49490",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.12.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref\n\nIn btusb_mtk_setup(), we set `btmtk_data-\u003eisopkt_intf` to:\n usb_ifnum_to_if(data-\u003eudev, MTK_ISO_IFNUM)\n\nThat function can return NULL in some cases. Even when it returns\nNULL, though, we still go on to call btusb_mtk_claim_iso_intf().\n\nAs of commit e9087e828827 (\"Bluetooth: btusb: mediatek: Add locks for\nusb_driver_claim_interface()\"), calling btusb_mtk_claim_iso_intf()\nwhen `btmtk_data-\u003eisopkt_intf` is NULL will cause a crash because\nwe\u0027ll end up passing a bad pointer to device_lock(). Prior to that\ncommit we\u0027d pass the NULL pointer directly to\nusb_driver_claim_interface() which would detect it and return an\nerror, which was handled.\n\nResolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check\nat the start of the function. This makes the code handle a NULL\n`btmtk_data-\u003eisopkt_intf` the same way it did before the problematic\ncommit (just with a slight change to the error message printed)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:17.526Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2fa09fe98ca3b114d66285f65f7e108fea131815"
},
{
"url": "https://git.kernel.org/stable/c/c3b990e0b23068da65f0004cd38ee31f43f36460"
},
{
"url": "https://git.kernel.org/stable/c/c884a0b27b4586e607431d86a1aa0bb4fb39169c"
}
],
"title": "Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68298",
"datePublished": "2025-12-16T15:06:17.526Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:17.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68375 (GCVE-0-2025-68375)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
perf/x86: Fix NULL event access and potential PEBS record loss
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/x86: Fix NULL event access and potential PEBS record loss
When intel_pmu_drain_pebs_icl() is called to drain PEBS records, the
perf_event_overflow() could be called to process the last PEBS record.
While perf_event_overflow() could trigger the interrupt throttle and
stop all events of the group, like what the below call-chain shows.
perf_event_overflow()
-> __perf_event_overflow()
->__perf_event_account_interrupt()
-> perf_event_throttle_group()
-> perf_event_throttle()
-> event->pmu->stop()
-> x86_pmu_stop()
The side effect of stopping the events is that all corresponding event
pointers in cpuc->events[] array are cleared to NULL.
Assume there are two PEBS events (event a and event b) in a group. When
intel_pmu_drain_pebs_icl() calls perf_event_overflow() to process the
last PEBS record of PEBS event a, interrupt throttle is triggered and
all pointers of event a and event b are cleared to NULL. Then
intel_pmu_drain_pebs_icl() tries to process the last PEBS record of
event b and encounters NULL pointer access.
To avoid this issue, move cpuc->events[] clearing from x86_pmu_stop()
to x86_pmu_del(). It's safe since cpuc->active_mask or
cpuc->pebs_enabled is always checked before access the event pointer
from cpuc->events[].
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9734e25fbf5ae68eb04234b2cd14a4b36ab89141 , < cf69b99805c263117305ac6dffbc85aaf9259d32
(git)
Affected: 9734e25fbf5ae68eb04234b2cd14a4b36ab89141 , < 6b089028bff1f2ff9e0c62b8f1faca1a620e5d6e (git) Affected: 9734e25fbf5ae68eb04234b2cd14a4b36ab89141 , < 7e772a93eb61cb6265bdd1c5bde17d0f2718b452 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf69b99805c263117305ac6dffbc85aaf9259d32",
"status": "affected",
"version": "9734e25fbf5ae68eb04234b2cd14a4b36ab89141",
"versionType": "git"
},
{
"lessThan": "6b089028bff1f2ff9e0c62b8f1faca1a620e5d6e",
"status": "affected",
"version": "9734e25fbf5ae68eb04234b2cd14a4b36ab89141",
"versionType": "git"
},
{
"lessThan": "7e772a93eb61cb6265bdd1c5bde17d0f2718b452",
"status": "affected",
"version": "9734e25fbf5ae68eb04234b2cd14a4b36ab89141",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86: Fix NULL event access and potential PEBS record loss\n\nWhen intel_pmu_drain_pebs_icl() is called to drain PEBS records, the\nperf_event_overflow() could be called to process the last PEBS record.\n\nWhile perf_event_overflow() could trigger the interrupt throttle and\nstop all events of the group, like what the below call-chain shows.\n\nperf_event_overflow()\n -\u003e __perf_event_overflow()\n -\u003e__perf_event_account_interrupt()\n -\u003e perf_event_throttle_group()\n -\u003e perf_event_throttle()\n -\u003e event-\u003epmu-\u003estop()\n -\u003e x86_pmu_stop()\n\nThe side effect of stopping the events is that all corresponding event\npointers in cpuc-\u003eevents[] array are cleared to NULL.\n\nAssume there are two PEBS events (event a and event b) in a group. When\nintel_pmu_drain_pebs_icl() calls perf_event_overflow() to process the\nlast PEBS record of PEBS event a, interrupt throttle is triggered and\nall pointers of event a and event b are cleared to NULL. Then\nintel_pmu_drain_pebs_icl() tries to process the last PEBS record of\nevent b and encounters NULL pointer access.\n\nTo avoid this issue, move cpuc-\u003eevents[] clearing from x86_pmu_stop()\nto x86_pmu_del(). It\u0027s safe since cpuc-\u003eactive_mask or\ncpuc-\u003epebs_enabled is always checked before access the event pointer\nfrom cpuc-\u003eevents[]."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:13.160Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf69b99805c263117305ac6dffbc85aaf9259d32"
},
{
"url": "https://git.kernel.org/stable/c/6b089028bff1f2ff9e0c62b8f1faca1a620e5d6e"
},
{
"url": "https://git.kernel.org/stable/c/7e772a93eb61cb6265bdd1c5bde17d0f2718b452"
}
],
"title": "perf/x86: Fix NULL event access and potential PEBS record loss",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68375",
"datePublished": "2025-12-24T10:33:04.819Z",
"dateReserved": "2025-12-16T14:48:05.310Z",
"dateUpdated": "2026-02-09T08:32:13.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40262 (GCVE-0-2025-40262)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:39
VLAI?
EPSS
Title
Input: imx_sc_key - fix memory corruption on unload
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: imx_sc_key - fix memory corruption on unload
This is supposed to be "priv" but we accidentally pass "&priv" which is
an address in the stack and so it will lead to memory corruption when
the imx_sc_key_action() function is called. Remove the &.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
768062fd1284529212daffd360314e9aa93abb62 , < 3e96803b169dc948847f0fc2bae729a80914eb7b
(git)
Affected: 768062fd1284529212daffd360314e9aa93abb62 , < 4ce5218b101205b3425099fe3df88a61b58f9cc2 (git) Affected: 768062fd1284529212daffd360314e9aa93abb62 , < a155292c3ce722036014da5477ee0e4c87b5e6b3 (git) Affected: 768062fd1284529212daffd360314e9aa93abb62 , < ca9a08de9b294422376f47ade323d69590dbc6f2 (git) Affected: 768062fd1284529212daffd360314e9aa93abb62 , < 56881294915a6e866d31a46f9bcb5e19167cfbaa (git) Affected: 768062fd1284529212daffd360314e9aa93abb62 , < 6524a15d33951b18ac408ebbcb9c16e14e21c336 (git) Affected: 768062fd1284529212daffd360314e9aa93abb62 , < d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/imx_sc_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e96803b169dc948847f0fc2bae729a80914eb7b",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "4ce5218b101205b3425099fe3df88a61b58f9cc2",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "a155292c3ce722036014da5477ee0e4c87b5e6b3",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "ca9a08de9b294422376f47ade323d69590dbc6f2",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "56881294915a6e866d31a46f9bcb5e19167cfbaa",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "6524a15d33951b18ac408ebbcb9c16e14e21c336",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/imx_sc_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: imx_sc_key - fix memory corruption on unload\n\nThis is supposed to be \"priv\" but we accidentally pass \"\u0026priv\" which is\nan address in the stack and so it will lead to memory corruption when\nthe imx_sc_key_action() function is called. Remove the \u0026."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:39:03.159Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e96803b169dc948847f0fc2bae729a80914eb7b"
},
{
"url": "https://git.kernel.org/stable/c/4ce5218b101205b3425099fe3df88a61b58f9cc2"
},
{
"url": "https://git.kernel.org/stable/c/a155292c3ce722036014da5477ee0e4c87b5e6b3"
},
{
"url": "https://git.kernel.org/stable/c/ca9a08de9b294422376f47ade323d69590dbc6f2"
},
{
"url": "https://git.kernel.org/stable/c/56881294915a6e866d31a46f9bcb5e19167cfbaa"
},
{
"url": "https://git.kernel.org/stable/c/6524a15d33951b18ac408ebbcb9c16e14e21c336"
},
{
"url": "https://git.kernel.org/stable/c/d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4"
}
],
"title": "Input: imx_sc_key - fix memory corruption on unload",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40262",
"datePublished": "2025-12-04T16:08:22.043Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2025-12-06T21:39:03.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40283 (GCVE-0-2025-40283)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51
VLAI?
EPSS
Title
Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF
There is a KASAN: slab-use-after-free read in btusb_disconnect().
Calling "usb_driver_release_interface(&btusb_driver, data->intf)" will
free the btusb data associated with the interface. The same data is
then used later in the function, hence the UAF.
Fix by moving the accesses to btusb data to before the data is free'd.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fd913ef7ce619467c6b0644af48ba1fec499c623 , < 297dbf87989e09af98f81f2bcb938041785557e8
(git)
Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < f858f004bc343a7ae9f2533bbb2a3ab27428532f (git) Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < 7a6d1e740220ff9dfcb6a8c994d6ba49e76db198 (git) Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < 5dc00065a0496c36694afe11e52a5bc64524a9b8 (git) Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < 1c28c1e1522c773a94e26950ffb145e88cd9834b (git) Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < 95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d (git) Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < a2610ecd9fd5708be8997ca8f033e4200c0bb6af (git) Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < 23d22f2f71768034d6ef86168213843fc49bf550 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "297dbf87989e09af98f81f2bcb938041785557e8",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "f858f004bc343a7ae9f2533bbb2a3ab27428532f",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "7a6d1e740220ff9dfcb6a8c994d6ba49e76db198",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "5dc00065a0496c36694afe11e52a5bc64524a9b8",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "1c28c1e1522c773a94e26950ffb145e88cd9834b",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "a2610ecd9fd5708be8997ca8f033e4200c0bb6af",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "23d22f2f71768034d6ef86168213843fc49bf550",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF\n\nThere is a KASAN: slab-use-after-free read in btusb_disconnect().\nCalling \"usb_driver_release_interface(\u0026btusb_driver, data-\u003eintf)\" will\nfree the btusb data associated with the interface. The same data is\nthen used later in the function, hence the UAF.\n\nFix by moving the accesses to btusb data to before the data is free\u0027d."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:07.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/297dbf87989e09af98f81f2bcb938041785557e8"
},
{
"url": "https://git.kernel.org/stable/c/f858f004bc343a7ae9f2533bbb2a3ab27428532f"
},
{
"url": "https://git.kernel.org/stable/c/7a6d1e740220ff9dfcb6a8c994d6ba49e76db198"
},
{
"url": "https://git.kernel.org/stable/c/5dc00065a0496c36694afe11e52a5bc64524a9b8"
},
{
"url": "https://git.kernel.org/stable/c/1c28c1e1522c773a94e26950ffb145e88cd9834b"
},
{
"url": "https://git.kernel.org/stable/c/95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d"
},
{
"url": "https://git.kernel.org/stable/c/a2610ecd9fd5708be8997ca8f033e4200c0bb6af"
},
{
"url": "https://git.kernel.org/stable/c/23d22f2f71768034d6ef86168213843fc49bf550"
}
],
"title": "Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40283",
"datePublished": "2025-12-06T21:51:07.409Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:07.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71116 (GCVE-0-2025-71116)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
libceph: make decode_pool() more resilient against corrupted osdmaps
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: make decode_pool() more resilient against corrupted osdmaps
If the osdmap is (maliciously) corrupted such that the encoded length
of ceph_pg_pool envelope is less than what is expected for a particular
encoding version, out-of-bounds reads may ensue because the only bounds
check that is there is based on that length value.
This patch adds explicit bounds checks for each field that is decoded
or skipped.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < d061be4c8040ffb1110d537654a038b8b6ad39d2
(git)
Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < 145d140abda80e33331c5781d6603014fa75d258 (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < c82e39ff67353a5a6cbc07b786b8690bd2c45aaa (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < e927ab132b87ba3f076705fc2684d94b24201ed1 (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < 5d0d8c292531fe356c4e94dcfdf7d7212aca9957 (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < 2acb8517429ab42146c6c0ac1daed1f03d2fd125 (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < 8c738512714e8c0aa18f8a10c072d5b01c83db39 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d061be4c8040ffb1110d537654a038b8b6ad39d2",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "145d140abda80e33331c5781d6603014fa75d258",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "c82e39ff67353a5a6cbc07b786b8690bd2c45aaa",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "e927ab132b87ba3f076705fc2684d94b24201ed1",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "5d0d8c292531fe356c4e94dcfdf7d7212aca9957",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "2acb8517429ab42146c6c0ac1daed1f03d2fd125",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "8c738512714e8c0aa18f8a10c072d5b01c83db39",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make decode_pool() more resilient against corrupted osdmaps\n\nIf the osdmap is (maliciously) corrupted such that the encoded length\nof ceph_pg_pool envelope is less than what is expected for a particular\nencoding version, out-of-bounds reads may ensue because the only bounds\ncheck that is there is based on that length value.\n\nThis patch adds explicit bounds checks for each field that is decoded\nor skipped."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:10.946Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d061be4c8040ffb1110d537654a038b8b6ad39d2"
},
{
"url": "https://git.kernel.org/stable/c/145d140abda80e33331c5781d6603014fa75d258"
},
{
"url": "https://git.kernel.org/stable/c/c82e39ff67353a5a6cbc07b786b8690bd2c45aaa"
},
{
"url": "https://git.kernel.org/stable/c/e927ab132b87ba3f076705fc2684d94b24201ed1"
},
{
"url": "https://git.kernel.org/stable/c/5d0d8c292531fe356c4e94dcfdf7d7212aca9957"
},
{
"url": "https://git.kernel.org/stable/c/2acb8517429ab42146c6c0ac1daed1f03d2fd125"
},
{
"url": "https://git.kernel.org/stable/c/8c738512714e8c0aa18f8a10c072d5b01c83db39"
}
],
"title": "libceph: make decode_pool() more resilient against corrupted osdmaps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71116",
"datePublished": "2026-01-14T15:06:04.476Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-02-09T08:35:10.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68373 (GCVE-0-2025-68373)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
md: avoid repeated calls to del_gendisk
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: avoid repeated calls to del_gendisk
There is a uaf problem which is found by case 23rdev-lifetime:
Oops: general protection fault, probably for non-canonical address 0xdead000000000122
RIP: 0010:bdi_unregister+0x4b/0x170
Call Trace:
<TASK>
__del_gendisk+0x356/0x3e0
mddev_unlock+0x351/0x360
rdev_attr_store+0x217/0x280
kernfs_fop_write_iter+0x14a/0x210
vfs_write+0x29e/0x550
ksys_write+0x74/0xf0
do_syscall_64+0xbb/0x380
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff5250a177e
The sequence is:
1. rdev remove path gets reconfig_mutex
2. rdev remove path release reconfig_mutex in mddev_unlock
3. md stop calls do_md_stop and sets MD_DELETED
4. rdev remove path calls del_gendisk because MD_DELETED is set
5. md stop path release reconfig_mutex and calls del_gendisk again
So there is a race condition we should resolve. This patch adds a
flag MD_DO_DELETE to avoid the race condition.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9e59d609763f70a992a8f3808dabcce60f14eb5c , < b4c5cf406062ad44cd178269571530c6435b2f3b
(git)
Affected: 9e59d609763f70a992a8f3808dabcce60f14eb5c , < f0fae1debeb9102398ddf2ef69b4f5d395afafed (git) Affected: 9e59d609763f70a992a8f3808dabcce60f14eb5c , < 90e3bb44c0a86e245d8e5c6520206fa113acb1ee (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c",
"drivers/md/md.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b4c5cf406062ad44cd178269571530c6435b2f3b",
"status": "affected",
"version": "9e59d609763f70a992a8f3808dabcce60f14eb5c",
"versionType": "git"
},
{
"lessThan": "f0fae1debeb9102398ddf2ef69b4f5d395afafed",
"status": "affected",
"version": "9e59d609763f70a992a8f3808dabcce60f14eb5c",
"versionType": "git"
},
{
"lessThan": "90e3bb44c0a86e245d8e5c6520206fa113acb1ee",
"status": "affected",
"version": "9e59d609763f70a992a8f3808dabcce60f14eb5c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c",
"drivers/md/md.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: avoid repeated calls to del_gendisk\n\nThere is a uaf problem which is found by case 23rdev-lifetime:\n\nOops: general protection fault, probably for non-canonical address 0xdead000000000122\nRIP: 0010:bdi_unregister+0x4b/0x170\nCall Trace:\n \u003cTASK\u003e\n __del_gendisk+0x356/0x3e0\n mddev_unlock+0x351/0x360\n rdev_attr_store+0x217/0x280\n kernfs_fop_write_iter+0x14a/0x210\n vfs_write+0x29e/0x550\n ksys_write+0x74/0xf0\n do_syscall_64+0xbb/0x380\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff5250a177e\n\nThe sequence is:\n1. rdev remove path gets reconfig_mutex\n2. rdev remove path release reconfig_mutex in mddev_unlock\n3. md stop calls do_md_stop and sets MD_DELETED\n4. rdev remove path calls del_gendisk because MD_DELETED is set\n5. md stop path release reconfig_mutex and calls del_gendisk again\n\nSo there is a race condition we should resolve. This patch adds a\nflag MD_DO_DELETE to avoid the race condition."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:10.924Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b4c5cf406062ad44cd178269571530c6435b2f3b"
},
{
"url": "https://git.kernel.org/stable/c/f0fae1debeb9102398ddf2ef69b4f5d395afafed"
},
{
"url": "https://git.kernel.org/stable/c/90e3bb44c0a86e245d8e5c6520206fa113acb1ee"
}
],
"title": "md: avoid repeated calls to del_gendisk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68373",
"datePublished": "2025-12-24T10:33:03.375Z",
"dateReserved": "2025-12-16T14:48:05.310Z",
"dateUpdated": "2026-02-09T08:32:10.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40345 (GCVE-0-2025-40345)
Vulnerability from cvelistv5 – Published: 2025-12-12 17:53 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
usb: storage: sddr55: Reject out-of-bound new_pba
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: storage: sddr55: Reject out-of-bound new_pba
Discovered by Atuin - Automated Vulnerability Discovery Engine.
new_pba comes from the status packet returned after each write.
A bogus device could report values beyond the block count derived
from info->capacity, letting the driver walk off the end of
pba_to_lba[] and corrupt heap memory.
Reject PBAs that exceed the computed block count and fail the
transfer so we avoid touching out-of-range mapping entries.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d00a6c04a502cd52425dbf35588732c652b16490
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 26e9b5da3231da7dc357b363883b5b7b51a64092 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < aa64e0e17e3a5991a25e6a46007770c629039869 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 04a8a6393f3f2f471e05eacca33282dd30b01432 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a20f1dd19d21dcb70140ea5a71b1f8cbe0c7e68f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5ebe8d479aaf4f41ac35e6955332304193c646f6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b59d4fda7e7d0aff1043a7f742487cb829f5aac1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/sddr55.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d00a6c04a502cd52425dbf35588732c652b16490",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "26e9b5da3231da7dc357b363883b5b7b51a64092",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aa64e0e17e3a5991a25e6a46007770c629039869",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "04a8a6393f3f2f471e05eacca33282dd30b01432",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a20f1dd19d21dcb70140ea5a71b1f8cbe0c7e68f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5ebe8d479aaf4f41ac35e6955332304193c646f6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b59d4fda7e7d0aff1043a7f742487cb829f5aac1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/sddr55.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: storage: sddr55: Reject out-of-bound new_pba\n\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\n\nnew_pba comes from the status packet returned after each write.\nA bogus device could report values beyond the block count derived\nfrom info-\u003ecapacity, letting the driver walk off the end of\npba_to_lba[] and corrupt heap memory.\n\nReject PBAs that exceed the computed block count and fail the\ntransfer so we avoid touching out-of-range mapping entries."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:43.244Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d00a6c04a502cd52425dbf35588732c652b16490"
},
{
"url": "https://git.kernel.org/stable/c/26e9b5da3231da7dc357b363883b5b7b51a64092"
},
{
"url": "https://git.kernel.org/stable/c/aa64e0e17e3a5991a25e6a46007770c629039869"
},
{
"url": "https://git.kernel.org/stable/c/04a8a6393f3f2f471e05eacca33282dd30b01432"
},
{
"url": "https://git.kernel.org/stable/c/a20f1dd19d21dcb70140ea5a71b1f8cbe0c7e68f"
},
{
"url": "https://git.kernel.org/stable/c/5ebe8d479aaf4f41ac35e6955332304193c646f6"
},
{
"url": "https://git.kernel.org/stable/c/b59d4fda7e7d0aff1043a7f742487cb829f5aac1"
}
],
"title": "usb: storage: sddr55: Reject out-of-bound new_pba",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40345",
"datePublished": "2025-12-12T17:53:06.853Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-01-02T15:33:43.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41014 (GCVE-0-2024-41014)
Vulnerability from cvelistv5 – Published: 2024-07-29 06:37 – Updated: 2026-01-05 10:37
VLAI?
EPSS
Title
xfs: add bounds checking to xlog_recover_process_data
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: add bounds checking to xlog_recover_process_data
There is a lack of verification of the space occupied by fixed members
of xlog_op_header in the xlog_recover_process_data.
We can create a crafted image to trigger an out of bounds read by
following these steps:
1) Mount an image of xfs, and do some file operations to leave records
2) Before umounting, copy the image for subsequent steps to simulate
abnormal exit. Because umount will ensure that tail_blk and
head_blk are the same, which will result in the inability to enter
xlog_recover_process_data
3) Write a tool to parse and modify the copied image in step 2
4) Make the end of the xlog_op_header entries only 1 byte away from
xlog_rec_header->h_size
5) xlog_rec_header->h_num_logops++
6) Modify xlog_rec_header->h_crc
Fix:
Add a check to make sure there is sufficient space to access fixed members
of xlog_op_header.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d1e3efe783365db59da88f08a2e0bfe1cc95b143
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7cd9f0a33e738cd58876f1bc8d6c1aa5bc4fc8c1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fb63435b7c7dc112b1ae1baea5486e0a6e27b196 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:38:27.100Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fb63435b7c7dc112b1ae1baea5486e0a6e27b196"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41014",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:24:49.673152Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:05.954Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_log_recover.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1e3efe783365db59da88f08a2e0bfe1cc95b143",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7cd9f0a33e738cd58876f1bc8d6c1aa5bc4fc8c1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fb63435b7c7dc112b1ae1baea5486e0a6e27b196",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_log_recover.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: add bounds checking to xlog_recover_process_data\n\nThere is a lack of verification of the space occupied by fixed members\nof xlog_op_header in the xlog_recover_process_data.\n\nWe can create a crafted image to trigger an out of bounds read by\nfollowing these steps:\n 1) Mount an image of xfs, and do some file operations to leave records\n 2) Before umounting, copy the image for subsequent steps to simulate\n abnormal exit. Because umount will ensure that tail_blk and\n head_blk are the same, which will result in the inability to enter\n xlog_recover_process_data\n 3) Write a tool to parse and modify the copied image in step 2\n 4) Make the end of the xlog_op_header entries only 1 byte away from\n xlog_rec_header-\u003eh_size\n 5) xlog_rec_header-\u003eh_num_logops++\n 6) Modify xlog_rec_header-\u003eh_crc\n\nFix:\nAdd a check to make sure there is sufficient space to access fixed members\nof xlog_op_header."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:37:21.214Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1e3efe783365db59da88f08a2e0bfe1cc95b143"
},
{
"url": "https://git.kernel.org/stable/c/7cd9f0a33e738cd58876f1bc8d6c1aa5bc4fc8c1"
},
{
"url": "https://git.kernel.org/stable/c/fb63435b7c7dc112b1ae1baea5486e0a6e27b196"
}
],
"title": "xfs: add bounds checking to xlog_recover_process_data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41014",
"datePublished": "2024-07-29T06:37:00.826Z",
"dateReserved": "2024-07-12T12:17:45.611Z",
"dateUpdated": "2026-01-05T10:37:21.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40009 (GCVE-0-2025-40009)
Vulnerability from cvelistv5 – Published: 2025-10-20 15:26 – Updated: 2025-10-20 15:26
VLAI?
EPSS
Title
fs/proc/task_mmu: check p->vec_buf for NULL
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/proc/task_mmu: check p->vec_buf for NULL
When the PAGEMAP_SCAN ioctl is invoked with vec_len = 0 reaches
pagemap_scan_backout_range(), kernel panics with null-ptr-deref:
[ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none)
[ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80
<snip registers, unreliable trace>
[ 44.946828] Call Trace:
[ 44.947030] <TASK>
[ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0
[ 44.952593] walk_pmd_range.isra.0+0x302/0x910
[ 44.954069] walk_pud_range.isra.0+0x419/0x790
[ 44.954427] walk_p4d_range+0x41e/0x620
[ 44.954743] walk_pgd_range+0x31e/0x630
[ 44.955057] __walk_page_range+0x160/0x670
[ 44.956883] walk_page_range_mm+0x408/0x980
[ 44.958677] walk_page_range+0x66/0x90
[ 44.958984] do_pagemap_scan+0x28d/0x9c0
[ 44.961833] do_pagemap_cmd+0x59/0x80
[ 44.962484] __x64_sys_ioctl+0x18d/0x210
[ 44.962804] do_syscall_64+0x5b/0x290
[ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e
vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are
allocated and p->vec_buf remains set to NULL.
This breaks an assumption made later in pagemap_scan_backout_range(), that
page_region is always allocated for p->vec_buf_index.
Fix it by explicitly checking p->vec_buf for NULL before dereferencing.
Other sites that might run into same deref-issue are already (directly or
transitively) protected by checking p->vec_buf.
Note:
From PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output
is requested and it's only the side effects caller is interested in,
hence it passes check in pagemap_scan_get_args().
This issue was found by syzkaller.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
52526ca7fdb905a768a93f8faa418e9b988fc34b , < ca988dcdc6683ecd9de5f525ce469588a9141c21
(git)
Affected: 52526ca7fdb905a768a93f8faa418e9b988fc34b , < a2cb8818a3d915cd33a1e8b2babc1bb0c34862c3 (git) Affected: 52526ca7fdb905a768a93f8faa418e9b988fc34b , < 28aa29986dde79e8466bc87569141291053833f5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/proc/task_mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca988dcdc6683ecd9de5f525ce469588a9141c21",
"status": "affected",
"version": "52526ca7fdb905a768a93f8faa418e9b988fc34b",
"versionType": "git"
},
{
"lessThan": "a2cb8818a3d915cd33a1e8b2babc1bb0c34862c3",
"status": "affected",
"version": "52526ca7fdb905a768a93f8faa418e9b988fc34b",
"versionType": "git"
},
{
"lessThan": "28aa29986dde79e8466bc87569141291053833f5",
"status": "affected",
"version": "52526ca7fdb905a768a93f8faa418e9b988fc34b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/proc/task_mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc/task_mmu: check p-\u003evec_buf for NULL\n\nWhen the PAGEMAP_SCAN ioctl is invoked with vec_len = 0 reaches\npagemap_scan_backout_range(), kernel panics with null-ptr-deref:\n\n[ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI\n[ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n[ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none)\n[ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80\n\n\u003csnip registers, unreliable trace\u003e\n\n[ 44.946828] Call Trace:\n[ 44.947030] \u003cTASK\u003e\n[ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0\n[ 44.952593] walk_pmd_range.isra.0+0x302/0x910\n[ 44.954069] walk_pud_range.isra.0+0x419/0x790\n[ 44.954427] walk_p4d_range+0x41e/0x620\n[ 44.954743] walk_pgd_range+0x31e/0x630\n[ 44.955057] __walk_page_range+0x160/0x670\n[ 44.956883] walk_page_range_mm+0x408/0x980\n[ 44.958677] walk_page_range+0x66/0x90\n[ 44.958984] do_pagemap_scan+0x28d/0x9c0\n[ 44.961833] do_pagemap_cmd+0x59/0x80\n[ 44.962484] __x64_sys_ioctl+0x18d/0x210\n[ 44.962804] do_syscall_64+0x5b/0x290\n[ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nvec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are\nallocated and p-\u003evec_buf remains set to NULL.\n\nThis breaks an assumption made later in pagemap_scan_backout_range(), that\npage_region is always allocated for p-\u003evec_buf_index.\n\nFix it by explicitly checking p-\u003evec_buf for NULL before dereferencing.\n\nOther sites that might run into same deref-issue are already (directly or\ntransitively) protected by checking p-\u003evec_buf.\n\nNote:\nFrom PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output\nis requested and it\u0027s only the side effects caller is interested in,\nhence it passes check in pagemap_scan_get_args().\n\nThis issue was found by syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:26:55.208Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca988dcdc6683ecd9de5f525ce469588a9141c21"
},
{
"url": "https://git.kernel.org/stable/c/a2cb8818a3d915cd33a1e8b2babc1bb0c34862c3"
},
{
"url": "https://git.kernel.org/stable/c/28aa29986dde79e8466bc87569141291053833f5"
}
],
"title": "fs/proc/task_mmu: check p-\u003evec_buf for NULL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40009",
"datePublished": "2025-10-20T15:26:55.208Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-20T15:26:55.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40309 (GCVE-0-2025-40309)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
Bluetooth: SCO: Fix UAF on sco_conn_free
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SCO: Fix UAF on sco_conn_free
BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline]
BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline]
BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410
net/bluetooth/sco.c:107
Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352
CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted
6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci13 hci_cmd_sync_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x191/0x550 mm/kasan/report.c:482
kasan_report+0xc4/0x100 mm/kasan/report.c:595
sco_conn_free net/bluetooth/sco.c:87 [inline]
kref_put include/linux/kref.h:65 [inline]
sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107
sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441
hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]
hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313
hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121
hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147
hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689
hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319
worker_thread+0xbee/0x1200 kernel/workqueue.c:3400
kthread+0x3c7/0x870 kernel/kthread.c:463
ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 31370:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x70 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4382 [inline]
__kmalloc_noprof+0x22f/0x390 mm/slub.c:4394
kmalloc_noprof include/linux/slab.h:909 [inline]
sk_prot_alloc+0xae/0x220 net/core/sock.c:2239
sk_alloc+0x34/0x5a0 net/core/sock.c:2295
bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151
sco_sock_alloc net/bluetooth/sco.c:562 [inline]
sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593
bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135
__sock_create+0x3ad/0x780 net/socket.c:1589
sock_create net/socket.c:1647 [inline]
__sys_socket_create net/socket.c:1684 [inline]
__sys_socket+0xd5/0x330 net/socket.c:1731
__do_sys_socket net/socket.c:1745 [inline]
__se_sys_socket net/socket.c:1743 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1743
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 31374:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x70 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2428 [inline]
slab_free mm/slub.c:4701 [inline]
kfree+0x199/0x3b0 mm/slub.c:4900
sk_prot_free net/core/sock.c:2278 [inline]
__sk_destruct+0x4aa/0x630 net/core/sock.c:2373
sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333
__sock_release net/socket.c:649 [inline]
sock_close+0xb8/0x230 net/socket.c:1439
__fput+0x3d1/0x9e0 fs/file_table.c:468
task_work_run+0x206/0x2a0 kernel/task_work.c:227
get_signal+0x1201/0x1410 kernel/signal.c:2807
arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
s
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "391f83547b7b2c63e4b572ab838e10a06cfa4425",
"status": "affected",
"version": "e6720779ae612a14ac4ba7fe4fd5b27d900d932c",
"versionType": "git"
},
{
"lessThan": "ecb9a843be4d6fd710d7026e359f21015a062572",
"status": "affected",
"version": "e6720779ae612a14ac4ba7fe4fd5b27d900d932c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix UAF on sco_conn_free\n\nBUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline]\nBUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline]\nBUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410\nnet/bluetooth/sco.c:107\nWrite of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352\n\nCPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted\n6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci13 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x191/0x550 mm/kasan/report.c:482\n kasan_report+0xc4/0x100 mm/kasan/report.c:595\n sco_conn_free net/bluetooth/sco.c:87 [inline]\n kref_put include/linux/kref.h:65 [inline]\n sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107\n sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441\n hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]\n hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313\n hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121\n hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147\n hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689\n hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319\n worker_thread+0xbee/0x1200 kernel/workqueue.c:3400\n kthread+0x3c7/0x870 kernel/kthread.c:463\n ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 31370:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4382 [inline]\n __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394\n kmalloc_noprof include/linux/slab.h:909 [inline]\n sk_prot_alloc+0xae/0x220 net/core/sock.c:2239\n sk_alloc+0x34/0x5a0 net/core/sock.c:2295\n bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151\n sco_sock_alloc net/bluetooth/sco.c:562 [inline]\n sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593\n bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135\n __sock_create+0x3ad/0x780 net/socket.c:1589\n sock_create net/socket.c:1647 [inline]\n __sys_socket_create net/socket.c:1684 [inline]\n __sys_socket+0xd5/0x330 net/socket.c:1731\n __do_sys_socket net/socket.c:1745 [inline]\n __se_sys_socket net/socket.c:1743 [inline]\n __x64_sys_socket+0x7a/0x90 net/socket.c:1743\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 31374:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:243 [inline]\n __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2428 [inline]\n slab_free mm/slub.c:4701 [inline]\n kfree+0x199/0x3b0 mm/slub.c:4900\n sk_prot_free net/core/sock.c:2278 [inline]\n __sk_destruct+0x4aa/0x630 net/core/sock.c:2373\n sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333\n __sock_release net/socket.c:649 [inline]\n sock_close+0xb8/0x230 net/socket.c:1439\n __fput+0x3d1/0x9e0 fs/file_table.c:468\n task_work_run+0x206/0x2a0 kernel/task_work.c:227\n get_signal+0x1201/0x1410 kernel/signal.c:2807\n arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n s\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:30.865Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/391f83547b7b2c63e4b572ab838e10a06cfa4425"
},
{
"url": "https://git.kernel.org/stable/c/ecb9a843be4d6fd710d7026e359f21015a062572"
}
],
"title": "Bluetooth: SCO: Fix UAF on sco_conn_free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40309",
"datePublished": "2025-12-08T00:46:34.785Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-02T15:33:30.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68286 (GCVE-0-2025-68286)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
drm/amd/display: Check NULL before accessing
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check NULL before accessing
[WHAT]
IGT kms_cursor_legacy's long-nonblocking-modeset-vs-cursor-atomic
fails with NULL pointer dereference. This can be reproduced with
both an eDP panel and a DP monitors connected.
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 13 UID: 0 PID: 2960 Comm: kms_cursor_lega Not tainted
6.16.0-99-custom #8 PREEMPT(voluntary)
Hardware name: AMD ........
RIP: 0010:dc_stream_get_scanoutpos+0x34/0x130 [amdgpu]
Code: 57 4d 89 c7 41 56 49 89 ce 41 55 49 89 d5 41 54 49
89 fc 53 48 83 ec 18 48 8b 87 a0 64 00 00 48 89 75 d0 48 c7 c6 e0 41 30
c2 <48> 8b 38 48 8b 9f 68 06 00 00 e8 8d d7 fd ff 31 c0 48 81 c3 e0 02
RSP: 0018:ffffd0f3c2bd7608 EFLAGS: 00010292
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd0f3c2bd7668
RDX: ffffd0f3c2bd7664 RSI: ffffffffc23041e0 RDI: ffff8b32494b8000
RBP: ffffd0f3c2bd7648 R08: ffffd0f3c2bd766c R09: ffffd0f3c2bd7760
R10: ffffd0f3c2bd7820 R11: 0000000000000000 R12: ffff8b32494b8000
R13: ffffd0f3c2bd7664 R14: ffffd0f3c2bd7668 R15: ffffd0f3c2bd766c
FS: 000071f631b68700(0000) GS:ffff8b399f114000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001b8105000 CR4: 0000000000f50ef0
PKRU: 55555554
Call Trace:
<TASK>
dm_crtc_get_scanoutpos+0xd7/0x180 [amdgpu]
amdgpu_display_get_crtc_scanoutpos+0x86/0x1c0 [amdgpu]
? __pfx_amdgpu_crtc_get_scanout_position+0x10/0x10[amdgpu]
amdgpu_crtc_get_scanout_position+0x27/0x50 [amdgpu]
drm_crtc_vblank_helper_get_vblank_timestamp_internal+0xf7/0x400
drm_crtc_vblank_helper_get_vblank_timestamp+0x1c/0x30
drm_crtc_get_last_vbltimestamp+0x55/0x90
drm_crtc_next_vblank_start+0x45/0xa0
drm_atomic_helper_wait_for_fences+0x81/0x1f0
...
(cherry picked from commit 621e55f1919640acab25383362b96e65f2baea3c)
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 781f2f32e9c19eb791b52af283c96f9a9677a7f2
(git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 09092269cb762378ca8b56024746b1a136761e0d (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 109e9c92543f3105e8e1efd2c5e6b92ef55d5743 (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 9d1a65cbe3ec5da3003c8434ac7a38dcdc958fd9 (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < f7cf491cd5b54b5a093bd3fdf76fa2860a7522bf (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 62150f1e7ec707da76ff353fb7db51fef9cd6557 (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 3ce62c189693e8ed7b3abe551802bbc67f3ace54 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/core/dc_stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "781f2f32e9c19eb791b52af283c96f9a9677a7f2",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "09092269cb762378ca8b56024746b1a136761e0d",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "109e9c92543f3105e8e1efd2c5e6b92ef55d5743",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "9d1a65cbe3ec5da3003c8434ac7a38dcdc958fd9",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "f7cf491cd5b54b5a093bd3fdf76fa2860a7522bf",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "62150f1e7ec707da76ff353fb7db51fef9cd6557",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "3ce62c189693e8ed7b3abe551802bbc67f3ace54",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/core/dc_stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check NULL before accessing\n\n[WHAT]\nIGT kms_cursor_legacy\u0027s long-nonblocking-modeset-vs-cursor-atomic\nfails with NULL pointer dereference. This can be reproduced with\nboth an eDP panel and a DP monitors connected.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 13 UID: 0 PID: 2960 Comm: kms_cursor_lega Not tainted\n6.16.0-99-custom #8 PREEMPT(voluntary)\n Hardware name: AMD ........\n RIP: 0010:dc_stream_get_scanoutpos+0x34/0x130 [amdgpu]\n Code: 57 4d 89 c7 41 56 49 89 ce 41 55 49 89 d5 41 54 49\n 89 fc 53 48 83 ec 18 48 8b 87 a0 64 00 00 48 89 75 d0 48 c7 c6 e0 41 30\n c2 \u003c48\u003e 8b 38 48 8b 9f 68 06 00 00 e8 8d d7 fd ff 31 c0 48 81 c3 e0 02\n RSP: 0018:ffffd0f3c2bd7608 EFLAGS: 00010292\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd0f3c2bd7668\n RDX: ffffd0f3c2bd7664 RSI: ffffffffc23041e0 RDI: ffff8b32494b8000\n RBP: ffffd0f3c2bd7648 R08: ffffd0f3c2bd766c R09: ffffd0f3c2bd7760\n R10: ffffd0f3c2bd7820 R11: 0000000000000000 R12: ffff8b32494b8000\n R13: ffffd0f3c2bd7664 R14: ffffd0f3c2bd7668 R15: ffffd0f3c2bd766c\n FS: 000071f631b68700(0000) GS:ffff8b399f114000(0000)\nknlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000001b8105000 CR4: 0000000000f50ef0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n dm_crtc_get_scanoutpos+0xd7/0x180 [amdgpu]\n amdgpu_display_get_crtc_scanoutpos+0x86/0x1c0 [amdgpu]\n ? __pfx_amdgpu_crtc_get_scanout_position+0x10/0x10[amdgpu]\n amdgpu_crtc_get_scanout_position+0x27/0x50 [amdgpu]\n drm_crtc_vblank_helper_get_vblank_timestamp_internal+0xf7/0x400\n drm_crtc_vblank_helper_get_vblank_timestamp+0x1c/0x30\n drm_crtc_get_last_vbltimestamp+0x55/0x90\n drm_crtc_next_vblank_start+0x45/0xa0\n drm_atomic_helper_wait_for_fences+0x81/0x1f0\n ...\n\n(cherry picked from commit 621e55f1919640acab25383362b96e65f2baea3c)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:20.161Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/781f2f32e9c19eb791b52af283c96f9a9677a7f2"
},
{
"url": "https://git.kernel.org/stable/c/09092269cb762378ca8b56024746b1a136761e0d"
},
{
"url": "https://git.kernel.org/stable/c/109e9c92543f3105e8e1efd2c5e6b92ef55d5743"
},
{
"url": "https://git.kernel.org/stable/c/9d1a65cbe3ec5da3003c8434ac7a38dcdc958fd9"
},
{
"url": "https://git.kernel.org/stable/c/f7cf491cd5b54b5a093bd3fdf76fa2860a7522bf"
},
{
"url": "https://git.kernel.org/stable/c/62150f1e7ec707da76ff353fb7db51fef9cd6557"
},
{
"url": "https://git.kernel.org/stable/c/3ce62c189693e8ed7b3abe551802bbc67f3ace54"
}
],
"title": "drm/amd/display: Check NULL before accessing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68286",
"datePublished": "2025-12-16T15:06:07.838Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-20T08:52:20.161Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71105 (GCVE-0-2025-71105)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
f2fs: use global inline_xattr_slab instead of per-sb slab cache
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: use global inline_xattr_slab instead of per-sb slab cache
As Hong Yun reported in mailing list:
loop7: detected capacity change from 0 to 131072
------------[ cut here ]------------
kmem_cache of name 'f2fs_xattr_entry-7:7' already exists
WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline]
WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]
RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
Call Trace:
__kmem_cache_create include/linux/slab.h:353 [inline]
f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]
f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843
f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918
get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692
vfs_get_tree+0x43/0x140 fs/super.c:1815
do_new_mount+0x201/0x550 fs/namespace.c:3808
do_mount fs/namespace.c:4136 [inline]
__do_sys_mount fs/namespace.c:4347 [inline]
__se_sys_mount+0x298/0x2f0 fs/namespace.c:4324
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The bug can be reproduced w/ below scripts:
- mount /dev/vdb /mnt1
- mount /dev/vdc /mnt2
- umount /mnt1
- mounnt /dev/vdb /mnt1
The reason is if we created two slab caches, named f2fs_xattr_entry-7:3
and f2fs_xattr_entry-7:7, and they have the same slab size. Actually,
slab system will only create one slab cache core structure which has
slab name of "f2fs_xattr_entry-7:3", and two slab caches share the same
structure and cache address.
So, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will
decrease reference count of slab cache, rather than release slab cache
entirely, since there is one more user has referenced the cache.
Then, if we try to create slab cache w/ name "f2fs_xattr_entry-7:3" again,
slab system will find that there is existed cache which has the same name
and trigger the warning.
Let's changes to use global inline_xattr_slab instead of per-sb slab cache
for fixing.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a999150f4fe3abbb7efd05411fd5b460be699943 , < 93d30fe19660dec6bf1bd3d5c186c1c737b21aa5
(git)
Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < 474cc3ed37436ddfd63cac8dbffe3b1e219e9100 (git) Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < 72ce19dfed162da6e430467333b2da70471d08a4 (git) Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a (git) Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < 1eb0b130196bcbc56c5c80c83139fa70c0aa82c5 (git) Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < e6d828eae00ec192e18c2ddaa2fd32050a96048a (git) Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < 1f27ef42bb0b7c0740c5616ec577ec188b8a1d05 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/f2fs.h",
"fs/f2fs/super.c",
"fs/f2fs/xattr.c",
"fs/f2fs/xattr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93d30fe19660dec6bf1bd3d5c186c1c737b21aa5",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "474cc3ed37436ddfd63cac8dbffe3b1e219e9100",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "72ce19dfed162da6e430467333b2da70471d08a4",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "1eb0b130196bcbc56c5c80c83139fa70c0aa82c5",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "e6d828eae00ec192e18c2ddaa2fd32050a96048a",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "1f27ef42bb0b7c0740c5616ec577ec188b8a1d05",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/f2fs.h",
"fs/f2fs/super.c",
"fs/f2fs/xattr.c",
"fs/f2fs/xattr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: use global inline_xattr_slab instead of per-sb slab cache\n\nAs Hong Yun reported in mailing list:\n\nloop7: detected capacity change from 0 to 131072\n------------[ cut here ]------------\nkmem_cache of name \u0027f2fs_xattr_entry-7:7\u0027 already exists\nWARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline]\nWARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307\nCPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]\nRIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307\nCall Trace:\n\u00a0__kmem_cache_create include/linux/slab.h:353 [inline]\n\u00a0f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]\n\u00a0f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843\n\u00a0f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918\n\u00a0get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692\n\u00a0vfs_get_tree+0x43/0x140 fs/super.c:1815\n\u00a0do_new_mount+0x201/0x550 fs/namespace.c:3808\n\u00a0do_mount fs/namespace.c:4136 [inline]\n\u00a0__do_sys_mount fs/namespace.c:4347 [inline]\n\u00a0__se_sys_mount+0x298/0x2f0 fs/namespace.c:4324\n\u00a0do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n\u00a0do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94\n\u00a0entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe bug can be reproduced w/ below scripts:\n- mount /dev/vdb /mnt1\n- mount /dev/vdc /mnt2\n- umount /mnt1\n- mounnt /dev/vdb /mnt1\n\nThe reason is if we created two slab caches, named f2fs_xattr_entry-7:3\nand f2fs_xattr_entry-7:7, and they have the same slab size. Actually,\nslab system will only create one slab cache core structure which has\nslab name of \"f2fs_xattr_entry-7:3\", and two slab caches share the same\nstructure and cache address.\n\nSo, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will\ndecrease reference count of slab cache, rather than release slab cache\nentirely, since there is one more user has referenced the cache.\n\nThen, if we try to create slab cache w/ name \"f2fs_xattr_entry-7:3\" again,\nslab system will find that there is existed cache which has the same name\nand trigger the warning.\n\nLet\u0027s changes to use global inline_xattr_slab instead of per-sb slab cache\nfor fixing."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:58.276Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93d30fe19660dec6bf1bd3d5c186c1c737b21aa5"
},
{
"url": "https://git.kernel.org/stable/c/474cc3ed37436ddfd63cac8dbffe3b1e219e9100"
},
{
"url": "https://git.kernel.org/stable/c/72ce19dfed162da6e430467333b2da70471d08a4"
},
{
"url": "https://git.kernel.org/stable/c/be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a"
},
{
"url": "https://git.kernel.org/stable/c/1eb0b130196bcbc56c5c80c83139fa70c0aa82c5"
},
{
"url": "https://git.kernel.org/stable/c/e6d828eae00ec192e18c2ddaa2fd32050a96048a"
},
{
"url": "https://git.kernel.org/stable/c/1f27ef42bb0b7c0740c5616ec577ec188b8a1d05"
}
],
"title": "f2fs: use global inline_xattr_slab instead of per-sb slab cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71105",
"datePublished": "2026-01-14T15:05:54.510Z",
"dateReserved": "2026-01-13T15:30:19.651Z",
"dateUpdated": "2026-02-09T08:34:58.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68221 (GCVE-0-2025-68221)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57
VLAI?
EPSS
Title
mptcp: fix address removal logic in mptcp_pm_nl_rm_addr
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix address removal logic in mptcp_pm_nl_rm_addr
Fix inverted WARN_ON_ONCE condition that prevented normal address
removal counter updates. The current code only executes decrement
logic when the counter is already 0 (abnormal state), while
normal removals (counter > 0) are ignored.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm_kernel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7d953c38245c0e9d8e268fb6a9e524602fb44ec",
"status": "affected",
"version": "63611391850850bf27f81afb0d0b6d1237a34006",
"versionType": "git"
},
{
"lessThan": "92e239e36d600002559074994a545fcfac9afd2d",
"status": "affected",
"version": "63611391850850bf27f81afb0d0b6d1237a34006",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm_kernel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix address removal logic in mptcp_pm_nl_rm_addr\n\nFix inverted WARN_ON_ONCE condition that prevented normal address\nremoval counter updates. The current code only executes decrement\nlogic when the counter is already 0 (abnormal state), while\nnormal removals (counter \u003e 0) are ignored."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:14.836Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7d953c38245c0e9d8e268fb6a9e524602fb44ec"
},
{
"url": "https://git.kernel.org/stable/c/92e239e36d600002559074994a545fcfac9afd2d"
}
],
"title": "mptcp: fix address removal logic in mptcp_pm_nl_rm_addr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68221",
"datePublished": "2025-12-16T13:57:14.836Z",
"dateReserved": "2025-12-16T13:41:40.257Z",
"dateUpdated": "2025-12-16T13:57:14.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40350 (GCVE-0-2025-40350)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2025-12-16 13:30
VLAI?
EPSS
Title
net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ
XDP programs can change the layout of an xdp_buff through
bpf_xdp_adjust_tail() and bpf_xdp_adjust_head(). Therefore, the driver
cannot assume the size of the linear data area nor fragments. Fix the
bug in mlx5 by generating skb according to xdp_buff after XDP programs
run.
Currently, when handling multi-buf XDP, the mlx5 driver assumes the
layout of an xdp_buff to be unchanged. That is, the linear data area
continues to be empty and fragments remain the same. This may cause
the driver to generate erroneous skb or triggering a kernel
warning. When an XDP program added linear data through
bpf_xdp_adjust_head(), the linear data will be ignored as
mlx5e_build_linear_skb() builds an skb without linear data and then
pull data from fragments to fill the linear data area. When an XDP
program has shrunk the non-linear data through bpf_xdp_adjust_tail(),
the delta passed to __pskb_pull_tail() may exceed the actual nonlinear
data size and trigger the BUG_ON in it.
To fix the issue, first record the original number of fragments. If the
number of fragments changes after the XDP program runs, rewind the end
fragment pointer by the difference and recalculate the truesize. Then,
build the skb with the linear data area matching the xdp_buff. Finally,
only pull data in if there is non-linear data and fill the linear part
up to 256 bytes.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f52ac7028bec22e925c8fece4f21641eb13b4d6f , < 8b051d7f530e8a5237da242fbeafef02fec6b813
(git)
Affected: f52ac7028bec22e925c8fece4f21641eb13b4d6f , < cb9edd583e23979ee546981be963ad5f217e8b18 (git) Affected: f52ac7028bec22e925c8fece4f21641eb13b4d6f , < f2557d7fa38e9475b38588f5c124476091480f53 (git) Affected: f52ac7028bec22e925c8fece4f21641eb13b4d6f , < 87bcef158ac1faca1bd7e0104588e8e2956d10be (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8b051d7f530e8a5237da242fbeafef02fec6b813",
"status": "affected",
"version": "f52ac7028bec22e925c8fece4f21641eb13b4d6f",
"versionType": "git"
},
{
"lessThan": "cb9edd583e23979ee546981be963ad5f217e8b18",
"status": "affected",
"version": "f52ac7028bec22e925c8fece4f21641eb13b4d6f",
"versionType": "git"
},
{
"lessThan": "f2557d7fa38e9475b38588f5c124476091480f53",
"status": "affected",
"version": "f52ac7028bec22e925c8fece4f21641eb13b4d6f",
"versionType": "git"
},
{
"lessThan": "87bcef158ac1faca1bd7e0104588e8e2956d10be",
"status": "affected",
"version": "f52ac7028bec22e925c8fece4f21641eb13b4d6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ\n\nXDP programs can change the layout of an xdp_buff through\nbpf_xdp_adjust_tail() and bpf_xdp_adjust_head(). Therefore, the driver\ncannot assume the size of the linear data area nor fragments. Fix the\nbug in mlx5 by generating skb according to xdp_buff after XDP programs\nrun.\n\nCurrently, when handling multi-buf XDP, the mlx5 driver assumes the\nlayout of an xdp_buff to be unchanged. That is, the linear data area\ncontinues to be empty and fragments remain the same. This may cause\nthe driver to generate erroneous skb or triggering a kernel\nwarning. When an XDP program added linear data through\nbpf_xdp_adjust_head(), the linear data will be ignored as\nmlx5e_build_linear_skb() builds an skb without linear data and then\npull data from fragments to fill the linear data area. When an XDP\nprogram has shrunk the non-linear data through bpf_xdp_adjust_tail(),\nthe delta passed to __pskb_pull_tail() may exceed the actual nonlinear\ndata size and trigger the BUG_ON in it.\n\nTo fix the issue, first record the original number of fragments. If the\nnumber of fragments changes after the XDP program runs, rewind the end\nfragment pointer by the difference and recalculate the truesize. Then,\nbuild the skb with the linear data area matching the xdp_buff. Finally,\nonly pull data in if there is non-linear data and fill the linear part\nup to 256 bytes."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:30:23.896Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b051d7f530e8a5237da242fbeafef02fec6b813"
},
{
"url": "https://git.kernel.org/stable/c/cb9edd583e23979ee546981be963ad5f217e8b18"
},
{
"url": "https://git.kernel.org/stable/c/f2557d7fa38e9475b38588f5c124476091480f53"
},
{
"url": "https://git.kernel.org/stable/c/87bcef158ac1faca1bd7e0104588e8e2956d10be"
}
],
"title": "net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40350",
"datePublished": "2025-12-16T13:30:23.896Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-16T13:30:23.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40037 (GCVE-0-2025-40037)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
fbdev: simplefb: Fix use after free in simplefb_detach_genpds()
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: simplefb: Fix use after free in simplefb_detach_genpds()
The pm_domain cleanup can not be devres managed as it uses struct
simplefb_par which is allocated within struct fb_info by
framebuffer_alloc(). This allocation is explicitly freed by
unregister_framebuffer() in simplefb_remove().
Devres managed cleanup runs after the device remove call and thus can no
longer access struct simplefb_par.
Call simplefb_detach_genpds() explicitly from simplefb_destroy() like
the cleanup functions for clocks and regulators.
Fixes an use after free on M2 Mac mini during
aperture_remove_conflicting_devices() using the downstream asahi kernel
with Debian's kernel config. For unknown reasons this started to
consistently dereference an invalid pointer in v6.16.3 based kernels.
[ 6.736134] BUG: KASAN: slab-use-after-free in simplefb_detach_genpds+0x58/0x220
[ 6.743545] Read of size 4 at addr ffff8000304743f0 by task (udev-worker)/227
[ 6.750697]
[ 6.752182] CPU: 6 UID: 0 PID: 227 Comm: (udev-worker) Tainted: G S 6.16.3-asahi+ #16 PREEMPTLAZY
[ 6.752186] Tainted: [S]=CPU_OUT_OF_SPEC
[ 6.752187] Hardware name: Apple Mac mini (M2, 2023) (DT)
[ 6.752189] Call trace:
[ 6.752190] show_stack+0x34/0x98 (C)
[ 6.752194] dump_stack_lvl+0x60/0x80
[ 6.752197] print_report+0x17c/0x4d8
[ 6.752201] kasan_report+0xb4/0x100
[ 6.752206] __asan_report_load4_noabort+0x20/0x30
[ 6.752209] simplefb_detach_genpds+0x58/0x220
[ 6.752213] devm_action_release+0x50/0x98
[ 6.752216] release_nodes+0xd0/0x2c8
[ 6.752219] devres_release_all+0xfc/0x178
[ 6.752221] device_unbind_cleanup+0x28/0x168
[ 6.752224] device_release_driver_internal+0x34c/0x470
[ 6.752228] device_release_driver+0x20/0x38
[ 6.752231] bus_remove_device+0x1b0/0x380
[ 6.752234] device_del+0x314/0x820
[ 6.752238] platform_device_del+0x3c/0x1e8
[ 6.752242] platform_device_unregister+0x20/0x50
[ 6.752246] aperture_detach_platform_device+0x1c/0x30
[ 6.752250] aperture_detach_devices+0x16c/0x290
[ 6.752253] aperture_remove_conflicting_devices+0x34/0x50
...
[ 6.752343]
[ 6.967409] Allocated by task 62:
[ 6.970724] kasan_save_stack+0x3c/0x70
[ 6.974560] kasan_save_track+0x20/0x40
[ 6.978397] kasan_save_alloc_info+0x40/0x58
[ 6.982670] __kasan_kmalloc+0xd4/0xd8
[ 6.986420] __kmalloc_noprof+0x194/0x540
[ 6.990432] framebuffer_alloc+0xc8/0x130
[ 6.994444] simplefb_probe+0x258/0x2378
...
[ 7.054356]
[ 7.055838] Freed by task 227:
[ 7.058891] kasan_save_stack+0x3c/0x70
[ 7.062727] kasan_save_track+0x20/0x40
[ 7.066565] kasan_save_free_info+0x4c/0x80
[ 7.070751] __kasan_slab_free+0x6c/0xa0
[ 7.074675] kfree+0x10c/0x380
[ 7.077727] framebuffer_release+0x5c/0x90
[ 7.081826] simplefb_destroy+0x1b4/0x2c0
[ 7.085837] put_fb_info+0x98/0x100
[ 7.089326] unregister_framebuffer+0x178/0x320
[ 7.093861] simplefb_remove+0x3c/0x60
[ 7.097611] platform_remove+0x60/0x98
[ 7.101361] device_remove+0xb8/0x160
[ 7.105024] device_release_driver_internal+0x2fc/0x470
[ 7.110256] device_release_driver+0x20/0x38
[ 7.114529] bus_remove_device+0x1b0/0x380
[ 7.118628] device_del+0x314/0x820
[ 7.122116] platform_device_del+0x3c/0x1e8
[ 7.126302] platform_device_unregister+0x20/0x50
[ 7.131012] aperture_detach_platform_device+0x1c/0x30
[ 7.136157] aperture_detach_devices+0x16c/0x290
[ 7.140779] aperture_remove_conflicting_devices+0x34/0x50
...
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
92a511a568e44cf11681a2223cae4d576a1a515d , < b1deb39cfd614fb2f278b71011692a8dbf0f05ba
(git)
Affected: 92a511a568e44cf11681a2223cae4d576a1a515d , < b6ff0d8de8452ec0e18e5bd7394c2a23e7ff7353 (git) Affected: 92a511a568e44cf11681a2223cae4d576a1a515d , < da1bb9135213744e7ec398826c8f2e843de4fb94 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/simplefb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b1deb39cfd614fb2f278b71011692a8dbf0f05ba",
"status": "affected",
"version": "92a511a568e44cf11681a2223cae4d576a1a515d",
"versionType": "git"
},
{
"lessThan": "b6ff0d8de8452ec0e18e5bd7394c2a23e7ff7353",
"status": "affected",
"version": "92a511a568e44cf11681a2223cae4d576a1a515d",
"versionType": "git"
},
{
"lessThan": "da1bb9135213744e7ec398826c8f2e843de4fb94",
"status": "affected",
"version": "92a511a568e44cf11681a2223cae4d576a1a515d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/simplefb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: simplefb: Fix use after free in simplefb_detach_genpds()\n\nThe pm_domain cleanup can not be devres managed as it uses struct\nsimplefb_par which is allocated within struct fb_info by\nframebuffer_alloc(). This allocation is explicitly freed by\nunregister_framebuffer() in simplefb_remove().\nDevres managed cleanup runs after the device remove call and thus can no\nlonger access struct simplefb_par.\nCall simplefb_detach_genpds() explicitly from simplefb_destroy() like\nthe cleanup functions for clocks and regulators.\n\nFixes an use after free on M2 Mac mini during\naperture_remove_conflicting_devices() using the downstream asahi kernel\nwith Debian\u0027s kernel config. For unknown reasons this started to\nconsistently dereference an invalid pointer in v6.16.3 based kernels.\n\n[ 6.736134] BUG: KASAN: slab-use-after-free in simplefb_detach_genpds+0x58/0x220\n[ 6.743545] Read of size 4 at addr ffff8000304743f0 by task (udev-worker)/227\n[ 6.750697]\n[ 6.752182] CPU: 6 UID: 0 PID: 227 Comm: (udev-worker) Tainted: G S 6.16.3-asahi+ #16 PREEMPTLAZY\n[ 6.752186] Tainted: [S]=CPU_OUT_OF_SPEC\n[ 6.752187] Hardware name: Apple Mac mini (M2, 2023) (DT)\n[ 6.752189] Call trace:\n[ 6.752190] show_stack+0x34/0x98 (C)\n[ 6.752194] dump_stack_lvl+0x60/0x80\n[ 6.752197] print_report+0x17c/0x4d8\n[ 6.752201] kasan_report+0xb4/0x100\n[ 6.752206] __asan_report_load4_noabort+0x20/0x30\n[ 6.752209] simplefb_detach_genpds+0x58/0x220\n[ 6.752213] devm_action_release+0x50/0x98\n[ 6.752216] release_nodes+0xd0/0x2c8\n[ 6.752219] devres_release_all+0xfc/0x178\n[ 6.752221] device_unbind_cleanup+0x28/0x168\n[ 6.752224] device_release_driver_internal+0x34c/0x470\n[ 6.752228] device_release_driver+0x20/0x38\n[ 6.752231] bus_remove_device+0x1b0/0x380\n[ 6.752234] device_del+0x314/0x820\n[ 6.752238] platform_device_del+0x3c/0x1e8\n[ 6.752242] platform_device_unregister+0x20/0x50\n[ 6.752246] aperture_detach_platform_device+0x1c/0x30\n[ 6.752250] aperture_detach_devices+0x16c/0x290\n[ 6.752253] aperture_remove_conflicting_devices+0x34/0x50\n...\n[ 6.752343]\n[ 6.967409] Allocated by task 62:\n[ 6.970724] kasan_save_stack+0x3c/0x70\n[ 6.974560] kasan_save_track+0x20/0x40\n[ 6.978397] kasan_save_alloc_info+0x40/0x58\n[ 6.982670] __kasan_kmalloc+0xd4/0xd8\n[ 6.986420] __kmalloc_noprof+0x194/0x540\n[ 6.990432] framebuffer_alloc+0xc8/0x130\n[ 6.994444] simplefb_probe+0x258/0x2378\n...\n[ 7.054356]\n[ 7.055838] Freed by task 227:\n[ 7.058891] kasan_save_stack+0x3c/0x70\n[ 7.062727] kasan_save_track+0x20/0x40\n[ 7.066565] kasan_save_free_info+0x4c/0x80\n[ 7.070751] __kasan_slab_free+0x6c/0xa0\n[ 7.074675] kfree+0x10c/0x380\n[ 7.077727] framebuffer_release+0x5c/0x90\n[ 7.081826] simplefb_destroy+0x1b4/0x2c0\n[ 7.085837] put_fb_info+0x98/0x100\n[ 7.089326] unregister_framebuffer+0x178/0x320\n[ 7.093861] simplefb_remove+0x3c/0x60\n[ 7.097611] platform_remove+0x60/0x98\n[ 7.101361] device_remove+0xb8/0x160\n[ 7.105024] device_release_driver_internal+0x2fc/0x470\n[ 7.110256] device_release_driver+0x20/0x38\n[ 7.114529] bus_remove_device+0x1b0/0x380\n[ 7.118628] device_del+0x314/0x820\n[ 7.122116] platform_device_del+0x3c/0x1e8\n[ 7.126302] platform_device_unregister+0x20/0x50\n[ 7.131012] aperture_detach_platform_device+0x1c/0x30\n[ 7.136157] aperture_detach_devices+0x16c/0x290\n[ 7.140779] aperture_remove_conflicting_devices+0x34/0x50\n..."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:41.039Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b1deb39cfd614fb2f278b71011692a8dbf0f05ba"
},
{
"url": "https://git.kernel.org/stable/c/b6ff0d8de8452ec0e18e5bd7394c2a23e7ff7353"
},
{
"url": "https://git.kernel.org/stable/c/da1bb9135213744e7ec398826c8f2e843de4fb94"
}
],
"title": "fbdev: simplefb: Fix use after free in simplefb_detach_genpds()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40037",
"datePublished": "2025-10-28T11:48:18.274Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-12-01T06:16:41.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68241 (GCVE-0-2025-68241)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:21 – Updated: 2025-12-16 14:21
VLAI?
EPSS
Title
ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
The sit driver's packet transmission path calls: sit_tunnel_xmit() ->
update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called
to delete entries exceeding FNHE_RECLAIM_DEPTH+random.
The race window is between fnhe_remove_oldest() selecting fnheX for
deletion and the subsequent kfree_rcu(). During this time, the
concurrent path's __mkroute_output() -> find_exception() can fetch the
soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a
new dst using a dst_hold(). When the original fnheX is freed via RCU,
the dst reference remains permanently leaked.
CPU 0 CPU 1
__mkroute_output()
find_exception() [fnheX]
update_or_create_fnhe()
fnhe_remove_oldest() [fnheX]
rt_bind_exception() [bind dst]
RCU callback [fnheX freed, dst leak]
This issue manifests as a device reference count leak and a warning in
dmesg when unregistering the net device:
unregister_netdevice: waiting for sitX to become free. Usage count = N
Ido Schimmel provided the simple test validation method [1].
The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes().
Since rt_bind_exception() checks this field, setting it to zero prevents
the stale fnhe from being reused and bound to a new dst just before it
is freed.
[1]
ip netns add ns1
ip -n ns1 link set dev lo up
ip -n ns1 address add 192.0.2.1/32 dev lo
ip -n ns1 link add name dummy1 up type dummy
ip -n ns1 route add 192.0.2.2/32 dev dummy1
ip -n ns1 link add name gretap1 up arp off type gretap \
local 192.0.2.1 remote 192.0.2.2
ip -n ns1 route add 198.51.0.0/16 dev gretap1
taskset -c 0 ip netns exec ns1 mausezahn gretap1 \
-A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
taskset -c 2 ip netns exec ns1 mausezahn gretap1 \
-A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
sleep 10
ip netns pids ns1 | xargs kill
ip netns del ns1
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e46e23c289f62ccd8e2230d9ce652072d777ff30 , < 69d35c12168f9c59b159ae566f77dfad9f96d7ca
(git)
Affected: 5867e20e1808acd0c832ddea2587e5ee49813874 , < 4b7210da22429765d19460d38c30eeca72656282 (git) Affected: 67d6d681e15b578c1725bad8ad079e05d1c48a8e , < 298f1e0694ab4edb6092d66efed93c4554e6ced1 (git) Affected: 67d6d681e15b578c1725bad8ad079e05d1c48a8e , < b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94 (git) Affected: 67d6d681e15b578c1725bad8ad079e05d1c48a8e , < 041ab9ca6e80d8f792bb69df28ebf1ef39c06af8 (git) Affected: 67d6d681e15b578c1725bad8ad079e05d1c48a8e , < b84f083f50ecc736a95091691339a1b363962f0e (git) Affected: 67d6d681e15b578c1725bad8ad079e05d1c48a8e , < 0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0 (git) Affected: 67d6d681e15b578c1725bad8ad079e05d1c48a8e , < ac1499fcd40fe06479e9b933347b837ccabc2a40 (git) Affected: bed8941fbdb72a61f6348c4deb0db69c4de87aca (git) Affected: f10ce783bcc4d8ea454563a7d56ae781640e7dcb (git) Affected: f484595be6b7ef9d095a32becabb5dae8204fb2a (git) Affected: 3e6bd2b583f18da9856fc9741ffa200a74a52cba (git) Affected: 5ae06218331f39ec45b5d039aa7cb3ddd4bb8008 (git) Affected: 4589a12dcf80af31137ef202be1ff4a321707a73 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69d35c12168f9c59b159ae566f77dfad9f96d7ca",
"status": "affected",
"version": "e46e23c289f62ccd8e2230d9ce652072d777ff30",
"versionType": "git"
},
{
"lessThan": "4b7210da22429765d19460d38c30eeca72656282",
"status": "affected",
"version": "5867e20e1808acd0c832ddea2587e5ee49813874",
"versionType": "git"
},
{
"lessThan": "298f1e0694ab4edb6092d66efed93c4554e6ced1",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"lessThan": "b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"lessThan": "041ab9ca6e80d8f792bb69df28ebf1ef39c06af8",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"lessThan": "b84f083f50ecc736a95091691339a1b363962f0e",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"lessThan": "0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"lessThan": "ac1499fcd40fe06479e9b933347b837ccabc2a40",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"status": "affected",
"version": "bed8941fbdb72a61f6348c4deb0db69c4de87aca",
"versionType": "git"
},
{
"status": "affected",
"version": "f10ce783bcc4d8ea454563a7d56ae781640e7dcb",
"versionType": "git"
},
{
"status": "affected",
"version": "f484595be6b7ef9d095a32becabb5dae8204fb2a",
"versionType": "git"
},
{
"status": "affected",
"version": "3e6bd2b583f18da9856fc9741ffa200a74a52cba",
"versionType": "git"
},
{
"status": "affected",
"version": "5ae06218331f39ec45b5d039aa7cb3ddd4bb8008",
"versionType": "git"
},
{
"status": "affected",
"version": "4589a12dcf80af31137ef202be1ff4a321707a73",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe\n\nThe sit driver\u0027s packet transmission path calls: sit_tunnel_xmit() -\u003e\nupdate_or_create_fnhe(), which lead to fnhe_remove_oldest() being called\nto delete entries exceeding FNHE_RECLAIM_DEPTH+random.\n\nThe race window is between fnhe_remove_oldest() selecting fnheX for\ndeletion and the subsequent kfree_rcu(). During this time, the\nconcurrent path\u0027s __mkroute_output() -\u003e find_exception() can fetch the\nsoon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a\nnew dst using a dst_hold(). When the original fnheX is freed via RCU,\nthe dst reference remains permanently leaked.\n\nCPU 0 CPU 1\n__mkroute_output()\n find_exception() [fnheX]\n update_or_create_fnhe()\n fnhe_remove_oldest() [fnheX]\n rt_bind_exception() [bind dst]\n RCU callback [fnheX freed, dst leak]\n\nThis issue manifests as a device reference count leak and a warning in\ndmesg when unregistering the net device:\n\n unregister_netdevice: waiting for sitX to become free. Usage count = N\n\nIdo Schimmel provided the simple test validation method [1].\n\nThe fix clears \u0027oldest-\u003efnhe_daddr\u0027 before calling fnhe_flush_routes().\nSince rt_bind_exception() checks this field, setting it to zero prevents\nthe stale fnhe from being reused and bound to a new dst just before it\nis freed.\n\n[1]\nip netns add ns1\nip -n ns1 link set dev lo up\nip -n ns1 address add 192.0.2.1/32 dev lo\nip -n ns1 link add name dummy1 up type dummy\nip -n ns1 route add 192.0.2.2/32 dev dummy1\nip -n ns1 link add name gretap1 up arp off type gretap \\\n local 192.0.2.1 remote 192.0.2.2\nip -n ns1 route add 198.51.0.0/16 dev gretap1\ntaskset -c 0 ip netns exec ns1 mausezahn gretap1 \\\n -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q \u0026\ntaskset -c 2 ip netns exec ns1 mausezahn gretap1 \\\n -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q \u0026\nsleep 10\nip netns pids ns1 | xargs kill\nip netns del ns1"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:21:18.682Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69d35c12168f9c59b159ae566f77dfad9f96d7ca"
},
{
"url": "https://git.kernel.org/stable/c/4b7210da22429765d19460d38c30eeca72656282"
},
{
"url": "https://git.kernel.org/stable/c/298f1e0694ab4edb6092d66efed93c4554e6ced1"
},
{
"url": "https://git.kernel.org/stable/c/b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94"
},
{
"url": "https://git.kernel.org/stable/c/041ab9ca6e80d8f792bb69df28ebf1ef39c06af8"
},
{
"url": "https://git.kernel.org/stable/c/b84f083f50ecc736a95091691339a1b363962f0e"
},
{
"url": "https://git.kernel.org/stable/c/0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0"
},
{
"url": "https://git.kernel.org/stable/c/ac1499fcd40fe06479e9b933347b837ccabc2a40"
}
],
"title": "ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68241",
"datePublished": "2025-12-16T14:21:18.682Z",
"dateReserved": "2025-12-16T13:41:40.263Z",
"dateUpdated": "2025-12-16T14:21:18.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68262 (GCVE-0-2025-68262)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
crypto: zstd - fix double-free in per-CPU stream cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: zstd - fix double-free in per-CPU stream cleanup
The crypto/zstd module has a double-free bug that occurs when multiple
tfms are allocated and freed.
The issue happens because zstd_streams (per-CPU contexts) are freed in
zstd_exit() during every tfm destruction, rather than being managed at
the module level. When multiple tfms exist, each tfm exit attempts to
free the same shared per-CPU streams, resulting in a double-free.
This leads to a stack trace similar to:
BUG: Bad page state in process kworker/u16:1 pfn:106fd93
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93
flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: nonzero entire_mapcount
Modules linked in: ...
CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G B
Hardware name: ...
Workqueue: btrfs-delalloc btrfs_work_helper
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
bad_page+0x71/0xd0
free_unref_page_prepare+0x24e/0x490
free_unref_page+0x60/0x170
crypto_acomp_free_streams+0x5d/0xc0
crypto_acomp_exit_tfm+0x23/0x50
crypto_destroy_tfm+0x60/0xc0
...
Change the lifecycle management of zstd_streams to free the streams only
once during module cleanup.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f5ad93ffb54119a8dc5e18f070624d4ead586969 , < dc0f4509b0ed5d82bef78e058db0ac4df04d0695
(git)
Affected: f5ad93ffb54119a8dc5e18f070624d4ead586969 , < e983feaa79de1e46c9087fb9f02fedb0e5397ce6 (git) Affected: f5ad93ffb54119a8dc5e18f070624d4ead586969 , < 48bc9da3c97c15f1ea24934bcb3b736acd30163d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/zstd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dc0f4509b0ed5d82bef78e058db0ac4df04d0695",
"status": "affected",
"version": "f5ad93ffb54119a8dc5e18f070624d4ead586969",
"versionType": "git"
},
{
"lessThan": "e983feaa79de1e46c9087fb9f02fedb0e5397ce6",
"status": "affected",
"version": "f5ad93ffb54119a8dc5e18f070624d4ead586969",
"versionType": "git"
},
{
"lessThan": "48bc9da3c97c15f1ea24934bcb3b736acd30163d",
"status": "affected",
"version": "f5ad93ffb54119a8dc5e18f070624d4ead586969",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/zstd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: zstd - fix double-free in per-CPU stream cleanup\n\nThe crypto/zstd module has a double-free bug that occurs when multiple\ntfms are allocated and freed.\n\nThe issue happens because zstd_streams (per-CPU contexts) are freed in\nzstd_exit() during every tfm destruction, rather than being managed at\nthe module level. When multiple tfms exist, each tfm exit attempts to\nfree the same shared per-CPU streams, resulting in a double-free.\n\nThis leads to a stack trace similar to:\n\n BUG: Bad page state in process kworker/u16:1 pfn:106fd93\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93\n flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: nonzero entire_mapcount\n Modules linked in: ...\n CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G B\n Hardware name: ...\n Workqueue: btrfs-delalloc btrfs_work_helper\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x5d/0x80\n bad_page+0x71/0xd0\n free_unref_page_prepare+0x24e/0x490\n free_unref_page+0x60/0x170\n crypto_acomp_free_streams+0x5d/0xc0\n crypto_acomp_exit_tfm+0x23/0x50\n crypto_destroy_tfm+0x60/0xc0\n ...\n\nChange the lifecycle management of zstd_streams to free the streams only\nonce during module cleanup."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:21.311Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dc0f4509b0ed5d82bef78e058db0ac4df04d0695"
},
{
"url": "https://git.kernel.org/stable/c/e983feaa79de1e46c9087fb9f02fedb0e5397ce6"
},
{
"url": "https://git.kernel.org/stable/c/48bc9da3c97c15f1ea24934bcb3b736acd30163d"
}
],
"title": "crypto: zstd - fix double-free in per-CPU stream cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68262",
"datePublished": "2025-12-16T14:45:04.198Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-02-09T08:31:21.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40358 (GCVE-0-2025-40358)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:39 – Updated: 2025-12-16 13:39
VLAI?
EPSS
Title
riscv: stacktrace: Disable KASAN checks for non-current tasks
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv: stacktrace: Disable KASAN checks for non-current tasks
Unwinding the stack of a task other than current, KASAN would report
"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460"
There is a same issue on x86 and has been resolved by the commit
84936118bdf3 ("x86/unwind: Disable KASAN checks for non-current tasks")
The solution could be applied to RISC-V too.
This patch also can solve the issue:
https://seclists.org/oss-sec/2025/q4/23
[pjw@kernel.org: clean up checkpatch issues]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5d8544e2d0075a5f3c9a2cf27152354d54360da1 , < f34ba22989da61186f30a40b6a82e0b3337b96fc
(git)
Affected: 5d8544e2d0075a5f3c9a2cf27152354d54360da1 , < 27379fcc15a10d3e3780fe79ba3fc7ed1ccd78e2 (git) Affected: 5d8544e2d0075a5f3c9a2cf27152354d54360da1 , < 2c8d2b53866fb229b438296526ef0fa5a990e5e5 (git) Affected: 5d8544e2d0075a5f3c9a2cf27152354d54360da1 , < 060ea84a484e852b52b938f234bf9b5503a6c910 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/kernel/stacktrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f34ba22989da61186f30a40b6a82e0b3337b96fc",
"status": "affected",
"version": "5d8544e2d0075a5f3c9a2cf27152354d54360da1",
"versionType": "git"
},
{
"lessThan": "27379fcc15a10d3e3780fe79ba3fc7ed1ccd78e2",
"status": "affected",
"version": "5d8544e2d0075a5f3c9a2cf27152354d54360da1",
"versionType": "git"
},
{
"lessThan": "2c8d2b53866fb229b438296526ef0fa5a990e5e5",
"status": "affected",
"version": "5d8544e2d0075a5f3c9a2cf27152354d54360da1",
"versionType": "git"
},
{
"lessThan": "060ea84a484e852b52b938f234bf9b5503a6c910",
"status": "affected",
"version": "5d8544e2d0075a5f3c9a2cf27152354d54360da1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/kernel/stacktrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: stacktrace: Disable KASAN checks for non-current tasks\n\nUnwinding the stack of a task other than current, KASAN would report\n\"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460\"\n\nThere is a same issue on x86 and has been resolved by the commit\n84936118bdf3 (\"x86/unwind: Disable KASAN checks for non-current tasks\")\nThe solution could be applied to RISC-V too.\n\nThis patch also can solve the issue:\nhttps://seclists.org/oss-sec/2025/q4/23\n\n[pjw@kernel.org: clean up checkpatch issues]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:39:57.847Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f34ba22989da61186f30a40b6a82e0b3337b96fc"
},
{
"url": "https://git.kernel.org/stable/c/27379fcc15a10d3e3780fe79ba3fc7ed1ccd78e2"
},
{
"url": "https://git.kernel.org/stable/c/2c8d2b53866fb229b438296526ef0fa5a990e5e5"
},
{
"url": "https://git.kernel.org/stable/c/060ea84a484e852b52b938f234bf9b5503a6c910"
}
],
"title": "riscv: stacktrace: Disable KASAN checks for non-current tasks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40358",
"datePublished": "2025-12-16T13:39:57.847Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-16T13:39:57.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40051 (GCVE-0-2025-40051)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
vhost: vringh: Modify the return value check
Summary
In the Linux kernel, the following vulnerability has been resolved:
vhost: vringh: Modify the return value check
The return value of copy_from_iter and copy_to_iter can't be negative,
check whether the copied lengths are equal.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
309bba39c945ac8ab8083ac05cd6cfe5822968e0 , < db042925a5ab7a550b710addeadbf6f72e3a8a4b
(git)
Affected: 309bba39c945ac8ab8083ac05cd6cfe5822968e0 , < 78dc7362662fedaa1928fb8e4f27401c8322905d (git) Affected: 309bba39c945ac8ab8083ac05cd6cfe5822968e0 , < baa37b1c7e29546f79c39bef0d18c4edc9f39bb1 (git) Affected: 309bba39c945ac8ab8083ac05cd6cfe5822968e0 , < cfa0654402c06d086201a9ff167eb95da5844fc3 (git) Affected: 309bba39c945ac8ab8083ac05cd6cfe5822968e0 , < 82a8d0fda55b35361ee7f35b54fa2b66d7847d2b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vhost/vringh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db042925a5ab7a550b710addeadbf6f72e3a8a4b",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
},
{
"lessThan": "78dc7362662fedaa1928fb8e4f27401c8322905d",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
},
{
"lessThan": "baa37b1c7e29546f79c39bef0d18c4edc9f39bb1",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
},
{
"lessThan": "cfa0654402c06d086201a9ff167eb95da5844fc3",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
},
{
"lessThan": "82a8d0fda55b35361ee7f35b54fa2b66d7847d2b",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vhost/vringh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost: vringh: Modify the return value check\n\nThe return value of copy_from_iter and copy_to_iter can\u0027t be negative,\ncheck whether the copied lengths are equal."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:57.675Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db042925a5ab7a550b710addeadbf6f72e3a8a4b"
},
{
"url": "https://git.kernel.org/stable/c/78dc7362662fedaa1928fb8e4f27401c8322905d"
},
{
"url": "https://git.kernel.org/stable/c/baa37b1c7e29546f79c39bef0d18c4edc9f39bb1"
},
{
"url": "https://git.kernel.org/stable/c/cfa0654402c06d086201a9ff167eb95da5844fc3"
},
{
"url": "https://git.kernel.org/stable/c/82a8d0fda55b35361ee7f35b54fa2b66d7847d2b"
}
],
"title": "vhost: vringh: Modify the return value check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40051",
"datePublished": "2025-10-28T11:48:27.279Z",
"dateReserved": "2025-04-16T07:20:57.157Z",
"dateUpdated": "2025-12-01T06:16:57.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40137 (GCVE-0-2025-40137)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
f2fs: fix to truncate first page in error path of f2fs_truncate()
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to truncate first page in error path of f2fs_truncate()
syzbot reports a bug as below:
loop0: detected capacity change from 0 to 40427
F2FS-fs (loop0): Wrong SSA boundary, start(3584) end(4096) blocks(3072)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop0): invalid crc value
F2FS-fs (loop0): f2fs_convert_inline_folio: corrupted inline inode ino=3, i_addr[0]:0x1601, run fsck to fix.
------------[ cut here ]------------
kernel BUG at fs/inode.c:753!
RIP: 0010:clear_inode+0x169/0x190 fs/inode.c:753
Call Trace:
<TASK>
evict+0x504/0x9c0 fs/inode.c:810
f2fs_fill_super+0x5612/0x6fa0 fs/f2fs/super.c:5047
get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1692
vfs_get_tree+0x8f/0x2b0 fs/super.c:1815
do_new_mount+0x2a2/0x9e0 fs/namespace.c:3808
do_mount fs/namespace.c:4136 [inline]
__do_sys_mount fs/namespace.c:4347 [inline]
__se_sys_mount+0x317/0x410 fs/namespace.c:4324
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
During f2fs_evict_inode(), clear_inode() detects that we missed to truncate
all page cache before destorying inode, that is because in below path, we
will create page #0 in cache, but missed to drop it in error path, let's fix
it.
- evict
- f2fs_evict_inode
- f2fs_truncate
- f2fs_convert_inline_inode
- f2fs_grab_cache_folio
: create page #0 in cache
- f2fs_convert_inline_folio
: sanity check failed, return -EFSCORRUPTED
- clear_inode detects that inode->i_data.nrpages is not zero
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
92dffd01790a5219d234fc83c3ba854f4490b7f4 , < 83a8e4efea022506a0e049e7206bdf8be9f78148
(git)
Affected: 92dffd01790a5219d234fc83c3ba854f4490b7f4 , < a7b7ebdd7045a36454b3e388a2ecf50344fad9e6 (git) Affected: 92dffd01790a5219d234fc83c3ba854f4490b7f4 , < 3b0c8908faa18cded84d64822882a830ab1f4d26 (git) Affected: 92dffd01790a5219d234fc83c3ba854f4490b7f4 , < 9251a9e6e871cb03c4714a18efa8f5d4a8818450 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83a8e4efea022506a0e049e7206bdf8be9f78148",
"status": "affected",
"version": "92dffd01790a5219d234fc83c3ba854f4490b7f4",
"versionType": "git"
},
{
"lessThan": "a7b7ebdd7045a36454b3e388a2ecf50344fad9e6",
"status": "affected",
"version": "92dffd01790a5219d234fc83c3ba854f4490b7f4",
"versionType": "git"
},
{
"lessThan": "3b0c8908faa18cded84d64822882a830ab1f4d26",
"status": "affected",
"version": "92dffd01790a5219d234fc83c3ba854f4490b7f4",
"versionType": "git"
},
{
"lessThan": "9251a9e6e871cb03c4714a18efa8f5d4a8818450",
"status": "affected",
"version": "92dffd01790a5219d234fc83c3ba854f4490b7f4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to truncate first page in error path of f2fs_truncate()\n\nsyzbot reports a bug as below:\n\nloop0: detected capacity change from 0 to 40427\nF2FS-fs (loop0): Wrong SSA boundary, start(3584) end(4096) blocks(3072)\nF2FS-fs (loop0): Can\u0027t find valid F2FS filesystem in 1th superblock\nF2FS-fs (loop0): invalid crc value\nF2FS-fs (loop0): f2fs_convert_inline_folio: corrupted inline inode ino=3, i_addr[0]:0x1601, run fsck to fix.\n------------[ cut here ]------------\nkernel BUG at fs/inode.c:753!\nRIP: 0010:clear_inode+0x169/0x190 fs/inode.c:753\nCall Trace:\n \u003cTASK\u003e\n evict+0x504/0x9c0 fs/inode.c:810\n f2fs_fill_super+0x5612/0x6fa0 fs/f2fs/super.c:5047\n get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1692\n vfs_get_tree+0x8f/0x2b0 fs/super.c:1815\n do_new_mount+0x2a2/0x9e0 fs/namespace.c:3808\n do_mount fs/namespace.c:4136 [inline]\n __do_sys_mount fs/namespace.c:4347 [inline]\n __se_sys_mount+0x317/0x410 fs/namespace.c:4324\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nDuring f2fs_evict_inode(), clear_inode() detects that we missed to truncate\nall page cache before destorying inode, that is because in below path, we\nwill create page #0 in cache, but missed to drop it in error path, let\u0027s fix\nit.\n\n- evict\n - f2fs_evict_inode\n - f2fs_truncate\n - f2fs_convert_inline_inode\n - f2fs_grab_cache_folio\n : create page #0 in cache\n - f2fs_convert_inline_folio\n : sanity check failed, return -EFSCORRUPTED\n - clear_inode detects that inode-\u003ei_data.nrpages is not zero"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:44.670Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83a8e4efea022506a0e049e7206bdf8be9f78148"
},
{
"url": "https://git.kernel.org/stable/c/a7b7ebdd7045a36454b3e388a2ecf50344fad9e6"
},
{
"url": "https://git.kernel.org/stable/c/3b0c8908faa18cded84d64822882a830ab1f4d26"
},
{
"url": "https://git.kernel.org/stable/c/9251a9e6e871cb03c4714a18efa8f5d4a8818450"
}
],
"title": "f2fs: fix to truncate first page in error path of f2fs_truncate()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40137",
"datePublished": "2025-11-12T10:23:23.624Z",
"dateReserved": "2025-04-16T07:20:57.171Z",
"dateUpdated": "2025-12-01T06:18:44.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40205 (GCVE-0-2025-40205)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:20
VLAI?
EPSS
Title
btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
The function btrfs_encode_fh() does not properly account for the three
cases it handles.
Before writing to the file handle (fh), the function only returns to the
user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or
BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).
However, when a parent exists and the root ID of the parent and the
inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT
(10 dwords, 40 bytes).
If *max_len is not large enough, this write goes out of bounds because
BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than
BTRFS_FID_SIZE_CONNECTABLE originally returned.
This results in an 8-byte out-of-bounds write at
fid->parent_root_objectid = parent_root_id.
A previous attempt to fix this issue was made but was lost.
https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/
Although this issue does not seem to be easily triggerable, it is a
potential memory corruption bug that should be fixed. This patch
resolves the issue by ensuring the function returns the appropriate size
for all three cases and validates that *max_len is large enough before
writing any data.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < 60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db
(git)
Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < 742b44342204e5dfe3926433823623c1a0c581df (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < d3a9a8e1275eb9b87f006b5562a287aea3f6885f (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < d91f6626133698362bba08fbc04bd72c466806d3 (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < 0276c8582488022f057b4cec21975a5edf079f47 (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < 361d67276eb8ec6be8f27f4ad6c6090459438fee (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < 43143776b0a7604d873d1a6f3e552a00aa930224 (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < dff4f9ff5d7f289e4545cc936362e01ed3252742 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/export.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "742b44342204e5dfe3926433823623c1a0c581df",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "d3a9a8e1275eb9b87f006b5562a287aea3f6885f",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "d91f6626133698362bba08fbc04bd72c466806d3",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "0276c8582488022f057b4cec21975a5edf079f47",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "361d67276eb8ec6be8f27f4ad6c6090459438fee",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "43143776b0a7604d873d1a6f3e552a00aa930224",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "dff4f9ff5d7f289e4545cc936362e01ed3252742",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/export.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: avoid potential out-of-bounds in btrfs_encode_fh()\n\nThe function btrfs_encode_fh() does not properly account for the three\ncases it handles.\n\nBefore writing to the file handle (fh), the function only returns to the\nuser BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or\nBTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).\n\nHowever, when a parent exists and the root ID of the parent and the\ninode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT\n(10 dwords, 40 bytes).\n\nIf *max_len is not large enough, this write goes out of bounds because\nBTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than\nBTRFS_FID_SIZE_CONNECTABLE originally returned.\n\nThis results in an 8-byte out-of-bounds write at\nfid-\u003eparent_root_objectid = parent_root_id.\n\nA previous attempt to fix this issue was made but was lost.\n\nhttps://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/\n\nAlthough this issue does not seem to be easily triggerable, it is a\npotential memory corruption bug that should be fixed. This patch\nresolves the issue by ensuring the function returns the appropriate size\nfor all three cases and validates that *max_len is large enough before\nwriting any data."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:08.904Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db"
},
{
"url": "https://git.kernel.org/stable/c/742b44342204e5dfe3926433823623c1a0c581df"
},
{
"url": "https://git.kernel.org/stable/c/d3a9a8e1275eb9b87f006b5562a287aea3f6885f"
},
{
"url": "https://git.kernel.org/stable/c/d91f6626133698362bba08fbc04bd72c466806d3"
},
{
"url": "https://git.kernel.org/stable/c/0276c8582488022f057b4cec21975a5edf079f47"
},
{
"url": "https://git.kernel.org/stable/c/361d67276eb8ec6be8f27f4ad6c6090459438fee"
},
{
"url": "https://git.kernel.org/stable/c/43143776b0a7604d873d1a6f3e552a00aa930224"
},
{
"url": "https://git.kernel.org/stable/c/dff4f9ff5d7f289e4545cc936362e01ed3252742"
}
],
"title": "btrfs: avoid potential out-of-bounds in btrfs_encode_fh()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40205",
"datePublished": "2025-11-12T21:56:35.403Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-01T06:20:08.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40031 (GCVE-0-2025-40031)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
tee: fix register_shm_helper()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tee: fix register_shm_helper()
In register_shm_helper(), fix incorrect error handling for a call to
iov_iter_extract_pages(). A case is missing for when
iov_iter_extract_pages() only got some pages and return a number larger
than 0, but not the requested amount.
This fixes a possible NULL pointer dereference following a bad input from
ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7bdee41575919773818e525ea19e54eb817770af , < 9338093db954918558677a468d32e77041c65167
(git)
Affected: 7bdee41575919773818e525ea19e54eb817770af , < 6a7874ab814ce12003c46a92f7afc9b035c8e8e9 (git) Affected: 7bdee41575919773818e525ea19e54eb817770af , < d5cf5b37064b1699d946e8b7ab4ac7d7d101814c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tee/tee_shm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9338093db954918558677a468d32e77041c65167",
"status": "affected",
"version": "7bdee41575919773818e525ea19e54eb817770af",
"versionType": "git"
},
{
"lessThan": "6a7874ab814ce12003c46a92f7afc9b035c8e8e9",
"status": "affected",
"version": "7bdee41575919773818e525ea19e54eb817770af",
"versionType": "git"
},
{
"lessThan": "d5cf5b37064b1699d946e8b7ab4ac7d7d101814c",
"status": "affected",
"version": "7bdee41575919773818e525ea19e54eb817770af",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tee/tee_shm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: fix register_shm_helper()\n\nIn register_shm_helper(), fix incorrect error handling for a call to\niov_iter_extract_pages(). A case is missing for when\niov_iter_extract_pages() only got some pages and return a number larger\nthan 0, but not the requested amount.\n\nThis fixes a possible NULL pointer dereference following a bad input from\nioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn\u0027t mapped."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:34.067Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9338093db954918558677a468d32e77041c65167"
},
{
"url": "https://git.kernel.org/stable/c/6a7874ab814ce12003c46a92f7afc9b035c8e8e9"
},
{
"url": "https://git.kernel.org/stable/c/d5cf5b37064b1699d946e8b7ab4ac7d7d101814c"
}
],
"title": "tee: fix register_shm_helper()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40031",
"datePublished": "2025-10-28T11:48:13.644Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-12-01T06:16:34.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68728 (GCVE-0-2025-68728)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
ntfs3: fix uninit memory after failed mi_read in mi_format_new
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: fix uninit memory after failed mi_read in mi_format_new
Fix a KMSAN un-init bug found by syzkaller.
ntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be
uptodate. We do not bring the buffer uptodate before setting it as
uptodate. If the buffer were to not be uptodate, it could mean adding a
buffer with un-init data to the mi record. Attempting to load that record
will trigger KMSAN.
Avoid this by setting the buffer as uptodate, if it’s not already, by
overwriting it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4342306f0f0d5ff4315a204d315c1b51b914fca5 , < afb144bc8e920db43a23e996eb0a6f9bdea84341
(git)
Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < c70b3abfd530c7f574bc25a5f84707e6fdf0def8 (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 8bf729b96303bb862d7c6dc05edcf51274ae04cf (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 7ce8f2028dfccb2161b905cf8ab85cdd9e93909c (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 46f2a881e5a7311d41551edb3915e4d4e8802341 (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 81ffe9a265df3e41534726b852ab08792e3d374d (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 73e6b9dacf72a1e7a4265eacca46f8f33e0997d6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/fsntfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "afb144bc8e920db43a23e996eb0a6f9bdea84341",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "c70b3abfd530c7f574bc25a5f84707e6fdf0def8",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "8bf729b96303bb862d7c6dc05edcf51274ae04cf",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "7ce8f2028dfccb2161b905cf8ab85cdd9e93909c",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "46f2a881e5a7311d41551edb3915e4d4e8802341",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "81ffe9a265df3e41534726b852ab08792e3d374d",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "73e6b9dacf72a1e7a4265eacca46f8f33e0997d6",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/fsntfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: fix uninit memory after failed mi_read in mi_format_new\n\nFix a KMSAN un-init bug found by syzkaller.\n\nntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be\nuptodate. We do not bring the buffer uptodate before setting it as\nuptodate. If the buffer were to not be uptodate, it could mean adding a\nbuffer with un-init data to the mi record. Attempting to load that record\nwill trigger KMSAN.\n\nAvoid this by setting the buffer as uptodate, if it\u2019s not already, by\noverwriting it."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:24.461Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/afb144bc8e920db43a23e996eb0a6f9bdea84341"
},
{
"url": "https://git.kernel.org/stable/c/c70b3abfd530c7f574bc25a5f84707e6fdf0def8"
},
{
"url": "https://git.kernel.org/stable/c/8bf729b96303bb862d7c6dc05edcf51274ae04cf"
},
{
"url": "https://git.kernel.org/stable/c/7ce8f2028dfccb2161b905cf8ab85cdd9e93909c"
},
{
"url": "https://git.kernel.org/stable/c/46f2a881e5a7311d41551edb3915e4d4e8802341"
},
{
"url": "https://git.kernel.org/stable/c/81ffe9a265df3e41534726b852ab08792e3d374d"
},
{
"url": "https://git.kernel.org/stable/c/73e6b9dacf72a1e7a4265eacca46f8f33e0997d6"
}
],
"title": "ntfs3: fix uninit memory after failed mi_read in mi_format_new",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68728",
"datePublished": "2025-12-24T10:33:11.847Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-02-09T08:32:24.461Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68172 (GCVE-0-2025-68172)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2025-12-16 13:42
VLAI?
EPSS
Title
crypto: aspeed - fix double free caused by devm
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: aspeed - fix double free caused by devm
The clock obtained via devm_clk_get_enabled() is automatically managed
by devres and will be disabled and freed on driver detach. Manually
calling clk_disable_unprepare() in error path and remove function
causes double free.
Remove the manual clock cleanup in both aspeed_acry_probe()'s error
path and aspeed_acry_remove().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2f1cf4e50c956f882c9fc209c7cded832b67b8a3 , < 0dd6474ced33489076e6c0f3fe5077bf12e85b28
(git)
Affected: 2f1cf4e50c956f882c9fc209c7cded832b67b8a3 , < 29d0504077044a7e1ffbd09a6118018d5954a6e5 (git) Affected: 2f1cf4e50c956f882c9fc209c7cded832b67b8a3 , < e8407dfd267018f4647ffb061a9bd4a6d7ebacc6 (git) Affected: 2f1cf4e50c956f882c9fc209c7cded832b67b8a3 , < 3c9bf72cc1ced1297b235f9422d62b613a3fdae9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/aspeed/aspeed-acry.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0dd6474ced33489076e6c0f3fe5077bf12e85b28",
"status": "affected",
"version": "2f1cf4e50c956f882c9fc209c7cded832b67b8a3",
"versionType": "git"
},
{
"lessThan": "29d0504077044a7e1ffbd09a6118018d5954a6e5",
"status": "affected",
"version": "2f1cf4e50c956f882c9fc209c7cded832b67b8a3",
"versionType": "git"
},
{
"lessThan": "e8407dfd267018f4647ffb061a9bd4a6d7ebacc6",
"status": "affected",
"version": "2f1cf4e50c956f882c9fc209c7cded832b67b8a3",
"versionType": "git"
},
{
"lessThan": "3c9bf72cc1ced1297b235f9422d62b613a3fdae9",
"status": "affected",
"version": "2f1cf4e50c956f882c9fc209c7cded832b67b8a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/aspeed/aspeed-acry.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: aspeed - fix double free caused by devm\n\nThe clock obtained via devm_clk_get_enabled() is automatically managed\nby devres and will be disabled and freed on driver detach. Manually\ncalling clk_disable_unprepare() in error path and remove function\ncauses double free.\n\nRemove the manual clock cleanup in both aspeed_acry_probe()\u0027s error\npath and aspeed_acry_remove()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:42:52.141Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0dd6474ced33489076e6c0f3fe5077bf12e85b28"
},
{
"url": "https://git.kernel.org/stable/c/29d0504077044a7e1ffbd09a6118018d5954a6e5"
},
{
"url": "https://git.kernel.org/stable/c/e8407dfd267018f4647ffb061a9bd4a6d7ebacc6"
},
{
"url": "https://git.kernel.org/stable/c/3c9bf72cc1ced1297b235f9422d62b613a3fdae9"
}
],
"title": "crypto: aspeed - fix double free caused by devm",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68172",
"datePublished": "2025-12-16T13:42:52.141Z",
"dateReserved": "2025-12-16T13:41:40.251Z",
"dateUpdated": "2025-12-16T13:42:52.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68293 (GCVE-0-2025-68293)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
mm/huge_memory: fix NULL pointer deference when splitting folio
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/huge_memory: fix NULL pointer deference when splitting folio
Commit c010d47f107f ("mm: thp: split huge page to any lower order pages")
introduced an early check on the folio's order via mapping->flags before
proceeding with the split work.
This check introduced a bug: for shmem folios in the swap cache and
truncated folios, the mapping pointer can be NULL. Accessing
mapping->flags in this state leads directly to a NULL pointer dereference.
This commit fixes the issue by moving the check for mapping != NULL before
any attempt to access mapping->flags.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c010d47f107f609b9f4d6a103b6dfc53889049e9 , < 592db83615a9f0164472ec789c2ed34ad35f732f
(git)
Affected: c010d47f107f609b9f4d6a103b6dfc53889049e9 , < d1b83fbacd4397a1d2f8c6b13427a8636ae2b307 (git) Affected: c010d47f107f609b9f4d6a103b6dfc53889049e9 , < cff47b9e39a6abf03dde5f4f156f841b0c54bba0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/huge_memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "592db83615a9f0164472ec789c2ed34ad35f732f",
"status": "affected",
"version": "c010d47f107f609b9f4d6a103b6dfc53889049e9",
"versionType": "git"
},
{
"lessThan": "d1b83fbacd4397a1d2f8c6b13427a8636ae2b307",
"status": "affected",
"version": "c010d47f107f609b9f4d6a103b6dfc53889049e9",
"versionType": "git"
},
{
"lessThan": "cff47b9e39a6abf03dde5f4f156f841b0c54bba0",
"status": "affected",
"version": "c010d47f107f609b9f4d6a103b6dfc53889049e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/huge_memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix NULL pointer deference when splitting folio\n\nCommit c010d47f107f (\"mm: thp: split huge page to any lower order pages\")\nintroduced an early check on the folio\u0027s order via mapping-\u003eflags before\nproceeding with the split work.\n\nThis check introduced a bug: for shmem folios in the swap cache and\ntruncated folios, the mapping pointer can be NULL. Accessing\nmapping-\u003eflags in this state leads directly to a NULL pointer dereference.\n\nThis commit fixes the issue by moving the check for mapping != NULL before\nany attempt to access mapping-\u003eflags."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:13.428Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/592db83615a9f0164472ec789c2ed34ad35f732f"
},
{
"url": "https://git.kernel.org/stable/c/d1b83fbacd4397a1d2f8c6b13427a8636ae2b307"
},
{
"url": "https://git.kernel.org/stable/c/cff47b9e39a6abf03dde5f4f156f841b0c54bba0"
}
],
"title": "mm/huge_memory: fix NULL pointer deference when splitting folio",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68293",
"datePublished": "2025-12-16T15:06:13.428Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-16T15:06:13.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68223 (GCVE-0-2025-68223)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2026-02-06 16:31
VLAI?
EPSS
Title
drm/radeon: delete radeon_fence_process in is_signaled, no deadlock
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: delete radeon_fence_process in is_signaled, no deadlock
Delete the attempt to progress the queue when checking if fence is
signaled. This avoids deadlock.
dma-fence_ops::signaled can be called with the fence lock in unknown
state. For radeon, the fence lock is also the wait queue lock. This can
cause a self deadlock when signaled() tries to make forward progress on
the wait queue. But advancing the queue is unneeded because incorrectly
returning false from signaled() is perfectly acceptable.
(cherry picked from commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
954605ca3f897ad617123279eb3404a404cce5ab , < d40a72d7e3bad4dfb311ef078f5a57362f088c7f
(git)
Affected: 954605ca3f897ad617123279eb3404a404cce5ab , < 9d0ed508a9e2af82951ce7d834f58c139fc2bd9b (git) Affected: 954605ca3f897ad617123279eb3404a404cce5ab , < 73bc12d6a547f9571ce4393acfd73c004e2df9e5 (git) Affected: 954605ca3f897ad617123279eb3404a404cce5ab , < 7e3e9b3a44c23c8eac86a41308c05077d6d30f41 (git) Affected: 954605ca3f897ad617123279eb3404a404cce5ab , < 9eb00b5f5697bd56baa3222c7a1426fa15bacfb5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/radeon_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d40a72d7e3bad4dfb311ef078f5a57362f088c7f",
"status": "affected",
"version": "954605ca3f897ad617123279eb3404a404cce5ab",
"versionType": "git"
},
{
"lessThan": "9d0ed508a9e2af82951ce7d834f58c139fc2bd9b",
"status": "affected",
"version": "954605ca3f897ad617123279eb3404a404cce5ab",
"versionType": "git"
},
{
"lessThan": "73bc12d6a547f9571ce4393acfd73c004e2df9e5",
"status": "affected",
"version": "954605ca3f897ad617123279eb3404a404cce5ab",
"versionType": "git"
},
{
"lessThan": "7e3e9b3a44c23c8eac86a41308c05077d6d30f41",
"status": "affected",
"version": "954605ca3f897ad617123279eb3404a404cce5ab",
"versionType": "git"
},
{
"lessThan": "9eb00b5f5697bd56baa3222c7a1426fa15bacfb5",
"status": "affected",
"version": "954605ca3f897ad617123279eb3404a404cce5ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/radeon_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: delete radeon_fence_process in is_signaled, no deadlock\n\nDelete the attempt to progress the queue when checking if fence is\nsignaled. This avoids deadlock.\n\ndma-fence_ops::signaled can be called with the fence lock in unknown\nstate. For radeon, the fence lock is also the wait queue lock. This can\ncause a self deadlock when signaled() tries to make forward progress on\nthe wait queue. But advancing the queue is unneeded because incorrectly\nreturning false from signaled() is perfectly acceptable.\n\n(cherry picked from commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db)"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:31:32.226Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d40a72d7e3bad4dfb311ef078f5a57362f088c7f"
},
{
"url": "https://git.kernel.org/stable/c/9d0ed508a9e2af82951ce7d834f58c139fc2bd9b"
},
{
"url": "https://git.kernel.org/stable/c/73bc12d6a547f9571ce4393acfd73c004e2df9e5"
},
{
"url": "https://git.kernel.org/stable/c/7e3e9b3a44c23c8eac86a41308c05077d6d30f41"
},
{
"url": "https://git.kernel.org/stable/c/9eb00b5f5697bd56baa3222c7a1426fa15bacfb5"
}
],
"title": "drm/radeon: delete radeon_fence_process in is_signaled, no deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68223",
"datePublished": "2025-12-16T13:57:16.764Z",
"dateReserved": "2025-12-16T13:41:40.257Z",
"dateUpdated": "2026-02-06T16:31:32.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68754 (GCVE-0-2025-68754)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
rtc: amlogic-a4: fix double free caused by devm
Summary
In the Linux kernel, the following vulnerability has been resolved:
rtc: amlogic-a4: fix double free caused by devm
The clock obtained via devm_clk_get_enabled() is automatically managed
by devres and will be disabled and freed on driver detach. Manually
calling clk_disable_unprepare() in error path and remove function
causes double free.
Remove the redundant clk_disable_unprepare() calls from the probe
error path and aml_rtc_remove(), allowing the devm framework to
automatically manage the clock lifecycle.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c89ac9182ee297597f1c6971045382bae19c3f9d , < 9fed02c16488050cd4e33e045506336b216d7301
(git)
Affected: c89ac9182ee297597f1c6971045382bae19c3f9d , < 2e1c79299036614ac32b251d145fad5391f4bcab (git) Affected: c89ac9182ee297597f1c6971045382bae19c3f9d , < 384150d7a5b60c1086790a8ee07b0629f906cca2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/rtc/rtc-amlogic-a4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9fed02c16488050cd4e33e045506336b216d7301",
"status": "affected",
"version": "c89ac9182ee297597f1c6971045382bae19c3f9d",
"versionType": "git"
},
{
"lessThan": "2e1c79299036614ac32b251d145fad5391f4bcab",
"status": "affected",
"version": "c89ac9182ee297597f1c6971045382bae19c3f9d",
"versionType": "git"
},
{
"lessThan": "384150d7a5b60c1086790a8ee07b0629f906cca2",
"status": "affected",
"version": "c89ac9182ee297597f1c6971045382bae19c3f9d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/rtc/rtc-amlogic-a4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: amlogic-a4: fix double free caused by devm\n\nThe clock obtained via devm_clk_get_enabled() is automatically managed\nby devres and will be disabled and freed on driver detach. Manually\ncalling clk_disable_unprepare() in error path and remove function\ncauses double free.\n\nRemove the redundant clk_disable_unprepare() calls from the probe\nerror path and aml_rtc_remove(), allowing the devm framework to\nautomatically manage the clock lifecycle."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:58.379Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9fed02c16488050cd4e33e045506336b216d7301"
},
{
"url": "https://git.kernel.org/stable/c/2e1c79299036614ac32b251d145fad5391f4bcab"
},
{
"url": "https://git.kernel.org/stable/c/384150d7a5b60c1086790a8ee07b0629f906cca2"
}
],
"title": "rtc: amlogic-a4: fix double free caused by devm",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68754",
"datePublished": "2026-01-05T09:32:27.788Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-02-09T08:32:58.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71086 (GCVE-0-2025-71086)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
net: rose: fix invalid array index in rose_kill_by_device()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rose: fix invalid array index in rose_kill_by_device()
rose_kill_by_device() collects sockets into a local array[] and then
iterates over them to disconnect sockets bound to a device being brought
down.
The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
an invalid socket pointer dereference and also leaks references taken
via sock_hold().
Fix the index to use i.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
12e5a4719c99d7f4104e7e962393dfb8baa1c591 , < 819fb41ae54960f66025802400c9d3935eef4042
(git)
Affected: c0e527c532a07556ca44642f5873b002c44da22c , < ed2639414d43ba037f798eaf619e878309310451 (git) Affected: 3e0d1585799d8a991eba9678f297fd78d9f1846e , < 1418c12cd3bba79dc56b57b61c99efe40f579981 (git) Affected: ffced26692f83212aa09d0ece0213b23cc2f611d , < 9f6185a32496834d6980b168cffcccc2d6b17280 (git) Affected: 64b8bc7d5f1434c636a40bdcfcd42b278d1714be , < b409ba9e1e63ccf3ab4cc061e33c1f804183543e (git) Affected: 64b8bc7d5f1434c636a40bdcfcd42b278d1714be , < 92d900aac3a5721fb54f3328f1e089b44a861c38 (git) Affected: 64b8bc7d5f1434c636a40bdcfcd42b278d1714be , < 6595beb40fb0ec47223d3f6058ee40354694c8e4 (git) Affected: bd7de4734535140fda33240c2335a07fdab6f88e (git) Affected: b10265532df7bc3666bc53261b7f03f0fd14b1c9 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rose/af_rose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "819fb41ae54960f66025802400c9d3935eef4042",
"status": "affected",
"version": "12e5a4719c99d7f4104e7e962393dfb8baa1c591",
"versionType": "git"
},
{
"lessThan": "ed2639414d43ba037f798eaf619e878309310451",
"status": "affected",
"version": "c0e527c532a07556ca44642f5873b002c44da22c",
"versionType": "git"
},
{
"lessThan": "1418c12cd3bba79dc56b57b61c99efe40f579981",
"status": "affected",
"version": "3e0d1585799d8a991eba9678f297fd78d9f1846e",
"versionType": "git"
},
{
"lessThan": "9f6185a32496834d6980b168cffcccc2d6b17280",
"status": "affected",
"version": "ffced26692f83212aa09d0ece0213b23cc2f611d",
"versionType": "git"
},
{
"lessThan": "b409ba9e1e63ccf3ab4cc061e33c1f804183543e",
"status": "affected",
"version": "64b8bc7d5f1434c636a40bdcfcd42b278d1714be",
"versionType": "git"
},
{
"lessThan": "92d900aac3a5721fb54f3328f1e089b44a861c38",
"status": "affected",
"version": "64b8bc7d5f1434c636a40bdcfcd42b278d1714be",
"versionType": "git"
},
{
"lessThan": "6595beb40fb0ec47223d3f6058ee40354694c8e4",
"status": "affected",
"version": "64b8bc7d5f1434c636a40bdcfcd42b278d1714be",
"versionType": "git"
},
{
"status": "affected",
"version": "bd7de4734535140fda33240c2335a07fdab6f88e",
"versionType": "git"
},
{
"status": "affected",
"version": "b10265532df7bc3666bc53261b7f03f0fd14b1c9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rose/af_rose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.304",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.266",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: fix invalid array index in rose_kill_by_device()\n\nrose_kill_by_device() collects sockets into a local array[] and then\niterates over them to disconnect sockets bound to a device being brought\ndown.\n\nThe loop mistakenly indexes array[cnt] instead of array[i]. For cnt \u003c\nARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==\nARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to\nan invalid socket pointer dereference and also leaks references taken\nvia sock_hold().\n\nFix the index to use i."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:37.864Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/819fb41ae54960f66025802400c9d3935eef4042"
},
{
"url": "https://git.kernel.org/stable/c/ed2639414d43ba037f798eaf619e878309310451"
},
{
"url": "https://git.kernel.org/stable/c/1418c12cd3bba79dc56b57b61c99efe40f579981"
},
{
"url": "https://git.kernel.org/stable/c/9f6185a32496834d6980b168cffcccc2d6b17280"
},
{
"url": "https://git.kernel.org/stable/c/b409ba9e1e63ccf3ab4cc061e33c1f804183543e"
},
{
"url": "https://git.kernel.org/stable/c/92d900aac3a5721fb54f3328f1e089b44a861c38"
},
{
"url": "https://git.kernel.org/stable/c/6595beb40fb0ec47223d3f6058ee40354694c8e4"
}
],
"title": "net: rose: fix invalid array index in rose_kill_by_device()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71086",
"datePublished": "2026-01-13T15:34:49.007Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-02-09T08:34:37.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39902 (GCVE-0-2025-39902)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:42 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
mm/slub: avoid accessing metadata when pointer is invalid in object_err()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/slub: avoid accessing metadata when pointer is invalid in object_err()
object_err() reports details of an object for further debugging, such as
the freelist pointer, redzone, etc. However, if the pointer is invalid,
attempting to access object metadata can lead to a crash since it does
not point to a valid object.
One known path to the crash is when alloc_consistency_checks()
determines the pointer to the allocated object is invalid because of a
freelist corruption, and calls object_err() to report it. The debug code
should report and handle the corruption gracefully and not crash in the
process.
In case the pointer is NULL or check_valid_pointer() returns false for
the pointer, only print the pointer value and skip accessing metadata.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
81819f0fc8285a2a5a921c019e3e3d7b6169d225 , < 872f2c34ff232af1e65ad2df86d61163c8ffad42
(git)
Affected: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 , < f66012909e7bf383fcdc5850709ed5716073fdc4 (git) Affected: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 , < 7e287256904ee796c9477e3ec92b07f236481ef3 (git) Affected: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 , < 1f0797f17927b5cad0fb7eced422f9a7c30a3191 (git) Affected: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 , < 0ef7058b4dc6fcef622ac23b45225db57f17b83f (git) Affected: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 , < dda6ec365ab04067adae40ef17015db447e90736 (git) Affected: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 , < 3baa1da473e6e50281324ff1d332d1a07a3bb02e (git) Affected: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 , < b4efccec8d06ceb10a7d34d7b1c449c569d53770 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:33.198Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/slub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "872f2c34ff232af1e65ad2df86d61163c8ffad42",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "f66012909e7bf383fcdc5850709ed5716073fdc4",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "7e287256904ee796c9477e3ec92b07f236481ef3",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "1f0797f17927b5cad0fb7eced422f9a7c30a3191",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "0ef7058b4dc6fcef622ac23b45225db57f17b83f",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "dda6ec365ab04067adae40ef17015db447e90736",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "3baa1da473e6e50281324ff1d332d1a07a3bb02e",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "b4efccec8d06ceb10a7d34d7b1c449c569d53770",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/slub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: avoid accessing metadata when pointer is invalid in object_err()\n\nobject_err() reports details of an object for further debugging, such as\nthe freelist pointer, redzone, etc. However, if the pointer is invalid,\nattempting to access object metadata can lead to a crash since it does\nnot point to a valid object.\n\nOne known path to the crash is when alloc_consistency_checks()\ndetermines the pointer to the allocated object is invalid because of a\nfreelist corruption, and calls object_err() to report it. The debug code\nshould report and handle the corruption gracefully and not crash in the\nprocess.\n\nIn case the pointer is NULL or check_valid_pointer() returns false for\nthe pointer, only print the pointer value and skip accessing metadata."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:49.415Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/872f2c34ff232af1e65ad2df86d61163c8ffad42"
},
{
"url": "https://git.kernel.org/stable/c/f66012909e7bf383fcdc5850709ed5716073fdc4"
},
{
"url": "https://git.kernel.org/stable/c/7e287256904ee796c9477e3ec92b07f236481ef3"
},
{
"url": "https://git.kernel.org/stable/c/1f0797f17927b5cad0fb7eced422f9a7c30a3191"
},
{
"url": "https://git.kernel.org/stable/c/0ef7058b4dc6fcef622ac23b45225db57f17b83f"
},
{
"url": "https://git.kernel.org/stable/c/dda6ec365ab04067adae40ef17015db447e90736"
},
{
"url": "https://git.kernel.org/stable/c/3baa1da473e6e50281324ff1d332d1a07a3bb02e"
},
{
"url": "https://git.kernel.org/stable/c/b4efccec8d06ceb10a7d34d7b1c449c569d53770"
}
],
"title": "mm/slub: avoid accessing metadata when pointer is invalid in object_err()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39902",
"datePublished": "2025-10-01T07:42:49.415Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-11-03T17:44:33.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40351 (GCVE-0-2025-40351)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
The syzbot reported issue in hfsplus_delete_cat():
[ 70.682285][ T9333] =====================================================
[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220
[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0
[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310
[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810
[ 70.685447][ T9333] do_rmdir+0x964/0xea0
[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0
[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0
[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0
[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.687646][ T9333]
[ 70.687856][ T9333] Uninit was stored to memory at:
[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800
[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600
[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70
[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0
[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30
[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0
[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0
[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0
[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.692773][ T9333]
[ 70.692990][ T9333] Uninit was stored to memory at:
[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800
[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700
[ 70.694911][ T9333] mount_bdev+0x37b/0x530
[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60
[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0
[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0
[ 70.696588][ T9333] do_new_mount+0x73e/0x1630
[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0
[ 70.697425][ T9333] __se_sys_mount+0x733/0x830
[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150
[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0
[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0
[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.699730][ T9333]
[ 70.699946][ T9333] Uninit was created at:
[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60
[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0
[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0
[ 70.701774][ T9333] allocate_slab+0x30e/0x1390
[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0
[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20
[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0
[ 70.703598][ T9333] alloc_inode+0x82/0x490
[ 70.703984][ T9333] iget_locked+0x22e/0x1320
[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0
[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0
[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700
[ 70.705776][ T9333] mount_bdev+0x37b/0x530
[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60
[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0
[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0
[ 70.707444][ T9333] do_new_mount+0x73e/0x1630
[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0
[ 70.708270][ T9333] __se_sys_mount+0x733/0x830
[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150
[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0
[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0
[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.710611][ T9333]
[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17
[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.712490][ T9333] =====================================================
[ 70.713085][ T9333] Disabling lock debugging due to kernel taint
[ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...
[ 70.714159][ T9333]
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d7d673a591701f131e53d4fd4e2b9352f1316642 , < a2bee43b451615531ae6f3cf45054f02915ef885
(git)
Affected: d7d673a591701f131e53d4fd4e2b9352f1316642 , < b07630afe1671096dc64064190cae3b6165cf6e4 (git) Affected: d7d673a591701f131e53d4fd4e2b9352f1316642 , < 9df3c241fbf69edce968b20eeeeb3f6da34af041 (git) Affected: d7d673a591701f131e53d4fd4e2b9352f1316642 , < 1b9e5ade272f8be6421c9eea4c4f6810180017f9 (git) Affected: d7d673a591701f131e53d4fd4e2b9352f1316642 , < 2bb8bc99b1a7a46d83f95c46f530305f6df84eaf (git) Affected: d7d673a591701f131e53d4fd4e2b9352f1316642 , < 295527bfdefd5bf31ec8218e2891a65777141d05 (git) Affected: d7d673a591701f131e53d4fd4e2b9352f1316642 , < 4891bf2b09c313622a6e07d7f108aa5e123c768d (git) Affected: d7d673a591701f131e53d4fd4e2b9352f1316642 , < 9b3d15a758910bb98ba8feb4109d99cc67450ee4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a2bee43b451615531ae6f3cf45054f02915ef885",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "b07630afe1671096dc64064190cae3b6165cf6e4",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "9df3c241fbf69edce968b20eeeeb3f6da34af041",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "1b9e5ade272f8be6421c9eea4c4f6810180017f9",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "2bb8bc99b1a7a46d83f95c46f530305f6df84eaf",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "295527bfdefd5bf31ec8218e2891a65777141d05",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "4891bf2b09c313622a6e07d7f108aa5e123c768d",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "9b3d15a758910bb98ba8feb4109d99cc67450ee4",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()\n\nThe syzbot reported issue in hfsplus_delete_cat():\n\n[ 70.682285][ T9333] =====================================================\n[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220\n[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220\n[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0\n[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310\n[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810\n[ 70.685447][ T9333] do_rmdir+0x964/0xea0\n[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0\n[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0\n[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0\n[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.687646][ T9333]\n[ 70.687856][ T9333] Uninit was stored to memory at:\n[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0\n[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800\n[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600\n[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70\n[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0\n[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30\n[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0\n[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0\n[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0\n[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.692773][ T9333]\n[ 70.692990][ T9333] Uninit was stored to memory at:\n[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0\n[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800\n[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700\n[ 70.694911][ T9333] mount_bdev+0x37b/0x530\n[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60\n[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0\n[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0\n[ 70.696588][ T9333] do_new_mount+0x73e/0x1630\n[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0\n[ 70.697425][ T9333] __se_sys_mount+0x733/0x830\n[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150\n[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0\n[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0\n[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.699730][ T9333]\n[ 70.699946][ T9333] Uninit was created at:\n[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60\n[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0\n[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0\n[ 70.701774][ T9333] allocate_slab+0x30e/0x1390\n[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0\n[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20\n[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0\n[ 70.703598][ T9333] alloc_inode+0x82/0x490\n[ 70.703984][ T9333] iget_locked+0x22e/0x1320\n[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0\n[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0\n[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700\n[ 70.705776][ T9333] mount_bdev+0x37b/0x530\n[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60\n[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0\n[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0\n[ 70.707444][ T9333] do_new_mount+0x73e/0x1630\n[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0\n[ 70.708270][ T9333] __se_sys_mount+0x733/0x830\n[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150\n[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0\n[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0\n[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.710611][ T9333]\n[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17\n[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 70.712490][ T9333] =====================================================\n[ 70.713085][ T9333] Disabling lock debugging due to kernel taint\n[ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...\n[ 70.714159][ T9333] \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:46.209Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a2bee43b451615531ae6f3cf45054f02915ef885"
},
{
"url": "https://git.kernel.org/stable/c/b07630afe1671096dc64064190cae3b6165cf6e4"
},
{
"url": "https://git.kernel.org/stable/c/9df3c241fbf69edce968b20eeeeb3f6da34af041"
},
{
"url": "https://git.kernel.org/stable/c/1b9e5ade272f8be6421c9eea4c4f6810180017f9"
},
{
"url": "https://git.kernel.org/stable/c/2bb8bc99b1a7a46d83f95c46f530305f6df84eaf"
},
{
"url": "https://git.kernel.org/stable/c/295527bfdefd5bf31ec8218e2891a65777141d05"
},
{
"url": "https://git.kernel.org/stable/c/4891bf2b09c313622a6e07d7f108aa5e123c768d"
},
{
"url": "https://git.kernel.org/stable/c/9b3d15a758910bb98ba8feb4109d99cc67450ee4"
}
],
"title": "hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40351",
"datePublished": "2025-12-16T13:30:24.764Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-01-02T15:33:46.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68300 (GCVE-0-2025-68300)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
fs/namespace: fix reference leak in grab_requested_mnt_ns
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/namespace: fix reference leak in grab_requested_mnt_ns
lookup_mnt_ns() already takes a reference on mnt_ns.
grab_requested_mnt_ns() doesn't need to take an extra reference.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ba306daa7fa8ae0be5d64c215e9d43a88b4bc8bf , < 4a16b2a0c1f033f95f5d0b98b9e40e8bf7c4c2c5
(git)
Affected: 8ff97ade912dcfc5ac1783c4b8d615aacd26fd17 , < fe256e59b8e7f126b2464ee32bd9fee131f0a883 (git) Affected: 78f0e33cd6c939a555aa80dbed2fec6b333a7660 , < 7b6dcd9bfd869eee7693e45b1817dac8c56e5f86 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4a16b2a0c1f033f95f5d0b98b9e40e8bf7c4c2c5",
"status": "affected",
"version": "ba306daa7fa8ae0be5d64c215e9d43a88b4bc8bf",
"versionType": "git"
},
{
"lessThan": "fe256e59b8e7f126b2464ee32bd9fee131f0a883",
"status": "affected",
"version": "8ff97ade912dcfc5ac1783c4b8d615aacd26fd17",
"versionType": "git"
},
{
"lessThan": "7b6dcd9bfd869eee7693e45b1817dac8c56e5f86",
"status": "affected",
"version": "78f0e33cd6c939a555aa80dbed2fec6b333a7660",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.12.61",
"status": "affected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThan": "6.17.11",
"status": "affected",
"version": "6.17.9",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.12.59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.17.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/namespace: fix reference leak in grab_requested_mnt_ns\n\nlookup_mnt_ns() already takes a reference on mnt_ns.\ngrab_requested_mnt_ns() doesn\u0027t need to take an extra reference."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:18.941Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a16b2a0c1f033f95f5d0b98b9e40e8bf7c4c2c5"
},
{
"url": "https://git.kernel.org/stable/c/fe256e59b8e7f126b2464ee32bd9fee131f0a883"
},
{
"url": "https://git.kernel.org/stable/c/7b6dcd9bfd869eee7693e45b1817dac8c56e5f86"
}
],
"title": "fs/namespace: fix reference leak in grab_requested_mnt_ns",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68300",
"datePublished": "2025-12-16T15:06:18.941Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:18.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68303 (GCVE-0-2025-68303)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
platform/x86: intel: punit_ipc: fix memory corruption
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: intel: punit_ipc: fix memory corruption
This passes the address of the pointer "&punit_ipcdev" when the intent
was to pass the pointer itself "punit_ipcdev" (without the ampersand).
This means that the:
complete(&ipcdev->cmd_complete);
in intel_punit_ioc() will write to a wrong memory address corrupting it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fdca4f16f57da76a8e68047923588a87d1c01f0a , < 15d560cdf5b36c51fffec07ac2a983ab3bff4cb2
(git)
Affected: fdca4f16f57da76a8e68047923588a87d1c01f0a , < 46e9d6f54184573dae1dcbcf6685a572ba6f4480 (git) Affected: fdca4f16f57da76a8e68047923588a87d1c01f0a , < 3e7442c5802146fd418ba3f68dcb9ca92b5cec83 (git) Affected: fdca4f16f57da76a8e68047923588a87d1c01f0a , < a21615a4ac6fecbb586d59fe2206b63501021789 (git) Affected: fdca4f16f57da76a8e68047923588a87d1c01f0a , < c2ee6d38996775a19bfdf20cb01a9b8698cb0baa (git) Affected: fdca4f16f57da76a8e68047923588a87d1c01f0a , < 9b9c0adbc3f8a524d291baccc9d0c04097fb4869 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/intel/punit_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "15d560cdf5b36c51fffec07ac2a983ab3bff4cb2",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "46e9d6f54184573dae1dcbcf6685a572ba6f4480",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "3e7442c5802146fd418ba3f68dcb9ca92b5cec83",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "a21615a4ac6fecbb586d59fe2206b63501021789",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "c2ee6d38996775a19bfdf20cb01a9b8698cb0baa",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "9b9c0adbc3f8a524d291baccc9d0c04097fb4869",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/intel/punit_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: intel: punit_ipc: fix memory corruption\n\nThis passes the address of the pointer \"\u0026punit_ipcdev\" when the intent\nwas to pass the pointer itself \"punit_ipcdev\" (without the ampersand).\nThis means that the:\n\n\tcomplete(\u0026ipcdev-\u003ecmd_complete);\n\nin intel_punit_ioc() will write to a wrong memory address corrupting it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:21.208Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/15d560cdf5b36c51fffec07ac2a983ab3bff4cb2"
},
{
"url": "https://git.kernel.org/stable/c/46e9d6f54184573dae1dcbcf6685a572ba6f4480"
},
{
"url": "https://git.kernel.org/stable/c/3e7442c5802146fd418ba3f68dcb9ca92b5cec83"
},
{
"url": "https://git.kernel.org/stable/c/a21615a4ac6fecbb586d59fe2206b63501021789"
},
{
"url": "https://git.kernel.org/stable/c/c2ee6d38996775a19bfdf20cb01a9b8698cb0baa"
},
{
"url": "https://git.kernel.org/stable/c/9b9c0adbc3f8a524d291baccc9d0c04097fb4869"
}
],
"title": "platform/x86: intel: punit_ipc: fix memory corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68303",
"datePublished": "2025-12-16T15:06:21.208Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:21.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68782 (GCVE-0-2025-68782)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
scsi: target: Reset t_task_cdb pointer in error case
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: Reset t_task_cdb pointer in error case
If allocation of cmd->t_task_cdb fails, it remains NULL but is later
dereferenced in the 'err' path.
In case of error, reset NULL t_task_cdb value to point at the default
fixed-size buffer.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 6cac97b12bdab04832e0416d049efcd0d48d303b
(git)
Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 45fd86b444105c8bd07a763f58635c87e5dc7aea (git) Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 8727663ded659aad55eef21e3864ebf5a4796a96 (git) Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 0260ad551b0815eb788d47f32899fbcd65d6f128 (git) Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 0d36db68fdb8a3325386fd9523b67735f944e1f3 (git) Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 8edbb9e371af186b4cf40819dab65fafe109df4d (git) Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 5053eab38a4c4543522d0c320c639c56a8b59908 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6cac97b12bdab04832e0416d049efcd0d48d303b",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "45fd86b444105c8bd07a763f58635c87e5dc7aea",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "8727663ded659aad55eef21e3864ebf5a4796a96",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "0260ad551b0815eb788d47f32899fbcd65d6f128",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "0d36db68fdb8a3325386fd9523b67735f944e1f3",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "8edbb9e371af186b4cf40819dab65fafe109df4d",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "5053eab38a4c4543522d0c320c639c56a8b59908",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Reset t_task_cdb pointer in error case\n\nIf allocation of cmd-\u003et_task_cdb fails, it remains NULL but is later\ndereferenced in the \u0027err\u0027 path.\n\nIn case of error, reset NULL t_task_cdb value to point at the default\nfixed-size buffer.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:28.650Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6cac97b12bdab04832e0416d049efcd0d48d303b"
},
{
"url": "https://git.kernel.org/stable/c/45fd86b444105c8bd07a763f58635c87e5dc7aea"
},
{
"url": "https://git.kernel.org/stable/c/8727663ded659aad55eef21e3864ebf5a4796a96"
},
{
"url": "https://git.kernel.org/stable/c/0260ad551b0815eb788d47f32899fbcd65d6f128"
},
{
"url": "https://git.kernel.org/stable/c/0d36db68fdb8a3325386fd9523b67735f944e1f3"
},
{
"url": "https://git.kernel.org/stable/c/8edbb9e371af186b4cf40819dab65fafe109df4d"
},
{
"url": "https://git.kernel.org/stable/c/5053eab38a4c4543522d0c320c639c56a8b59908"
}
],
"title": "scsi: target: Reset t_task_cdb pointer in error case",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68782",
"datePublished": "2026-01-13T15:28:56.929Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-02-09T08:33:28.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40080 (GCVE-0-2025-40080)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
nbd: restrict sockets to TCP and UDP
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: restrict sockets to TCP and UDP
Recently, syzbot started to abuse NBD with all kinds of sockets.
Commit cf1b2326b734 ("nbd: verify socket is supported during setup")
made sure the socket supported a shutdown() method.
Explicitely accept TCP and UNIX stream sockets.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cf1b2326b734896734c6e167e41766f9cee7686a , < c365e8f20f4201d873a70385bd919f0fb531e960
(git)
Affected: cf1b2326b734896734c6e167e41766f9cee7686a , < 4f9e6ff6319dbcebea64b50af0304cf0ad7e97e7 (git) Affected: cf1b2326b734896734c6e167e41766f9cee7686a , < 37ad11f20e164c23ce827dd455b42c0fdd29685c (git) Affected: cf1b2326b734896734c6e167e41766f9cee7686a , < 808e2335bc1cf2293b9e36ccc94c267c81509c71 (git) Affected: cf1b2326b734896734c6e167e41766f9cee7686a , < 9f7c02e031570e8291a63162c6c046dc15ff85b0 (git) Affected: 4df728651b8a99693c69962d8e5a5b9e5a3bbcc7 (git) Affected: 083322455c67d278c56a66b73f1221f004ee600a (git) Affected: 4fa1cbd587ef967812f9d9f6ce46ec1dead7502c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c365e8f20f4201d873a70385bd919f0fb531e960",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"lessThan": "4f9e6ff6319dbcebea64b50af0304cf0ad7e97e7",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"lessThan": "37ad11f20e164c23ce827dd455b42c0fdd29685c",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"lessThan": "808e2335bc1cf2293b9e36ccc94c267c81509c71",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"lessThan": "9f7c02e031570e8291a63162c6c046dc15ff85b0",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"status": "affected",
"version": "4df728651b8a99693c69962d8e5a5b9e5a3bbcc7",
"versionType": "git"
},
{
"status": "affected",
"version": "083322455c67d278c56a66b73f1221f004ee600a",
"versionType": "git"
},
{
"status": "affected",
"version": "4fa1cbd587ef967812f9d9f6ce46ec1dead7502c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.152",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: restrict sockets to TCP and UDP\n\nRecently, syzbot started to abuse NBD with all kinds of sockets.\n\nCommit cf1b2326b734 (\"nbd: verify socket is supported during setup\")\nmade sure the socket supported a shutdown() method.\n\nExplicitely accept TCP and UNIX stream sockets."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:37.510Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c365e8f20f4201d873a70385bd919f0fb531e960"
},
{
"url": "https://git.kernel.org/stable/c/4f9e6ff6319dbcebea64b50af0304cf0ad7e97e7"
},
{
"url": "https://git.kernel.org/stable/c/37ad11f20e164c23ce827dd455b42c0fdd29685c"
},
{
"url": "https://git.kernel.org/stable/c/808e2335bc1cf2293b9e36ccc94c267c81509c71"
},
{
"url": "https://git.kernel.org/stable/c/9f7c02e031570e8291a63162c6c046dc15ff85b0"
}
],
"title": "nbd: restrict sockets to TCP and UDP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40080",
"datePublished": "2025-10-28T11:48:44.796Z",
"dateReserved": "2025-04-16T07:20:57.160Z",
"dateUpdated": "2025-12-01T06:17:37.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40310 (GCVE-0-2025-40310)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-26 16:17
VLAI?
EPSS
Title
amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw
Summary
In the Linux kernel, the following vulnerability has been resolved:
amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw
There is race in amdgpu_amdkfd_device_fini_sw and interrupt.
if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and
kfree(kfd), and KGD interrupt generated.
kernel panic log:
BUG: kernel NULL pointer dereference, address: 0000000000000098
amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP
PGD d78c68067 P4D d78c68067
kfd kfd: amdgpu: Allocated 3969056 bytes on gart
PUD 1465b8067 PMD @
Oops: @002 [#1] SMP NOPTI
kfd kfd: amdgpu: Total number of KFD nodes to be created: 4
CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K
RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40
Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc
89 c6 e8 07 38 5d
RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018
0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098
ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020
0000000000000000 R11: 0000000000000000 R12: 0900000000000002
ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00
CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033
CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0
0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<IRQ>
kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]
? amdgpu_fence_process+0xa4/0x150 [amdgpu]
kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace
amdgpu_irq_dispatch+0x165/0x210 [amdgpu]
amdgpu_ih_process+0x80/0x100 [amdgpu]
amdgpu: Virtual CRAT table created for GPU
amdgpu_irq_handler+0x1f/@x60 [amdgpu]
__handle_irq_event_percpu+0x3d/0x170
amdgpu: Topology: Add dGPU node [0x74a2:0x1002]
handle_irq_event+0x5a/@xcO
handle_edge_irq+0x93/0x240
kfd kfd: amdgpu: KFD node 1 partition @ size 49148M
asm_call_irq_on_stack+0xf/@x20
</IRQ>
common_interrupt+0xb3/0x130
asm_common_interrupt+0x1le/0x40
5.10.134-010.a1i5000.a18.x86_64 #1
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
74c5b85da75475c73a8f040397610fbfcc2c3e78 , < 93f8d67ef8b50334a26129df4da5a4cb60ad4090
(git)
Affected: 74c5b85da75475c73a8f040397610fbfcc2c3e78 , < bc9e789053abe463f8cf74eee5fc2f157c11a79f (git) Affected: 74c5b85da75475c73a8f040397610fbfcc2c3e78 , < 2f89a2d15550b653caaeeab7ab68c4d7583fd4fe (git) Affected: 74c5b85da75475c73a8f040397610fbfcc2c3e78 , < 99d7181bca34e96fbf61bdb6844918bdd4df2814 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93f8d67ef8b50334a26129df4da5a4cb60ad4090",
"status": "affected",
"version": "74c5b85da75475c73a8f040397610fbfcc2c3e78",
"versionType": "git"
},
{
"lessThan": "bc9e789053abe463f8cf74eee5fc2f157c11a79f",
"status": "affected",
"version": "74c5b85da75475c73a8f040397610fbfcc2c3e78",
"versionType": "git"
},
{
"lessThan": "2f89a2d15550b653caaeeab7ab68c4d7583fd4fe",
"status": "affected",
"version": "74c5b85da75475c73a8f040397610fbfcc2c3e78",
"versionType": "git"
},
{
"lessThan": "99d7181bca34e96fbf61bdb6844918bdd4df2814",
"status": "affected",
"version": "74c5b85da75475c73a8f040397610fbfcc2c3e78",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\namd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw\n\nThere is race in amdgpu_amdkfd_device_fini_sw and interrupt.\nif amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and\n kfree(kfd), and KGD interrupt generated.\n\nkernel panic log:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000098\namdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP\n\nPGD d78c68067 P4D d78c68067\n\nkfd kfd: amdgpu: Allocated 3969056 bytes on gart\n\nPUD 1465b8067 PMD @\n\nOops: @002 [#1] SMP NOPTI\n\nkfd kfd: amdgpu: Total number of KFD nodes to be created: 4\nCPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K\n\nRIP: 0010:_raw_spin_lock_irqsave+0x12/0x40\n\nCode: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 \u003cfO\u003e OF b1 17 75 Ba 4c 89 e@ 41 Sc\n\n89 c6 e8 07 38 5d\n\nRSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046\n\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018\n0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098\nffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020\n0000000000000000 R11: 0000000000000000 R12: 0900000000000002\nffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00\n\nCS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033\n\nCR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0\n0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400\n\nPKRU: 55555554\n\nCall Trace:\n\n\u003cIRQ\u003e\n\nkgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]\n\n? amdgpu_fence_process+0xa4/0x150 [amdgpu]\n\nkfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace\n\namdgpu_irq_dispatch+0x165/0x210 [amdgpu]\n\namdgpu_ih_process+0x80/0x100 [amdgpu]\n\namdgpu: Virtual CRAT table created for GPU\n\namdgpu_irq_handler+0x1f/@x60 [amdgpu]\n\n__handle_irq_event_percpu+0x3d/0x170\n\namdgpu: Topology: Add dGPU node [0x74a2:0x1002]\n\nhandle_irq_event+0x5a/@xcO\n\nhandle_edge_irq+0x93/0x240\n\nkfd kfd: amdgpu: KFD node 1 partition @ size 49148M\n\nasm_call_irq_on_stack+0xf/@x20\n\n\u003c/IRQ\u003e\n\ncommon_interrupt+0xb3/0x130\n\nasm_common_interrupt+0x1le/0x40\n\n5.10.134-010.a1i5000.a18.x86_64 #1"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T16:17:48.005Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93f8d67ef8b50334a26129df4da5a4cb60ad4090"
},
{
"url": "https://git.kernel.org/stable/c/bc9e789053abe463f8cf74eee5fc2f157c11a79f"
},
{
"url": "https://git.kernel.org/stable/c/2f89a2d15550b653caaeeab7ab68c4d7583fd4fe"
},
{
"url": "https://git.kernel.org/stable/c/99d7181bca34e96fbf61bdb6844918bdd4df2814"
}
],
"title": "amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40310",
"datePublished": "2025-12-08T00:46:35.862Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-26T16:17:48.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39848 (GCVE-0-2025-39848)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
ax25: properly unshare skbs in ax25_kiss_rcv()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ax25: properly unshare skbs in ax25_kiss_rcv()
Bernard Pidoux reported a regression apparently caused by commit
c353e8983e0d ("net: introduce per netns packet chains").
skb->dev becomes NULL and we crash in __netif_receive_skb_core().
Before above commit, different kind of bugs or corruptions could happen
without a major crash.
But the root cause is that ax25_kiss_rcv() can queue/mangle input skb
without checking if this skb is shared or not.
Many thanks to Bernard Pidoux for his help, diagnosis and tests.
We had a similar issue years ago fixed with commit 7aaed57c5c28
("phonet: properly unshare skbs in phonet_rcv()").
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 42b46684e2c78ee052d8c2ee8d9c2089233c9094
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5b079be1b9da49ad88fc304c874d4be7085f7883 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2bd0f67212908243ce88e35bf69fa77155b47b14 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 01a2984cb803f2d487b7074f9718db2bf3531f69 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7d449b7a6c8ee434d10a483feed7c5c50108cf56 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 89064cf534bea4bb28c83fe6bbb26657b19dd5fe (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b1c71d674a308d2fbc83efcf88bfc4217a86aa17 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8156210d36a43e76372312c87eb5ea3dbb405a85 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:06.959Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ax25/ax25_in.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "42b46684e2c78ee052d8c2ee8d9c2089233c9094",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5b079be1b9da49ad88fc304c874d4be7085f7883",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2bd0f67212908243ce88e35bf69fa77155b47b14",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "01a2984cb803f2d487b7074f9718db2bf3531f69",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7d449b7a6c8ee434d10a483feed7c5c50108cf56",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "89064cf534bea4bb28c83fe6bbb26657b19dd5fe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b1c71d674a308d2fbc83efcf88bfc4217a86aa17",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8156210d36a43e76372312c87eb5ea3dbb405a85",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ax25/ax25_in.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: properly unshare skbs in ax25_kiss_rcv()\n\nBernard Pidoux reported a regression apparently caused by commit\nc353e8983e0d (\"net: introduce per netns packet chains\").\n\nskb-\u003edev becomes NULL and we crash in __netif_receive_skb_core().\n\nBefore above commit, different kind of bugs or corruptions could happen\nwithout a major crash.\n\nBut the root cause is that ax25_kiss_rcv() can queue/mangle input skb\nwithout checking if this skb is shared or not.\n\nMany thanks to Bernard Pidoux for his help, diagnosis and tests.\n\nWe had a similar issue years ago fixed with commit 7aaed57c5c28\n(\"phonet: properly unshare skbs in phonet_rcv()\")."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:58.643Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/42b46684e2c78ee052d8c2ee8d9c2089233c9094"
},
{
"url": "https://git.kernel.org/stable/c/5b079be1b9da49ad88fc304c874d4be7085f7883"
},
{
"url": "https://git.kernel.org/stable/c/2bd0f67212908243ce88e35bf69fa77155b47b14"
},
{
"url": "https://git.kernel.org/stable/c/01a2984cb803f2d487b7074f9718db2bf3531f69"
},
{
"url": "https://git.kernel.org/stable/c/7d449b7a6c8ee434d10a483feed7c5c50108cf56"
},
{
"url": "https://git.kernel.org/stable/c/89064cf534bea4bb28c83fe6bbb26657b19dd5fe"
},
{
"url": "https://git.kernel.org/stable/c/b1c71d674a308d2fbc83efcf88bfc4217a86aa17"
},
{
"url": "https://git.kernel.org/stable/c/8156210d36a43e76372312c87eb5ea3dbb405a85"
}
],
"title": "ax25: properly unshare skbs in ax25_kiss_rcv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39848",
"datePublished": "2025-09-19T15:26:21.403Z",
"dateReserved": "2025-04-16T07:20:57.142Z",
"dateUpdated": "2025-11-03T17:44:06.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22103 (GCVE-0-2025-22103)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-11-24 09:49
VLAI?
EPSS
Title
net: fix NULL pointer dereference in l3mdev_l3_rcv
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix NULL pointer dereference in l3mdev_l3_rcv
When delete l3s ipvlan:
ip link del link eth0 ipvlan1 type ipvlan mode l3s
This may cause a null pointer dereference:
Call trace:
ip_rcv_finish+0x48/0xd0
ip_rcv+0x5c/0x100
__netif_receive_skb_one_core+0x64/0xb0
__netif_receive_skb+0x20/0x80
process_backlog+0xb4/0x204
napi_poll+0xe8/0x294
net_rx_action+0xd8/0x22c
__do_softirq+0x12c/0x354
This is because l3mdev_l3_rcv() visit dev->l3mdev_ops after
ipvlan_l3s_unregister() assign the dev->l3mdev_ops to NULL. The process
like this:
(CPU1) | (CPU2)
l3mdev_l3_rcv() |
check dev->priv_flags: |
master = skb->dev; |
|
| ipvlan_l3s_unregister()
| set dev->priv_flags
| dev->l3mdev_ops = NULL;
|
visit master->l3mdev_ops |
To avoid this by do not set dev->l3mdev_ops when unregister l3s ipvlan.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c675e06a98a474f7ad0af32ce467613da818da52 , < 52b44d8c653459c658b733d13658afdde45f6836
(git)
Affected: c675e06a98a474f7ad0af32ce467613da818da52 , < 59599bce44af3df7a215ebc81cb166426e1c9204 (git) Affected: c675e06a98a474f7ad0af32ce467613da818da52 , < f9dff65140efc289f01bcf39c3ca66a8806b6132 (git) Affected: c675e06a98a474f7ad0af32ce467613da818da52 , < 0032c99e83b9ce6d5995d65900aa4b6ffb501cce (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ipvlan/ipvlan_l3s.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "52b44d8c653459c658b733d13658afdde45f6836",
"status": "affected",
"version": "c675e06a98a474f7ad0af32ce467613da818da52",
"versionType": "git"
},
{
"lessThan": "59599bce44af3df7a215ebc81cb166426e1c9204",
"status": "affected",
"version": "c675e06a98a474f7ad0af32ce467613da818da52",
"versionType": "git"
},
{
"lessThan": "f9dff65140efc289f01bcf39c3ca66a8806b6132",
"status": "affected",
"version": "c675e06a98a474f7ad0af32ce467613da818da52",
"versionType": "git"
},
{
"lessThan": "0032c99e83b9ce6d5995d65900aa4b6ffb501cce",
"status": "affected",
"version": "c675e06a98a474f7ad0af32ce467613da818da52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ipvlan/ipvlan_l3s.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix NULL pointer dereference in l3mdev_l3_rcv\n\nWhen delete l3s ipvlan:\n\n ip link del link eth0 ipvlan1 type ipvlan mode l3s\n\nThis may cause a null pointer dereference:\n\n Call trace:\n ip_rcv_finish+0x48/0xd0\n ip_rcv+0x5c/0x100\n __netif_receive_skb_one_core+0x64/0xb0\n __netif_receive_skb+0x20/0x80\n process_backlog+0xb4/0x204\n napi_poll+0xe8/0x294\n net_rx_action+0xd8/0x22c\n __do_softirq+0x12c/0x354\n\nThis is because l3mdev_l3_rcv() visit dev-\u003el3mdev_ops after\nipvlan_l3s_unregister() assign the dev-\u003el3mdev_ops to NULL. The process\nlike this:\n\n (CPU1) | (CPU2)\n l3mdev_l3_rcv() |\n check dev-\u003epriv_flags: |\n master = skb-\u003edev; |\n |\n | ipvlan_l3s_unregister()\n | set dev-\u003epriv_flags\n | dev-\u003el3mdev_ops = NULL;\n |\n visit master-\u003el3mdev_ops |\n\nTo avoid this by do not set dev-\u003el3mdev_ops when unregister l3s ipvlan."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T09:49:39.955Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/52b44d8c653459c658b733d13658afdde45f6836"
},
{
"url": "https://git.kernel.org/stable/c/59599bce44af3df7a215ebc81cb166426e1c9204"
},
{
"url": "https://git.kernel.org/stable/c/f9dff65140efc289f01bcf39c3ca66a8806b6132"
},
{
"url": "https://git.kernel.org/stable/c/0032c99e83b9ce6d5995d65900aa4b6ffb501cce"
}
],
"title": "net: fix NULL pointer dereference in l3mdev_l3_rcv",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22103",
"datePublished": "2025-04-16T14:12:52.164Z",
"dateReserved": "2024-12-29T08:45:45.819Z",
"dateUpdated": "2025-11-24T09:49:39.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68233 (GCVE-0-2025-68233)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:04 – Updated: 2025-12-16 14:04
VLAI?
EPSS
Title
drm/tegra: Add call to put_pid()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/tegra: Add call to put_pid()
Add a call to put_pid() corresponding to get_task_pid().
host1x_memory_context_alloc() does not take ownership of the PID so we
need to free it here to avoid leaking.
[mperttunen@nvidia.com: reword commit message]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e09db97889ec647ad373f7a7422c83099c6120c5 , < 6b572e5154af08ee13f8d2673e86f83bc5ff86cd
(git)
Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < 2e78580e6e7deac6556236ef96db5bbf7b46857e (git) Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < cbf2cbdb0733d7974dab296ffba0e7ae9b6524e5 (git) Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < 27ea5c2c75c3419a9a019240ca44b9256f628df1 (git) Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < 6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tegra/uapi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6b572e5154af08ee13f8d2673e86f83bc5ff86cd",
"status": "affected",
"version": "e09db97889ec647ad373f7a7422c83099c6120c5",
"versionType": "git"
},
{
"lessThan": "2e78580e6e7deac6556236ef96db5bbf7b46857e",
"status": "affected",
"version": "e09db97889ec647ad373f7a7422c83099c6120c5",
"versionType": "git"
},
{
"lessThan": "cbf2cbdb0733d7974dab296ffba0e7ae9b6524e5",
"status": "affected",
"version": "e09db97889ec647ad373f7a7422c83099c6120c5",
"versionType": "git"
},
{
"lessThan": "27ea5c2c75c3419a9a019240ca44b9256f628df1",
"status": "affected",
"version": "e09db97889ec647ad373f7a7422c83099c6120c5",
"versionType": "git"
},
{
"lessThan": "6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a",
"status": "affected",
"version": "e09db97889ec647ad373f7a7422c83099c6120c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tegra/uapi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: Add call to put_pid()\n\nAdd a call to put_pid() corresponding to get_task_pid().\nhost1x_memory_context_alloc() does not take ownership of the PID so we\nneed to free it here to avoid leaking.\n\n[mperttunen@nvidia.com: reword commit message]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:04:13.490Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6b572e5154af08ee13f8d2673e86f83bc5ff86cd"
},
{
"url": "https://git.kernel.org/stable/c/2e78580e6e7deac6556236ef96db5bbf7b46857e"
},
{
"url": "https://git.kernel.org/stable/c/cbf2cbdb0733d7974dab296ffba0e7ae9b6524e5"
},
{
"url": "https://git.kernel.org/stable/c/27ea5c2c75c3419a9a019240ca44b9256f628df1"
},
{
"url": "https://git.kernel.org/stable/c/6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a"
}
],
"title": "drm/tegra: Add call to put_pid()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68233",
"datePublished": "2025-12-16T14:04:13.490Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2025-12-16T14:04:13.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71093 (GCVE-0-2025-71093)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
e1000: fix OOB in e1000_tbi_should_accept()
Summary
In the Linux kernel, the following vulnerability has been resolved:
e1000: fix OOB in e1000_tbi_should_accept()
In e1000_tbi_should_accept() we read the last byte of the frame via
'data[length - 1]' to evaluate the TBI workaround. If the descriptor-
reported length is zero or larger than the actual RX buffer size, this
read goes out of bounds and can hit unrelated slab objects. The issue
is observed from the NAPI receive path (e1000_clean_rx_irq):
==================================================================
BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790
Read of size 1 at addr ffff888014114e54 by task sshd/363
CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0x5a/0x74
print_address_description+0x7b/0x440
print_report+0x101/0x200
kasan_report+0xc1/0xf0
e1000_tbi_should_accept+0x610/0x790
e1000_clean_rx_irq+0xa8c/0x1110
e1000_clean+0xde2/0x3c10
__napi_poll+0x98/0x380
net_rx_action+0x491/0xa20
__do_softirq+0x2c9/0x61d
do_softirq+0xd1/0x120
</IRQ>
<TASK>
__local_bh_enable_ip+0xfe/0x130
ip_finish_output2+0x7d5/0xb00
__ip_queue_xmit+0xe24/0x1ab0
__tcp_transmit_skb+0x1bcb/0x3340
tcp_write_xmit+0x175d/0x6bd0
__tcp_push_pending_frames+0x7b/0x280
tcp_sendmsg_locked+0x2e4f/0x32d0
tcp_sendmsg+0x24/0x40
sock_write_iter+0x322/0x430
vfs_write+0x56c/0xa60
ksys_write+0xd1/0x190
do_syscall_64+0x43/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f511b476b10
Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24
RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10
RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003
RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00
R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003
</TASK>
Allocated by task 1:
__kasan_krealloc+0x131/0x1c0
krealloc+0x90/0xc0
add_sysfs_param+0xcb/0x8a0
kernel_add_sysfs_param+0x81/0xd4
param_sysfs_builtin+0x138/0x1a6
param_sysfs_init+0x57/0x5b
do_one_initcall+0x104/0x250
do_initcall_level+0x102/0x132
do_initcalls+0x46/0x74
kernel_init_freeable+0x28f/0x393
kernel_init+0x14/0x1a0
ret_from_fork+0x22/0x30
The buggy address belongs to the object at ffff888014114000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1620 bytes to the right of
2048-byte region [ffff888014114000, ffff888014114800]
The buggy address belongs to the physical page:
page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110
head:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
==================================================================
This happens because the TBI check unconditionally dereferences the last
byte without validating the reported length first:
u8 last_byte = *(data + length - 1);
Fix by rejecting the frame early if the length is zero, or if it exceeds
adapter->rx_buffer_len. This preserves the TBI workaround semantics for
valid frames and prevents touching memory beyond the RX buffer.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2037110c96d5f1dd71453fcd0d54e79be12a352b , < 4ccfa56f272241e8d8e2c38191fdbb03df489d80
(git)
Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b , < 278b7cfe0d4da7502c7fd679b15032f014c92892 (git) Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b , < ad7a2a45e2417ac54089926b520924f8f0d91aea (git) Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b , < 2c4c0c09f9648ba766d399917d420d03e7b3e1f8 (git) Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b , < 26c8bebc2f25288c2bcac7bc0a7662279a0e817c (git) Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b , < ee7c125fb3e8b04dd46510130b9fc92380e5d578 (git) Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b , < 9c72a5182ed92904d01057f208c390a303f00a0f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/e1000/e1000_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ccfa56f272241e8d8e2c38191fdbb03df489d80",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "278b7cfe0d4da7502c7fd679b15032f014c92892",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "ad7a2a45e2417ac54089926b520924f8f0d91aea",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "2c4c0c09f9648ba766d399917d420d03e7b3e1f8",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "26c8bebc2f25288c2bcac7bc0a7662279a0e817c",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "ee7c125fb3e8b04dd46510130b9fc92380e5d578",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "9c72a5182ed92904d01057f208c390a303f00a0f",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/e1000/e1000_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ne1000: fix OOB in e1000_tbi_should_accept()\n\nIn e1000_tbi_should_accept() we read the last byte of the frame via\n\u0027data[length - 1]\u0027 to evaluate the TBI workaround. If the descriptor-\nreported length is zero or larger than the actual RX buffer size, this\nread goes out of bounds and can hit unrelated slab objects. The issue\nis observed from the NAPI receive path (e1000_clean_rx_irq):\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790\nRead of size 1 at addr ffff888014114e54 by task sshd/363\n\nCPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x5a/0x74\n print_address_description+0x7b/0x440\n print_report+0x101/0x200\n kasan_report+0xc1/0xf0\n e1000_tbi_should_accept+0x610/0x790\n e1000_clean_rx_irq+0xa8c/0x1110\n e1000_clean+0xde2/0x3c10\n __napi_poll+0x98/0x380\n net_rx_action+0x491/0xa20\n __do_softirq+0x2c9/0x61d\n do_softirq+0xd1/0x120\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip+0xfe/0x130\n ip_finish_output2+0x7d5/0xb00\n __ip_queue_xmit+0xe24/0x1ab0\n __tcp_transmit_skb+0x1bcb/0x3340\n tcp_write_xmit+0x175d/0x6bd0\n __tcp_push_pending_frames+0x7b/0x280\n tcp_sendmsg_locked+0x2e4f/0x32d0\n tcp_sendmsg+0x24/0x40\n sock_write_iter+0x322/0x430\n vfs_write+0x56c/0xa60\n ksys_write+0xd1/0x190\n do_syscall_64+0x43/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f511b476b10\nCode: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24\nRSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10\nRDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003\nRBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00\nR10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003\n \u003c/TASK\u003e\nAllocated by task 1:\n __kasan_krealloc+0x131/0x1c0\n krealloc+0x90/0xc0\n add_sysfs_param+0xcb/0x8a0\n kernel_add_sysfs_param+0x81/0xd4\n param_sysfs_builtin+0x138/0x1a6\n param_sysfs_init+0x57/0x5b\n do_one_initcall+0x104/0x250\n do_initcall_level+0x102/0x132\n do_initcalls+0x46/0x74\n kernel_init_freeable+0x28f/0x393\n kernel_init+0x14/0x1a0\n ret_from_fork+0x22/0x30\nThe buggy address belongs to the object at ffff888014114000\n which belongs to the cache kmalloc-2k of size 2048\nThe buggy address is located 1620 bytes to the right of\n 2048-byte region [ffff888014114000, ffff888014114800]\nThe buggy address belongs to the physical page:\npage:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110\nhead:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0\nflags: 0x100000000010200(slab|head|node=0|zone=1)\nraw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000\nraw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n==================================================================\n\nThis happens because the TBI check unconditionally dereferences the last\nbyte without validating the reported length first:\n\n\tu8 last_byte = *(data + length - 1);\n\nFix by rejecting the frame early if the length is zero, or if it exceeds\nadapter-\u003erx_buffer_len. This preserves the TBI workaround semantics for\nvalid frames and prevents touching memory beyond the RX buffer."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:45.622Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ccfa56f272241e8d8e2c38191fdbb03df489d80"
},
{
"url": "https://git.kernel.org/stable/c/278b7cfe0d4da7502c7fd679b15032f014c92892"
},
{
"url": "https://git.kernel.org/stable/c/ad7a2a45e2417ac54089926b520924f8f0d91aea"
},
{
"url": "https://git.kernel.org/stable/c/2c4c0c09f9648ba766d399917d420d03e7b3e1f8"
},
{
"url": "https://git.kernel.org/stable/c/26c8bebc2f25288c2bcac7bc0a7662279a0e817c"
},
{
"url": "https://git.kernel.org/stable/c/ee7c125fb3e8b04dd46510130b9fc92380e5d578"
},
{
"url": "https://git.kernel.org/stable/c/9c72a5182ed92904d01057f208c390a303f00a0f"
}
],
"title": "e1000: fix OOB in e1000_tbi_should_accept()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71093",
"datePublished": "2026-01-13T15:34:53.803Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-02-09T08:34:45.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40286 (GCVE-0-2025-40286)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2026-01-26 16:17
VLAI?
EPSS
Title
smb/server: fix possible memory leak in smb2_read()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb/server: fix possible memory leak in smb2_read()
Memory leak occurs when ksmbd_vfs_read() fails.
Fix this by adding the missing kvfree().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 0797c6cf3b857cc229ab2bc69552938dcd738d78
(git)
Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 63d8706a2c09a0c29b8b0e8a44bc7a1339685de9 (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < f1305587731886da37a214cda812ade246c653b0 (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < bfda5422a16651d0bf864ec468b1c216e1b10d91 (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 6fced056d2cc8d01b326e6fcfabaacb9850b71a4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0797c6cf3b857cc229ab2bc69552938dcd738d78",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "63d8706a2c09a0c29b8b0e8a44bc7a1339685de9",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "f1305587731886da37a214cda812ade246c653b0",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "bfda5422a16651d0bf864ec468b1c216e1b10d91",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "6fced056d2cc8d01b326e6fcfabaacb9850b71a4",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/server: fix possible memory leak in smb2_read()\n\nMemory leak occurs when ksmbd_vfs_read() fails.\nFix this by adding the missing kvfree()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T16:17:44.657Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0797c6cf3b857cc229ab2bc69552938dcd738d78"
},
{
"url": "https://git.kernel.org/stable/c/63d8706a2c09a0c29b8b0e8a44bc7a1339685de9"
},
{
"url": "https://git.kernel.org/stable/c/f1305587731886da37a214cda812ade246c653b0"
},
{
"url": "https://git.kernel.org/stable/c/bfda5422a16651d0bf864ec468b1c216e1b10d91"
},
{
"url": "https://git.kernel.org/stable/c/6fced056d2cc8d01b326e6fcfabaacb9850b71a4"
}
],
"title": "smb/server: fix possible memory leak in smb2_read()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40286",
"datePublished": "2025-12-06T21:51:12.169Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2026-01-26T16:17:44.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68340 (GCVE-0-2025-68340)
Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2026-02-06 16:31
VLAI?
EPSS
Title
team: Move team device type change at the end of team_port_add
Summary
In the Linux kernel, the following vulnerability has been resolved:
team: Move team device type change at the end of team_port_add
Attempting to add a port device that is already up will expectedly fail,
but not before modifying the team device header_ops.
In the case of the syzbot reproducer the gre0 device is
already in state UP when it attempts to add it as a
port device of team0, this fails but before that
header_ops->create of team0 is changed from eth_header to ipgre_header
in the call to team_dev_type_check_change.
Later when we end up in ipgre_header() struct ip_tunnel* points to nonsense
as the private data of the device still holds a struct team.
Example sequence of iproute2 commands to reproduce the hang/BUG():
ip link add dev team0 type team
ip link add dev gre0 type gre
ip link set dev gre0 up
ip link set dev gre0 master team0
ip link set dev team0 up
ping -I team0 1.1.1.1
Move team_dev_type_check_change down where all other checks have passed
as it changes the dev type with no way to restore it in case
one of the checks that follow it fail.
Also make sure to preserve the origial mtu assignment:
- If port_dev is not the same type as dev, dev takes mtu from port_dev
- If port_dev is the same type as dev, port_dev takes mtu from dev
This is done by adding a conditional before the call to dev_set_mtu
to prevent it from assigning port_dev->mtu = dev->mtu and instead
letting team_dev_type_check_change assign dev->mtu = port_dev->mtu.
The conditional is needed because the patch moves the call to
team_dev_type_check_change past dev_set_mtu.
Testing:
- team device driver in-tree selftests
- Add/remove various devices as slaves of team device
- syzbot
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1d76efe1577b4323609b1bcbfafa8b731eda071a , < c8b15b0d2eec3b5c7f585e5a53dfc8d36c818283
(git)
Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < a74ab1b532ecc5f9106621a8f75b4c3d04466b35 (git) Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < e26235840fd961e4ebe5568f11a2a078cf726663 (git) Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < 4040b5e8963982a00aa821300cb746efc9f2947e (git) Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < e3eed4f038214494af62c7d2d64749e5108ce6ca (git) Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < 0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8b15b0d2eec3b5c7f585e5a53dfc8d36c818283",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
},
{
"lessThan": "a74ab1b532ecc5f9106621a8f75b4c3d04466b35",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
},
{
"lessThan": "e26235840fd961e4ebe5568f11a2a078cf726663",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
},
{
"lessThan": "4040b5e8963982a00aa821300cb746efc9f2947e",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
},
{
"lessThan": "e3eed4f038214494af62c7d2d64749e5108ce6ca",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
},
{
"lessThan": "0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: Move team device type change at the end of team_port_add\n\nAttempting to add a port device that is already up will expectedly fail,\nbut not before modifying the team device header_ops.\n\nIn the case of the syzbot reproducer the gre0 device is\nalready in state UP when it attempts to add it as a\nport device of team0, this fails but before that\nheader_ops-\u003ecreate of team0 is changed from eth_header to ipgre_header\nin the call to team_dev_type_check_change.\n\nLater when we end up in ipgre_header() struct ip_tunnel* points to nonsense\nas the private data of the device still holds a struct team.\n\nExample sequence of iproute2 commands to reproduce the hang/BUG():\nip link add dev team0 type team\nip link add dev gre0 type gre\nip link set dev gre0 up\nip link set dev gre0 master team0\nip link set dev team0 up\nping -I team0 1.1.1.1\n\nMove team_dev_type_check_change down where all other checks have passed\nas it changes the dev type with no way to restore it in case\none of the checks that follow it fail.\n\nAlso make sure to preserve the origial mtu assignment:\n - If port_dev is not the same type as dev, dev takes mtu from port_dev\n - If port_dev is the same type as dev, port_dev takes mtu from dev\n\nThis is done by adding a conditional before the call to dev_set_mtu\nto prevent it from assigning port_dev-\u003emtu = dev-\u003emtu and instead\nletting team_dev_type_check_change assign dev-\u003emtu = port_dev-\u003emtu.\nThe conditional is needed because the patch moves the call to\nteam_dev_type_check_change past dev_set_mtu.\n\nTesting:\n - team device driver in-tree selftests\n - Add/remove various devices as slaves of team device\n - syzbot"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:31:33.541Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8b15b0d2eec3b5c7f585e5a53dfc8d36c818283"
},
{
"url": "https://git.kernel.org/stable/c/a74ab1b532ecc5f9106621a8f75b4c3d04466b35"
},
{
"url": "https://git.kernel.org/stable/c/e26235840fd961e4ebe5568f11a2a078cf726663"
},
{
"url": "https://git.kernel.org/stable/c/4040b5e8963982a00aa821300cb746efc9f2947e"
},
{
"url": "https://git.kernel.org/stable/c/e3eed4f038214494af62c7d2d64749e5108ce6ca"
},
{
"url": "https://git.kernel.org/stable/c/0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef"
}
],
"title": "team: Move team device type change at the end of team_port_add",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68340",
"datePublished": "2025-12-23T13:58:25.841Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-02-06T16:31:33.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39914 (GCVE-0-2025-39914)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:44 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
tracing: Silence warning when chunk allocation fails in trace_pid_write
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Silence warning when chunk allocation fails in trace_pid_write
Syzkaller trigger a fault injection warning:
WARNING: CPU: 1 PID: 12326 at tracepoint_add_func+0xbfc/0xeb0
Modules linked in:
CPU: 1 UID: 0 PID: 12326 Comm: syz.6.10325 Tainted: G U 6.14.0-rc5-syzkaller #0
Tainted: [U]=USER
Hardware name: Google Compute Engine/Google Compute Engine
RIP: 0010:tracepoint_add_func+0xbfc/0xeb0 kernel/tracepoint.c:294
Code: 09 fe ff 90 0f 0b 90 0f b6 74 24 43 31 ff 41 bc ea ff ff ff
RSP: 0018:ffffc9000414fb48 EFLAGS: 00010283
RAX: 00000000000012a1 RBX: ffffffff8e240ae0 RCX: ffffc90014b78000
RDX: 0000000000080000 RSI: ffffffff81bbd78b RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffffffffffef
R13: 0000000000000000 R14: dffffc0000000000 R15: ffffffff81c264f0
FS: 00007f27217f66c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e80dff8 CR3: 00000000268f8000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tracepoint_probe_register_prio+0xc0/0x110 kernel/tracepoint.c:464
register_trace_prio_sched_switch include/trace/events/sched.h:222 [inline]
register_pid_events kernel/trace/trace_events.c:2354 [inline]
event_pid_write.isra.0+0x439/0x7a0 kernel/trace/trace_events.c:2425
vfs_write+0x24c/0x1150 fs/read_write.c:677
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
We can reproduce the warning by following the steps below:
1. echo 8 >> set_event_notrace_pid. Let tr->filtered_pids owns one pid
and register sched_switch tracepoint.
2. echo ' ' >> set_event_pid, and perform fault injection during chunk
allocation of trace_pid_list_alloc. Let pid_list with no pid and
assign to tr->filtered_pids.
3. echo ' ' >> set_event_pid. Let pid_list is NULL and assign to
tr->filtered_pids.
4. echo 9 >> set_event_pid, will trigger the double register
sched_switch tracepoint warning.
The reason is that syzkaller injects a fault into the chunk allocation
in trace_pid_list_alloc, causing a failure in trace_pid_list_set, which
may trigger double register of the same tracepoint. This only occurs
when the system is about to crash, but to suppress this warning, let's
add failure handling logic to trace_pid_list_set.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8d6e90983ade25ec7925211ac31d9ccaf64b7edf , < 7583a73c53f1d1ae7a39b130eb7190a11f0a902f
(git)
Affected: 8d6e90983ade25ec7925211ac31d9ccaf64b7edf , < 1262bda871dace8c6efae25f3b6a2d34f6f06d54 (git) Affected: 8d6e90983ade25ec7925211ac31d9ccaf64b7edf , < 88525accf16947ab459f8e91c27c8c53e1d612d7 (git) Affected: 8d6e90983ade25ec7925211ac31d9ccaf64b7edf , < 793338906ff57d8c683f44fe48ca99d49c8782a7 (git) Affected: 8d6e90983ade25ec7925211ac31d9ccaf64b7edf , < cd4453c5e983cf1fd5757e9acb915adb1e4602b6 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:37.896Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7583a73c53f1d1ae7a39b130eb7190a11f0a902f",
"status": "affected",
"version": "8d6e90983ade25ec7925211ac31d9ccaf64b7edf",
"versionType": "git"
},
{
"lessThan": "1262bda871dace8c6efae25f3b6a2d34f6f06d54",
"status": "affected",
"version": "8d6e90983ade25ec7925211ac31d9ccaf64b7edf",
"versionType": "git"
},
{
"lessThan": "88525accf16947ab459f8e91c27c8c53e1d612d7",
"status": "affected",
"version": "8d6e90983ade25ec7925211ac31d9ccaf64b7edf",
"versionType": "git"
},
{
"lessThan": "793338906ff57d8c683f44fe48ca99d49c8782a7",
"status": "affected",
"version": "8d6e90983ade25ec7925211ac31d9ccaf64b7edf",
"versionType": "git"
},
{
"lessThan": "cd4453c5e983cf1fd5757e9acb915adb1e4602b6",
"status": "affected",
"version": "8d6e90983ade25ec7925211ac31d9ccaf64b7edf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Silence warning when chunk allocation fails in trace_pid_write\n\nSyzkaller trigger a fault injection warning:\n\nWARNING: CPU: 1 PID: 12326 at tracepoint_add_func+0xbfc/0xeb0\nModules linked in:\nCPU: 1 UID: 0 PID: 12326 Comm: syz.6.10325 Tainted: G U 6.14.0-rc5-syzkaller #0\nTainted: [U]=USER\nHardware name: Google Compute Engine/Google Compute Engine\nRIP: 0010:tracepoint_add_func+0xbfc/0xeb0 kernel/tracepoint.c:294\nCode: 09 fe ff 90 0f 0b 90 0f b6 74 24 43 31 ff 41 bc ea ff ff ff\nRSP: 0018:ffffc9000414fb48 EFLAGS: 00010283\nRAX: 00000000000012a1 RBX: ffffffff8e240ae0 RCX: ffffc90014b78000\nRDX: 0000000000080000 RSI: ffffffff81bbd78b RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffffffffffffffef\nR13: 0000000000000000 R14: dffffc0000000000 R15: ffffffff81c264f0\nFS: 00007f27217f66c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b2e80dff8 CR3: 00000000268f8000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n tracepoint_probe_register_prio+0xc0/0x110 kernel/tracepoint.c:464\n register_trace_prio_sched_switch include/trace/events/sched.h:222 [inline]\n register_pid_events kernel/trace/trace_events.c:2354 [inline]\n event_pid_write.isra.0+0x439/0x7a0 kernel/trace/trace_events.c:2425\n vfs_write+0x24c/0x1150 fs/read_write.c:677\n ksys_write+0x12b/0x250 fs/read_write.c:731\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWe can reproduce the warning by following the steps below:\n1. echo 8 \u003e\u003e set_event_notrace_pid. Let tr-\u003efiltered_pids owns one pid\n and register sched_switch tracepoint.\n2. echo \u0027 \u0027 \u003e\u003e set_event_pid, and perform fault injection during chunk\n allocation of trace_pid_list_alloc. Let pid_list with no pid and\nassign to tr-\u003efiltered_pids.\n3. echo \u0027 \u0027 \u003e\u003e set_event_pid. Let pid_list is NULL and assign to\n tr-\u003efiltered_pids.\n4. echo 9 \u003e\u003e set_event_pid, will trigger the double register\n sched_switch tracepoint warning.\n\nThe reason is that syzkaller injects a fault into the chunk allocation\nin trace_pid_list_alloc, causing a failure in trace_pid_list_set, which\nmay trigger double register of the same tracepoint. This only occurs\nwhen the system is about to crash, but to suppress this warning, let\u0027s\nadd failure handling logic to trace_pid_list_set."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:44:37.018Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7583a73c53f1d1ae7a39b130eb7190a11f0a902f"
},
{
"url": "https://git.kernel.org/stable/c/1262bda871dace8c6efae25f3b6a2d34f6f06d54"
},
{
"url": "https://git.kernel.org/stable/c/88525accf16947ab459f8e91c27c8c53e1d612d7"
},
{
"url": "https://git.kernel.org/stable/c/793338906ff57d8c683f44fe48ca99d49c8782a7"
},
{
"url": "https://git.kernel.org/stable/c/cd4453c5e983cf1fd5757e9acb915adb1e4602b6"
}
],
"title": "tracing: Silence warning when chunk allocation fails in trace_pid_write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39914",
"datePublished": "2025-10-01T07:44:37.018Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:37.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39913 (GCVE-0-2025-39913)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:44 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.
syzbot reported the splat below. [0]
The repro does the following:
1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes)
2. Attach the prog to a SOCKMAP
3. Add a socket to the SOCKMAP
4. Activate fault injection
5. Send data less than cork_bytes
At 5., the data is carried over to the next sendmsg() as it is
smaller than the cork_bytes specified by bpf_msg_cork_bytes().
Then, tcp_bpf_send_verdict() tries to allocate psock->cork to hold
the data, but this fails silently due to fault injection + __GFP_NOWARN.
If the allocation fails, we need to revert the sk->sk_forward_alloc
change done by sk_msg_alloc().
Let's call sk_msg_free() when tcp_bpf_send_verdict fails to allocate
psock->cork.
The "*copied" also needs to be updated such that a proper error can
be returned to the caller, sendmsg. It fails to allocate psock->cork.
Nothing has been corked so far, so this patch simply sets "*copied"
to 0.
[0]:
WARNING: net/ipv4/af_inet.c:156 at inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156, CPU#1: syz-executor/5983
Modules linked in:
CPU: 1 UID: 0 PID: 5983 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156
Code: 0f 0b 90 e9 62 fe ff ff e8 7a db b5 f7 90 0f 0b 90 e9 95 fe ff ff e8 6c db b5 f7 90 0f 0b 90 e9 bb fe ff ff e8 5e db b5 f7 90 <0f> 0b 90 e9 e1 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 9f fc
RSP: 0018:ffffc90000a08b48 EFLAGS: 00010246
RAX: ffffffff8a09d0b2 RBX: dffffc0000000000 RCX: ffff888024a23c80
RDX: 0000000000000100 RSI: 0000000000000fff RDI: 0000000000000000
RBP: 0000000000000fff R08: ffff88807e07c627 R09: 1ffff1100fc0f8c4
R10: dffffc0000000000 R11: ffffed100fc0f8c5 R12: ffff88807e07c380
R13: dffffc0000000000 R14: ffff88807e07c60c R15: 1ffff1100fc0f872
FS: 00005555604c4500(0000) GS:ffff888125af1000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555604df5c8 CR3: 0000000032b06000 CR4: 00000000003526f0
Call Trace:
<IRQ>
__sk_destruct+0x86/0x660 net/core/sock.c:2339
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861
handle_softirqs+0x286/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052
</IRQ>
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4f738adba30a7cfc006f605707e7aee847ffefa0 , < 08f58d10f5abf11d297cc910754922498c921f91
(git)
Affected: 4f738adba30a7cfc006f605707e7aee847ffefa0 , < 05366527f44cf4b884f3d9462ae8009be9665856 (git) Affected: 4f738adba30a7cfc006f605707e7aee847ffefa0 , < 7429b8b9bfbc276fd304fbaebc405f46b421fedf (git) Affected: 4f738adba30a7cfc006f605707e7aee847ffefa0 , < 9c2a6456bdf9794474460d885c359b6c4522d6e3 (git) Affected: 4f738adba30a7cfc006f605707e7aee847ffefa0 , < 66bcb04a441fbf15d66834b7e3eefb313dd750c8 (git) Affected: 4f738adba30a7cfc006f605707e7aee847ffefa0 , < 539920180c55f5e13a2488a2339f94e6b8cb69e0 (git) Affected: 4f738adba30a7cfc006f605707e7aee847ffefa0 , < de89e58368f8f07df005ecc1c86ad94898a999f2 (git) Affected: 4f738adba30a7cfc006f605707e7aee847ffefa0 , < a3967baad4d533dc254c31e0d221e51c8d223d58 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:36.959Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08f58d10f5abf11d297cc910754922498c921f91",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "05366527f44cf4b884f3d9462ae8009be9665856",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "7429b8b9bfbc276fd304fbaebc405f46b421fedf",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "9c2a6456bdf9794474460d885c359b6c4522d6e3",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "66bcb04a441fbf15d66834b7e3eefb313dd750c8",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "539920180c55f5e13a2488a2339f94e6b8cb69e0",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "de89e58368f8f07df005ecc1c86ad94898a999f2",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "a3967baad4d533dc254c31e0d221e51c8d223d58",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock-\u003ecork.\n\nsyzbot reported the splat below. [0]\n\nThe repro does the following:\n\n 1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes)\n 2. Attach the prog to a SOCKMAP\n 3. Add a socket to the SOCKMAP\n 4. Activate fault injection\n 5. Send data less than cork_bytes\n\nAt 5., the data is carried over to the next sendmsg() as it is\nsmaller than the cork_bytes specified by bpf_msg_cork_bytes().\n\nThen, tcp_bpf_send_verdict() tries to allocate psock-\u003ecork to hold\nthe data, but this fails silently due to fault injection + __GFP_NOWARN.\n\nIf the allocation fails, we need to revert the sk-\u003esk_forward_alloc\nchange done by sk_msg_alloc().\n\nLet\u0027s call sk_msg_free() when tcp_bpf_send_verdict fails to allocate\npsock-\u003ecork.\n\nThe \"*copied\" also needs to be updated such that a proper error can\nbe returned to the caller, sendmsg. It fails to allocate psock-\u003ecork.\nNothing has been corked so far, so this patch simply sets \"*copied\"\nto 0.\n\n[0]:\nWARNING: net/ipv4/af_inet.c:156 at inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156, CPU#1: syz-executor/5983\nModules linked in:\nCPU: 1 UID: 0 PID: 5983 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156\nCode: 0f 0b 90 e9 62 fe ff ff e8 7a db b5 f7 90 0f 0b 90 e9 95 fe ff ff e8 6c db b5 f7 90 0f 0b 90 e9 bb fe ff ff e8 5e db b5 f7 90 \u003c0f\u003e 0b 90 e9 e1 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 9f fc\nRSP: 0018:ffffc90000a08b48 EFLAGS: 00010246\nRAX: ffffffff8a09d0b2 RBX: dffffc0000000000 RCX: ffff888024a23c80\nRDX: 0000000000000100 RSI: 0000000000000fff RDI: 0000000000000000\nRBP: 0000000000000fff R08: ffff88807e07c627 R09: 1ffff1100fc0f8c4\nR10: dffffc0000000000 R11: ffffed100fc0f8c5 R12: ffff88807e07c380\nR13: dffffc0000000000 R14: ffff88807e07c60c R15: 1ffff1100fc0f872\nFS: 00005555604c4500(0000) GS:ffff888125af1000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005555604df5c8 CR3: 0000000032b06000 CR4: 00000000003526f0\nCall Trace:\n \u003cIRQ\u003e\n __sk_destruct+0x86/0x660 net/core/sock.c:2339\n rcu_do_batch kernel/rcu/tree.c:2605 [inline]\n rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861\n handle_softirqs+0x286/0x870 kernel/softirq.c:579\n __do_softirq kernel/softirq.c:613 [inline]\n invoke_softirq kernel/softirq.c:453 [inline]\n __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:696\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:46.411Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08f58d10f5abf11d297cc910754922498c921f91"
},
{
"url": "https://git.kernel.org/stable/c/05366527f44cf4b884f3d9462ae8009be9665856"
},
{
"url": "https://git.kernel.org/stable/c/7429b8b9bfbc276fd304fbaebc405f46b421fedf"
},
{
"url": "https://git.kernel.org/stable/c/9c2a6456bdf9794474460d885c359b6c4522d6e3"
},
{
"url": "https://git.kernel.org/stable/c/66bcb04a441fbf15d66834b7e3eefb313dd750c8"
},
{
"url": "https://git.kernel.org/stable/c/539920180c55f5e13a2488a2339f94e6b8cb69e0"
},
{
"url": "https://git.kernel.org/stable/c/de89e58368f8f07df005ecc1c86ad94898a999f2"
},
{
"url": "https://git.kernel.org/stable/c/a3967baad4d533dc254c31e0d221e51c8d223d58"
}
],
"title": "tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock-\u003ecork.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39913",
"datePublished": "2025-10-01T07:44:36.244Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:36.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71111 (GCVE-0-2025-71111)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
The macro FAN_FROM_REG evaluates its arguments multiple times. When used
in lockless contexts involving shared driver data, this leads to
Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially
causing divide-by-zero errors.
Convert the macro to a static function. This guarantees that arguments
are evaluated only once (pass-by-value), preventing the race
conditions.
Additionally, in store_fan_div, move the calculation of the minimum
limit inside the update lock. This ensures that the read-modify-write
sequence operates on consistent data.
Adhere to the principle of minimal changes by only converting macros
that evaluate arguments multiple times and are used in lockless
contexts.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9873964d6eb24bd0205394f9b791de9eddbcb855 , < 3dceb68f6ad33156032ef4da21a93d84059cca6d
(git)
Affected: 9873964d6eb24bd0205394f9b791de9eddbcb855 , < bf5b03227f2e6d4360004886d268f9df8993ef8f (git) Affected: 9873964d6eb24bd0205394f9b791de9eddbcb855 , < f2b579a0c37c0df19603d719894a942a295f634a (git) Affected: 9873964d6eb24bd0205394f9b791de9eddbcb855 , < f94800fbc26ccf7c81eb791707b038a57aa39a18 (git) Affected: 9873964d6eb24bd0205394f9b791de9eddbcb855 , < a9fb6e8835a22f5796c1182ed612daed3fd273af (git) Affected: 9873964d6eb24bd0205394f9b791de9eddbcb855 , < c8cf0c2bdcccc6634b6915ff793b844e12436680 (git) Affected: 9873964d6eb24bd0205394f9b791de9eddbcb855 , < 670d7ef945d3a84683594429aea6ab2cdfa5ceb4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/w83791d.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3dceb68f6ad33156032ef4da21a93d84059cca6d",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "bf5b03227f2e6d4360004886d268f9df8993ef8f",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "f2b579a0c37c0df19603d719894a942a295f634a",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "f94800fbc26ccf7c81eb791707b038a57aa39a18",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "a9fb6e8835a22f5796c1182ed612daed3fd273af",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "c8cf0c2bdcccc6634b6915ff793b844e12436680",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "670d7ef945d3a84683594429aea6ab2cdfa5ceb4",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/w83791d.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.18"
},
{
"lessThan": "2.6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (w83791d) Convert macros to functions to avoid TOCTOU\n\nThe macro FAN_FROM_REG evaluates its arguments multiple times. When used\nin lockless contexts involving shared driver data, this leads to\nTime-of-Check to Time-of-Use (TOCTOU) race conditions, potentially\ncausing divide-by-zero errors.\n\nConvert the macro to a static function. This guarantees that arguments\nare evaluated only once (pass-by-value), preventing the race\nconditions.\n\nAdditionally, in store_fan_div, move the calculation of the minimum\nlimit inside the update lock. This ensures that the read-modify-write\nsequence operates on consistent data.\n\nAdhere to the principle of minimal changes by only converting macros\nthat evaluate arguments multiple times and are used in lockless\ncontexts."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:05.517Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3dceb68f6ad33156032ef4da21a93d84059cca6d"
},
{
"url": "https://git.kernel.org/stable/c/bf5b03227f2e6d4360004886d268f9df8993ef8f"
},
{
"url": "https://git.kernel.org/stable/c/f2b579a0c37c0df19603d719894a942a295f634a"
},
{
"url": "https://git.kernel.org/stable/c/f94800fbc26ccf7c81eb791707b038a57aa39a18"
},
{
"url": "https://git.kernel.org/stable/c/a9fb6e8835a22f5796c1182ed612daed3fd273af"
},
{
"url": "https://git.kernel.org/stable/c/c8cf0c2bdcccc6634b6915ff793b844e12436680"
},
{
"url": "https://git.kernel.org/stable/c/670d7ef945d3a84683594429aea6ab2cdfa5ceb4"
}
],
"title": "hwmon: (w83791d) Convert macros to functions to avoid TOCTOU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71111",
"datePublished": "2026-01-14T15:05:58.649Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-02-09T08:35:05.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40244 (GCVE-0-2025-40244)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
The syzbot reported issue in __hfsplus_ext_cache_extent():
[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990
[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0
[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0
[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0
[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950
[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130
[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060
[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460
[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0
[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0
[ 70.199771][ T9350] ksys_write+0x23e/0x490
[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0
[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0
[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0
[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.202054][ T9350]
[ 70.202279][ T9350] Uninit was created at:
[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80
[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0
[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0
[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0
[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0
[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950
[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130
[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060
[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460
[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0
[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0
[ 70.207961][ T9350] ksys_write+0x23e/0x490
[ 70.208375][ T9350] __x64_sys_write+0x97/0xf0
[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0
[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0
[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.210230][ T9350]
[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5
[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.212115][ T9350] =====================================================
[ 70.212734][ T9350] Disabling lock debugging due to kernel taint
[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ...
[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5
[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE
[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.215999][ T9350] Call Trace:
[ 70.216309][ T9350] <TASK>
[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0
[ 70.217025][ T9350] dump_stack+0x1e/0x30
[ 70.217421][ T9350] panic+0x502/0xca0
[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...
kernel
:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
set ...
[ 70.221254][ T9350] ? __msan_warning+0x96/0x120
[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990
[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0
[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0
[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0
[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950
[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130
[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060
[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460
[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0
[ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0
[ 70.228997][ T9350] ? ksys_write+0x23e/0x490
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c1ec90bed504640a42bb20a5f413be39cd17ad71
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b8a72692aa42b7dcd179a96b90bc2763ac74576a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c135b8dca65526aa5b8814e9954e0ae317d9c598 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d7e313039a8f3a6ee072dc5ff4643234d2d735cf (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a5bfb13b4f406aef1a450f99d22d3e48df01528c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 99202d94909d323a30d154ab0261c0a07166daec (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 14c673a2f3ecf650b694a52a88688f1d71849899 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4840ceadef4290c56cc422f0fc697655f3cbf070 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bfind.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c1ec90bed504640a42bb20a5f413be39cd17ad71",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b8a72692aa42b7dcd179a96b90bc2763ac74576a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c135b8dca65526aa5b8814e9954e0ae317d9c598",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d7e313039a8f3a6ee072dc5ff4643234d2d735cf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a5bfb13b4f406aef1a450f99d22d3e48df01528c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "99202d94909d323a30d154ab0261c0a07166daec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "14c673a2f3ecf650b694a52a88688f1d71849899",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4840ceadef4290c56cc422f0fc697655f3cbf070",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bfind.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()\n\nThe syzbot reported issue in __hfsplus_ext_cache_extent():\n\n[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990\n[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990\n[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0\n[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0\n[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0\n[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950\n[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130\n[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060\n[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460\n[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0\n[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0\n[ 70.199771][ T9350] ksys_write+0x23e/0x490\n[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0\n[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0\n[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0\n[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.202054][ T9350]\n[ 70.202279][ T9350] Uninit was created at:\n[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80\n[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0\n[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0\n[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0\n[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0\n[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950\n[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130\n[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060\n[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460\n[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0\n[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0\n[ 70.207961][ T9350] ksys_write+0x23e/0x490\n[ 70.208375][ T9350] __x64_sys_write+0x97/0xf0\n[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0\n[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0\n[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.210230][ T9350]\n[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5\n[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 70.212115][ T9350] =====================================================\n[ 70.212734][ T9350] Disabling lock debugging due to kernel taint\n[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ...\n[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5\n[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE\n[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 70.215999][ T9350] Call Trace:\n[ 70.216309][ T9350] \u003cTASK\u003e\n[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0\n[ 70.217025][ T9350] dump_stack+0x1e/0x30\n[ 70.217421][ T9350] panic+0x502/0xca0\n[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0\n\n[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...\n kernel\n:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0\nset ...\n[ 70.221254][ T9350] ? __msan_warning+0x96/0x120\n[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990\n[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0\n[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0\n[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0\n[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950\n[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130\n[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060\n[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460\n[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0\n[ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0\n[ 70.228997][ T9350] ? ksys_write+0x23e/0x490\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:14.257Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c1ec90bed504640a42bb20a5f413be39cd17ad71"
},
{
"url": "https://git.kernel.org/stable/c/b8a72692aa42b7dcd179a96b90bc2763ac74576a"
},
{
"url": "https://git.kernel.org/stable/c/c135b8dca65526aa5b8814e9954e0ae317d9c598"
},
{
"url": "https://git.kernel.org/stable/c/d7e313039a8f3a6ee072dc5ff4643234d2d735cf"
},
{
"url": "https://git.kernel.org/stable/c/a5bfb13b4f406aef1a450f99d22d3e48df01528c"
},
{
"url": "https://git.kernel.org/stable/c/99202d94909d323a30d154ab0261c0a07166daec"
},
{
"url": "https://git.kernel.org/stable/c/14c673a2f3ecf650b694a52a88688f1d71849899"
},
{
"url": "https://git.kernel.org/stable/c/4840ceadef4290c56cc422f0fc697655f3cbf070"
}
],
"title": "hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40244",
"datePublished": "2025-12-04T15:31:33.249Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2026-01-02T15:33:14.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40313 (GCVE-0-2025-40313)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
ntfs3: pretend $Extend records as regular files
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: pretend $Extend records as regular files
Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()")
requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/
S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4534a70b7056fd4b9a1c6db5a4ce3c98546b291e , < 63eb6730ce0604d3eacf036c2f68ea70b068317c
(git)
Affected: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e , < 78d46f5276ed3589aaaa435580068c5b62efc921 (git) Affected: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e , < 17249b2a65274f73ed68bcd1604e08a60fd8a278 (git) Affected: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e , < 37f65e68ba9852dc51c78dbb54a9881c3f0fe4f7 (git) Affected: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e , < 57534db1bbc4ca772393bb7d92e69d5e7b9051cf (git) Affected: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e , < 4e8011ffec79717e5fdac43a7e79faf811a384b7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "63eb6730ce0604d3eacf036c2f68ea70b068317c",
"status": "affected",
"version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
"versionType": "git"
},
{
"lessThan": "78d46f5276ed3589aaaa435580068c5b62efc921",
"status": "affected",
"version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
"versionType": "git"
},
{
"lessThan": "17249b2a65274f73ed68bcd1604e08a60fd8a278",
"status": "affected",
"version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
"versionType": "git"
},
{
"lessThan": "37f65e68ba9852dc51c78dbb54a9881c3f0fe4f7",
"status": "affected",
"version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
"versionType": "git"
},
{
"lessThan": "57534db1bbc4ca772393bb7d92e69d5e7b9051cf",
"status": "affected",
"version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
"versionType": "git"
},
{
"lessThan": "4e8011ffec79717e5fdac43a7e79faf811a384b7",
"status": "affected",
"version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: pretend $Extend records as regular files\n\nSince commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\")\nrequires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/\nS_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:02.840Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/63eb6730ce0604d3eacf036c2f68ea70b068317c"
},
{
"url": "https://git.kernel.org/stable/c/78d46f5276ed3589aaaa435580068c5b62efc921"
},
{
"url": "https://git.kernel.org/stable/c/17249b2a65274f73ed68bcd1604e08a60fd8a278"
},
{
"url": "https://git.kernel.org/stable/c/37f65e68ba9852dc51c78dbb54a9881c3f0fe4f7"
},
{
"url": "https://git.kernel.org/stable/c/57534db1bbc4ca772393bb7d92e69d5e7b9051cf"
},
{
"url": "https://git.kernel.org/stable/c/4e8011ffec79717e5fdac43a7e79faf811a384b7"
}
],
"title": "ntfs3: pretend $Extend records as regular files",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40313",
"datePublished": "2025-12-08T00:46:39.444Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-20T08:52:02.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40363 (GCVE-0-2025-40363)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:40 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
net: ipv6: fix field-spanning memcpy warning in AH output
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: fix field-spanning memcpy warning in AH output
Fix field-spanning memcpy warnings in ah6_output() and
ah6_output_done() where extension headers are copied to/from IPv6
address fields, triggering fortify-string warnings about writes beyond
the 16-byte address fields.
memcpy: detected field-spanning write (size 40) of single field "&top_iph->saddr" at net/ipv6/ah6.c:439 (size 16)
WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439
The warnings are false positives as the extension headers are
intentionally placed after the IPv6 header in memory. Fix by properly
copying addresses and extension headers separately, and introduce
helper functions to avoid code duplication.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2da805a61ef5272a2773775ce14c3650adb84248
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9bf27de51bd6db5ff827780ec0eba55de230ba45 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0bf756ae1e69fec5e6332c37830488315d6d771b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 75b16b2755e12999ad850756ddfb88ad4bfc7186 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f28dde240160f3c48a50d641d210ed6a3b9596ed (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c14cf41094136691c92ef756872570645d61f4a1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b056f971bd72b373b7ae2025a8f3bd18f69653d3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2327a3d6f65ce2fe2634546dde4a25ef52296fec (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ah6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2da805a61ef5272a2773775ce14c3650adb84248",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9bf27de51bd6db5ff827780ec0eba55de230ba45",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0bf756ae1e69fec5e6332c37830488315d6d771b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "75b16b2755e12999ad850756ddfb88ad4bfc7186",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f28dde240160f3c48a50d641d210ed6a3b9596ed",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c14cf41094136691c92ef756872570645d61f4a1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b056f971bd72b373b7ae2025a8f3bd18f69653d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2327a3d6f65ce2fe2634546dde4a25ef52296fec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ah6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix field-spanning memcpy warning in AH output\n\nFix field-spanning memcpy warnings in ah6_output() and\nah6_output_done() where extension headers are copied to/from IPv6\naddress fields, triggering fortify-string warnings about writes beyond\nthe 16-byte address fields.\n\n memcpy: detected field-spanning write (size 40) of single field \"\u0026top_iph-\u003esaddr\" at net/ipv6/ah6.c:439 (size 16)\n WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439\n\nThe warnings are false positives as the extension headers are\nintentionally placed after the IPv6 header in memory. Fix by properly\ncopying addresses and extension headers separately, and introduce\nhelper functions to avoid code duplication."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:57.367Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2da805a61ef5272a2773775ce14c3650adb84248"
},
{
"url": "https://git.kernel.org/stable/c/9bf27de51bd6db5ff827780ec0eba55de230ba45"
},
{
"url": "https://git.kernel.org/stable/c/0bf756ae1e69fec5e6332c37830488315d6d771b"
},
{
"url": "https://git.kernel.org/stable/c/75b16b2755e12999ad850756ddfb88ad4bfc7186"
},
{
"url": "https://git.kernel.org/stable/c/f28dde240160f3c48a50d641d210ed6a3b9596ed"
},
{
"url": "https://git.kernel.org/stable/c/c14cf41094136691c92ef756872570645d61f4a1"
},
{
"url": "https://git.kernel.org/stable/c/b056f971bd72b373b7ae2025a8f3bd18f69653d3"
},
{
"url": "https://git.kernel.org/stable/c/2327a3d6f65ce2fe2634546dde4a25ef52296fec"
}
],
"title": "net: ipv6: fix field-spanning memcpy warning in AH output",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40363",
"datePublished": "2025-12-16T13:40:03.265Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-01-02T15:33:57.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68204 (GCVE-0-2025-68204)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2025-12-16 13:48
VLAI?
EPSS
Title
pmdomain: arm: scmi: Fix genpd leak on provider registration failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: arm: scmi: Fix genpd leak on provider registration failure
If of_genpd_add_provider_onecell() fails during probe, the previously
created generic power domains are not removed, leading to a memory leak
and potential kernel crash later in genpd_debug_add().
Add proper error handling to unwind the initialized domains before
returning from probe to ensure all resources are correctly released on
failure.
Example crash trace observed without this fix:
| Unable to handle kernel paging request at virtual address fffffffffffffc70
| CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT
| Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform
| pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : genpd_debug_add+0x2c/0x160
| lr : genpd_debug_init+0x74/0x98
| Call trace:
| genpd_debug_add+0x2c/0x160 (P)
| genpd_debug_init+0x74/0x98
| do_one_initcall+0xd0/0x2d8
| do_initcall_level+0xa0/0x140
| do_initcalls+0x60/0xa8
| do_basic_setup+0x28/0x40
| kernel_init_freeable+0xe8/0x170
| kernel_init+0x2c/0x140
| ret_from_fork+0x10/0x20
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
898216c97ed2ebfffda659ce12388da43534de6c , < 18249a167ffd91b4b4fbd92afd4ddcbf3af81f35
(git)
Affected: 898216c97ed2ebfffda659ce12388da43534de6c , < c6e11d320fd6cbaef6d589f2fcb45aa25a6b960a (git) Affected: 898216c97ed2ebfffda659ce12388da43534de6c , < 582f48d22eb5676fe7be3589b986ddd29f7bf4d1 (git) Affected: 898216c97ed2ebfffda659ce12388da43534de6c , < 7f569197f7ad09319af960bd7e43109de5c67c04 (git) Affected: 898216c97ed2ebfffda659ce12388da43534de6c , < ad120c08b89a81d41d091490bbe150343473b659 (git) Affected: 898216c97ed2ebfffda659ce12388da43534de6c , < 921b090841ae7a08b19ab14495bdf8636dc31e21 (git) Affected: 898216c97ed2ebfffda659ce12388da43534de6c , < 983e91da82ec3e331600108f9be3ea61236f5c75 (git) Affected: 898216c97ed2ebfffda659ce12388da43534de6c , < 7458f72cc28f9eb0de811effcb5376d0ec19094a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/arm/scmi_pm_domain.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18249a167ffd91b4b4fbd92afd4ddcbf3af81f35",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "c6e11d320fd6cbaef6d589f2fcb45aa25a6b960a",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "582f48d22eb5676fe7be3589b986ddd29f7bf4d1",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "7f569197f7ad09319af960bd7e43109de5c67c04",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "ad120c08b89a81d41d091490bbe150343473b659",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "921b090841ae7a08b19ab14495bdf8636dc31e21",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "983e91da82ec3e331600108f9be3ea61236f5c75",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "7458f72cc28f9eb0de811effcb5376d0ec19094a",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/arm/scmi_pm_domain.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: arm: scmi: Fix genpd leak on provider registration failure\n\nIf of_genpd_add_provider_onecell() fails during probe, the previously\ncreated generic power domains are not removed, leading to a memory leak\nand potential kernel crash later in genpd_debug_add().\n\nAdd proper error handling to unwind the initialized domains before\nreturning from probe to ensure all resources are correctly released on\nfailure.\n\nExample crash trace observed without this fix:\n\n | Unable to handle kernel paging request at virtual address fffffffffffffc70\n | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT\n | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform\n | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n | pc : genpd_debug_add+0x2c/0x160\n | lr : genpd_debug_init+0x74/0x98\n | Call trace:\n | genpd_debug_add+0x2c/0x160 (P)\n | genpd_debug_init+0x74/0x98\n | do_one_initcall+0xd0/0x2d8\n | do_initcall_level+0xa0/0x140\n | do_initcalls+0x60/0xa8\n | do_basic_setup+0x28/0x40\n | kernel_init_freeable+0xe8/0x170\n | kernel_init+0x2c/0x140\n | ret_from_fork+0x10/0x20"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:48:31.850Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18249a167ffd91b4b4fbd92afd4ddcbf3af81f35"
},
{
"url": "https://git.kernel.org/stable/c/c6e11d320fd6cbaef6d589f2fcb45aa25a6b960a"
},
{
"url": "https://git.kernel.org/stable/c/582f48d22eb5676fe7be3589b986ddd29f7bf4d1"
},
{
"url": "https://git.kernel.org/stable/c/7f569197f7ad09319af960bd7e43109de5c67c04"
},
{
"url": "https://git.kernel.org/stable/c/ad120c08b89a81d41d091490bbe150343473b659"
},
{
"url": "https://git.kernel.org/stable/c/921b090841ae7a08b19ab14495bdf8636dc31e21"
},
{
"url": "https://git.kernel.org/stable/c/983e91da82ec3e331600108f9be3ea61236f5c75"
},
{
"url": "https://git.kernel.org/stable/c/7458f72cc28f9eb0de811effcb5376d0ec19094a"
}
],
"title": "pmdomain: arm: scmi: Fix genpd leak on provider registration failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68204",
"datePublished": "2025-12-16T13:48:31.850Z",
"dateReserved": "2025-12-16T13:41:40.255Z",
"dateUpdated": "2025-12-16T13:48:31.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68329 (GCVE-0-2025-68329)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2025-12-22 16:14
VLAI?
EPSS
Title
tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs
When a VMA is split (e.g., by partial munmap or MAP_FIXED), the kernel
calls vm_ops->close on each portion. For trace buffer mappings, this
results in ring_buffer_unmap() being called multiple times while
ring_buffer_map() was only called once.
This causes ring_buffer_unmap() to return -ENODEV on subsequent calls
because user_mapped is already 0, triggering a WARN_ON.
Trace buffer mappings cannot support partial mappings because the ring
buffer structure requires the complete buffer including the meta page.
Fix this by adding a may_split callback that returns -EINVAL to prevent
VMA splits entirely.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64 , < 922fdd0b755a84f9933b3ca195f60092b6bb88ee
(git)
Affected: cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64 , < 45053c12c45f0fb8ef6ab95118dd928d2fec0255 (git) Affected: cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64 , < b042fdf18e89a347177a49e795d8e5184778b5b6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "922fdd0b755a84f9933b3ca195f60092b6bb88ee",
"status": "affected",
"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64",
"versionType": "git"
},
{
"lessThan": "45053c12c45f0fb8ef6ab95118dd928d2fec0255",
"status": "affected",
"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64",
"versionType": "git"
},
{
"lessThan": "b042fdf18e89a347177a49e795d8e5184778b5b6",
"status": "affected",
"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs\n\nWhen a VMA is split (e.g., by partial munmap or MAP_FIXED), the kernel\ncalls vm_ops-\u003eclose on each portion. For trace buffer mappings, this\nresults in ring_buffer_unmap() being called multiple times while\nring_buffer_map() was only called once.\n\nThis causes ring_buffer_unmap() to return -ENODEV on subsequent calls\nbecause user_mapped is already 0, triggering a WARN_ON.\n\nTrace buffer mappings cannot support partial mappings because the ring\nbuffer structure requires the complete buffer including the meta page.\n\nFix this by adding a may_split callback that returns -EINVAL to prevent\nVMA splits entirely."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:06.466Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/922fdd0b755a84f9933b3ca195f60092b6bb88ee"
},
{
"url": "https://git.kernel.org/stable/c/45053c12c45f0fb8ef6ab95118dd928d2fec0255"
},
{
"url": "https://git.kernel.org/stable/c/b042fdf18e89a347177a49e795d8e5184778b5b6"
}
],
"title": "tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68329",
"datePublished": "2025-12-22T16:12:23.133Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-22T16:14:06.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71114 (GCVE-0-2025-71114)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
via_wdt: fix critical boot hang due to unnamed resource allocation
Summary
In the Linux kernel, the following vulnerability has been resolved:
via_wdt: fix critical boot hang due to unnamed resource allocation
The VIA watchdog driver uses allocate_resource() to reserve a MMIO
region for the watchdog control register. However, the allocated
resource was not given a name, which causes the kernel resource tree
to contain an entry marked as "<BAD>" under /proc/iomem on x86
platforms.
During boot, this unnamed resource can lead to a critical hang because
subsequent resource lookups and conflict checks fail to handle the
invalid entry properly.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d , < 1d56025a3af50db0f3da2792f41eb9943eee5324
(git)
Affected: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d , < c7b986adc9e9336066350542ac5a2005d305ae78 (git) Affected: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d , < 47c910965c936724070d2a8094a4c3ed8f452856 (git) Affected: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d , < d2c7c90aca7b37f60f16b2bedcfeb16204f2f35d (git) Affected: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d , < f7b6370d0fbee06a867037d675797a606cb62e57 (git) Affected: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d , < c6a2dd4f2e4e6cbdfe7a1618160281af897b75db (git) Affected: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d , < 7aa31ee9ec92915926e74731378c009c9cc04928 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/watchdog/via_wdt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1d56025a3af50db0f3da2792f41eb9943eee5324",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "c7b986adc9e9336066350542ac5a2005d305ae78",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "47c910965c936724070d2a8094a4c3ed8f452856",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "d2c7c90aca7b37f60f16b2bedcfeb16204f2f35d",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "f7b6370d0fbee06a867037d675797a606cb62e57",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "c6a2dd4f2e4e6cbdfe7a1618160281af897b75db",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "7aa31ee9ec92915926e74731378c009c9cc04928",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/watchdog/via_wdt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvia_wdt: fix critical boot hang due to unnamed resource allocation\n\nThe VIA watchdog driver uses allocate_resource() to reserve a MMIO\nregion for the watchdog control register. However, the allocated\nresource was not given a name, which causes the kernel resource tree\nto contain an entry marked as \"\u003cBAD\u003e\" under /proc/iomem on x86\nplatforms.\n\nDuring boot, this unnamed resource can lead to a critical hang because\nsubsequent resource lookups and conflict checks fail to handle the\ninvalid entry properly."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:08.836Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1d56025a3af50db0f3da2792f41eb9943eee5324"
},
{
"url": "https://git.kernel.org/stable/c/c7b986adc9e9336066350542ac5a2005d305ae78"
},
{
"url": "https://git.kernel.org/stable/c/47c910965c936724070d2a8094a4c3ed8f452856"
},
{
"url": "https://git.kernel.org/stable/c/d2c7c90aca7b37f60f16b2bedcfeb16204f2f35d"
},
{
"url": "https://git.kernel.org/stable/c/f7b6370d0fbee06a867037d675797a606cb62e57"
},
{
"url": "https://git.kernel.org/stable/c/c6a2dd4f2e4e6cbdfe7a1618160281af897b75db"
},
{
"url": "https://git.kernel.org/stable/c/7aa31ee9ec92915926e74731378c009c9cc04928"
}
],
"title": "via_wdt: fix critical boot hang due to unnamed resource allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71114",
"datePublished": "2026-01-14T15:06:00.848Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-02-09T08:35:08.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40343 (GCVE-0-2025-40343)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:10 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
nvmet-fc: avoid scheduling association deletion twice
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet-fc: avoid scheduling association deletion twice
When forcefully shutting down a port via the configfs interface,
nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and
then nvmet_disable_port(). Both functions will eventually schedule all
remaining associations for deletion.
The current implementation checks whether an association is about to be
removed, but only after the work item has already been scheduled. As a
result, it is possible for the first scheduled work item to free all
resources, and then for the same work item to be scheduled again for
deletion.
Because the association list is an RCU list, it is not possible to take
a lock and remove the list entry directly, so it cannot be looked up
again. Instead, a flag (terminating) must be used to determine whether
the association is already in the process of being deleted.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a07b4970f464f13640e28e16dad6cfa33647cc99 , < 2f4852db87e25d4e226b25cb6f652fef9504360e
(git)
Affected: a07b4970f464f13640e28e16dad6cfa33647cc99 , < 85e2ce1920cb511d57aae59f0df6ff85b28bf04d (git) Affected: a07b4970f464f13640e28e16dad6cfa33647cc99 , < 601ed47b2363c24d948d7bac0c23abc8bd459570 (git) Affected: a07b4970f464f13640e28e16dad6cfa33647cc99 , < 04d17540ef51e2c291eb863ca87fd332259b2d40 (git) Affected: a07b4970f464f13640e28e16dad6cfa33647cc99 , < c09ac9a63fc3aaf4670ad7b5e4f5afd764424154 (git) Affected: a07b4970f464f13640e28e16dad6cfa33647cc99 , < f2537be4f8421f6495edfa0bc284d722f253841d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f4852db87e25d4e226b25cb6f652fef9504360e",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "85e2ce1920cb511d57aae59f0df6ff85b28bf04d",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "601ed47b2363c24d948d7bac0c23abc8bd459570",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "04d17540ef51e2c291eb863ca87fd332259b2d40",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "c09ac9a63fc3aaf4670ad7b5e4f5afd764424154",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "f2537be4f8421f6495edfa0bc284d722f253841d",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fc: avoid scheduling association deletion twice\n\nWhen forcefully shutting down a port via the configfs interface,\nnvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and\nthen nvmet_disable_port(). Both functions will eventually schedule all\nremaining associations for deletion.\n\nThe current implementation checks whether an association is about to be\nremoved, but only after the work item has already been scheduled. As a\nresult, it is possible for the first scheduled work item to free all\nresources, and then for the same work item to be scheduled again for\ndeletion.\n\nBecause the association list is an RCU list, it is not possible to take\na lock and remove the list entry directly, so it cannot be looked up\nagain. Instead, a flag (terminating) must be used to determine whether\nthe association is already in the process of being deleted."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:13.716Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f4852db87e25d4e226b25cb6f652fef9504360e"
},
{
"url": "https://git.kernel.org/stable/c/85e2ce1920cb511d57aae59f0df6ff85b28bf04d"
},
{
"url": "https://git.kernel.org/stable/c/601ed47b2363c24d948d7bac0c23abc8bd459570"
},
{
"url": "https://git.kernel.org/stable/c/04d17540ef51e2c291eb863ca87fd332259b2d40"
},
{
"url": "https://git.kernel.org/stable/c/c09ac9a63fc3aaf4670ad7b5e4f5afd764424154"
},
{
"url": "https://git.kernel.org/stable/c/f2537be4f8421f6495edfa0bc284d722f253841d"
}
],
"title": "nvmet-fc: avoid scheduling association deletion twice",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40343",
"datePublished": "2025-12-09T04:10:00.973Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-20T08:52:13.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40198 (GCVE-0-2025-40198)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
Unlike other strings in the ext4 superblock, we rely on tune2fs to
make sure s_mount_opts is NUL terminated. Harden
parse_apply_sb_mount_options() by treating s_mount_opts as a potential
__nonstring.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < 7bf46ff83a0ef11836e38ebd72cdc5107209342d
(git)
Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < b2bac84fde28fb6a88817b8b761abda17a1d300b (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < e651294218d2684302ee5ed95ccf381646f3e5b4 (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < 01829af7656b56d83682b3491265d583d502e502 (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < 2a0cf438320cdb783e0378570744c0ef0d83e934 (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < a6e94557cd05adc82fae0400f6e17745563e5412 (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7bf46ff83a0ef11836e38ebd72cdc5107209342d",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "b2bac84fde28fb6a88817b8b761abda17a1d300b",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "e651294218d2684302ee5ed95ccf381646f3e5b4",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "01829af7656b56d83682b3491265d583d502e502",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "2a0cf438320cdb783e0378570744c0ef0d83e934",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "a6e94557cd05adc82fae0400f6e17745563e5412",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid potential buffer over-read in parse_apply_sb_mount_options()\n\nUnlike other strings in the ext4 superblock, we rely on tune2fs to\nmake sure s_mount_opts is NUL terminated. Harden\nparse_apply_sb_mount_options() by treating s_mount_opts as a potential\n__nonstring."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:59.495Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7bf46ff83a0ef11836e38ebd72cdc5107209342d"
},
{
"url": "https://git.kernel.org/stable/c/b2bac84fde28fb6a88817b8b761abda17a1d300b"
},
{
"url": "https://git.kernel.org/stable/c/e651294218d2684302ee5ed95ccf381646f3e5b4"
},
{
"url": "https://git.kernel.org/stable/c/01829af7656b56d83682b3491265d583d502e502"
},
{
"url": "https://git.kernel.org/stable/c/2a0cf438320cdb783e0378570744c0ef0d83e934"
},
{
"url": "https://git.kernel.org/stable/c/a6e94557cd05adc82fae0400f6e17745563e5412"
},
{
"url": "https://git.kernel.org/stable/c/8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8"
}
],
"title": "ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40198",
"datePublished": "2025-11-12T21:56:33.220Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-12-01T06:19:59.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40259 (GCVE-0-2025-40259)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
scsi: sg: Do not sleep in atomic context
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: sg: Do not sleep in atomic context
sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may
sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead
of disabled.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
97d27b0dd015e980ade63fda111fd1353276e28b , < 11eeee00c94d770d4e45364060b5f1526dfe567b
(git)
Affected: 97d27b0dd015e980ade63fda111fd1353276e28b , < db6ac8703ab2b473e1ec845f57f6dd961a388d9f (git) Affected: 97d27b0dd015e980ade63fda111fd1353276e28b , < 109afbd88ecc46b6cc7551367222387e97999765 (git) Affected: 97d27b0dd015e980ade63fda111fd1353276e28b , < 3dfd520c3b4ffe69e0630c580717d40447ab842f (git) Affected: 97d27b0dd015e980ade63fda111fd1353276e28b , < b343cee5df7e750d9033fba33e96fc4399fa88a5 (git) Affected: 97d27b0dd015e980ade63fda111fd1353276e28b , < b2c0340cfa25c5c1f65e8590cc1a2dc97d14ef0f (git) Affected: 97d27b0dd015e980ade63fda111fd1353276e28b , < 6983d8375c040bb449d2187f4a57a20de01244fe (git) Affected: 97d27b0dd015e980ade63fda111fd1353276e28b , < 90449f2d1e1f020835cba5417234636937dd657e (git) Affected: 8d1f3b474a89b42f957ba3bae959dd3cd16531ca (git) Affected: fa55ef3f803fc7c20be0ab809e6278c31febd875 (git) Affected: 6af37613289cfd32516ada47e444b48a638829c8 (git) Affected: 4a8e8e0af9a520a685e0ab2d489327d5220d7ce2 (git) Affected: ae9b6ae2e77947534e255903627cc62746ea77e2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/sg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11eeee00c94d770d4e45364060b5f1526dfe567b",
"status": "affected",
"version": "97d27b0dd015e980ade63fda111fd1353276e28b",
"versionType": "git"
},
{
"lessThan": "db6ac8703ab2b473e1ec845f57f6dd961a388d9f",
"status": "affected",
"version": "97d27b0dd015e980ade63fda111fd1353276e28b",
"versionType": "git"
},
{
"lessThan": "109afbd88ecc46b6cc7551367222387e97999765",
"status": "affected",
"version": "97d27b0dd015e980ade63fda111fd1353276e28b",
"versionType": "git"
},
{
"lessThan": "3dfd520c3b4ffe69e0630c580717d40447ab842f",
"status": "affected",
"version": "97d27b0dd015e980ade63fda111fd1353276e28b",
"versionType": "git"
},
{
"lessThan": "b343cee5df7e750d9033fba33e96fc4399fa88a5",
"status": "affected",
"version": "97d27b0dd015e980ade63fda111fd1353276e28b",
"versionType": "git"
},
{
"lessThan": "b2c0340cfa25c5c1f65e8590cc1a2dc97d14ef0f",
"status": "affected",
"version": "97d27b0dd015e980ade63fda111fd1353276e28b",
"versionType": "git"
},
{
"lessThan": "6983d8375c040bb449d2187f4a57a20de01244fe",
"status": "affected",
"version": "97d27b0dd015e980ade63fda111fd1353276e28b",
"versionType": "git"
},
{
"lessThan": "90449f2d1e1f020835cba5417234636937dd657e",
"status": "affected",
"version": "97d27b0dd015e980ade63fda111fd1353276e28b",
"versionType": "git"
},
{
"status": "affected",
"version": "8d1f3b474a89b42f957ba3bae959dd3cd16531ca",
"versionType": "git"
},
{
"status": "affected",
"version": "fa55ef3f803fc7c20be0ab809e6278c31febd875",
"versionType": "git"
},
{
"status": "affected",
"version": "6af37613289cfd32516ada47e444b48a638829c8",
"versionType": "git"
},
{
"status": "affected",
"version": "4a8e8e0af9a520a685e0ab2d489327d5220d7ce2",
"versionType": "git"
},
{
"status": "affected",
"version": "ae9b6ae2e77947534e255903627cc62746ea77e2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/sg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.101",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: sg: Do not sleep in atomic context\n\nsg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may\nsleep. Hence, call sg_finish_rem_req() with interrupts enabled instead\nof disabled."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:58.302Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11eeee00c94d770d4e45364060b5f1526dfe567b"
},
{
"url": "https://git.kernel.org/stable/c/db6ac8703ab2b473e1ec845f57f6dd961a388d9f"
},
{
"url": "https://git.kernel.org/stable/c/109afbd88ecc46b6cc7551367222387e97999765"
},
{
"url": "https://git.kernel.org/stable/c/3dfd520c3b4ffe69e0630c580717d40447ab842f"
},
{
"url": "https://git.kernel.org/stable/c/b343cee5df7e750d9033fba33e96fc4399fa88a5"
},
{
"url": "https://git.kernel.org/stable/c/b2c0340cfa25c5c1f65e8590cc1a2dc97d14ef0f"
},
{
"url": "https://git.kernel.org/stable/c/6983d8375c040bb449d2187f4a57a20de01244fe"
},
{
"url": "https://git.kernel.org/stable/c/90449f2d1e1f020835cba5417234636937dd657e"
}
],
"title": "scsi: sg: Do not sleep in atomic context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40259",
"datePublished": "2025-12-04T16:08:19.904Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2025-12-06T21:38:58.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68290 (GCVE-0-2025-68290)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
most: usb: fix double free on late probe failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
most: usb: fix double free on late probe failure
The MOST subsystem has a non-standard registration function which frees
the interface on registration failures and on deregistration.
This unsurprisingly leads to bugs in the MOST drivers, and a couple of
recent changes turned a reference underflow and use-after-free in the
USB driver into several double free and a use-after-free on late probe
failures.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 90e6ce2b1b19fb8b9d4afee69f40e4c6a4791154
(git)
Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < a4c4118c2af284835b16431bbfe77e0130c06fef (git) Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 0dece48660be16918ecf2dbdc7193e8be03e1693 (git) Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 993bfdc3842893c394de13c8200c338ebb979589 (git) Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 2274767dc02b756b25e3db1e31c0ed47c2a78442 (git) Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 8d8ffefe3d5d8b7b73efb866db61130107299c5c (git) Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < baadf2a5c26e802a46573eaad331b427b49aaa36 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90e6ce2b1b19fb8b9d4afee69f40e4c6a4791154",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "a4c4118c2af284835b16431bbfe77e0130c06fef",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "0dece48660be16918ecf2dbdc7193e8be03e1693",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "993bfdc3842893c394de13c8200c338ebb979589",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "2274767dc02b756b25e3db1e31c0ed47c2a78442",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "8d8ffefe3d5d8b7b73efb866db61130107299c5c",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "baadf2a5c26e802a46573eaad331b427b49aaa36",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: usb: fix double free on late probe failure\n\nThe MOST subsystem has a non-standard registration function which frees\nthe interface on registration failures and on deregistration.\n\nThis unsurprisingly leads to bugs in the MOST drivers, and a couple of\nrecent changes turned a reference underflow and use-after-free in the\nUSB driver into several double free and a use-after-free on late probe\nfailures."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:11.202Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90e6ce2b1b19fb8b9d4afee69f40e4c6a4791154"
},
{
"url": "https://git.kernel.org/stable/c/a4c4118c2af284835b16431bbfe77e0130c06fef"
},
{
"url": "https://git.kernel.org/stable/c/0dece48660be16918ecf2dbdc7193e8be03e1693"
},
{
"url": "https://git.kernel.org/stable/c/993bfdc3842893c394de13c8200c338ebb979589"
},
{
"url": "https://git.kernel.org/stable/c/2274767dc02b756b25e3db1e31c0ed47c2a78442"
},
{
"url": "https://git.kernel.org/stable/c/8d8ffefe3d5d8b7b73efb866db61130107299c5c"
},
{
"url": "https://git.kernel.org/stable/c/baadf2a5c26e802a46573eaad331b427b49aaa36"
}
],
"title": "most: usb: fix double free on late probe failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68290",
"datePublished": "2025-12-16T15:06:11.202Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-16T15:06:11.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39949 (GCVE-0-2025-39949)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:31 – Updated: 2025-10-04 07:37
VLAI?
EPSS
Title
qed: Don't collect too many protection override GRC elements
Summary
In the Linux kernel, the following vulnerability has been resolved:
qed: Don't collect too many protection override GRC elements
In the protection override dump path, the firmware can return far too
many GRC elements, resulting in attempting to write past the end of the
previously-kmalloc'ed dump buffer.
This will result in a kernel panic with reason:
BUG: unable to handle kernel paging request at ADDRESS
where "ADDRESS" is just past the end of the protection override dump
buffer. The start address of the buffer is:
p_hwfn->cdev->dbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf
and the size of the buffer is buf_size in the same data structure.
The panic can be arrived at from either the qede Ethernet driver path:
[exception RIP: qed_grc_dump_addr_range+0x108]
qed_protection_override_dump at ffffffffc02662ed [qed]
qed_dbg_protection_override_dump at ffffffffc0267792 [qed]
qed_dbg_feature at ffffffffc026aa8f [qed]
qed_dbg_all_data at ffffffffc026b211 [qed]
qed_fw_fatal_reporter_dump at ffffffffc027298a [qed]
devlink_health_do_dump at ffffffff82497f61
devlink_health_report at ffffffff8249cf29
qed_report_fatal_error at ffffffffc0272baf [qed]
qede_sp_task at ffffffffc045ed32 [qede]
process_one_work at ffffffff81d19783
or the qedf storage driver path:
[exception RIP: qed_grc_dump_addr_range+0x108]
qed_protection_override_dump at ffffffffc068b2ed [qed]
qed_dbg_protection_override_dump at ffffffffc068c792 [qed]
qed_dbg_feature at ffffffffc068fa8f [qed]
qed_dbg_all_data at ffffffffc0690211 [qed]
qed_fw_fatal_reporter_dump at ffffffffc069798a [qed]
devlink_health_do_dump at ffffffff8aa95e51
devlink_health_report at ffffffff8aa9ae19
qed_report_fatal_error at ffffffffc0697baf [qed]
qed_hw_err_notify at ffffffffc06d32d7 [qed]
qed_spq_post at ffffffffc06b1011 [qed]
qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed]
qedf_cleanup_fcport at ffffffffc05e7597 [qedf]
qedf_rport_event_handler at ffffffffc05e7bf7 [qedf]
fc_rport_work at ffffffffc02da715 [libfc]
process_one_work at ffffffff8a319663
Resolve this by clamping the firmware's return value to the maximum
number of legal elements the firmware should return.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d52c89f120de849575f6b2e5948038f2be12ce6f , < 25672c620421fa2105703a94a29a03487245e6d6
(git)
Affected: d52c89f120de849575f6b2e5948038f2be12ce6f , < e0e24571a7b2f8c8f06e25d3417253ebbdbc8d5c (git) Affected: d52c89f120de849575f6b2e5948038f2be12ce6f , < 8141910869596b7a3a5d9b46107da2191d523f82 (git) Affected: d52c89f120de849575f6b2e5948038f2be12ce6f , < ea53e6a47e148b490b1c652fc65d2de5a086df76 (git) Affected: d52c89f120de849575f6b2e5948038f2be12ce6f , < 660b2a8f5a306a28c7efc1b4990ecc4912a68f87 (git) Affected: d52c89f120de849575f6b2e5948038f2be12ce6f , < 70affe82e38fd3dc76b9c68b5a1989f11e7fa0f3 (git) Affected: d52c89f120de849575f6b2e5948038f2be12ce6f , < 56c0a2a9ddc2f5b5078c5fb0f81ab76bbc3d4c37 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/qlogic/qed/qed_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25672c620421fa2105703a94a29a03487245e6d6",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "e0e24571a7b2f8c8f06e25d3417253ebbdbc8d5c",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "8141910869596b7a3a5d9b46107da2191d523f82",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "ea53e6a47e148b490b1c652fc65d2de5a086df76",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "660b2a8f5a306a28c7efc1b4990ecc4912a68f87",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "70affe82e38fd3dc76b9c68b5a1989f11e7fa0f3",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "56c0a2a9ddc2f5b5078c5fb0f81ab76bbc3d4c37",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/qlogic/qed/qed_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nqed: Don\u0027t collect too many protection override GRC elements\n\nIn the protection override dump path, the firmware can return far too\nmany GRC elements, resulting in attempting to write past the end of the\npreviously-kmalloc\u0027ed dump buffer.\n\nThis will result in a kernel panic with reason:\n\n BUG: unable to handle kernel paging request at ADDRESS\n\nwhere \"ADDRESS\" is just past the end of the protection override dump\nbuffer. The start address of the buffer is:\n p_hwfn-\u003ecdev-\u003edbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf\nand the size of the buffer is buf_size in the same data structure.\n\nThe panic can be arrived at from either the qede Ethernet driver path:\n\n [exception RIP: qed_grc_dump_addr_range+0x108]\n qed_protection_override_dump at ffffffffc02662ed [qed]\n qed_dbg_protection_override_dump at ffffffffc0267792 [qed]\n qed_dbg_feature at ffffffffc026aa8f [qed]\n qed_dbg_all_data at ffffffffc026b211 [qed]\n qed_fw_fatal_reporter_dump at ffffffffc027298a [qed]\n devlink_health_do_dump at ffffffff82497f61\n devlink_health_report at ffffffff8249cf29\n qed_report_fatal_error at ffffffffc0272baf [qed]\n qede_sp_task at ffffffffc045ed32 [qede]\n process_one_work at ffffffff81d19783\n\nor the qedf storage driver path:\n\n [exception RIP: qed_grc_dump_addr_range+0x108]\n qed_protection_override_dump at ffffffffc068b2ed [qed]\n qed_dbg_protection_override_dump at ffffffffc068c792 [qed]\n qed_dbg_feature at ffffffffc068fa8f [qed]\n qed_dbg_all_data at ffffffffc0690211 [qed]\n qed_fw_fatal_reporter_dump at ffffffffc069798a [qed]\n devlink_health_do_dump at ffffffff8aa95e51\n devlink_health_report at ffffffff8aa9ae19\n qed_report_fatal_error at ffffffffc0697baf [qed]\n qed_hw_err_notify at ffffffffc06d32d7 [qed]\n qed_spq_post at ffffffffc06b1011 [qed]\n qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed]\n qedf_cleanup_fcport at ffffffffc05e7597 [qedf]\n qedf_rport_event_handler at ffffffffc05e7bf7 [qedf]\n fc_rport_work at ffffffffc02da715 [libfc]\n process_one_work at ffffffff8a319663\n\nResolve this by clamping the firmware\u0027s return value to the maximum\nnumber of legal elements the firmware should return."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:05.967Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25672c620421fa2105703a94a29a03487245e6d6"
},
{
"url": "https://git.kernel.org/stable/c/e0e24571a7b2f8c8f06e25d3417253ebbdbc8d5c"
},
{
"url": "https://git.kernel.org/stable/c/8141910869596b7a3a5d9b46107da2191d523f82"
},
{
"url": "https://git.kernel.org/stable/c/ea53e6a47e148b490b1c652fc65d2de5a086df76"
},
{
"url": "https://git.kernel.org/stable/c/660b2a8f5a306a28c7efc1b4990ecc4912a68f87"
},
{
"url": "https://git.kernel.org/stable/c/70affe82e38fd3dc76b9c68b5a1989f11e7fa0f3"
},
{
"url": "https://git.kernel.org/stable/c/56c0a2a9ddc2f5b5078c5fb0f81ab76bbc3d4c37"
}
],
"title": "qed: Don\u0027t collect too many protection override GRC elements",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39949",
"datePublished": "2025-10-04T07:31:10.164Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:37:05.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68311 (GCVE-0-2025-68311)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
tty: serial: ip22zilog: Use platform device for probing
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: serial: ip22zilog: Use platform device for probing
After commit 84a9582fd203 ("serial: core: Start managing serial controllers
to enable runtime PM") serial drivers need to provide a device in
struct uart_port.dev otherwise an oops happens. To fix this issue
for ip22zilog driver switch driver to a platform driver and setup
the serial device in sgi-ip22 code.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
84a9582fd203063cd4d301204971ff2cd8327f1a , < 460e0dc9af2d7790d5194c6743d79f9b77b58836
(git)
Affected: 84a9582fd203063cd4d301204971ff2cd8327f1a , < 77a196ca904d66c8372aa8fbfc1c4ae3a66dee2e (git) Affected: 84a9582fd203063cd4d301204971ff2cd8327f1a , < 3fc36ae6abd263a5cbf93b2f5539eccc1fc753f7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/mips/sgi-ip22/ip22-platform.c",
"drivers/tty/serial/ip22zilog.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "460e0dc9af2d7790d5194c6743d79f9b77b58836",
"status": "affected",
"version": "84a9582fd203063cd4d301204971ff2cd8327f1a",
"versionType": "git"
},
{
"lessThan": "77a196ca904d66c8372aa8fbfc1c4ae3a66dee2e",
"status": "affected",
"version": "84a9582fd203063cd4d301204971ff2cd8327f1a",
"versionType": "git"
},
{
"lessThan": "3fc36ae6abd263a5cbf93b2f5539eccc1fc753f7",
"status": "affected",
"version": "84a9582fd203063cd4d301204971ff2cd8327f1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/mips/sgi-ip22/ip22-platform.c",
"drivers/tty/serial/ip22zilog.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: ip22zilog: Use platform device for probing\n\nAfter commit 84a9582fd203 (\"serial: core: Start managing serial controllers\nto enable runtime PM\") serial drivers need to provide a device in\nstruct uart_port.dev otherwise an oops happens. To fix this issue\nfor ip22zilog driver switch driver to a platform driver and setup\nthe serial device in sgi-ip22 code."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:55.431Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/460e0dc9af2d7790d5194c6743d79f9b77b58836"
},
{
"url": "https://git.kernel.org/stable/c/77a196ca904d66c8372aa8fbfc1c4ae3a66dee2e"
},
{
"url": "https://git.kernel.org/stable/c/3fc36ae6abd263a5cbf93b2f5539eccc1fc753f7"
}
],
"title": "tty: serial: ip22zilog: Use platform device for probing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68311",
"datePublished": "2025-12-16T15:39:42.445Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2026-01-02T15:34:55.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68313 (GCVE-0-2025-68313)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
x86/CPU/AMD: Add RDSEED fix for Zen5
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/CPU/AMD: Add RDSEED fix for Zen5
There's an issue with RDSEED's 16-bit and 32-bit register output
variants on Zen5 which return a random value of 0 "at a rate inconsistent
with randomness while incorrectly signaling success (CF=1)". Search the
web for AMD-SB-7055 for more detail.
Add a fix glue which checks microcode revisions.
[ bp: Add microcode revisions checking, rewrite. ]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3e4147f33f8b647775357bae0248b9a2aeebfcd2 , < e980de2ff109dacb6d9d3a77f01b27c467115ecb
(git)
Affected: 3e4147f33f8b647775357bae0248b9a2aeebfcd2 , < 36ff93e66d0efc46e39fab536a9feec968daa766 (git) Affected: 3e4147f33f8b647775357bae0248b9a2aeebfcd2 , < 607b9fb2ce248cc5b633c5949e0153838992c152 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e980de2ff109dacb6d9d3a77f01b27c467115ecb",
"status": "affected",
"version": "3e4147f33f8b647775357bae0248b9a2aeebfcd2",
"versionType": "git"
},
{
"lessThan": "36ff93e66d0efc46e39fab536a9feec968daa766",
"status": "affected",
"version": "3e4147f33f8b647775357bae0248b9a2aeebfcd2",
"versionType": "git"
},
{
"lessThan": "607b9fb2ce248cc5b633c5949e0153838992c152",
"status": "affected",
"version": "3e4147f33f8b647775357bae0248b9a2aeebfcd2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU/AMD: Add RDSEED fix for Zen5\n\nThere\u0027s an issue with RDSEED\u0027s 16-bit and 32-bit register output\nvariants on Zen5 which return a random value of 0 \"at a rate inconsistent\nwith randomness while incorrectly signaling success (CF=1)\". Search the\nweb for AMD-SB-7055 for more detail.\n\nAdd a fix glue which checks microcode revisions.\n\n [ bp: Add microcode revisions checking, rewrite. ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:56.955Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e980de2ff109dacb6d9d3a77f01b27c467115ecb"
},
{
"url": "https://git.kernel.org/stable/c/36ff93e66d0efc46e39fab536a9feec968daa766"
},
{
"url": "https://git.kernel.org/stable/c/607b9fb2ce248cc5b633c5949e0153838992c152"
}
],
"title": "x86/CPU/AMD: Add RDSEED fix for Zen5",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68313",
"datePublished": "2025-12-16T15:39:43.972Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2026-01-02T15:34:56.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40100 (GCVE-0-2025-40100)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:48 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
btrfs: do not assert we found block group item when creating free space tree
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not assert we found block group item when creating free space tree
Currently, when building a free space tree at populate_free_space_tree(),
if we are not using the block group tree feature, we always expect to find
block group items (either extent items or a block group item with key type
BTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with
btrfs_search_slot_for_read(), so we assert that we found an item. However
this expectation is wrong since we can have a new block group created in
the current transaction which is still empty and for which we still have
not added the block group's item to the extent tree, in which case we do
not have any items in the extent tree associated to the block group.
The insertion of a new block group's block group item in the extent tree
happens at btrfs_create_pending_block_groups() when it calls the helper
insert_block_group_item(). This typically is done when a transaction
handle is released, committed or when running delayed refs (either as
part of a transaction commit or when serving tickets for space reservation
if we are low on free space).
So remove the assertion at populate_free_space_tree() even when the block
group tree feature is not enabled and update the comment to mention this
case.
Syzbot reported this with the following stack trace:
BTRFS info (device loop3 state M): rebuilding free space tree
assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115
------------[ cut here ]------------
kernel BUG at fs/btrfs/free-space-tree.c:1115!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115
Code: ff ff e8 d3 (...)
RSP: 0018:ffffc9000430f780 EFLAGS: 00010246
RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94
R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001
R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000
FS: 00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0
Call Trace:
<TASK>
btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364
btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062
btrfs_remount_rw fs/btrfs/super.c:1334 [inline]
btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559
reconfigure_super+0x227/0x890 fs/super.c:1076
do_remount fs/namespace.c:3279 [inline]
path_mount+0xd1a/0xfe0 fs/namespace.c:4027
do_mount fs/namespace.c:4048 [inline]
__do_sys_mount fs/namespace.c:4236 [inline]
__se_sys_mount+0x313/0x410 fs/namespace.c:4213
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f424e39066a
Code: d8 64 89 02 (...)
RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a
RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000
RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020
R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380
R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a5ed91828518ab076209266c2bc510adabd078df , < 4f4b9ca73f84130d9fbb0fc02306ce94ce8bdbe6
(git)
Affected: a5ed91828518ab076209266c2bc510adabd078df , < 289498da343b05c886f19b4269429606f86dd17b (git) Affected: a5ed91828518ab076209266c2bc510adabd078df , < 3fdcfd91b93f930d87843156c7c8cc5fbcf9b144 (git) Affected: a5ed91828518ab076209266c2bc510adabd078df , < eb145463f22d7d32d426b29fe9810de9e792b6ba (git) Affected: a5ed91828518ab076209266c2bc510adabd078df , < a5a51bf4e9b7354ce7cd697e610d72c1b33fd949 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/free-space-tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4f4b9ca73f84130d9fbb0fc02306ce94ce8bdbe6",
"status": "affected",
"version": "a5ed91828518ab076209266c2bc510adabd078df",
"versionType": "git"
},
{
"lessThan": "289498da343b05c886f19b4269429606f86dd17b",
"status": "affected",
"version": "a5ed91828518ab076209266c2bc510adabd078df",
"versionType": "git"
},
{
"lessThan": "3fdcfd91b93f930d87843156c7c8cc5fbcf9b144",
"status": "affected",
"version": "a5ed91828518ab076209266c2bc510adabd078df",
"versionType": "git"
},
{
"lessThan": "eb145463f22d7d32d426b29fe9810de9e792b6ba",
"status": "affected",
"version": "a5ed91828518ab076209266c2bc510adabd078df",
"versionType": "git"
},
{
"lessThan": "a5a51bf4e9b7354ce7cd697e610d72c1b33fd949",
"status": "affected",
"version": "a5ed91828518ab076209266c2bc510adabd078df",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/free-space-tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not assert we found block group item when creating free space tree\n\nCurrently, when building a free space tree at populate_free_space_tree(),\nif we are not using the block group tree feature, we always expect to find\nblock group items (either extent items or a block group item with key type\nBTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with\nbtrfs_search_slot_for_read(), so we assert that we found an item. However\nthis expectation is wrong since we can have a new block group created in\nthe current transaction which is still empty and for which we still have\nnot added the block group\u0027s item to the extent tree, in which case we do\nnot have any items in the extent tree associated to the block group.\n\nThe insertion of a new block group\u0027s block group item in the extent tree\nhappens at btrfs_create_pending_block_groups() when it calls the helper\ninsert_block_group_item(). This typically is done when a transaction\nhandle is released, committed or when running delayed refs (either as\npart of a transaction commit or when serving tickets for space reservation\nif we are low on free space).\n\nSo remove the assertion at populate_free_space_tree() even when the block\ngroup tree feature is not enabled and update the comment to mention this\ncase.\n\nSyzbot reported this with the following stack trace:\n\n BTRFS info (device loop3 state M): rebuilding free space tree\n assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/free-space-tree.c:1115!\n Oops: invalid opcode: 0000 [#1] SMP KASAN PTI\n CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\n RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115\n Code: ff ff e8 d3 (...)\n RSP: 0018:ffffc9000430f780 EFLAGS: 00010246\n RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000\n RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000\n RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94\n R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001\n R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000\n FS: 00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0\n Call Trace:\n \u003cTASK\u003e\n btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364\n btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062\n btrfs_remount_rw fs/btrfs/super.c:1334 [inline]\n btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559\n reconfigure_super+0x227/0x890 fs/super.c:1076\n do_remount fs/namespace.c:3279 [inline]\n path_mount+0xd1a/0xfe0 fs/namespace.c:4027\n do_mount fs/namespace.c:4048 [inline]\n __do_sys_mount fs/namespace.c:4236 [inline]\n __se_sys_mount+0x313/0x410 fs/namespace.c:4213\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f424e39066a\n Code: d8 64 89 02 (...)\n RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5\n RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a\n RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000\n RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020\n R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380\n R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0\n \u003c/TASK\u003e\n Modules linked in:\n ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:01.898Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4f4b9ca73f84130d9fbb0fc02306ce94ce8bdbe6"
},
{
"url": "https://git.kernel.org/stable/c/289498da343b05c886f19b4269429606f86dd17b"
},
{
"url": "https://git.kernel.org/stable/c/3fdcfd91b93f930d87843156c7c8cc5fbcf9b144"
},
{
"url": "https://git.kernel.org/stable/c/eb145463f22d7d32d426b29fe9810de9e792b6ba"
},
{
"url": "https://git.kernel.org/stable/c/a5a51bf4e9b7354ce7cd697e610d72c1b33fd949"
}
],
"title": "btrfs: do not assert we found block group item when creating free space tree",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40100",
"datePublished": "2025-10-30T09:48:06.521Z",
"dateReserved": "2025-04-16T07:20:57.164Z",
"dateUpdated": "2025-12-01T06:18:01.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68177 (GCVE-0-2025-68177)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
cpufreq/longhaul: handle NULL policy in longhaul_exit
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq/longhaul: handle NULL policy in longhaul_exit
longhaul_exit() was calling cpufreq_cpu_get(0) without checking
for a NULL policy pointer. On some systems, this could lead to a
NULL dereference and a kernel warning or panic.
This patch adds a check using unlikely() and returns early if the
policy is NULL.
Bugzilla: #219962
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2 , < b02352dd2e6cca98777714cc2a27553191df70db
(git)
Affected: b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2 , < 956b56d17a89775e4957bbddefa45cd3c6c71000 (git) Affected: b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2 , < 55cf586b9556863e3c2a45460aba71bcb2be5bcd (git) Affected: b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2 , < fd93e1d71b3b14443092919be12b1abf08de35eb (git) Affected: b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2 , < 8d6791c480f22d6e9a566eaa77336d3d37c5c591 (git) Affected: b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2 , < 64adabb6d9d51b7e7c02fe733346a2c4dd738488 (git) Affected: b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2 , < 809cf2a7794ca4c14c304b349f4c3ae220701ce4 (git) Affected: b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2 , < 592532a77b736b5153e0c2e4c74aa50af0a352ab (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/longhaul.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b02352dd2e6cca98777714cc2a27553191df70db",
"status": "affected",
"version": "b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2",
"versionType": "git"
},
{
"lessThan": "956b56d17a89775e4957bbddefa45cd3c6c71000",
"status": "affected",
"version": "b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2",
"versionType": "git"
},
{
"lessThan": "55cf586b9556863e3c2a45460aba71bcb2be5bcd",
"status": "affected",
"version": "b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2",
"versionType": "git"
},
{
"lessThan": "fd93e1d71b3b14443092919be12b1abf08de35eb",
"status": "affected",
"version": "b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2",
"versionType": "git"
},
{
"lessThan": "8d6791c480f22d6e9a566eaa77336d3d37c5c591",
"status": "affected",
"version": "b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2",
"versionType": "git"
},
{
"lessThan": "64adabb6d9d51b7e7c02fe733346a2c4dd738488",
"status": "affected",
"version": "b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2",
"versionType": "git"
},
{
"lessThan": "809cf2a7794ca4c14c304b349f4c3ae220701ce4",
"status": "affected",
"version": "b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2",
"versionType": "git"
},
{
"lessThan": "592532a77b736b5153e0c2e4c74aa50af0a352ab",
"status": "affected",
"version": "b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/longhaul.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq/longhaul: handle NULL policy in longhaul_exit\n\nlonghaul_exit() was calling cpufreq_cpu_get(0) without checking\nfor a NULL policy pointer. On some systems, this could lead to a\nNULL dereference and a kernel warning or panic.\n\nThis patch adds a check using unlikely() and returns early if the\npolicy is NULL.\n\nBugzilla: #219962"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:11.186Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b02352dd2e6cca98777714cc2a27553191df70db"
},
{
"url": "https://git.kernel.org/stable/c/956b56d17a89775e4957bbddefa45cd3c6c71000"
},
{
"url": "https://git.kernel.org/stable/c/55cf586b9556863e3c2a45460aba71bcb2be5bcd"
},
{
"url": "https://git.kernel.org/stable/c/fd93e1d71b3b14443092919be12b1abf08de35eb"
},
{
"url": "https://git.kernel.org/stable/c/8d6791c480f22d6e9a566eaa77336d3d37c5c591"
},
{
"url": "https://git.kernel.org/stable/c/64adabb6d9d51b7e7c02fe733346a2c4dd738488"
},
{
"url": "https://git.kernel.org/stable/c/809cf2a7794ca4c14c304b349f4c3ae220701ce4"
},
{
"url": "https://git.kernel.org/stable/c/592532a77b736b5153e0c2e4c74aa50af0a352ab"
}
],
"title": "cpufreq/longhaul: handle NULL policy in longhaul_exit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68177",
"datePublished": "2025-12-16T13:42:56.336Z",
"dateReserved": "2025-12-16T13:41:40.251Z",
"dateUpdated": "2026-01-02T15:34:11.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68349 (GCVE-0-2025-68349)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid
Fixes a crash when layout is null during this call stack:
write_inode
-> nfs4_write_inode
-> pnfs_layoutcommit_inode
pnfs_set_layoutcommit relies on the lseg refcount to keep the layout
around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt
to reference a null layout.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < 084bebe82ad86f718a3af84f34761863e63164ed
(git)
Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < b6e4e3a08c03200cc4b8067ec8ab3172a989d6fc (git) Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < 104080582ae0aa6dce6c6d75ff89062efe84673b (git) Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < f718f9ea6094843b8c059b073af49ad61e9f49bb (git) Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < 59947dff0fb7c19c09ce6dccbcd253fd542b6c25 (git) Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < ca2e7fdad7c683b64821c94a58b9b68733214dad (git) Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < 38694f9aae00459ab443a7dc8b3949a6b33b560a (git) Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < e0f8058f2cb56de0b7572f51cd563ca5debce746 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/pnfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "084bebe82ad86f718a3af84f34761863e63164ed",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "b6e4e3a08c03200cc4b8067ec8ab3172a989d6fc",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "104080582ae0aa6dce6c6d75ff89062efe84673b",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "f718f9ea6094843b8c059b073af49ad61e9f49bb",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "59947dff0fb7c19c09ce6dccbcd253fd542b6c25",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "ca2e7fdad7c683b64821c94a58b9b68733214dad",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "38694f9aae00459ab443a7dc8b3949a6b33b560a",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "e0f8058f2cb56de0b7572f51cd563ca5debce746",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/pnfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid\n\nFixes a crash when layout is null during this call stack:\n\nwrite_inode\n -\u003e nfs4_write_inode\n -\u003e pnfs_layoutcommit_inode\n\npnfs_set_layoutcommit relies on the lseg refcount to keep the layout\naround. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt\nto reference a null layout."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:43.772Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/084bebe82ad86f718a3af84f34761863e63164ed"
},
{
"url": "https://git.kernel.org/stable/c/b6e4e3a08c03200cc4b8067ec8ab3172a989d6fc"
},
{
"url": "https://git.kernel.org/stable/c/104080582ae0aa6dce6c6d75ff89062efe84673b"
},
{
"url": "https://git.kernel.org/stable/c/f718f9ea6094843b8c059b073af49ad61e9f49bb"
},
{
"url": "https://git.kernel.org/stable/c/59947dff0fb7c19c09ce6dccbcd253fd542b6c25"
},
{
"url": "https://git.kernel.org/stable/c/ca2e7fdad7c683b64821c94a58b9b68733214dad"
},
{
"url": "https://git.kernel.org/stable/c/38694f9aae00459ab443a7dc8b3949a6b33b560a"
},
{
"url": "https://git.kernel.org/stable/c/e0f8058f2cb56de0b7572f51cd563ca5debce746"
}
],
"title": "NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68349",
"datePublished": "2025-12-24T10:32:41.253Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2026-02-09T08:31:43.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39994 (GCVE-0-2025-39994)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:58 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
media: tuner: xc5000: Fix use-after-free in xc5000_release
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: tuner: xc5000: Fix use-after-free in xc5000_release
The original code uses cancel_delayed_work() in xc5000_release(), which
does not guarantee that the delayed work item timer_sleep has fully
completed if it was already running. This leads to use-after-free scenarios
where xc5000_release() may free the xc5000_priv while timer_sleep is still
active and attempts to dereference the xc5000_priv.
A typical race condition is illustrated below:
CPU 0 (release thread) | CPU 1 (delayed work callback)
xc5000_release() | xc5000_do_timer_sleep()
cancel_delayed_work() |
hybrid_tuner_release_state(priv) |
kfree(priv) |
| priv = container_of() // UAF
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the timer_sleep is properly canceled before the xc5000_priv memory
is deallocated.
A deadlock concern was considered: xc5000_release() is called in a process
context and is not holding any locks that the timer_sleep work item might
also need. Therefore, the use of the _sync() variant is safe here.
This bug was initially identified through static analysis.
[hverkuil: fix typo in Subject: tunner -> tuner]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 , < bc4ffd962ce16a154c44c68853b9d93f5b6fc4b8
(git)
Affected: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 , < e2f5eaafc0306a76fb1cb760aae804b065b8a341 (git) Affected: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 , < 3f876cd47ed8bca1e28d68435845949f51f90703 (git) Affected: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 , < df0303b4839520b84d9367c2fad65b13650a4d42 (git) Affected: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 , < 71ed8b81a4906cb785966910f39cf7f5ad60a69e (git) Affected: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 , < effb1c19583bca7022fa641a70766de45c6d41ac (git) Affected: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 , < 9a00de20ed8ba90888479749b87bc1532cded4ce (git) Affected: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 , < 4266f012806fc18e46da4a04d130df59a4946f93 (git) Affected: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 , < 40b7a19f321e65789612ebaca966472055dab48c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/tuners/xc5000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc4ffd962ce16a154c44c68853b9d93f5b6fc4b8",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "e2f5eaafc0306a76fb1cb760aae804b065b8a341",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "3f876cd47ed8bca1e28d68435845949f51f90703",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "df0303b4839520b84d9367c2fad65b13650a4d42",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "71ed8b81a4906cb785966910f39cf7f5ad60a69e",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "effb1c19583bca7022fa641a70766de45c6d41ac",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "9a00de20ed8ba90888479749b87bc1532cded4ce",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "4266f012806fc18e46da4a04d130df59a4946f93",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "40b7a19f321e65789612ebaca966472055dab48c",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/tuners/xc5000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: tuner: xc5000: Fix use-after-free in xc5000_release\n\nThe original code uses cancel_delayed_work() in xc5000_release(), which\ndoes not guarantee that the delayed work item timer_sleep has fully\ncompleted if it was already running. This leads to use-after-free scenarios\nwhere xc5000_release() may free the xc5000_priv while timer_sleep is still\nactive and attempts to dereference the xc5000_priv.\n\nA typical race condition is illustrated below:\n\nCPU 0 (release thread) | CPU 1 (delayed work callback)\nxc5000_release() | xc5000_do_timer_sleep()\n cancel_delayed_work() |\n hybrid_tuner_release_state(priv) |\n kfree(priv) |\n | priv = container_of() // UAF\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the timer_sleep is properly canceled before the xc5000_priv memory\nis deallocated.\n\nA deadlock concern was considered: xc5000_release() is called in a process\ncontext and is not holding any locks that the timer_sleep work item might\nalso need. Therefore, the use of the _sync() variant is safe here.\n\nThis bug was initially identified through static analysis.\n\n[hverkuil: fix typo in Subject: tunner -\u003e tuner]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:04.958Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc4ffd962ce16a154c44c68853b9d93f5b6fc4b8"
},
{
"url": "https://git.kernel.org/stable/c/e2f5eaafc0306a76fb1cb760aae804b065b8a341"
},
{
"url": "https://git.kernel.org/stable/c/3f876cd47ed8bca1e28d68435845949f51f90703"
},
{
"url": "https://git.kernel.org/stable/c/df0303b4839520b84d9367c2fad65b13650a4d42"
},
{
"url": "https://git.kernel.org/stable/c/71ed8b81a4906cb785966910f39cf7f5ad60a69e"
},
{
"url": "https://git.kernel.org/stable/c/effb1c19583bca7022fa641a70766de45c6d41ac"
},
{
"url": "https://git.kernel.org/stable/c/9a00de20ed8ba90888479749b87bc1532cded4ce"
},
{
"url": "https://git.kernel.org/stable/c/4266f012806fc18e46da4a04d130df59a4946f93"
},
{
"url": "https://git.kernel.org/stable/c/40b7a19f321e65789612ebaca966472055dab48c"
}
],
"title": "media: tuner: xc5000: Fix use-after-free in xc5000_release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39994",
"datePublished": "2025-10-15T07:58:19.503Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-12-01T06:16:04.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40263 (GCVE-0-2025-40263)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
Input: cros_ec_keyb - fix an invalid memory access
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: cros_ec_keyb - fix an invalid memory access
If cros_ec_keyb_register_matrix() isn't called (due to
`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains
NULL. An invalid memory access is observed in cros_ec_keyb_process()
when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()
in such case.
Unable to handle kernel read from unreadable memory at virtual address 0000000000000028
...
x3 : 0000000000000000 x2 : 0000000000000000
x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
input_event
cros_ec_keyb_work
blocking_notifier_call_chain
ec_irq_thread
It's still unknown about why the kernel receives such malformed event,
in any cases, the kernel shouldn't access `ckdev->idev` and friends if
the driver doesn't intend to initialize them.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 , < d74864291cb8bd784d44d1d02e87109cf88666bb
(git)
Affected: ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 , < 9cf59f4724a9ee06ebb06c76b8678ac322e850b7 (git) Affected: ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 , < 6d81068685154535af06163eb585d6d9663ec7ec (git) Affected: ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 , < 2d251c15c27e2dd16d6318425d2f7260cbd47d39 (git) Affected: ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 , < e08969c4d65ac31297fcb4d31d4808c789152f68 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/cros_ec_keyb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d74864291cb8bd784d44d1d02e87109cf88666bb",
"status": "affected",
"version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
"versionType": "git"
},
{
"lessThan": "9cf59f4724a9ee06ebb06c76b8678ac322e850b7",
"status": "affected",
"version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
"versionType": "git"
},
{
"lessThan": "6d81068685154535af06163eb585d6d9663ec7ec",
"status": "affected",
"version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
"versionType": "git"
},
{
"lessThan": "2d251c15c27e2dd16d6318425d2f7260cbd47d39",
"status": "affected",
"version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
"versionType": "git"
},
{
"lessThan": "e08969c4d65ac31297fcb4d31d4808c789152f68",
"status": "affected",
"version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/cros_ec_keyb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: cros_ec_keyb - fix an invalid memory access\n\nIf cros_ec_keyb_register_matrix() isn\u0027t called (due to\n`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev-\u003eidev` remains\nNULL. An invalid memory access is observed in cros_ec_keyb_process()\nwhen receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()\nin such case.\n\n Unable to handle kernel read from unreadable memory at virtual address 0000000000000028\n ...\n x3 : 0000000000000000 x2 : 0000000000000000\n x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n input_event\n cros_ec_keyb_work\n blocking_notifier_call_chain\n ec_irq_thread\n\nIt\u0027s still unknown about why the kernel receives such malformed event,\nin any cases, the kernel shouldn\u0027t access `ckdev-\u003eidev` and friends if\nthe driver doesn\u0027t intend to initialize them."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:17.342Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d74864291cb8bd784d44d1d02e87109cf88666bb"
},
{
"url": "https://git.kernel.org/stable/c/9cf59f4724a9ee06ebb06c76b8678ac322e850b7"
},
{
"url": "https://git.kernel.org/stable/c/6d81068685154535af06163eb585d6d9663ec7ec"
},
{
"url": "https://git.kernel.org/stable/c/2d251c15c27e2dd16d6318425d2f7260cbd47d39"
},
{
"url": "https://git.kernel.org/stable/c/e08969c4d65ac31297fcb4d31d4808c789152f68"
}
],
"title": "Input: cros_ec_keyb - fix an invalid memory access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40263",
"datePublished": "2025-12-04T16:08:23.327Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2026-01-02T15:33:17.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68347 (GCVE-0-2025-68347)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events
The DSP event handling code in hwdep_read() could write more bytes to
the user buffer than requested, when a user provides a buffer smaller
than the event header size (8 bytes).
Fix by using min_t() to clamp the copy size, This ensures we never copy
more than the user requested.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
634ec0b2906efd46f6f57977e172aa3470aca432 , < 16620f0617400746984362c3d6ac547eeae1d35f
(git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 6275fd726d53a8ec724f20201cf3bd862711e17b (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 161291bac551821bba98eb4ea84c82338578d1b0 (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < cdda0d06f8650e33255f79839f188bbece44117c (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 210d77cca3d0494ed30a5c628b20c1d95fa04fb1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16620f0617400746984362c3d6ac547eeae1d35f",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "6275fd726d53a8ec724f20201cf3bd862711e17b",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "161291bac551821bba98eb4ea84c82338578d1b0",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "cdda0d06f8650e33255f79839f188bbece44117c",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "210d77cca3d0494ed30a5c628b20c1d95fa04fb1",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events\n\nThe DSP event handling code in hwdep_read() could write more bytes to\nthe user buffer than requested, when a user provides a buffer smaller\nthan the event header size (8 bytes).\n\nFix by using min_t() to clamp the copy size, This ensures we never copy\nmore than the user requested."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:36.281Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16620f0617400746984362c3d6ac547eeae1d35f"
},
{
"url": "https://git.kernel.org/stable/c/ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe"
},
{
"url": "https://git.kernel.org/stable/c/6275fd726d53a8ec724f20201cf3bd862711e17b"
},
{
"url": "https://git.kernel.org/stable/c/161291bac551821bba98eb4ea84c82338578d1b0"
},
{
"url": "https://git.kernel.org/stable/c/cdda0d06f8650e33255f79839f188bbece44117c"
},
{
"url": "https://git.kernel.org/stable/c/210d77cca3d0494ed30a5c628b20c1d95fa04fb1"
}
],
"title": "ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68347",
"datePublished": "2025-12-24T10:32:39.804Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-02-09T08:31:36.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68783 (GCVE-0-2025-68783)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
ALSA: usb-mixer: us16x08: validate meter packet indices
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-mixer: us16x08: validate meter packet indices
get_meter_levels_from_urb() parses the 64-byte meter packets sent by
the device and fills the per-channel arrays meter_level[],
comp_level[] and master_level[] in struct snd_us16x08_meter_store.
Currently the function derives the channel index directly from the
meter packet (MUB2(meter_urb, s) - 1) and uses it to index those
arrays without validating the range. If the packet contains a
negative or out-of-range channel number, the driver may write past
the end of these arrays.
Introduce a local channel variable and validate it before updating the
arrays. We reject negative indices, limit meter_level[] and
comp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[]
updates with ARRAY_SIZE(master_level).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d2bb390a2081a36ffe906724d2848d846f2aeb29 , < 53461710a95e15ac1f6542450943a492ecf8e550
(git)
Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < 2168866396bd28ec4f3c8da0fbc7d08b5bd4f053 (git) Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < cde47f4ccad6751ac36b7471572ddf38ee91870c (git) Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < 2f21a7cbaaa93926f5be15bc095b9c57c35748d9 (git) Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < a8ad320efb663be30b794e3dd3e829301c0d0ed3 (git) Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < eaa95228b8a56c4880a182c0350d67922b22408f (git) Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < 5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer_us16x08.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "53461710a95e15ac1f6542450943a492ecf8e550",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "2168866396bd28ec4f3c8da0fbc7d08b5bd4f053",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "cde47f4ccad6751ac36b7471572ddf38ee91870c",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "2f21a7cbaaa93926f5be15bc095b9c57c35748d9",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "a8ad320efb663be30b794e3dd3e829301c0d0ed3",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "eaa95228b8a56c4880a182c0350d67922b22408f",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer_us16x08.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-mixer: us16x08: validate meter packet indices\n\nget_meter_levels_from_urb() parses the 64-byte meter packets sent by\nthe device and fills the per-channel arrays meter_level[],\ncomp_level[] and master_level[] in struct snd_us16x08_meter_store.\n\nCurrently the function derives the channel index directly from the\nmeter packet (MUB2(meter_urb, s) - 1) and uses it to index those\narrays without validating the range. If the packet contains a\nnegative or out-of-range channel number, the driver may write past\nthe end of these arrays.\n\nIntroduce a local channel variable and validate it before updating the\narrays. We reject negative indices, limit meter_level[] and\ncomp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[]\nupdates with ARRAY_SIZE(master_level)."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:29.694Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/53461710a95e15ac1f6542450943a492ecf8e550"
},
{
"url": "https://git.kernel.org/stable/c/2168866396bd28ec4f3c8da0fbc7d08b5bd4f053"
},
{
"url": "https://git.kernel.org/stable/c/cde47f4ccad6751ac36b7471572ddf38ee91870c"
},
{
"url": "https://git.kernel.org/stable/c/2f21a7cbaaa93926f5be15bc095b9c57c35748d9"
},
{
"url": "https://git.kernel.org/stable/c/a8ad320efb663be30b794e3dd3e829301c0d0ed3"
},
{
"url": "https://git.kernel.org/stable/c/eaa95228b8a56c4880a182c0350d67922b22408f"
},
{
"url": "https://git.kernel.org/stable/c/5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e"
}
],
"title": "ALSA: usb-mixer: us16x08: validate meter packet indices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68783",
"datePublished": "2026-01-13T15:28:57.609Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-02-09T08:33:29.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71127 (GCVE-0-2025-71127)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
wifi: mac80211: Discard Beacon frames to non-broadcast address
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: Discard Beacon frames to non-broadcast address
Beacon frames are required to be sent to the broadcast address, see IEEE
Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame
shall be set to the broadcast address"). A unicast Beacon frame might be
used as a targeted attack to get one of the associated STAs to do
something (e.g., using CSA to move it to another channel). As such, it
is better have strict filtering for this on the received side and
discard all Beacon frames that are sent to an unexpected address.
This is even more important for cases where beacon protection is used.
The current implementation in mac80211 is correctly discarding unicast
Beacon frames if the Protected Frame bit in the Frame Control field is
set to 0. However, if that bit is set to 1, the logic used for checking
for configured BIGTK(s) does not actually work. If the driver does not
have logic for dropping unicast Beacon frames with Protected Frame bit
1, these frames would be accepted in mac80211 processing as valid Beacon
frames even though they are not protected. This would allow beacon
protection to be bypassed. While the logic for checking beacon
protection could be extended to cover this corner case, a more generic
check for discard all Beacon frames based on A1=unicast address covers
this without needing additional changes.
Address all these issues by dropping received Beacon frames if they are
sent to a non-broadcast address.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
af2d14b01c32d7cba65f73503586e5b621afb139 , < be0974be5c42584e027883ac2af7dab5e950098c
(git)
Affected: af2d14b01c32d7cba65f73503586e5b621afb139 , < 0a59a3895f804469276d188effa511c72e752f35 (git) Affected: af2d14b01c32d7cba65f73503586e5b621afb139 , < 88aab153d1528bc559292a12fb5105ee97528e1f (git) Affected: af2d14b01c32d7cba65f73503586e5b621afb139 , < 6e5bff40bb38741e40c33043ba0816fba5f93661 (git) Affected: af2d14b01c32d7cba65f73503586e5b621afb139 , < 7b240a8935d554ad36a52c2c37c32039f9afaef2 (git) Affected: af2d14b01c32d7cba65f73503586e5b621afb139 , < a21704df4024708be698fb3fd5830d5b113b70e0 (git) Affected: af2d14b01c32d7cba65f73503586e5b621afb139 , < 193d18f60588e95d62e0f82b6a53893e5f2f19f8 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "be0974be5c42584e027883ac2af7dab5e950098c",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "0a59a3895f804469276d188effa511c72e752f35",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "88aab153d1528bc559292a12fb5105ee97528e1f",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "6e5bff40bb38741e40c33043ba0816fba5f93661",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "7b240a8935d554ad36a52c2c37c32039f9afaef2",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "a21704df4024708be698fb3fd5830d5b113b70e0",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "193d18f60588e95d62e0f82b6a53893e5f2f19f8",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.65",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Discard Beacon frames to non-broadcast address\n\nBeacon frames are required to be sent to the broadcast address, see IEEE\nStd 802.11-2020, 11.1.3.1 (\"The Address 1 field of the Beacon .. frame\nshall be set to the broadcast address\"). A unicast Beacon frame might be\nused as a targeted attack to get one of the associated STAs to do\nsomething (e.g., using CSA to move it to another channel). As such, it\nis better have strict filtering for this on the received side and\ndiscard all Beacon frames that are sent to an unexpected address.\n\nThis is even more important for cases where beacon protection is used.\nThe current implementation in mac80211 is correctly discarding unicast\nBeacon frames if the Protected Frame bit in the Frame Control field is\nset to 0. However, if that bit is set to 1, the logic used for checking\nfor configured BIGTK(s) does not actually work. If the driver does not\nhave logic for dropping unicast Beacon frames with Protected Frame bit\n1, these frames would be accepted in mac80211 processing as valid Beacon\nframes even though they are not protected. This would allow beacon\nprotection to be bypassed. While the logic for checking beacon\nprotection could be extended to cover this corner case, a more generic\ncheck for discard all Beacon frames based on A1=unicast address covers\nthis without needing additional changes.\n\nAddress all these issues by dropping received Beacon frames if they are\nsent to a non-broadcast address."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:22.963Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/be0974be5c42584e027883ac2af7dab5e950098c"
},
{
"url": "https://git.kernel.org/stable/c/0a59a3895f804469276d188effa511c72e752f35"
},
{
"url": "https://git.kernel.org/stable/c/88aab153d1528bc559292a12fb5105ee97528e1f"
},
{
"url": "https://git.kernel.org/stable/c/6e5bff40bb38741e40c33043ba0816fba5f93661"
},
{
"url": "https://git.kernel.org/stable/c/7b240a8935d554ad36a52c2c37c32039f9afaef2"
},
{
"url": "https://git.kernel.org/stable/c/a21704df4024708be698fb3fd5830d5b113b70e0"
},
{
"url": "https://git.kernel.org/stable/c/193d18f60588e95d62e0f82b6a53893e5f2f19f8"
}
],
"title": "wifi: mac80211: Discard Beacon frames to non-broadcast address",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71127",
"datePublished": "2026-01-14T15:07:44.218Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-02-09T08:35:22.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40268 (GCVE-0-2025-40268)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
cifs: client: fix memory leak in smb3_fs_context_parse_param
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: client: fix memory leak in smb3_fs_context_parse_param
The user calls fsconfig twice, but when the program exits, free() only
frees ctx->source for the second fsconfig, not the first.
Regarding fc->source, there is no code in the fs context related to its
memory reclamation.
To fix this memory leak, release the source memory corresponding to ctx
or fc before each parsing.
syzbot reported:
BUG: memory leak
unreferenced object 0xffff888128afa360 (size 96):
backtrace (crc 79c9c7ba):
kstrdup+0x3c/0x80 mm/util.c:84
smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444
BUG: memory leak
unreferenced object 0xffff888112c7d900 (size 96):
backtrace (crc 79c9c7ba):
smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629
smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
af1a3d2ba9543e99d78914d8fb88b61d0531d9a1 , < 868fc62811d3fabcf5685e14f36377a855d5412d
(git)
Affected: af1a3d2ba9543e99d78914d8fb88b61d0531d9a1 , < 48c17341577e25a22feb13d694374b61d974edbc (git) Affected: af1a3d2ba9543e99d78914d8fb88b61d0531d9a1 , < 4515743cc7a42e1d67468402a6420c195532a6fa (git) Affected: af1a3d2ba9543e99d78914d8fb88b61d0531d9a1 , < e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/fs_context.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "868fc62811d3fabcf5685e14f36377a855d5412d",
"status": "affected",
"version": "af1a3d2ba9543e99d78914d8fb88b61d0531d9a1",
"versionType": "git"
},
{
"lessThan": "48c17341577e25a22feb13d694374b61d974edbc",
"status": "affected",
"version": "af1a3d2ba9543e99d78914d8fb88b61d0531d9a1",
"versionType": "git"
},
{
"lessThan": "4515743cc7a42e1d67468402a6420c195532a6fa",
"status": "affected",
"version": "af1a3d2ba9543e99d78914d8fb88b61d0531d9a1",
"versionType": "git"
},
{
"lessThan": "e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6",
"status": "affected",
"version": "af1a3d2ba9543e99d78914d8fb88b61d0531d9a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/fs_context.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: client: fix memory leak in smb3_fs_context_parse_param\n\nThe user calls fsconfig twice, but when the program exits, free() only\nfrees ctx-\u003esource for the second fsconfig, not the first.\nRegarding fc-\u003esource, there is no code in the fs context related to its\nmemory reclamation.\n\nTo fix this memory leak, release the source memory corresponding to ctx\nor fc before each parsing.\n\nsyzbot reported:\nBUG: memory leak\nunreferenced object 0xffff888128afa360 (size 96):\n backtrace (crc 79c9c7ba):\n kstrdup+0x3c/0x80 mm/util.c:84\n smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444\n\nBUG: memory leak\nunreferenced object 0xffff888112c7d900 (size 96):\n backtrace (crc 79c9c7ba):\n smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629\n smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:18.852Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/868fc62811d3fabcf5685e14f36377a855d5412d"
},
{
"url": "https://git.kernel.org/stable/c/48c17341577e25a22feb13d694374b61d974edbc"
},
{
"url": "https://git.kernel.org/stable/c/4515743cc7a42e1d67468402a6420c195532a6fa"
},
{
"url": "https://git.kernel.org/stable/c/e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6"
}
],
"title": "cifs: client: fix memory leak in smb3_fs_context_parse_param",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40268",
"datePublished": "2025-12-06T21:50:48.917Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2026-01-02T15:33:18.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68227 (GCVE-0-2025-68227)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57
VLAI?
EPSS
Title
mptcp: Fix proto fallback detection with BPF
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: Fix proto fallback detection with BPF
The sockmap feature allows bpf syscall from userspace, or based
on bpf sockops, replacing the sk_prot of sockets during protocol stack
processing with sockmap's custom read/write interfaces.
'''
tcp_rcv_state_process()
syn_recv_sock()/subflow_syn_recv_sock()
tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)
bpf_skops_established <== sockops
bpf_sock_map_update(sk) <== call bpf helper
tcp_bpf_update_proto() <== update sk_prot
'''
When the server has MPTCP enabled but the client sends a TCP SYN
without MPTCP, subflow_syn_recv_sock() performs a fallback on the
subflow, replacing the subflow sk's sk_prot with the native sk_prot.
'''
subflow_syn_recv_sock()
subflow_ulp_fallback()
subflow_drop_ctx()
mptcp_subflow_ops_undo_override()
'''
Then, this subflow can be normally used by sockmap, which replaces the
native sk_prot with sockmap's custom sk_prot. The issue occurs when the
user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops().
Here, it uses sk->sk_prot to compare with the native sk_prot, but this
is incorrect when sockmap is used, as we may incorrectly set
sk->sk_socket->ops.
This fix uses the more generic sk_family for the comparison instead.
Additionally, this also prevents a WARNING from occurring:
result from ./scripts/decode_stacktrace.sh:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \
(net/mptcp/protocol.c:4005)
Modules linked in:
...
PKRU: 55555554
Call Trace:
<TASK>
do_accept (net/socket.c:1989)
__sys_accept4 (net/socket.c:2028 net/socket.c:2057)
__x64_sys_accept (net/socket.c:2067)
x64_sys_call (arch/x86/entry/syscall_64.c:41)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f87ac92b83d
---[ end trace 0000000000000000 ]---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0b4f33def7bbde1ce2fea05f116639270e7acdc7 , < 92c4092fe012ecdfa5fb05d394f1c1d8f91ad81c
(git)
Affected: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 , < 7ee8f015eb47907745e2070184a8ab1e442ac3c4 (git) Affected: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 , < 344974ea1a3ca30e4920687b0091bda4438cebdb (git) Affected: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 , < 037cc50589643342d69185b663ecf9d26cce91e8 (git) Affected: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 , < 9b1980b6f23fa30bf12add19f37c7458625099eb (git) Affected: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 , < 1a0d5c74af9b6ba9ffdf1172de5a1a6df5922a00 (git) Affected: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 , < c77b3b79a92e3345aa1ee296180d1af4e7031f8f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92c4092fe012ecdfa5fb05d394f1c1d8f91ad81c",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "7ee8f015eb47907745e2070184a8ab1e442ac3c4",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "344974ea1a3ca30e4920687b0091bda4438cebdb",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "037cc50589643342d69185b663ecf9d26cce91e8",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "9b1980b6f23fa30bf12add19f37c7458625099eb",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "1a0d5c74af9b6ba9ffdf1172de5a1a6df5922a00",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "c77b3b79a92e3345aa1ee296180d1af4e7031f8f",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Fix proto fallback detection with BPF\n\nThe sockmap feature allows bpf syscall from userspace, or based\non bpf sockops, replacing the sk_prot of sockets during protocol stack\nprocessing with sockmap\u0027s custom read/write interfaces.\n\u0027\u0027\u0027\ntcp_rcv_state_process()\n syn_recv_sock()/subflow_syn_recv_sock()\n tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)\n bpf_skops_established \u003c== sockops\n bpf_sock_map_update(sk) \u003c== call bpf helper\n tcp_bpf_update_proto() \u003c== update sk_prot\n\u0027\u0027\u0027\n\nWhen the server has MPTCP enabled but the client sends a TCP SYN\nwithout MPTCP, subflow_syn_recv_sock() performs a fallback on the\nsubflow, replacing the subflow sk\u0027s sk_prot with the native sk_prot.\n\u0027\u0027\u0027\nsubflow_syn_recv_sock()\n subflow_ulp_fallback()\n subflow_drop_ctx()\n mptcp_subflow_ops_undo_override()\n\u0027\u0027\u0027\n\nThen, this subflow can be normally used by sockmap, which replaces the\nnative sk_prot with sockmap\u0027s custom sk_prot. The issue occurs when the\nuser executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops().\nHere, it uses sk-\u003esk_prot to compare with the native sk_prot, but this\nis incorrect when sockmap is used, as we may incorrectly set\nsk-\u003esk_socket-\u003eops.\n\nThis fix uses the more generic sk_family for the comparison instead.\n\nAdditionally, this also prevents a WARNING from occurring:\n\nresult from ./scripts/decode_stacktrace.sh:\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \\\n(net/mptcp/protocol.c:4005)\nModules linked in:\n...\n\nPKRU: 55555554\nCall Trace:\n\u003cTASK\u003e\ndo_accept (net/socket.c:1989)\n__sys_accept4 (net/socket.c:2028 net/socket.c:2057)\n__x64_sys_accept (net/socket.c:2067)\nx64_sys_call (arch/x86/entry/syscall_64.c:41)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f87ac92b83d\n\n---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:20.027Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92c4092fe012ecdfa5fb05d394f1c1d8f91ad81c"
},
{
"url": "https://git.kernel.org/stable/c/7ee8f015eb47907745e2070184a8ab1e442ac3c4"
},
{
"url": "https://git.kernel.org/stable/c/344974ea1a3ca30e4920687b0091bda4438cebdb"
},
{
"url": "https://git.kernel.org/stable/c/037cc50589643342d69185b663ecf9d26cce91e8"
},
{
"url": "https://git.kernel.org/stable/c/9b1980b6f23fa30bf12add19f37c7458625099eb"
},
{
"url": "https://git.kernel.org/stable/c/1a0d5c74af9b6ba9ffdf1172de5a1a6df5922a00"
},
{
"url": "https://git.kernel.org/stable/c/c77b3b79a92e3345aa1ee296180d1af4e7031f8f"
}
],
"title": "mptcp: Fix proto fallback detection with BPF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68227",
"datePublished": "2025-12-16T13:57:20.027Z",
"dateReserved": "2025-12-16T13:41:40.257Z",
"dateUpdated": "2025-12-16T13:57:20.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39815 (GCVE-0-2025-39815)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2026-01-14 18:22
VLAI?
EPSS
Title
RISC-V: KVM: fix stack overrun when loading vlenb
Summary
In the Linux kernel, the following vulnerability has been resolved:
RISC-V: KVM: fix stack overrun when loading vlenb
The userspace load can put up to 2048 bits into an xlen bit stack
buffer. We want only xlen bits, so check the size beforehand.
Severity ?
5.5 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2fa290372dfe7dd248b1c16f943f273a3e674f22 , < c76bf8359188a11f8fd790e5bbd6077894a245cc
(git)
Affected: 2fa290372dfe7dd248b1c16f943f273a3e674f22 , < 6d28659b692a0212f360f8bd8a58712b339f9aac (git) Affected: 2fa290372dfe7dd248b1c16f943f273a3e674f22 , < 799766208f09f95677a9ab111b93872d414fbad7 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39815",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:15:40.818434Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:22:55.580Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/kvm/vcpu_vector.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c76bf8359188a11f8fd790e5bbd6077894a245cc",
"status": "affected",
"version": "2fa290372dfe7dd248b1c16f943f273a3e674f22",
"versionType": "git"
},
{
"lessThan": "6d28659b692a0212f360f8bd8a58712b339f9aac",
"status": "affected",
"version": "2fa290372dfe7dd248b1c16f943f273a3e674f22",
"versionType": "git"
},
{
"lessThan": "799766208f09f95677a9ab111b93872d414fbad7",
"status": "affected",
"version": "2fa290372dfe7dd248b1c16f943f273a3e674f22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/kvm/vcpu_vector.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRISC-V: KVM: fix stack overrun when loading vlenb\n\nThe userspace load can put up to 2048 bits into an xlen bit stack\nbuffer. We want only xlen bits, so check the size beforehand."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:59.910Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c76bf8359188a11f8fd790e5bbd6077894a245cc"
},
{
"url": "https://git.kernel.org/stable/c/6d28659b692a0212f360f8bd8a58712b339f9aac"
},
{
"url": "https://git.kernel.org/stable/c/799766208f09f95677a9ab111b93872d414fbad7"
}
],
"title": "RISC-V: KVM: fix stack overrun when loading vlenb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39815",
"datePublished": "2025-09-16T13:00:16.250Z",
"dateReserved": "2025-04-16T07:20:57.138Z",
"dateUpdated": "2026-01-14T18:22:55.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40308 (GCVE-0-2025-40308)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
Bluetooth: bcsp: receive data only if registered
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: bcsp: receive data only if registered
Currently, bcsp_recv() can be called even when the BCSP protocol has not
been registered. This leads to a NULL pointer dereference, as shown in
the following stack trace:
KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]
RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590
Call Trace:
<TASK>
hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627
tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290
tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
To prevent this, ensure that the HCI_UART_REGISTERED flag is set before
processing received data. If the protocol is not registered, return
-EUNATCH.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
48effdb7a798232db945503cf3f51e0be8070cea , < 39a7d40314b6288cfa2d13269275e9247a7a055a
(git)
Affected: 45fa7bd82c6178f4fec0ab94891144a043ec5fe8 , < 164586725b47f9d61912e6bf17dbaffeff11710b (git) Affected: d71a57a34ab6bbc95dc461158403c02e8ff3f912 , < b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9 (git) Affected: 9cf7dccaa7f4c56d2089700e5cb11f85a8d5f6cf , < 8b892dbef3887dbe9afdc7176d1a5fd90e1636aa (git) Affected: 806464634e7fc6b523160defeeddb1ade2a72f81 , < 799cd62cbcc3f12ee04b33ef390ff7d41c37d671 (git) Affected: 6b7a32fa9bacdebd98c18b2a56994116995ee643 , < b420a4c7f915fc1c94ad1f6ca740acc046d94334 (git) Affected: 366ceff495f902182d42b6f41525c2474caf3f9a , < 55c1519fca830f59a10bbf9aa8209c87b06cf7bc (git) Affected: 366ceff495f902182d42b6f41525c2474caf3f9a , < ca94b2b036c22556c3a66f1b80f490882deef7a6 (git) Affected: 15543b7bbe7b5f744fdbb44f75b14f81a0117813 (git) Affected: a4b89a45b12b69bc82c8137346b150a118e02c26 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_bcsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "39a7d40314b6288cfa2d13269275e9247a7a055a",
"status": "affected",
"version": "48effdb7a798232db945503cf3f51e0be8070cea",
"versionType": "git"
},
{
"lessThan": "164586725b47f9d61912e6bf17dbaffeff11710b",
"status": "affected",
"version": "45fa7bd82c6178f4fec0ab94891144a043ec5fe8",
"versionType": "git"
},
{
"lessThan": "b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9",
"status": "affected",
"version": "d71a57a34ab6bbc95dc461158403c02e8ff3f912",
"versionType": "git"
},
{
"lessThan": "8b892dbef3887dbe9afdc7176d1a5fd90e1636aa",
"status": "affected",
"version": "9cf7dccaa7f4c56d2089700e5cb11f85a8d5f6cf",
"versionType": "git"
},
{
"lessThan": "799cd62cbcc3f12ee04b33ef390ff7d41c37d671",
"status": "affected",
"version": "806464634e7fc6b523160defeeddb1ade2a72f81",
"versionType": "git"
},
{
"lessThan": "b420a4c7f915fc1c94ad1f6ca740acc046d94334",
"status": "affected",
"version": "6b7a32fa9bacdebd98c18b2a56994116995ee643",
"versionType": "git"
},
{
"lessThan": "55c1519fca830f59a10bbf9aa8209c87b06cf7bc",
"status": "affected",
"version": "366ceff495f902182d42b6f41525c2474caf3f9a",
"versionType": "git"
},
{
"lessThan": "ca94b2b036c22556c3a66f1b80f490882deef7a6",
"status": "affected",
"version": "366ceff495f902182d42b6f41525c2474caf3f9a",
"versionType": "git"
},
{
"status": "affected",
"version": "15543b7bbe7b5f744fdbb44f75b14f81a0117813",
"versionType": "git"
},
{
"status": "affected",
"version": "a4b89a45b12b69bc82c8137346b150a118e02c26",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_bcsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.6.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.12.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: bcsp: receive data only if registered\n\nCurrently, bcsp_recv() can be called even when the BCSP protocol has not\nbeen registered. This leads to a NULL pointer dereference, as shown in\nthe following stack trace:\n\n KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]\n RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590\n Call Trace:\n \u003cTASK\u003e\n hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627\n tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290\n tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nTo prevent this, ensure that the HCI_UART_REGISTERED flag is set before\nprocessing received data. If the protocol is not registered, return\n-EUNATCH."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:29.429Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/39a7d40314b6288cfa2d13269275e9247a7a055a"
},
{
"url": "https://git.kernel.org/stable/c/164586725b47f9d61912e6bf17dbaffeff11710b"
},
{
"url": "https://git.kernel.org/stable/c/b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9"
},
{
"url": "https://git.kernel.org/stable/c/8b892dbef3887dbe9afdc7176d1a5fd90e1636aa"
},
{
"url": "https://git.kernel.org/stable/c/799cd62cbcc3f12ee04b33ef390ff7d41c37d671"
},
{
"url": "https://git.kernel.org/stable/c/b420a4c7f915fc1c94ad1f6ca740acc046d94334"
},
{
"url": "https://git.kernel.org/stable/c/55c1519fca830f59a10bbf9aa8209c87b06cf7bc"
},
{
"url": "https://git.kernel.org/stable/c/ca94b2b036c22556c3a66f1b80f490882deef7a6"
}
],
"title": "Bluetooth: bcsp: receive data only if registered",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40308",
"datePublished": "2025-12-08T00:46:33.729Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-02T15:33:29.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40305 (GCVE-0-2025-40305)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN
Summary
In the Linux kernel, the following vulnerability has been resolved:
9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN
p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq)
if list_empty(&m->req_list).
However, if the pipe is full, we need to read more data and this used to
work prior to commit aaec5a95d59615 ("pipe_read: don't wake up the writer
if the pipe is still full").
p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before
the commit above) triggered the unnecessary wakeup. This wakeup calls
p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux()
will notice EPOLLIN and schedule_work(&m->rq).
This no longer happens after the optimization above, change p9_fd_request()
to use p9_poll_mux() instead of only checking for EPOLLOUT.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/9p/trans_fd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "242531004d7de8c159f9bfadebe33fe8060b1046",
"status": "affected",
"version": "aaec5a95d59615523db03dd53c2052f0a87beea7",
"versionType": "git"
},
{
"lessThan": "e8fe3f07a357c39d429e02ca34f740692d88967a",
"status": "affected",
"version": "aaec5a95d59615523db03dd53c2052f0a87beea7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/9p/trans_fd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN\n\np9_read_work() doesn\u0027t set Rworksched and doesn\u0027t do schedule_work(m-\u003erq)\nif list_empty(\u0026m-\u003ereq_list).\n\nHowever, if the pipe is full, we need to read more data and this used to\nwork prior to commit aaec5a95d59615 (\"pipe_read: don\u0027t wake up the writer\nif the pipe is still full\").\n\np9_read_work() does p9_fd_read() -\u003e ... -\u003e anon_pipe_read() which (before\nthe commit above) triggered the unnecessary wakeup. This wakeup calls\np9_pollwake() which kicks p9_poll_workfn() -\u003e p9_poll_mux(), p9_poll_mux()\nwill notice EPOLLIN and schedule_work(\u0026m-\u003erq).\n\nThis no longer happens after the optimization above, change p9_fd_request()\nto use p9_poll_mux() instead of only checking for EPOLLOUT."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:27.804Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/242531004d7de8c159f9bfadebe33fe8060b1046"
},
{
"url": "https://git.kernel.org/stable/c/e8fe3f07a357c39d429e02ca34f740692d88967a"
}
],
"title": "9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40305",
"datePublished": "2025-12-08T00:46:30.327Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-02T15:33:27.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40057 (GCVE-0-2025-40057)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
ptp: Add a upper bound on max_vclocks
Summary
In the Linux kernel, the following vulnerability has been resolved:
ptp: Add a upper bound on max_vclocks
syzbot reported WARNING in max_vclocks_store.
This occurs when the argument max is too large for kcalloc to handle.
Extend the guard to guard against values that are too large for
kcalloc
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
73f37068d540eba5f93ba3a0019bf479d35ebd76 , < 8dd446056336faa2283d62cefc2f576536845edc
(git)
Affected: 73f37068d540eba5f93ba3a0019bf479d35ebd76 , < 35ce5f163889dbce88eda1df661b357a09bbed87 (git) Affected: 73f37068d540eba5f93ba3a0019bf479d35ebd76 , < e9f35294e18da82162004a2f35976e7031aaf7f9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ptp/ptp_private.h",
"drivers/ptp/ptp_sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8dd446056336faa2283d62cefc2f576536845edc",
"status": "affected",
"version": "73f37068d540eba5f93ba3a0019bf479d35ebd76",
"versionType": "git"
},
{
"lessThan": "35ce5f163889dbce88eda1df661b357a09bbed87",
"status": "affected",
"version": "73f37068d540eba5f93ba3a0019bf479d35ebd76",
"versionType": "git"
},
{
"lessThan": "e9f35294e18da82162004a2f35976e7031aaf7f9",
"status": "affected",
"version": "73f37068d540eba5f93ba3a0019bf479d35ebd76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ptp/ptp_private.h",
"drivers/ptp/ptp_sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: Add a upper bound on max_vclocks\n\nsyzbot reported WARNING in max_vclocks_store.\n\nThis occurs when the argument max is too large for kcalloc to handle.\n\nExtend the guard to guard against values that are too large for\nkcalloc"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:05.742Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8dd446056336faa2283d62cefc2f576536845edc"
},
{
"url": "https://git.kernel.org/stable/c/35ce5f163889dbce88eda1df661b357a09bbed87"
},
{
"url": "https://git.kernel.org/stable/c/e9f35294e18da82162004a2f35976e7031aaf7f9"
}
],
"title": "ptp: Add a upper bound on max_vclocks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40057",
"datePublished": "2025-10-28T11:48:30.947Z",
"dateReserved": "2025-04-16T07:20:57.158Z",
"dateUpdated": "2025-12-01T06:17:05.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68254 (GCVE-0-2025-68254)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:44 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
The Extended Supported Rates (ESR) IE handling in OnBeacon accessed
*(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these
offsets lie within the received frame buffer. A malformed beacon with
an ESR IE positioned at the end of the buffer could cause an
out-of-bounds read, potentially triggering a kernel panic.
Add a boundary check to ensure that the ESR IE body and the subsequent
bytes are within the limits of the frame before attempting to access
them.
This prevents OOB reads caused by malformed beacon frames.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
554c0a3abf216c991c5ebddcdb2c08689ecd290b , < c03cb111628924827351e19baa5b073e9b0d723d
(git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < bb5940193d813449540d8d3a82abc045be41f48a (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < c173ce97d3f0f0c0fefa39139d6d04ba60b5db22 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < d1ab7f9cee22e7b8a528da9ac953e4193b96cda5 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 38292407c2bb5b2b3131aaace4ecc7a829b40b76 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < bf323db1d883c209880bd92f3b12503e3531c3fc (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 502ddcc405b69fa92e0add6c1714d654504f6fd7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c03cb111628924827351e19baa5b073e9b0d723d",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "bb5940193d813449540d8d3a82abc045be41f48a",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "c173ce97d3f0f0c0fefa39139d6d04ba60b5db22",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "d1ab7f9cee22e7b8a528da9ac953e4193b96cda5",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "38292407c2bb5b2b3131aaace4ecc7a829b40b76",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "bf323db1d883c209880bd92f3b12503e3531c3fc",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "502ddcc405b69fa92e0add6c1714d654504f6fd7",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing\n\nThe Extended Supported Rates (ESR) IE handling in OnBeacon accessed\n*(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these\noffsets lie within the received frame buffer. A malformed beacon with\nan ESR IE positioned at the end of the buffer could cause an\nout-of-bounds read, potentially triggering a kernel panic.\n\nAdd a boundary check to ensure that the ESR IE body and the subsequent\nbytes are within the limits of the frame before attempting to access\nthem.\n\nThis prevents OOB reads caused by malformed beacon frames."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:07.247Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c03cb111628924827351e19baa5b073e9b0d723d"
},
{
"url": "https://git.kernel.org/stable/c/bb5940193d813449540d8d3a82abc045be41f48a"
},
{
"url": "https://git.kernel.org/stable/c/c173ce97d3f0f0c0fefa39139d6d04ba60b5db22"
},
{
"url": "https://git.kernel.org/stable/c/d1ab7f9cee22e7b8a528da9ac953e4193b96cda5"
},
{
"url": "https://git.kernel.org/stable/c/38292407c2bb5b2b3131aaace4ecc7a829b40b76"
},
{
"url": "https://git.kernel.org/stable/c/bf323db1d883c209880bd92f3b12503e3531c3fc"
},
{
"url": "https://git.kernel.org/stable/c/502ddcc405b69fa92e0add6c1714d654504f6fd7"
}
],
"title": "staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68254",
"datePublished": "2025-12-16T14:44:57.204Z",
"dateReserved": "2025-12-16T13:41:40.266Z",
"dateUpdated": "2026-02-09T08:31:07.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68222 (GCVE-0-2025-68222)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57
VLAI?
EPSS
Title
pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc
s32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its
fields are initialized. Notably, num_custom_params is used in
pinconf_generic_parse_dt_config(), resulting in intermittent allocation
errors, such as the following splat when probing i2c-imx:
WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300
[...]
Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT)
[...]
Call trace:
__alloc_pages_noprof+0x290/0x300 (P)
___kmalloc_large_node+0x84/0x168
__kmalloc_large_node_noprof+0x34/0x120
__kmalloc_noprof+0x2ac/0x378
pinconf_generic_parse_dt_config+0x68/0x1a0
s32_dt_node_to_map+0x104/0x248
dt_to_map_one_config+0x154/0x1d8
pinctrl_dt_to_map+0x12c/0x280
create_pinctrl+0x6c/0x270
pinctrl_get+0xc0/0x170
devm_pinctrl_get+0x50/0xa0
pinctrl_bind_pins+0x60/0x2a0
really_probe+0x60/0x3a0
[...]
__platform_driver_register+0x2c/0x40
i2c_adap_imx_init+0x28/0xff8 [i2c_imx]
[...]
This results in later parse failures that can cause issues in dependent
drivers:
s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property
s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property
[...]
pca953x 0-0022: failed writing register: -6
i2c i2c-0: IMX I2C adapter registered
s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property
s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property
i2c i2c-1: IMX I2C adapter registered
s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property
s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property
i2c i2c-2: IMX I2C adapter registered
Fix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of
devm_kmalloc() in s32_pinctrl_probe(), which sets the previously
uninitialized fields to zero.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
fd84aaa8173d3ff86f8df2009921336a1ea53a8a , < 3b90bd8aaeb21b513ecc4ed03299e80ece44a333
(git)
Affected: fd84aaa8173d3ff86f8df2009921336a1ea53a8a , < 583ac7f65791ceda38ea1a493a4859f7161dcb03 (git) Affected: fd84aaa8173d3ff86f8df2009921336a1ea53a8a , < 7bbdd6c30e8fd92f7165b7730b038cfe42102004 (git) Affected: fd84aaa8173d3ff86f8df2009921336a1ea53a8a , < 97ea34defbb57bfaf71ce487b1b0865ffd186e81 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/nxp/pinctrl-s32cc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b90bd8aaeb21b513ecc4ed03299e80ece44a333",
"status": "affected",
"version": "fd84aaa8173d3ff86f8df2009921336a1ea53a8a",
"versionType": "git"
},
{
"lessThan": "583ac7f65791ceda38ea1a493a4859f7161dcb03",
"status": "affected",
"version": "fd84aaa8173d3ff86f8df2009921336a1ea53a8a",
"versionType": "git"
},
{
"lessThan": "7bbdd6c30e8fd92f7165b7730b038cfe42102004",
"status": "affected",
"version": "fd84aaa8173d3ff86f8df2009921336a1ea53a8a",
"versionType": "git"
},
{
"lessThan": "97ea34defbb57bfaf71ce487b1b0865ffd186e81",
"status": "affected",
"version": "fd84aaa8173d3ff86f8df2009921336a1ea53a8a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/nxp/pinctrl-s32cc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc\n\ns32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its\nfields are initialized. Notably, num_custom_params is used in\npinconf_generic_parse_dt_config(), resulting in intermittent allocation\nerrors, such as the following splat when probing i2c-imx:\n\n WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300\n [...]\n Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT)\n [...]\n Call trace:\n __alloc_pages_noprof+0x290/0x300 (P)\n ___kmalloc_large_node+0x84/0x168\n __kmalloc_large_node_noprof+0x34/0x120\n __kmalloc_noprof+0x2ac/0x378\n pinconf_generic_parse_dt_config+0x68/0x1a0\n s32_dt_node_to_map+0x104/0x248\n dt_to_map_one_config+0x154/0x1d8\n pinctrl_dt_to_map+0x12c/0x280\n create_pinctrl+0x6c/0x270\n pinctrl_get+0xc0/0x170\n devm_pinctrl_get+0x50/0xa0\n pinctrl_bind_pins+0x60/0x2a0\n really_probe+0x60/0x3a0\n [...]\n __platform_driver_register+0x2c/0x40\n i2c_adap_imx_init+0x28/0xff8 [i2c_imx]\n [...]\n\nThis results in later parse failures that can cause issues in dependent\ndrivers:\n\n s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property\n s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property\n [...]\n pca953x 0-0022: failed writing register: -6\n i2c i2c-0: IMX I2C adapter registered\n s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property\n s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property\n i2c i2c-1: IMX I2C adapter registered\n s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property\n s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property\n i2c i2c-2: IMX I2C adapter registered\n\nFix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of\ndevm_kmalloc() in s32_pinctrl_probe(), which sets the previously\nuninitialized fields to zero."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:15.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b90bd8aaeb21b513ecc4ed03299e80ece44a333"
},
{
"url": "https://git.kernel.org/stable/c/583ac7f65791ceda38ea1a493a4859f7161dcb03"
},
{
"url": "https://git.kernel.org/stable/c/7bbdd6c30e8fd92f7165b7730b038cfe42102004"
},
{
"url": "https://git.kernel.org/stable/c/97ea34defbb57bfaf71ce487b1b0865ffd186e81"
}
],
"title": "pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68222",
"datePublished": "2025-12-16T13:57:15.832Z",
"dateReserved": "2025-12-16T13:41:40.257Z",
"dateUpdated": "2025-12-16T13:57:15.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68743 (GCVE-0-2025-68743)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
mshv: Fix create memory region overlap check
Summary
In the Linux kernel, the following vulnerability has been resolved:
mshv: Fix create memory region overlap check
The current check is incorrect; it only checks if the beginning or end
of a region is within an existing region. This doesn't account for
userspace specifying a region that begins before and ends after an
existing region.
Change the logic to a range intersection check against gfns and uaddrs
for each region.
Remove mshv_partition_region_by_uaddr() as it is no longer used.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
621191d709b14882270dfd8ea5d7d6cdfebe2c35 , < 2183924dd834e0703f87e17c17e689bcbf55d69d
(git)
Affected: 621191d709b14882270dfd8ea5d7d6cdfebe2c35 , < ab3e7a78d83a61d335458cfe2e4d17eba69ae73d (git) Affected: 621191d709b14882270dfd8ea5d7d6cdfebe2c35 , < ba9eb9b86d232854e983203dc2fb1ba18e316681 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hv/mshv_root_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2183924dd834e0703f87e17c17e689bcbf55d69d",
"status": "affected",
"version": "621191d709b14882270dfd8ea5d7d6cdfebe2c35",
"versionType": "git"
},
{
"lessThan": "ab3e7a78d83a61d335458cfe2e4d17eba69ae73d",
"status": "affected",
"version": "621191d709b14882270dfd8ea5d7d6cdfebe2c35",
"versionType": "git"
},
{
"lessThan": "ba9eb9b86d232854e983203dc2fb1ba18e316681",
"status": "affected",
"version": "621191d709b14882270dfd8ea5d7d6cdfebe2c35",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hv/mshv_root_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmshv: Fix create memory region overlap check\n\nThe current check is incorrect; it only checks if the beginning or end\nof a region is within an existing region. This doesn\u0027t account for\nuserspace specifying a region that begins before and ends after an\nexisting region.\n\nChange the logic to a range intersection check against gfns and uaddrs\nfor each region.\n\nRemove mshv_partition_region_by_uaddr() as it is no longer used."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:47.441Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2183924dd834e0703f87e17c17e689bcbf55d69d"
},
{
"url": "https://git.kernel.org/stable/c/ab3e7a78d83a61d335458cfe2e4d17eba69ae73d"
},
{
"url": "https://git.kernel.org/stable/c/ba9eb9b86d232854e983203dc2fb1ba18e316681"
}
],
"title": "mshv: Fix create memory region overlap check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68743",
"datePublished": "2025-12-24T12:09:40.148Z",
"dateReserved": "2025-12-24T10:30:51.030Z",
"dateUpdated": "2026-02-09T08:32:47.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68378 (GCVE-0-2025-68378)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
bpf: Fix stackmap overflow check in __bpf_get_stackid()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix stackmap overflow check in __bpf_get_stackid()
Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid()
when copying stack trace data. The issue occurs when the perf trace
contains more stack entries than the stack map bucket can hold,
leading to an out-of-bounds write in the bucket's data array.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < d1f424a77b6bd27b361737ed73df49a0158f1590
(git)
Affected: ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < 2a008f6de163279deffd488c1deab081bce5667c (git) Affected: ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < 4669a8db976c8cbd5427fe9945f12c5fa5168ff3 (git) Affected: ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < 23f852daa4bab4d579110e034e4d513f7d490846 (git) Affected: 90805175a206f784b6a77f16f07b07f6803e286b (git) Affected: 398ac11f4425d1e52aaf0d05d4fc90524e1a5b5e (git) Affected: e750f78c4ed7cefbcefb9769b3b9e08033db39da (git) Affected: 6c4f243b58f5362e983386488b2d563764c567af (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/stackmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1f424a77b6bd27b361737ed73df49a0158f1590",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"lessThan": "2a008f6de163279deffd488c1deab081bce5667c",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"lessThan": "4669a8db976c8cbd5427fe9945f12c5fa5168ff3",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"lessThan": "23f852daa4bab4d579110e034e4d513f7d490846",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"status": "affected",
"version": "90805175a206f784b6a77f16f07b07f6803e286b",
"versionType": "git"
},
{
"status": "affected",
"version": "398ac11f4425d1e52aaf0d05d4fc90524e1a5b5e",
"versionType": "git"
},
{
"status": "affected",
"version": "e750f78c4ed7cefbcefb9769b3b9e08033db39da",
"versionType": "git"
},
{
"status": "affected",
"version": "6c4f243b58f5362e983386488b2d563764c567af",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/stackmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stackmap overflow check in __bpf_get_stackid()\n\nSyzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid()\nwhen copying stack trace data. The issue occurs when the perf trace\n contains more stack entries than the stack map bucket can hold,\n leading to an out-of-bounds write in the bucket\u0027s data array."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:16.792Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1f424a77b6bd27b361737ed73df49a0158f1590"
},
{
"url": "https://git.kernel.org/stable/c/2a008f6de163279deffd488c1deab081bce5667c"
},
{
"url": "https://git.kernel.org/stable/c/4669a8db976c8cbd5427fe9945f12c5fa5168ff3"
},
{
"url": "https://git.kernel.org/stable/c/23f852daa4bab4d579110e034e4d513f7d490846"
}
],
"title": "bpf: Fix stackmap overflow check in __bpf_get_stackid()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68378",
"datePublished": "2025-12-24T10:33:06.859Z",
"dateReserved": "2025-12-16T14:48:05.311Z",
"dateUpdated": "2026-02-09T08:32:16.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71137 (GCVE-0-2025-71137)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
This patch ensures that the RX ring size (rx_pending) is not
set below the permitted length. This avoids UBSAN
shift-out-of-bounds errors when users passes small or zero
ring sizes via ethtool -G.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d45d8979840d9c9ac93d3fe8cfc8e794b7228445 , < 5d8dfa3abb9a845302e021cf9c92d941abbc011a
(git)
Affected: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 , < 4cc4cfe4d23c883120b6f3d41145edbaa281f2ab (git) Affected: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 , < 658caf3b8aad65f8b8e102670ca4f68c7030f655 (git) Affected: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 , < b23a2e15589466a027c9baa3fb5813c9f6a6c6dc (git) Affected: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 , < aa743b0d98448282b2cb37356db8db2a48524624 (git) Affected: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 , < 442848e457f5a9f71a4e7e14d24d73dae278ebe3 (git) Affected: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 , < 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d8dfa3abb9a845302e021cf9c92d941abbc011a",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "4cc4cfe4d23c883120b6f3d41145edbaa281f2ab",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "658caf3b8aad65f8b8e102670ca4f68c7030f655",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "b23a2e15589466a027c9baa3fb5813c9f6a6c6dc",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "aa743b0d98448282b2cb37356db8db2a48524624",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "442848e457f5a9f71a4e7e14d24d73dae278ebe3",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: fix \"UBSAN: shift-out-of-bounds error\"\n\nThis patch ensures that the RX ring size (rx_pending) is not\nset below the permitted length. This avoids UBSAN\nshift-out-of-bounds errors when users passes small or zero\nring sizes via ethtool -G."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:34.357Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d8dfa3abb9a845302e021cf9c92d941abbc011a"
},
{
"url": "https://git.kernel.org/stable/c/4cc4cfe4d23c883120b6f3d41145edbaa281f2ab"
},
{
"url": "https://git.kernel.org/stable/c/658caf3b8aad65f8b8e102670ca4f68c7030f655"
},
{
"url": "https://git.kernel.org/stable/c/b23a2e15589466a027c9baa3fb5813c9f6a6c6dc"
},
{
"url": "https://git.kernel.org/stable/c/aa743b0d98448282b2cb37356db8db2a48524624"
},
{
"url": "https://git.kernel.org/stable/c/442848e457f5a9f71a4e7e14d24d73dae278ebe3"
},
{
"url": "https://git.kernel.org/stable/c/85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7"
}
],
"title": "octeontx2-pf: fix \"UBSAN: shift-out-of-bounds error\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71137",
"datePublished": "2026-01-14T15:07:51.264Z",
"dateReserved": "2026-01-13T15:30:19.656Z",
"dateUpdated": "2026-02-09T08:35:34.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68259 (GCVE-0-2025-68259)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced
When re-injecting a soft interrupt from an INT3, INT0, or (select) INTn
instruction, discard the exception and retry the instruction if the code
stream is changed (e.g. by a different vCPU) between when the CPU
executes the instruction and when KVM decodes the instruction to get the
next RIP.
As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-inject
INT3/INTO instead of retrying the instruction"), failure to verify that
the correct INTn instruction was decoded can effectively clobber guest
state due to decoding the wrong instruction and thus specifying the
wrong next RIP.
The bug most often manifests as "Oops: int3" panics on static branch
checks in Linux guests. Enabling or disabling a static branch in Linux
uses the kernel's "text poke" code patching mechanism. To modify code
while other CPUs may be executing that code, Linux (temporarily)
replaces the first byte of the original instruction with an int3 (opcode
0xcc), then patches in the new code stream except for the first byte,
and finally replaces the int3 with the first byte of the new code
stream. If a CPU hits the int3, i.e. executes the code while it's being
modified, then the guest kernel must look up the RIP to determine how to
handle the #BP, e.g. by emulating the new instruction. If the RIP is
incorrect, then this lookup fails and the guest kernel panics.
The bug reproduces almost instantly by hacking the guest kernel to
repeatedly check a static branch[1] while running a drgn script[2] on
the host to constantly swap out the memory containing the guest's TSS.
[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a
[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 2e84a018c2895c05abe213eb10db128aa45f6ec6
(git)
Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 152289a51107ef45bbfe9b4aeeaa584a503042b5 (git) Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 87cc1622c88a4888959d64fa1fc9ba1e264aa3d4 (git) Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 54bcccc2c7805a00af1d7d2faffd6f424c0133aa (git) Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 53903ac9ca1abffa27327e85075ec496fa55ccf3 (git) Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 4da3768e1820cf15cced390242d8789aed34f54d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/kvm_host.h",
"arch/x86/kvm/svm/svm.c",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e84a018c2895c05abe213eb10db128aa45f6ec6",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "152289a51107ef45bbfe9b4aeeaa584a503042b5",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "87cc1622c88a4888959d64fa1fc9ba1e264aa3d4",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "54bcccc2c7805a00af1d7d2faffd6f424c0133aa",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "53903ac9ca1abffa27327e85075ec496fa55ccf3",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "4da3768e1820cf15cced390242d8789aed34f54d",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/kvm_host.h",
"arch/x86/kvm/svm/svm.c",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Don\u0027t skip unrelated instruction if INT3/INTO is replaced\n\nWhen re-injecting a soft interrupt from an INT3, INT0, or (select) INTn\ninstruction, discard the exception and retry the instruction if the code\nstream is changed (e.g. by a different vCPU) between when the CPU\nexecutes the instruction and when KVM decodes the instruction to get the\nnext RIP.\n\nAs effectively predicted by commit 6ef88d6e36c2 (\"KVM: SVM: Re-inject\nINT3/INTO instead of retrying the instruction\"), failure to verify that\nthe correct INTn instruction was decoded can effectively clobber guest\nstate due to decoding the wrong instruction and thus specifying the\nwrong next RIP.\n\nThe bug most often manifests as \"Oops: int3\" panics on static branch\nchecks in Linux guests. Enabling or disabling a static branch in Linux\nuses the kernel\u0027s \"text poke\" code patching mechanism. To modify code\nwhile other CPUs may be executing that code, Linux (temporarily)\nreplaces the first byte of the original instruction with an int3 (opcode\n0xcc), then patches in the new code stream except for the first byte,\nand finally replaces the int3 with the first byte of the new code\nstream. If a CPU hits the int3, i.e. executes the code while it\u0027s being\nmodified, then the guest kernel must look up the RIP to determine how to\nhandle the #BP, e.g. by emulating the new instruction. If the RIP is\nincorrect, then this lookup fails and the guest kernel panics.\n\nThe bug reproduces almost instantly by hacking the guest kernel to\nrepeatedly check a static branch[1] while running a drgn script[2] on\nthe host to constantly swap out the memory containing the guest\u0027s TSS.\n\n[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a\n[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:17.727Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e84a018c2895c05abe213eb10db128aa45f6ec6"
},
{
"url": "https://git.kernel.org/stable/c/152289a51107ef45bbfe9b4aeeaa584a503042b5"
},
{
"url": "https://git.kernel.org/stable/c/87cc1622c88a4888959d64fa1fc9ba1e264aa3d4"
},
{
"url": "https://git.kernel.org/stable/c/54bcccc2c7805a00af1d7d2faffd6f424c0133aa"
},
{
"url": "https://git.kernel.org/stable/c/53903ac9ca1abffa27327e85075ec496fa55ccf3"
},
{
"url": "https://git.kernel.org/stable/c/4da3768e1820cf15cced390242d8789aed34f54d"
}
],
"title": "KVM: SVM: Don\u0027t skip unrelated instruction if INT3/INTO is replaced",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68259",
"datePublished": "2025-12-16T14:45:01.753Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-02-09T08:31:17.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39819 (GCVE-0-2025-39819)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2026-01-02 15:32
VLAI?
EPSS
Title
fs/smb: Fix inconsistent refcnt update
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/smb: Fix inconsistent refcnt update
A possible inconsistent update of refcount was identified in `smb2_compound_op`.
Such inconsistent update could lead to possible resource leaks.
Why it is a possible bug:
1. In the comment section of the function, it clearly states that the
reference to `cfile` should be dropped after calling this function.
2. Every control flow path would check and drop the reference to
`cfile`, except the patched one.
3. Existing callers would not handle refcount update of `cfile` if
-ENOMEM is returned.
To fix the bug, an extra goto label "out" is added, to make sure that the
cleanup logic would always be respected. As the problem is caused by the
allocation failure of `vars`, the cleanup logic between label "finished"
and "out" can be safely ignored. According to the definition of function
`is_replayable_error`, the error code of "-ENOMEM" is not recoverable.
Therefore, the replay logic also gets ignored.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a7d5c294628088781da9e91cbb034d61c3a71f71 , < 3fc11ff13fbc2749871d6ac2141685cf54699997
(git)
Affected: a7d5c294628088781da9e91cbb034d61c3a71f71 , < 4191ea1f0bb3e27d65c5dcde7bd00e709ec67141 (git) Affected: a7d5c294628088781da9e91cbb034d61c3a71f71 , < 4735f5991f51468b85affb8366b7067248457a71 (git) Affected: a7d5c294628088781da9e91cbb034d61c3a71f71 , < cc82c6dff548f0066a51a6e577c7454e7d26a968 (git) Affected: a7d5c294628088781da9e91cbb034d61c3a71f71 , < ab529e6ca1f67bcf31f3ea80c72bffde2e9e053e (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:41.406Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3fc11ff13fbc2749871d6ac2141685cf54699997",
"status": "affected",
"version": "a7d5c294628088781da9e91cbb034d61c3a71f71",
"versionType": "git"
},
{
"lessThan": "4191ea1f0bb3e27d65c5dcde7bd00e709ec67141",
"status": "affected",
"version": "a7d5c294628088781da9e91cbb034d61c3a71f71",
"versionType": "git"
},
{
"lessThan": "4735f5991f51468b85affb8366b7067248457a71",
"status": "affected",
"version": "a7d5c294628088781da9e91cbb034d61c3a71f71",
"versionType": "git"
},
{
"lessThan": "cc82c6dff548f0066a51a6e577c7454e7d26a968",
"status": "affected",
"version": "a7d5c294628088781da9e91cbb034d61c3a71f71",
"versionType": "git"
},
{
"lessThan": "ab529e6ca1f67bcf31f3ea80c72bffde2e9e053e",
"status": "affected",
"version": "a7d5c294628088781da9e91cbb034d61c3a71f71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/smb: Fix inconsistent refcnt update\n\nA possible inconsistent update of refcount was identified in `smb2_compound_op`.\nSuch inconsistent update could lead to possible resource leaks.\n\nWhy it is a possible bug:\n1. In the comment section of the function, it clearly states that the\nreference to `cfile` should be dropped after calling this function.\n2. Every control flow path would check and drop the reference to\n`cfile`, except the patched one.\n3. Existing callers would not handle refcount update of `cfile` if\n-ENOMEM is returned.\n\nTo fix the bug, an extra goto label \"out\" is added, to make sure that the\ncleanup logic would always be respected. As the problem is caused by the\nallocation failure of `vars`, the cleanup logic between label \"finished\"\nand \"out\" can be safely ignored. According to the definition of function\n`is_replayable_error`, the error code of \"-ENOMEM\" is not recoverable.\nTherefore, the replay logic also gets ignored."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:29.503Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3fc11ff13fbc2749871d6ac2141685cf54699997"
},
{
"url": "https://git.kernel.org/stable/c/4191ea1f0bb3e27d65c5dcde7bd00e709ec67141"
},
{
"url": "https://git.kernel.org/stable/c/4735f5991f51468b85affb8366b7067248457a71"
},
{
"url": "https://git.kernel.org/stable/c/cc82c6dff548f0066a51a6e577c7454e7d26a968"
},
{
"url": "https://git.kernel.org/stable/c/ab529e6ca1f67bcf31f3ea80c72bffde2e9e053e"
}
],
"title": "fs/smb: Fix inconsistent refcnt update",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39819",
"datePublished": "2025-09-16T13:00:19.320Z",
"dateReserved": "2025-04-16T07:20:57.139Z",
"dateUpdated": "2026-01-02T15:32:29.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68236 (GCVE-0-2025-68236)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:08 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
scsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3)
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3)
According to UFS specifications, the power-off sequence for a UFS device
includes:
- Sending an SSU command with Power_Condition=3 and await a response.
- Asserting RST_N low.
- Turning off REF_CLK.
- Turning off VCC.
- Turning off VCCQ/VCCQ2.
As part of ufs shutdown, after the SSU command completion, asserting
hardware reset (HWRST) triggers the device firmware to wake up and
execute its reset routine. This routine initializes hardware blocks and
takes a few milliseconds to complete. During this time, the ICCQ draws a
large current.
This large ICCQ current may cause issues for the regulator which is
supplying power to UFS, because the turn off request from UFS driver to
the regulator framework will be immediately followed by low power
mode(LPM) request by regulator framework. This is done by framework
because UFS which is the only client is requesting for disable. So if
the rail is still in the process of shutting down while ICCQ exceeds LPM
current thresholds, and LPM mode is activated in hardware during this
state, it may trigger an overcurrent protection (OCP) fault in the
regulator.
To prevent this, a 10ms delay is added after asserting HWRST. This
allows the reset operation to complete while power rails remain active
and in high-power mode.
Currently there is no way for Host to query whether the reset is
completed or not and hence this the delay is based on experiments with
Qualcomm UFS controllers across multiple UFS vendors.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ufs/host/ufs-qcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b712f234a74c1f5ce70b5d7aec3fc2499c258141",
"status": "affected",
"version": "b61d0414136853fc38898829cde837ce5d691a9a",
"versionType": "git"
},
{
"lessThan": "5127be409c6c3815c4a7d8f6d88043e44f9b9543",
"status": "affected",
"version": "b61d0414136853fc38898829cde837ce5d691a9a",
"versionType": "git"
},
{
"status": "affected",
"version": "82783759e88beee69b710806e45acbb2fc589801",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ufs/host/ufs-qcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.219",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3)\n\nAccording to UFS specifications, the power-off sequence for a UFS device\nincludes:\n\n - Sending an SSU command with Power_Condition=3 and await a response.\n\n - Asserting RST_N low.\n\n - Turning off REF_CLK.\n\n - Turning off VCC.\n\n - Turning off VCCQ/VCCQ2.\n\nAs part of ufs shutdown, after the SSU command completion, asserting\nhardware reset (HWRST) triggers the device firmware to wake up and\nexecute its reset routine. This routine initializes hardware blocks and\ntakes a few milliseconds to complete. During this time, the ICCQ draws a\nlarge current.\n\nThis large ICCQ current may cause issues for the regulator which is\nsupplying power to UFS, because the turn off request from UFS driver to\nthe regulator framework will be immediately followed by low power\nmode(LPM) request by regulator framework. This is done by framework\nbecause UFS which is the only client is requesting for disable. So if\nthe rail is still in the process of shutting down while ICCQ exceeds LPM\ncurrent thresholds, and LPM mode is activated in hardware during this\nstate, it may trigger an overcurrent protection (OCP) fault in the\nregulator.\n\nTo prevent this, a 10ms delay is added after asserting HWRST. This\nallows the reset operation to complete while power rails remain active\nand in high-power mode.\n\nCurrently there is no way for Host to query whether the reset is\ncompleted or not and hence this the delay is based on experiments with\nQualcomm UFS controllers across multiple UFS vendors."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:30.575Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b712f234a74c1f5ce70b5d7aec3fc2499c258141"
},
{
"url": "https://git.kernel.org/stable/c/5127be409c6c3815c4a7d8f6d88043e44f9b9543"
}
],
"title": "scsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3)",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68236",
"datePublished": "2025-12-16T14:08:30.224Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2026-01-02T15:34:30.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68799 (GCVE-0-2025-68799)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
caif: fix integer underflow in cffrml_receive()
Summary
In the Linux kernel, the following vulnerability has been resolved:
caif: fix integer underflow in cffrml_receive()
The cffrml_receive() function extracts a length field from the packet
header and, when FCS is disabled, subtracts 2 from this length without
validating that len >= 2.
If an attacker sends a malicious packet with a length field of 0 or 1
to an interface with FCS disabled, the subtraction causes an integer
underflow.
This can lead to memory exhaustion and kernel instability, potential
information disclosure if padding contains uninitialized kernel memory.
Fix this by validating that len >= 2 before performing the subtraction.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < f407f1c9f45bbf5c99fd80b3f3f4a94fdbe35691
(git)
Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < c54091eec6fed19e94182aa05dd6846600a642f7 (git) Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < 785c7be6361630070790f6235b696da156ac71b3 (git) Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < f818cd472565f8b0c2c409b040e0121c5cf8592c (git) Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < 4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3 (git) Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < 21fdcc00656a60af3c7aae2dea8dd96abd35519c (git) Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < 8a11ff0948b5ad09b71896b7ccc850625f9878d1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/caif/cffrml.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f407f1c9f45bbf5c99fd80b3f3f4a94fdbe35691",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "c54091eec6fed19e94182aa05dd6846600a642f7",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "785c7be6361630070790f6235b696da156ac71b3",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "f818cd472565f8b0c2c409b040e0121c5cf8592c",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "21fdcc00656a60af3c7aae2dea8dd96abd35519c",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "8a11ff0948b5ad09b71896b7ccc850625f9878d1",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/caif/cffrml.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncaif: fix integer underflow in cffrml_receive()\n\nThe cffrml_receive() function extracts a length field from the packet\nheader and, when FCS is disabled, subtracts 2 from this length without\nvalidating that len \u003e= 2.\n\nIf an attacker sends a malicious packet with a length field of 0 or 1\nto an interface with FCS disabled, the subtraction causes an integer\nunderflow.\n\nThis can lead to memory exhaustion and kernel instability, potential\ninformation disclosure if padding contains uninitialized kernel memory.\n\nFix this by validating that len \u003e= 2 before performing the subtraction."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:47.455Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f407f1c9f45bbf5c99fd80b3f3f4a94fdbe35691"
},
{
"url": "https://git.kernel.org/stable/c/c54091eec6fed19e94182aa05dd6846600a642f7"
},
{
"url": "https://git.kernel.org/stable/c/785c7be6361630070790f6235b696da156ac71b3"
},
{
"url": "https://git.kernel.org/stable/c/f818cd472565f8b0c2c409b040e0121c5cf8592c"
},
{
"url": "https://git.kernel.org/stable/c/4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3"
},
{
"url": "https://git.kernel.org/stable/c/21fdcc00656a60af3c7aae2dea8dd96abd35519c"
},
{
"url": "https://git.kernel.org/stable/c/8a11ff0948b5ad09b71896b7ccc850625f9878d1"
}
],
"title": "caif: fix integer underflow in cffrml_receive()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68799",
"datePublished": "2026-01-13T15:29:09.012Z",
"dateReserved": "2025-12-24T10:30:51.042Z",
"dateUpdated": "2026-02-09T08:33:47.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40323 (GCVE-0-2025-40323)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
fbcon: Set fb_display[i]->mode to NULL when the mode is released
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbcon: Set fb_display[i]->mode to NULL when the mode is released
Recently, we discovered the following issue through syzkaller:
BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0
Read of size 4 at addr ff11000001b3c69c by task syz.xxx
...
Call Trace:
<TASK>
dump_stack_lvl+0xab/0xe0
print_address_description.constprop.0+0x2c/0x390
print_report+0xb9/0x280
kasan_report+0xb8/0xf0
fb_mode_is_equal+0x285/0x2f0
fbcon_mode_deleted+0x129/0x180
fb_set_var+0xe7f/0x11d0
do_fb_ioctl+0x6a0/0x750
fb_ioctl+0xe0/0x140
__x64_sys_ioctl+0x193/0x210
do_syscall_64+0x5f/0x9c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Based on experimentation and analysis, during framebuffer unregistration,
only the memory of fb_info->modelist is freed, without setting the
corresponding fb_display[i]->mode to NULL for the freed modes. This leads
to UAF issues during subsequent accesses. Here's an example of reproduction
steps:
1. With /dev/fb0 already registered in the system, load a kernel module
to register a new device /dev/fb1;
2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP);
3. Switch console from fb to VGA (to allow normal rmmod of the ko);
4. Unload the kernel module, at this point fb1's modelist is freed, leaving
a wild pointer in fb_display[];
5. Trigger the bug via system calls through fb0 attempting to delete a mode
from fb0.
Add a check in do_unregister_framebuffer(): if the mode to be freed exists
in fb_display[], set the corresponding mode pointer to NULL.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 468f78276a37f4c6499385a4ce28f4f57be6655d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c079d42f70109512eee49123a843be91d8fa133f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < de89d19f4f30d9a8de87b9d08c1bd35cb70576d8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a1f3058930745d2b938b6b4f5bd9630dc74b26b7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbcon.c",
"drivers/video/fbdev/core/fbmem.c",
"include/linux/fbcon.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "468f78276a37f4c6499385a4ce28f4f57be6655d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c079d42f70109512eee49123a843be91d8fa133f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "de89d19f4f30d9a8de87b9d08c1bd35cb70576d8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a1f3058930745d2b938b6b4f5bd9630dc74b26b7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbcon.c",
"drivers/video/fbdev/core/fbmem.c",
"include/linux/fbcon.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: Set fb_display[i]-\u003emode to NULL when the mode is released\n\nRecently, we discovered the following issue through syzkaller:\n\nBUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0\nRead of size 4 at addr ff11000001b3c69c by task syz.xxx\n...\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xab/0xe0\n print_address_description.constprop.0+0x2c/0x390\n print_report+0xb9/0x280\n kasan_report+0xb8/0xf0\n fb_mode_is_equal+0x285/0x2f0\n fbcon_mode_deleted+0x129/0x180\n fb_set_var+0xe7f/0x11d0\n do_fb_ioctl+0x6a0/0x750\n fb_ioctl+0xe0/0x140\n __x64_sys_ioctl+0x193/0x210\n do_syscall_64+0x5f/0x9c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nBased on experimentation and analysis, during framebuffer unregistration,\nonly the memory of fb_info-\u003emodelist is freed, without setting the\ncorresponding fb_display[i]-\u003emode to NULL for the freed modes. This leads\nto UAF issues during subsequent accesses. Here\u0027s an example of reproduction\nsteps:\n1. With /dev/fb0 already registered in the system, load a kernel module\n to register a new device /dev/fb1;\n2. Set fb1\u0027s mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP);\n3. Switch console from fb to VGA (to allow normal rmmod of the ko);\n4. Unload the kernel module, at this point fb1\u0027s modelist is freed, leaving\n a wild pointer in fb_display[];\n5. Trigger the bug via system calls through fb0 attempting to delete a mode\n from fb0.\n\nAdd a check in do_unregister_framebuffer(): if the mode to be freed exists\nin fb_display[], set the corresponding mode pointer to NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:36.178Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb"
},
{
"url": "https://git.kernel.org/stable/c/468f78276a37f4c6499385a4ce28f4f57be6655d"
},
{
"url": "https://git.kernel.org/stable/c/c079d42f70109512eee49123a843be91d8fa133f"
},
{
"url": "https://git.kernel.org/stable/c/de89d19f4f30d9a8de87b9d08c1bd35cb70576d8"
},
{
"url": "https://git.kernel.org/stable/c/a1f3058930745d2b938b6b4f5bd9630dc74b26b7"
}
],
"title": "fbcon: Set fb_display[i]-\u003emode to NULL when the mode is released",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40323",
"datePublished": "2025-12-08T00:46:50.833Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-01-02T15:33:36.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40134 (GCVE-0-2025-40134)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
dm: fix NULL pointer dereference in __dm_suspend()
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: fix NULL pointer dereference in __dm_suspend()
There is a race condition between dm device suspend and table load that
can lead to null pointer dereference. The issue occurs when suspend is
invoked before table load completes:
BUG: kernel NULL pointer dereference, address: 0000000000000054
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50
Call Trace:
<TASK>
blk_mq_quiesce_queue+0x2c/0x50
dm_stop_queue+0xd/0x20
__dm_suspend+0x130/0x330
dm_suspend+0x11a/0x180
dev_suspend+0x27e/0x560
ctl_ioctl+0x4cf/0x850
dm_ctl_ioctl+0xd/0x20
vfs_ioctl+0x1d/0x50
__se_sys_ioctl+0x9b/0xc0
__x64_sys_ioctl+0x19/0x30
x64_sys_call+0x2c4a/0x4620
do_syscall_64+0x9e/0x1b0
The issue can be triggered as below:
T1 T2
dm_suspend table_load
__dm_suspend dm_setup_md_queue
dm_mq_init_request_queue
blk_mq_init_allocated_queue
=> q->mq_ops = set->ops; (1)
dm_stop_queue / dm_wait_for_completion
=> q->tag_set NULL pointer! (2)
=> q->tag_set = set; (3)
Fix this by checking if a valid table (map) exists before performing
request-based suspend and waiting for target I/O. When map is NULL,
skip these table-dependent suspend steps.
Even when map is NULL, no I/O can reach any target because there is
no table loaded; I/O submitted in this state will fail early in the
DM layer. Skipping the table-dependent suspend logic in this case
is safe and avoids NULL pointer dereferences.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c4576aed8d85d808cd6443bda58393d525207d01 , < 9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98
(git)
Affected: c4576aed8d85d808cd6443bda58393d525207d01 , < 30f95b7eda5966b81cb221bd569c0f095a068cf6 (git) Affected: c4576aed8d85d808cd6443bda58393d525207d01 , < a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c (git) Affected: c4576aed8d85d808cd6443bda58393d525207d01 , < a802901b75e13cc306f1b7ab0f062135c8034e9e (git) Affected: c4576aed8d85d808cd6443bda58393d525207d01 , < 846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe (git) Affected: c4576aed8d85d808cd6443bda58393d525207d01 , < 19ca4528666990be376ac3eb6fe667b03db5324d (git) Affected: c4576aed8d85d808cd6443bda58393d525207d01 , < 331c2dd8ca8bad1a3ac10cce847ffb76158eece4 (git) Affected: c4576aed8d85d808cd6443bda58393d525207d01 , < 8d33a030c566e1f105cd5bf27f37940b6367f3be (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "30f95b7eda5966b81cb221bd569c0f095a068cf6",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "a802901b75e13cc306f1b7ab0f062135c8034e9e",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "19ca4528666990be376ac3eb6fe667b03db5324d",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "331c2dd8ca8bad1a3ac10cce847ffb76158eece4",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "8d33a030c566e1f105cd5bf27f37940b6367f3be",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix NULL pointer dereference in __dm_suspend()\n\nThere is a race condition between dm device suspend and table load that\ncan lead to null pointer dereference. The issue occurs when suspend is\ninvoked before table load completes:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000054\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\nRIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50\nCall Trace:\n \u003cTASK\u003e\n blk_mq_quiesce_queue+0x2c/0x50\n dm_stop_queue+0xd/0x20\n __dm_suspend+0x130/0x330\n dm_suspend+0x11a/0x180\n dev_suspend+0x27e/0x560\n ctl_ioctl+0x4cf/0x850\n dm_ctl_ioctl+0xd/0x20\n vfs_ioctl+0x1d/0x50\n __se_sys_ioctl+0x9b/0xc0\n __x64_sys_ioctl+0x19/0x30\n x64_sys_call+0x2c4a/0x4620\n do_syscall_64+0x9e/0x1b0\n\nThe issue can be triggered as below:\n\nT1 \t\t\t\t\t\tT2\ndm_suspend\t\t\t\t\ttable_load\n__dm_suspend\t\t\t\t\tdm_setup_md_queue\n\t\t\t\t\t\tdm_mq_init_request_queue\n\t\t\t\t\t\tblk_mq_init_allocated_queue\n\t\t\t\t\t\t=\u003e q-\u003emq_ops = set-\u003eops; (1)\ndm_stop_queue / dm_wait_for_completion\n=\u003e q-\u003etag_set NULL pointer!\t(2)\n\t\t\t\t\t\t=\u003e q-\u003etag_set = set; (3)\n\nFix this by checking if a valid table (map) exists before performing\nrequest-based suspend and waiting for target I/O. When map is NULL,\nskip these table-dependent suspend steps.\n\nEven when map is NULL, no I/O can reach any target because there is\nno table loaded; I/O submitted in this state will fail early in the\nDM layer. Skipping the table-dependent suspend logic in this case\nis safe and avoids NULL pointer dereferences."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:40.912Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98"
},
{
"url": "https://git.kernel.org/stable/c/30f95b7eda5966b81cb221bd569c0f095a068cf6"
},
{
"url": "https://git.kernel.org/stable/c/a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c"
},
{
"url": "https://git.kernel.org/stable/c/a802901b75e13cc306f1b7ab0f062135c8034e9e"
},
{
"url": "https://git.kernel.org/stable/c/846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe"
},
{
"url": "https://git.kernel.org/stable/c/19ca4528666990be376ac3eb6fe667b03db5324d"
},
{
"url": "https://git.kernel.org/stable/c/331c2dd8ca8bad1a3ac10cce847ffb76158eece4"
},
{
"url": "https://git.kernel.org/stable/c/8d33a030c566e1f105cd5bf27f37940b6367f3be"
}
],
"title": "dm: fix NULL pointer dereference in __dm_suspend()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40134",
"datePublished": "2025-11-12T10:23:22.771Z",
"dateReserved": "2025-04-16T07:20:57.170Z",
"dateUpdated": "2025-12-01T06:18:40.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68756 (GCVE-0-2025-68756)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock
blk_mq_{add,del}_queue_tag_set() functions add and remove queues from
tagset, the functions make sure that tagset and queues are marked as
shared when two or more queues are attached to the same tagset.
Initially a tagset starts as unshared and when the number of added
queues reaches two, blk_mq_add_queue_tag_set() marks it as shared along
with all the queues attached to it. When the number of attached queues
drops to 1 blk_mq_del_queue_tag_set() need to mark both the tagset and
the remaining queues as unshared.
Both functions need to freeze current queues in tagset before setting on
unsetting BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions
hold set->tag_list_lock mutex, which makes sense as we do not want
queues to be added or deleted in the process. This used to work fine
until commit 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset")
made the nvme driver quiesce tagset instead of quiscing individual
queues. blk_mq_quiesce_tagset() does the job and quiesce the queues in
set->tag_list while holding set->tag_list_lock also.
This results in deadlock between two threads with these stacktraces:
__schedule+0x47c/0xbb0
? timerqueue_add+0x66/0xb0
schedule+0x1c/0xa0
schedule_preempt_disabled+0xa/0x10
__mutex_lock.constprop.0+0x271/0x600
blk_mq_quiesce_tagset+0x25/0xc0
nvme_dev_disable+0x9c/0x250
nvme_timeout+0x1fc/0x520
blk_mq_handle_expired+0x5c/0x90
bt_iter+0x7e/0x90
blk_mq_queue_tag_busy_iter+0x27e/0x550
? __blk_mq_complete_request_remote+0x10/0x10
? __blk_mq_complete_request_remote+0x10/0x10
? __call_rcu_common.constprop.0+0x1c0/0x210
blk_mq_timeout_work+0x12d/0x170
process_one_work+0x12e/0x2d0
worker_thread+0x288/0x3a0
? rescuer_thread+0x480/0x480
kthread+0xb8/0xe0
? kthread_park+0x80/0x80
ret_from_fork+0x2d/0x50
? kthread_park+0x80/0x80
ret_from_fork_asm+0x11/0x20
__schedule+0x47c/0xbb0
? xas_find+0x161/0x1a0
schedule+0x1c/0xa0
blk_mq_freeze_queue_wait+0x3d/0x70
? destroy_sched_domains_rcu+0x30/0x30
blk_mq_update_tag_set_shared+0x44/0x80
blk_mq_exit_queue+0x141/0x150
del_gendisk+0x25a/0x2d0
nvme_ns_remove+0xc9/0x170
nvme_remove_namespaces+0xc7/0x100
nvme_remove+0x62/0x150
pci_device_remove+0x23/0x60
device_release_driver_internal+0x159/0x200
unbind_store+0x99/0xa0
kernfs_fop_write_iter+0x112/0x1e0
vfs_write+0x2b1/0x3d0
ksys_write+0x4e/0xb0
do_syscall_64+0x5b/0x160
entry_SYSCALL_64_after_hwframe+0x4b/0x53
The top stacktrace is showing nvme_timeout() called to handle nvme
command timeout. timeout handler is trying to disable the controller and
as a first step, it needs to blk_mq_quiesce_tagset() to tell blk-mq not
to call queue callback handlers. The thread is stuck waiting for
set->tag_list_lock as it tries to walk the queues in set->tag_list.
The lock is held by the second thread in the bottom stack which is
waiting for one of queues to be frozen. The queue usage counter will
drop to zero after nvme_timeout() finishes, and this will not happen
because the thread will wait for this mutex forever.
Given that [un]quiescing queue is an operation that does not need to
sleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking
set->tag_list_lock, update blk_mq_{add,del}_queue_tag_set() to use RCU
safe list operations. Also, delete INIT_LIST_HEAD(&q->tag_set_list)
in blk_mq_del_queue_tag_set() because we can not re-initialize it while
the list is being traversed under RCU. The deleted queue will not be
added/deleted to/from a tagset and it will be freed in blk_free_queue()
after the end of RCU grace period.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
98d81f0df70ce6fc48517d938026e3c684b9051a , < ca8764c0ea1fb825f17f19704af55e9e02c9f768
(git)
Affected: 98d81f0df70ce6fc48517d938026e3c684b9051a , < 3baeec23a82e7ee9691f434c6ab0ab1387326108 (git) Affected: 98d81f0df70ce6fc48517d938026e3c684b9051a , < 6e8d363786765a81e35083e0909e076796468edf (git) Affected: 98d81f0df70ce6fc48517d938026e3c684b9051a , < ef0cd7b694928573f6569e61c14f5f059253162e (git) Affected: 98d81f0df70ce6fc48517d938026e3c684b9051a , < 59e25ef2b413c72da6686d431e7759302cfccafa (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca8764c0ea1fb825f17f19704af55e9e02c9f768",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
},
{
"lessThan": "3baeec23a82e7ee9691f434c6ab0ab1387326108",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
},
{
"lessThan": "6e8d363786765a81e35083e0909e076796468edf",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
},
{
"lessThan": "ef0cd7b694928573f6569e61c14f5f059253162e",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
},
{
"lessThan": "59e25ef2b413c72da6686d431e7759302cfccafa",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Use RCU in blk_mq_[un]quiesce_tagset() instead of set-\u003etag_list_lock\n\nblk_mq_{add,del}_queue_tag_set() functions add and remove queues from\ntagset, the functions make sure that tagset and queues are marked as\nshared when two or more queues are attached to the same tagset.\nInitially a tagset starts as unshared and when the number of added\nqueues reaches two, blk_mq_add_queue_tag_set() marks it as shared along\nwith all the queues attached to it. When the number of attached queues\ndrops to 1 blk_mq_del_queue_tag_set() need to mark both the tagset and\nthe remaining queues as unshared.\n\nBoth functions need to freeze current queues in tagset before setting on\nunsetting BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions\nhold set-\u003etag_list_lock mutex, which makes sense as we do not want\nqueues to be added or deleted in the process. This used to work fine\nuntil commit 98d81f0df70c (\"nvme: use blk_mq_[un]quiesce_tagset\")\nmade the nvme driver quiesce tagset instead of quiscing individual\nqueues. blk_mq_quiesce_tagset() does the job and quiesce the queues in\nset-\u003etag_list while holding set-\u003etag_list_lock also.\n\nThis results in deadlock between two threads with these stacktraces:\n\n __schedule+0x47c/0xbb0\n ? timerqueue_add+0x66/0xb0\n schedule+0x1c/0xa0\n schedule_preempt_disabled+0xa/0x10\n __mutex_lock.constprop.0+0x271/0x600\n blk_mq_quiesce_tagset+0x25/0xc0\n nvme_dev_disable+0x9c/0x250\n nvme_timeout+0x1fc/0x520\n blk_mq_handle_expired+0x5c/0x90\n bt_iter+0x7e/0x90\n blk_mq_queue_tag_busy_iter+0x27e/0x550\n ? __blk_mq_complete_request_remote+0x10/0x10\n ? __blk_mq_complete_request_remote+0x10/0x10\n ? __call_rcu_common.constprop.0+0x1c0/0x210\n blk_mq_timeout_work+0x12d/0x170\n process_one_work+0x12e/0x2d0\n worker_thread+0x288/0x3a0\n ? rescuer_thread+0x480/0x480\n kthread+0xb8/0xe0\n ? kthread_park+0x80/0x80\n ret_from_fork+0x2d/0x50\n ? kthread_park+0x80/0x80\n ret_from_fork_asm+0x11/0x20\n\n __schedule+0x47c/0xbb0\n ? xas_find+0x161/0x1a0\n schedule+0x1c/0xa0\n blk_mq_freeze_queue_wait+0x3d/0x70\n ? destroy_sched_domains_rcu+0x30/0x30\n blk_mq_update_tag_set_shared+0x44/0x80\n blk_mq_exit_queue+0x141/0x150\n del_gendisk+0x25a/0x2d0\n nvme_ns_remove+0xc9/0x170\n nvme_remove_namespaces+0xc7/0x100\n nvme_remove+0x62/0x150\n pci_device_remove+0x23/0x60\n device_release_driver_internal+0x159/0x200\n unbind_store+0x99/0xa0\n kernfs_fop_write_iter+0x112/0x1e0\n vfs_write+0x2b1/0x3d0\n ksys_write+0x4e/0xb0\n do_syscall_64+0x5b/0x160\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nThe top stacktrace is showing nvme_timeout() called to handle nvme\ncommand timeout. timeout handler is trying to disable the controller and\nas a first step, it needs to blk_mq_quiesce_tagset() to tell blk-mq not\nto call queue callback handlers. The thread is stuck waiting for\nset-\u003etag_list_lock as it tries to walk the queues in set-\u003etag_list.\n\nThe lock is held by the second thread in the bottom stack which is\nwaiting for one of queues to be frozen. The queue usage counter will\ndrop to zero after nvme_timeout() finishes, and this will not happen\nbecause the thread will wait for this mutex forever.\n\nGiven that [un]quiescing queue is an operation that does not need to\nsleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking\nset-\u003etag_list_lock, update blk_mq_{add,del}_queue_tag_set() to use RCU\nsafe list operations. Also, delete INIT_LIST_HEAD(\u0026q-\u003etag_set_list)\nin blk_mq_del_queue_tag_set() because we can not re-initialize it while\nthe list is being traversed under RCU. The deleted queue will not be\nadded/deleted to/from a tagset and it will be freed in blk_free_queue()\nafter the end of RCU grace period."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:00.580Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca8764c0ea1fb825f17f19704af55e9e02c9f768"
},
{
"url": "https://git.kernel.org/stable/c/3baeec23a82e7ee9691f434c6ab0ab1387326108"
},
{
"url": "https://git.kernel.org/stable/c/6e8d363786765a81e35083e0909e076796468edf"
},
{
"url": "https://git.kernel.org/stable/c/ef0cd7b694928573f6569e61c14f5f059253162e"
},
{
"url": "https://git.kernel.org/stable/c/59e25ef2b413c72da6686d431e7759302cfccafa"
}
],
"title": "block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set-\u003etag_list_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68756",
"datePublished": "2026-01-05T09:32:29.824Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-02-09T08:33:00.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68238 (GCVE-0-2025-68238)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:08 – Updated: 2025-12-16 14:08
VLAI?
EPSS
Title
mtd: rawnand: cadence: fix DMA device NULL pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: cadence: fix DMA device NULL pointer dereference
The DMA device pointer `dma_dev` was being dereferenced before ensuring
that `cdns_ctrl->dmac` is properly initialized.
Move the assignment of `dma_dev` after successfully acquiring the DMA
channel to ensure the pointer is valid before use.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0cae7c285f4771a9927ef592899234d307aea5d4 , < 2178b0255eae108bb10e5e99658b28641bc06f43
(git)
Affected: 099a316518508be7c57de4134ef919b2dea948ce , < 9c58c64ec41290c12490ca7e1df45013fbbb41fd (git) Affected: e630d32162a8aab92d4aaebae0a8d93039257593 , < e282a4fdf3c6ee842a720010a8b5f7d77bedd126 (git) Affected: ad9393467fbd788ac2b8a01e492e45ab1b68a1b1 , < b146e0b085d9d6bfe838e0a15481cba7d093c67f (git) Affected: 0ce5416863965ddd86e066484a306867cf1e01a8 , < 0c635241a62f2f5da1b48bfffae226d1f86a76ef (git) Affected: d76d22b5096c5b05208fd982b153b3f182350b19 , < 0c2a43cb43786011b48eeab6093db14888258c6b (git) Affected: d76d22b5096c5b05208fd982b153b3f182350b19 , < 5c56bf214af85ca042bf97f8584aab2151035840 (git) Affected: a33c7492dcdf804b705b6c21018a481414d48038 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/cadence-nand-controller.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2178b0255eae108bb10e5e99658b28641bc06f43",
"status": "affected",
"version": "0cae7c285f4771a9927ef592899234d307aea5d4",
"versionType": "git"
},
{
"lessThan": "9c58c64ec41290c12490ca7e1df45013fbbb41fd",
"status": "affected",
"version": "099a316518508be7c57de4134ef919b2dea948ce",
"versionType": "git"
},
{
"lessThan": "e282a4fdf3c6ee842a720010a8b5f7d77bedd126",
"status": "affected",
"version": "e630d32162a8aab92d4aaebae0a8d93039257593",
"versionType": "git"
},
{
"lessThan": "b146e0b085d9d6bfe838e0a15481cba7d093c67f",
"status": "affected",
"version": "ad9393467fbd788ac2b8a01e492e45ab1b68a1b1",
"versionType": "git"
},
{
"lessThan": "0c635241a62f2f5da1b48bfffae226d1f86a76ef",
"status": "affected",
"version": "0ce5416863965ddd86e066484a306867cf1e01a8",
"versionType": "git"
},
{
"lessThan": "0c2a43cb43786011b48eeab6093db14888258c6b",
"status": "affected",
"version": "d76d22b5096c5b05208fd982b153b3f182350b19",
"versionType": "git"
},
{
"lessThan": "5c56bf214af85ca042bf97f8584aab2151035840",
"status": "affected",
"version": "d76d22b5096c5b05208fd982b153b3f182350b19",
"versionType": "git"
},
{
"status": "affected",
"version": "a33c7492dcdf804b705b6c21018a481414d48038",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/cadence-nand-controller.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.130",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.6.80",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.12.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: cadence: fix DMA device NULL pointer dereference\n\nThe DMA device pointer `dma_dev` was being dereferenced before ensuring\nthat `cdns_ctrl-\u003edmac` is properly initialized.\n\nMove the assignment of `dma_dev` after successfully acquiring the DMA\nchannel to ensure the pointer is valid before use."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:08:31.672Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2178b0255eae108bb10e5e99658b28641bc06f43"
},
{
"url": "https://git.kernel.org/stable/c/9c58c64ec41290c12490ca7e1df45013fbbb41fd"
},
{
"url": "https://git.kernel.org/stable/c/e282a4fdf3c6ee842a720010a8b5f7d77bedd126"
},
{
"url": "https://git.kernel.org/stable/c/b146e0b085d9d6bfe838e0a15481cba7d093c67f"
},
{
"url": "https://git.kernel.org/stable/c/0c635241a62f2f5da1b48bfffae226d1f86a76ef"
},
{
"url": "https://git.kernel.org/stable/c/0c2a43cb43786011b48eeab6093db14888258c6b"
},
{
"url": "https://git.kernel.org/stable/c/5c56bf214af85ca042bf97f8584aab2151035840"
}
],
"title": "mtd: rawnand: cadence: fix DMA device NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68238",
"datePublished": "2025-12-16T14:08:31.672Z",
"dateReserved": "2025-12-16T13:41:40.263Z",
"dateUpdated": "2025-12-16T14:08:31.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68345 (GCVE-0-2025-68345)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()
The acpi_get_first_physical_node() function can return NULL, in which
case the get_device() function also returns NULL, but this value is
then dereferenced without checking,so add a check to prevent a crash.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7b2f3eb492dac7665c75df067e4d8e4869589f4a , < e63f9c81ca28b06eeeac3630faddc50717897351
(git)
Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < 7a35a505d76a4b6cd426b59ff2d800d0394cc5d3 (git) Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < e6ba921b17797ccc545d80e0dbccb5fab91c248c (git) Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < c28946b7409b7b68fb0481ec738c8b04578b11c6 (git) Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < 343fa9800cf9870ec681e21f0a6f2157b74ae520 (git) Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < c34b04cc6178f33c08331568c7fd25c5b9a39f66 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/hda/codecs/side-codecs/cs35l41_hda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e63f9c81ca28b06eeeac3630faddc50717897351",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "7a35a505d76a4b6cd426b59ff2d800d0394cc5d3",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "e6ba921b17797ccc545d80e0dbccb5fab91c248c",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "c28946b7409b7b68fb0481ec738c8b04578b11c6",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "343fa9800cf9870ec681e21f0a6f2157b74ae520",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "c34b04cc6178f33c08331568c7fd25c5b9a39f66",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/hda/codecs/side-codecs/cs35l41_hda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()\n\nThe acpi_get_first_physical_node() function can return NULL, in which\ncase the get_device() function also returns NULL, but this value is\nthen dereferenced without checking,so add a check to prevent a crash.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:34.000Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e63f9c81ca28b06eeeac3630faddc50717897351"
},
{
"url": "https://git.kernel.org/stable/c/7a35a505d76a4b6cd426b59ff2d800d0394cc5d3"
},
{
"url": "https://git.kernel.org/stable/c/e6ba921b17797ccc545d80e0dbccb5fab91c248c"
},
{
"url": "https://git.kernel.org/stable/c/c28946b7409b7b68fb0481ec738c8b04578b11c6"
},
{
"url": "https://git.kernel.org/stable/c/343fa9800cf9870ec681e21f0a6f2157b74ae520"
},
{
"url": "https://git.kernel.org/stable/c/c34b04cc6178f33c08331568c7fd25c5b9a39f66"
}
],
"title": "ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68345",
"datePublished": "2025-12-24T10:32:38.378Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-02-09T08:31:34.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40301 (GCVE-0-2025-40301)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
Bluetooth: hci_event: validate skb length for unknown CC opcode
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: validate skb length for unknown CC opcode
In hci_cmd_complete_evt(), if the command complete event has an unknown
opcode, we assume the first byte of the remaining skb->data contains the
return status. However, parameter data has previously been pulled in
hci_event_func(), which may leave the skb empty. If so, using skb->data[0]
for the return status uses un-init memory.
The fix is to check skb->len before using skb->data.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
afcb3369f46ed5dc883a7b92f2dd1e264d79d388 , < fea895de78d3bb2f0c09db9f10b18f8121b15759
(git)
Affected: afcb3369f46ed5dc883a7b92f2dd1e264d79d388 , < 779f83a91d4f1bf5ddfeaf528420cbb6dbf03fa8 (git) Affected: afcb3369f46ed5dc883a7b92f2dd1e264d79d388 , < cf2c2acec1cf456c3d11c11a7589e886a0f963a9 (git) Affected: afcb3369f46ed5dc883a7b92f2dd1e264d79d388 , < 1a0ddaaf97405dbd11d4cb5a961a3f82400e8a50 (git) Affected: afcb3369f46ed5dc883a7b92f2dd1e264d79d388 , < 5c5f1f64681cc889d9b13e4a61285e9e029d6ab5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fea895de78d3bb2f0c09db9f10b18f8121b15759",
"status": "affected",
"version": "afcb3369f46ed5dc883a7b92f2dd1e264d79d388",
"versionType": "git"
},
{
"lessThan": "779f83a91d4f1bf5ddfeaf528420cbb6dbf03fa8",
"status": "affected",
"version": "afcb3369f46ed5dc883a7b92f2dd1e264d79d388",
"versionType": "git"
},
{
"lessThan": "cf2c2acec1cf456c3d11c11a7589e886a0f963a9",
"status": "affected",
"version": "afcb3369f46ed5dc883a7b92f2dd1e264d79d388",
"versionType": "git"
},
{
"lessThan": "1a0ddaaf97405dbd11d4cb5a961a3f82400e8a50",
"status": "affected",
"version": "afcb3369f46ed5dc883a7b92f2dd1e264d79d388",
"versionType": "git"
},
{
"lessThan": "5c5f1f64681cc889d9b13e4a61285e9e029d6ab5",
"status": "affected",
"version": "afcb3369f46ed5dc883a7b92f2dd1e264d79d388",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: validate skb length for unknown CC opcode\n\nIn hci_cmd_complete_evt(), if the command complete event has an unknown\nopcode, we assume the first byte of the remaining skb-\u003edata contains the\nreturn status. However, parameter data has previously been pulled in\nhci_event_func(), which may leave the skb empty. If so, using skb-\u003edata[0]\nfor the return status uses un-init memory.\n\nThe fix is to check skb-\u003elen before using skb-\u003edata."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:24.863Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fea895de78d3bb2f0c09db9f10b18f8121b15759"
},
{
"url": "https://git.kernel.org/stable/c/779f83a91d4f1bf5ddfeaf528420cbb6dbf03fa8"
},
{
"url": "https://git.kernel.org/stable/c/cf2c2acec1cf456c3d11c11a7589e886a0f963a9"
},
{
"url": "https://git.kernel.org/stable/c/1a0ddaaf97405dbd11d4cb5a961a3f82400e8a50"
},
{
"url": "https://git.kernel.org/stable/c/5c5f1f64681cc889d9b13e4a61285e9e029d6ab5"
}
],
"title": "Bluetooth: hci_event: validate skb length for unknown CC opcode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40301",
"datePublished": "2025-12-08T00:46:24.863Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-08T00:46:24.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71068 (GCVE-0-2025-71068)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
svcrdma: bound check rq_pages index in inline path
Summary
In the Linux kernel, the following vulnerability has been resolved:
svcrdma: bound check rq_pages index in inline path
svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without
verifying rc_curpage stays within the allocated page array. Add guards
before the first use and after advancing to a new page.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d7cc73972661be4a02a1b09f1d9b3283c6c05154 , < a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9
(git)
Affected: d7cc73972661be4a02a1b09f1d9b3283c6c05154 , < 7ba826aae1d43212f3baa53a2175ad949e21926e (git) Affected: d7cc73972661be4a02a1b09f1d9b3283c6c05154 , < 5f140b525180c628db8fa6c897f138194a2de417 (git) Affected: d7cc73972661be4a02a1b09f1d9b3283c6c05154 , < da1ccfc4c452541584a4eae89e337cfa21be6d5a (git) Affected: d7cc73972661be4a02a1b09f1d9b3283c6c05154 , < d1bea0ce35b6095544ee82bb54156fc62c067e58 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/svc_rdma_rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
},
{
"lessThan": "7ba826aae1d43212f3baa53a2175ad949e21926e",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
},
{
"lessThan": "5f140b525180c628db8fa6c897f138194a2de417",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
},
{
"lessThan": "da1ccfc4c452541584a4eae89e337cfa21be6d5a",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
},
{
"lessThan": "d1bea0ce35b6095544ee82bb54156fc62c067e58",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/svc_rdma_rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsvcrdma: bound check rq_pages index in inline path\n\nsvc_rdma_copy_inline_range indexed rqstp-\u003erq_pages[rc_curpage] without\nverifying rc_curpage stays within the allocated page array. Add guards\nbefore the first use and after advancing to a new page."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:18.772Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9"
},
{
"url": "https://git.kernel.org/stable/c/7ba826aae1d43212f3baa53a2175ad949e21926e"
},
{
"url": "https://git.kernel.org/stable/c/5f140b525180c628db8fa6c897f138194a2de417"
},
{
"url": "https://git.kernel.org/stable/c/da1ccfc4c452541584a4eae89e337cfa21be6d5a"
},
{
"url": "https://git.kernel.org/stable/c/d1bea0ce35b6095544ee82bb54156fc62c067e58"
}
],
"title": "svcrdma: bound check rq_pages index in inline path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71068",
"datePublished": "2026-01-13T15:31:23.283Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-02-09T08:34:18.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68320 (GCVE-0-2025-68320)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:44 – Updated: 2025-12-16 15:44
VLAI?
EPSS
Title
lan966x: Fix sleeping in atomic context
Summary
In the Linux kernel, the following vulnerability has been resolved:
lan966x: Fix sleeping in atomic context
The following warning was seen when we try to connect using ssh to the device.
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear
preempt_count: 1, expected: 0
INFO: lockdep is turned off.
CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G W 6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE
Tainted: [W]=WARN
Hardware name: Generic DT based system
Call trace:
unwind_backtrace from show_stack+0x10/0x14
show_stack from dump_stack_lvl+0x7c/0xac
dump_stack_lvl from __might_resched+0x16c/0x2b0
__might_resched from __mutex_lock+0x64/0xd34
__mutex_lock from mutex_lock_nested+0x1c/0x24
mutex_lock_nested from lan966x_stats_get+0x5c/0x558
lan966x_stats_get from dev_get_stats+0x40/0x43c
dev_get_stats from dev_seq_printf_stats+0x3c/0x184
dev_seq_printf_stats from dev_seq_show+0x10/0x30
dev_seq_show from seq_read_iter+0x350/0x4ec
seq_read_iter from seq_read+0xfc/0x194
seq_read from proc_reg_read+0xac/0x100
proc_reg_read from vfs_read+0xb0/0x2b0
vfs_read from ksys_read+0x6c/0xec
ksys_read from ret_fast_syscall+0x0/0x1c
Exception stack(0xf0b11fa8 to 0xf0b11ff0)
1fa0: 00000001 00001000 00000008 be9048d8 00001000 00000001
1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001
1fe0: 0005404c be9048c0 00018684 b6ec2cd8
It seems that we are using a mutex in a atomic context which is wrong.
Change the mutex with a spinlock.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007 , < 5a5d2f7727752b64d13263eacd9f8d08a322e662
(git)
Affected: 12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007 , < c8ab03aa5bd9fd8bfe5d9552d8605826759fdd4d (git) Affected: 12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007 , < 3ac743c60ec502163c435712d527eeced8d83348 (git) Affected: 12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007 , < 0216721ce71252f60d89af49c8dff613358058d3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c",
"drivers/net/ethernet/microchip/lan966x/lan966x_main.c",
"drivers/net/ethernet/microchip/lan966x/lan966x_main.h",
"drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a5d2f7727752b64d13263eacd9f8d08a322e662",
"status": "affected",
"version": "12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007",
"versionType": "git"
},
{
"lessThan": "c8ab03aa5bd9fd8bfe5d9552d8605826759fdd4d",
"status": "affected",
"version": "12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007",
"versionType": "git"
},
{
"lessThan": "3ac743c60ec502163c435712d527eeced8d83348",
"status": "affected",
"version": "12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007",
"versionType": "git"
},
{
"lessThan": "0216721ce71252f60d89af49c8dff613358058d3",
"status": "affected",
"version": "12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c",
"drivers/net/ethernet/microchip/lan966x/lan966x_main.c",
"drivers/net/ethernet/microchip/lan966x/lan966x_main.h",
"drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlan966x: Fix sleeping in atomic context\n\nThe following warning was seen when we try to connect using ssh to the device.\n\nBUG: sleeping function called from invalid context at kernel/locking/mutex.c:575\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear\npreempt_count: 1, expected: 0\nINFO: lockdep is turned off.\nCPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G W 6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE\nTainted: [W]=WARN\nHardware name: Generic DT based system\nCall trace:\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x7c/0xac\n dump_stack_lvl from __might_resched+0x16c/0x2b0\n __might_resched from __mutex_lock+0x64/0xd34\n __mutex_lock from mutex_lock_nested+0x1c/0x24\n mutex_lock_nested from lan966x_stats_get+0x5c/0x558\n lan966x_stats_get from dev_get_stats+0x40/0x43c\n dev_get_stats from dev_seq_printf_stats+0x3c/0x184\n dev_seq_printf_stats from dev_seq_show+0x10/0x30\n dev_seq_show from seq_read_iter+0x350/0x4ec\n seq_read_iter from seq_read+0xfc/0x194\n seq_read from proc_reg_read+0xac/0x100\n proc_reg_read from vfs_read+0xb0/0x2b0\n vfs_read from ksys_read+0x6c/0xec\n ksys_read from ret_fast_syscall+0x0/0x1c\nException stack(0xf0b11fa8 to 0xf0b11ff0)\n1fa0: 00000001 00001000 00000008 be9048d8 00001000 00000001\n1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001\n1fe0: 0005404c be9048c0 00018684 b6ec2cd8\n\nIt seems that we are using a mutex in a atomic context which is wrong.\nChange the mutex with a spinlock."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:44:18.217Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a5d2f7727752b64d13263eacd9f8d08a322e662"
},
{
"url": "https://git.kernel.org/stable/c/c8ab03aa5bd9fd8bfe5d9552d8605826759fdd4d"
},
{
"url": "https://git.kernel.org/stable/c/3ac743c60ec502163c435712d527eeced8d83348"
},
{
"url": "https://git.kernel.org/stable/c/0216721ce71252f60d89af49c8dff613358058d3"
}
],
"title": "lan966x: Fix sleeping in atomic context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68320",
"datePublished": "2025-12-16T15:44:18.217Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-16T15:44:18.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40165 (GCVE-0-2025-40165)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:26 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
media: nxp: imx8-isi: m2m: Fix streaming cleanup on release
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: nxp: imx8-isi: m2m: Fix streaming cleanup on release
If streamon/streamoff calls are imbalanced, such as when exiting an
application with Ctrl+C when streaming, the m2m usage_count will never
reach zero and the ISI channel won't be freed. Besides from that, if the
input line width is more than 2K, it will trigger a WARN_ON():
[ 59.222120] ------------[ cut here ]------------
[ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654
[ 59.238569] Modules linked in: ap1302
[ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT
[ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT)
[ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120
[ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120
[ 59.275047] sp : ffff8000848c3b40
[ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00
[ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001
[ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780
[ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000
[ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c
[ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
[ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30
[ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420
[ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000
[ 59.349590] Call trace:
[ 59.352025] mxc_isi_channel_chain+0xa4/0x120 (P)
[ 59.356722] mxc_isi_m2m_streamon+0x160/0x20c
[ 59.361072] v4l_streamon+0x24/0x30
[ 59.364556] __video_do_ioctl+0x40c/0x4a0
[ 59.368560] video_usercopy+0x2bc/0x690
[ 59.372382] video_ioctl2+0x18/0x24
[ 59.375857] v4l2_ioctl+0x40/0x60
[ 59.379168] __arm64_sys_ioctl+0xac/0x104
[ 59.383172] invoke_syscall+0x48/0x104
[ 59.386916] el0_svc_common.constprop.0+0xc0/0xe0
[ 59.391613] do_el0_svc+0x1c/0x28
[ 59.394915] el0_svc+0x34/0xf4
[ 59.397966] el0t_64_sync_handler+0xa0/0xe4
[ 59.402143] el0t_64_sync+0x198/0x19c
[ 59.405801] ---[ end trace 0000000000000000 ]---
Address this issue by moving the streaming preparation and cleanup to
the vb2 .prepare_streaming() and .unprepare_streaming() operations. This
also simplifies the driver by allowing direct usage of the
v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cf21f328fcafacf4f96e7a30ef9dceede1076378 , < 50c721be2cff2bf8c9a5f1f4add35c2bbb1df302
(git)
Affected: cf21f328fcafacf4f96e7a30ef9dceede1076378 , < e8b5f4d80775835cf8192d65138e9be1ff202847 (git) Affected: cf21f328fcafacf4f96e7a30ef9dceede1076378 , < b0d438c7b43314f9128e0dda5f83789e593e684a (git) Affected: cf21f328fcafacf4f96e7a30ef9dceede1076378 , < 178aa3360220231dd91e7dbc2eb984525886c9c1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "50c721be2cff2bf8c9a5f1f4add35c2bbb1df302",
"status": "affected",
"version": "cf21f328fcafacf4f96e7a30ef9dceede1076378",
"versionType": "git"
},
{
"lessThan": "e8b5f4d80775835cf8192d65138e9be1ff202847",
"status": "affected",
"version": "cf21f328fcafacf4f96e7a30ef9dceede1076378",
"versionType": "git"
},
{
"lessThan": "b0d438c7b43314f9128e0dda5f83789e593e684a",
"status": "affected",
"version": "cf21f328fcafacf4f96e7a30ef9dceede1076378",
"versionType": "git"
},
{
"lessThan": "178aa3360220231dd91e7dbc2eb984525886c9c1",
"status": "affected",
"version": "cf21f328fcafacf4f96e7a30ef9dceede1076378",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: nxp: imx8-isi: m2m: Fix streaming cleanup on release\n\nIf streamon/streamoff calls are imbalanced, such as when exiting an\napplication with Ctrl+C when streaming, the m2m usage_count will never\nreach zero and the ISI channel won\u0027t be freed. Besides from that, if the\ninput line width is more than 2K, it will trigger a WARN_ON():\n\n[ 59.222120] ------------[ cut here ]------------\n[ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654\n[ 59.238569] Modules linked in: ap1302\n[ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT\n[ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT)\n[ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120\n[ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120\n[ 59.275047] sp : ffff8000848c3b40\n[ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00\n[ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001\n[ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780\n[ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000\n[ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c\n[ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n[ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30\n[ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420\n[ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000\n[ 59.349590] Call trace:\n[ 59.352025] mxc_isi_channel_chain+0xa4/0x120 (P)\n[ 59.356722] mxc_isi_m2m_streamon+0x160/0x20c\n[ 59.361072] v4l_streamon+0x24/0x30\n[ 59.364556] __video_do_ioctl+0x40c/0x4a0\n[ 59.368560] video_usercopy+0x2bc/0x690\n[ 59.372382] video_ioctl2+0x18/0x24\n[ 59.375857] v4l2_ioctl+0x40/0x60\n[ 59.379168] __arm64_sys_ioctl+0xac/0x104\n[ 59.383172] invoke_syscall+0x48/0x104\n[ 59.386916] el0_svc_common.constprop.0+0xc0/0xe0\n[ 59.391613] do_el0_svc+0x1c/0x28\n[ 59.394915] el0_svc+0x34/0xf4\n[ 59.397966] el0t_64_sync_handler+0xa0/0xe4\n[ 59.402143] el0t_64_sync+0x198/0x19c\n[ 59.405801] ---[ end trace 0000000000000000 ]---\n\nAddress this issue by moving the streaming preparation and cleanup to\nthe vb2 .prepare_streaming() and .unprepare_streaming() operations. This\nalso simplifies the driver by allowing direct usage of the\nv4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:18.430Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/50c721be2cff2bf8c9a5f1f4add35c2bbb1df302"
},
{
"url": "https://git.kernel.org/stable/c/e8b5f4d80775835cf8192d65138e9be1ff202847"
},
{
"url": "https://git.kernel.org/stable/c/b0d438c7b43314f9128e0dda5f83789e593e684a"
},
{
"url": "https://git.kernel.org/stable/c/178aa3360220231dd91e7dbc2eb984525886c9c1"
}
],
"title": "media: nxp: imx8-isi: m2m: Fix streaming cleanup on release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40165",
"datePublished": "2025-11-12T10:26:23.806Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:18.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68820 (GCVE-0-2025-68820)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
ext4: xattr: fix null pointer deref in ext4_raw_inode()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: xattr: fix null pointer deref in ext4_raw_inode()
If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED),
iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all()
lacks error checking, this will lead to a null pointer dereference
in ext4_raw_inode(), called right after ext4_get_inode_loc().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3 , < b72a3476f0c97d02f63a6e9fff127348d55436f6
(git)
Affected: f737418b6de31c962c7192777ee4018906975383 , < 3d8d22e75f7edfa0b30ff27330fd6a1285d594c3 (git) Affected: cf9291a3449b04688b81e32621e88de8f4314b54 , < 190ad0f22ba49f1101182b80e3af50ca2ddfe72f (git) Affected: 362a90cecd36e8a5c415966d0b75b04a0270e4dd , < b5d942922182e82724b7152cb998f540132885ec (git) Affected: eb59cc31b6ea076021d14b04e7faab1636b87d0e , < 5b154e901fda2e98570b8f426a481f5740097dc2 (git) Affected: c8e008b60492cf6fd31ef127aea6d02fd3d314cd , < ce5f54c065a4a7cbb92787f4f140917112350142 (git) Affected: c8e008b60492cf6fd31ef127aea6d02fd3d314cd , < b97cb7d6a051aa6ebd57906df0e26e9e36c26d14 (git) Affected: 6aff941cb0f7d0c897c3698ad2e30672709135e3 (git) Affected: 3bc6317033f365ce578eb6039445fb66162722fd (git) Affected: 836e625b03a666cf93ff5be328c8cb30336db872 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b72a3476f0c97d02f63a6e9fff127348d55436f6",
"status": "affected",
"version": "76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3",
"versionType": "git"
},
{
"lessThan": "3d8d22e75f7edfa0b30ff27330fd6a1285d594c3",
"status": "affected",
"version": "f737418b6de31c962c7192777ee4018906975383",
"versionType": "git"
},
{
"lessThan": "190ad0f22ba49f1101182b80e3af50ca2ddfe72f",
"status": "affected",
"version": "cf9291a3449b04688b81e32621e88de8f4314b54",
"versionType": "git"
},
{
"lessThan": "b5d942922182e82724b7152cb998f540132885ec",
"status": "affected",
"version": "362a90cecd36e8a5c415966d0b75b04a0270e4dd",
"versionType": "git"
},
{
"lessThan": "5b154e901fda2e98570b8f426a481f5740097dc2",
"status": "affected",
"version": "eb59cc31b6ea076021d14b04e7faab1636b87d0e",
"versionType": "git"
},
{
"lessThan": "ce5f54c065a4a7cbb92787f4f140917112350142",
"status": "affected",
"version": "c8e008b60492cf6fd31ef127aea6d02fd3d314cd",
"versionType": "git"
},
{
"lessThan": "b97cb7d6a051aa6ebd57906df0e26e9e36c26d14",
"status": "affected",
"version": "c8e008b60492cf6fd31ef127aea6d02fd3d314cd",
"versionType": "git"
},
{
"status": "affected",
"version": "6aff941cb0f7d0c897c3698ad2e30672709135e3",
"versionType": "git"
},
{
"status": "affected",
"version": "3bc6317033f365ce578eb6039445fb66162722fd",
"versionType": "git"
},
{
"status": "affected",
"version": "836e625b03a666cf93ff5be328c8cb30336db872",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: xattr: fix null pointer deref in ext4_raw_inode()\n\nIf ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED),\niloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all()\nlacks error checking, this will lead to a null pointer dereference\nin ext4_raw_inode(), called right after ext4_get_inode_loc().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:10.331Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b72a3476f0c97d02f63a6e9fff127348d55436f6"
},
{
"url": "https://git.kernel.org/stable/c/3d8d22e75f7edfa0b30ff27330fd6a1285d594c3"
},
{
"url": "https://git.kernel.org/stable/c/190ad0f22ba49f1101182b80e3af50ca2ddfe72f"
},
{
"url": "https://git.kernel.org/stable/c/b5d942922182e82724b7152cb998f540132885ec"
},
{
"url": "https://git.kernel.org/stable/c/5b154e901fda2e98570b8f426a481f5740097dc2"
},
{
"url": "https://git.kernel.org/stable/c/ce5f54c065a4a7cbb92787f4f140917112350142"
},
{
"url": "https://git.kernel.org/stable/c/b97cb7d6a051aa6ebd57906df0e26e9e36c26d14"
}
],
"title": "ext4: xattr: fix null pointer deref in ext4_raw_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68820",
"datePublished": "2026-01-13T15:29:23.351Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-02-09T08:34:10.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71094 (GCVE-0-2025-71094)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
net: usb: asix: validate PHY address before use
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: asix: validate PHY address before use
The ASIX driver reads the PHY address from the USB device via
asix_read_phy_addr(). A malicious or faulty device can return an
invalid address (>= PHY_MAX_ADDR), which causes a warning in
mdiobus_get_phy():
addr 207 out of range
WARNING: drivers/net/phy/mdio_bus.c:76
Validate the PHY address in asix_read_phy_addr() and remove the
now-redundant check in ax88172a.c.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7e88b11a862afe59ee0c365123ea5fb96a26cb3b , < fc96018f09f8d30586ca6582c5045a84eafef146
(git)
Affected: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b , < f5f4f30f3811d37e1aa48667c36add74e5a8d99f (git) Affected: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b , < 38722e69ee64dbb020028c93898d25d6f4c0e0b2 (git) Affected: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b , < 98a12c2547a44a5f03f35c108d2022cc652cbc4d (git) Affected: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b , < bf8a0f3b787ca7c5889bfca12c60c483041fbee3 (git) Affected: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b , < a1e077a3f76eea0dc671ed6792e7d543946227e8 (git) Affected: 4e4f3cb41d687bd64cd03358862b23c84d82329e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_common.c",
"drivers/net/usb/ax88172a.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc96018f09f8d30586ca6582c5045a84eafef146",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "f5f4f30f3811d37e1aa48667c36add74e5a8d99f",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "38722e69ee64dbb020028c93898d25d6f4c0e0b2",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "98a12c2547a44a5f03f35c108d2022cc652cbc4d",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "bf8a0f3b787ca7c5889bfca12c60c483041fbee3",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "a1e077a3f76eea0dc671ed6792e7d543946227e8",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"status": "affected",
"version": "4e4f3cb41d687bd64cd03358862b23c84d82329e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_common.c",
"drivers/net/usb/ax88172a.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix: validate PHY address before use\n\nThe ASIX driver reads the PHY address from the USB device via\nasix_read_phy_addr(). A malicious or faulty device can return an\ninvalid address (\u003e= PHY_MAX_ADDR), which causes a warning in\nmdiobus_get_phy():\n\n addr 207 out of range\n WARNING: drivers/net/phy/mdio_bus.c:76\n\nValidate the PHY address in asix_read_phy_addr() and remove the\nnow-redundant check in ax88172a.c."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:46.736Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc96018f09f8d30586ca6582c5045a84eafef146"
},
{
"url": "https://git.kernel.org/stable/c/f5f4f30f3811d37e1aa48667c36add74e5a8d99f"
},
{
"url": "https://git.kernel.org/stable/c/38722e69ee64dbb020028c93898d25d6f4c0e0b2"
},
{
"url": "https://git.kernel.org/stable/c/98a12c2547a44a5f03f35c108d2022cc652cbc4d"
},
{
"url": "https://git.kernel.org/stable/c/bf8a0f3b787ca7c5889bfca12c60c483041fbee3"
},
{
"url": "https://git.kernel.org/stable/c/a1e077a3f76eea0dc671ed6792e7d543946227e8"
}
],
"title": "net: usb: asix: validate PHY address before use",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71094",
"datePublished": "2026-01-13T15:34:54.669Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-02-09T08:34:46.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68321 (GCVE-0-2025-68321)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:44 – Updated: 2026-01-02 15:35
VLAI?
EPSS
Title
page_pool: always add GFP_NOWARN for ATOMIC allocations
Summary
In the Linux kernel, the following vulnerability has been resolved:
page_pool: always add GFP_NOWARN for ATOMIC allocations
Driver authors often forget to add GFP_NOWARN for page allocation
from the datapath. This is annoying to users as OOMs are a fact
of life, and we pretty much expect network Rx to hit page allocation
failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations
by default.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < 0ec2cd5c58793d0c622797cd5fbe26634b357210
(git)
Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < 9835a0fd59a1df5ec0740fdab6d50db68e0f10de (git) Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < 7613c06ffa89c1e2266fb532e23ef7dfdf269d73 (git) Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < 3671a0775952026228ae44e096eb144bca75f8dc (git) Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < ab48dc0e23eb714b3f233f8e8f6deed7df2051f5 (git) Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < f3b52167a0cb23b27414452fbc1278da2ee884fc (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/page_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0ec2cd5c58793d0c622797cd5fbe26634b357210",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "9835a0fd59a1df5ec0740fdab6d50db68e0f10de",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "7613c06ffa89c1e2266fb532e23ef7dfdf269d73",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "3671a0775952026228ae44e096eb144bca75f8dc",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "ab48dc0e23eb714b3f233f8e8f6deed7df2051f5",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "f3b52167a0cb23b27414452fbc1278da2ee884fc",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/page_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: always add GFP_NOWARN for ATOMIC allocations\n\nDriver authors often forget to add GFP_NOWARN for page allocation\nfrom the datapath. This is annoying to users as OOMs are a fact\nof life, and we pretty much expect network Rx to hit page allocation\nfailures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations\nby default."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:35:06.285Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0ec2cd5c58793d0c622797cd5fbe26634b357210"
},
{
"url": "https://git.kernel.org/stable/c/9835a0fd59a1df5ec0740fdab6d50db68e0f10de"
},
{
"url": "https://git.kernel.org/stable/c/7613c06ffa89c1e2266fb532e23ef7dfdf269d73"
},
{
"url": "https://git.kernel.org/stable/c/3671a0775952026228ae44e096eb144bca75f8dc"
},
{
"url": "https://git.kernel.org/stable/c/ab48dc0e23eb714b3f233f8e8f6deed7df2051f5"
},
{
"url": "https://git.kernel.org/stable/c/f3b52167a0cb23b27414452fbc1278da2ee884fc"
}
],
"title": "page_pool: always add GFP_NOWARN for ATOMIC allocations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68321",
"datePublished": "2025-12-16T15:44:19.066Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2026-01-02T15:35:06.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40099 (GCVE-0-2025-40099)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:48 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
cifs: parse_dfs_referrals: prevent oob on malformed input
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: parse_dfs_referrals: prevent oob on malformed input
Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS
- reply smaller than sizeof(struct get_dfs_referral_rsp)
- reply with number of referrals smaller than NumberOfReferrals in the
header
Processing of such replies will cause oob.
Return -EINVAL error on such replies to prevent oob-s.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4ecce920e13ace16a5ba45efe8909946c28fb2ad , < cfacc7441f760e4a73cc71b6ff1635261d534657
(git)
Affected: 4ecce920e13ace16a5ba45efe8909946c28fb2ad , < 15c73964da9df994302f579ed14ee5fdbce7a332 (git) Affected: 4ecce920e13ace16a5ba45efe8909946c28fb2ad , < 8bc4a8d39bac23d8b044fd3e2dbfd965f1d9b058 (git) Affected: 4ecce920e13ace16a5ba45efe8909946c28fb2ad , < bb0f2e66e1ac043a5b238f5bcab4f26f3c317039 (git) Affected: 4ecce920e13ace16a5ba45efe8909946c28fb2ad , < 6447b0e355562a1ff748c4a2ffb89aae7e84d2c9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cfacc7441f760e4a73cc71b6ff1635261d534657",
"status": "affected",
"version": "4ecce920e13ace16a5ba45efe8909946c28fb2ad",
"versionType": "git"
},
{
"lessThan": "15c73964da9df994302f579ed14ee5fdbce7a332",
"status": "affected",
"version": "4ecce920e13ace16a5ba45efe8909946c28fb2ad",
"versionType": "git"
},
{
"lessThan": "8bc4a8d39bac23d8b044fd3e2dbfd965f1d9b058",
"status": "affected",
"version": "4ecce920e13ace16a5ba45efe8909946c28fb2ad",
"versionType": "git"
},
{
"lessThan": "bb0f2e66e1ac043a5b238f5bcab4f26f3c317039",
"status": "affected",
"version": "4ecce920e13ace16a5ba45efe8909946c28fb2ad",
"versionType": "git"
},
{
"lessThan": "6447b0e355562a1ff748c4a2ffb89aae7e84d2c9",
"status": "affected",
"version": "4ecce920e13ace16a5ba45efe8909946c28fb2ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: parse_dfs_referrals: prevent oob on malformed input\n\nMalicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS\n\n- reply smaller than sizeof(struct get_dfs_referral_rsp)\n- reply with number of referrals smaller than NumberOfReferrals in the\nheader\n\nProcessing of such replies will cause oob.\n\nReturn -EINVAL error on such replies to prevent oob-s."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:01.046Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cfacc7441f760e4a73cc71b6ff1635261d534657"
},
{
"url": "https://git.kernel.org/stable/c/15c73964da9df994302f579ed14ee5fdbce7a332"
},
{
"url": "https://git.kernel.org/stable/c/8bc4a8d39bac23d8b044fd3e2dbfd965f1d9b058"
},
{
"url": "https://git.kernel.org/stable/c/bb0f2e66e1ac043a5b238f5bcab4f26f3c317039"
},
{
"url": "https://git.kernel.org/stable/c/6447b0e355562a1ff748c4a2ffb89aae7e84d2c9"
}
],
"title": "cifs: parse_dfs_referrals: prevent oob on malformed input",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40099",
"datePublished": "2025-10-30T09:48:05.859Z",
"dateReserved": "2025-04-16T07:20:57.164Z",
"dateUpdated": "2026-01-02T15:33:01.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39943 (GCVE-0-2025-39943)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:31 – Updated: 2025-10-04 07:37
VLAI?
EPSS
Title
ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer
If data_offset and data_length of smb_direct_data_transfer struct are
invalid, out of bounds issue could happen.
This patch validate data_offset and data_length field in recv_done.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2ea086e35c3d726a3bacd0a971c1f02a50e98206 , < 773fddf976d282ef059c36c575ddb81567acd6bc
(git)
Affected: 2ea086e35c3d726a3bacd0a971c1f02a50e98206 , < bdaab5c6538e250a9654127e688ecbbeb6f771d5 (git) Affected: 2ea086e35c3d726a3bacd0a971c1f02a50e98206 , < eb0378dde086363046ed3d7db7f126fc3f76fd70 (git) Affected: 2ea086e35c3d726a3bacd0a971c1f02a50e98206 , < 8be498fcbd5b07272f560b45981d4b9e5a2ad885 (git) Affected: 2ea086e35c3d726a3bacd0a971c1f02a50e98206 , < 529b121b00a6ee3c88fb3c01b443b2b81f686d48 (git) Affected: 2ea086e35c3d726a3bacd0a971c1f02a50e98206 , < 5282491fc49d5614ac6ddcd012e5743eecb6a67c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "773fddf976d282ef059c36c575ddb81567acd6bc",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
},
{
"lessThan": "bdaab5c6538e250a9654127e688ecbbeb6f771d5",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
},
{
"lessThan": "eb0378dde086363046ed3d7db7f126fc3f76fd70",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
},
{
"lessThan": "8be498fcbd5b07272f560b45981d4b9e5a2ad885",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
},
{
"lessThan": "529b121b00a6ee3c88fb3c01b443b2b81f686d48",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
},
{
"lessThan": "5282491fc49d5614ac6ddcd012e5743eecb6a67c",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer\n\nIf data_offset and data_length of smb_direct_data_transfer struct are\ninvalid, out of bounds issue could happen.\nThis patch validate data_offset and data_length field in recv_done."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:03.203Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/773fddf976d282ef059c36c575ddb81567acd6bc"
},
{
"url": "https://git.kernel.org/stable/c/bdaab5c6538e250a9654127e688ecbbeb6f771d5"
},
{
"url": "https://git.kernel.org/stable/c/eb0378dde086363046ed3d7db7f126fc3f76fd70"
},
{
"url": "https://git.kernel.org/stable/c/8be498fcbd5b07272f560b45981d4b9e5a2ad885"
},
{
"url": "https://git.kernel.org/stable/c/529b121b00a6ee3c88fb3c01b443b2b81f686d48"
},
{
"url": "https://git.kernel.org/stable/c/5282491fc49d5614ac6ddcd012e5743eecb6a67c"
}
],
"title": "ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39943",
"datePublished": "2025-10-04T07:31:05.581Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:37:03.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40173 (GCVE-0-2025-40173)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:53 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
net/ip6_tunnel: Prevent perpetual tunnel growth
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/ip6_tunnel: Prevent perpetual tunnel growth
Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too.
While ipv4 tunnel headroom adjustment growth was limited in
commit 5ae1e9922bbd ("net: ip_tunnel: prevent perpetual headroom growth"),
ipv6 tunnel yet increases the headroom without any ceiling.
Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.
Credits to Francesco Ruggeri, who was originally debugging this issue
and wrote local Arista-specific patch and a reproducer.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8eb30be0352d09165e94a41fef1c7b994dca0714 , < 566f8d5c8a443f2dd69c5460fdec43ed1c870c65
(git)
Affected: 8eb30be0352d09165e94a41fef1c7b994dca0714 , < 11f6066af3bfb8149aa16c42c0b0c5ea5b199a94 (git) Affected: 8eb30be0352d09165e94a41fef1c7b994dca0714 , < 402b6985e872b4cf394bbbf33b503947a326a6cb (git) Affected: 8eb30be0352d09165e94a41fef1c7b994dca0714 , < 10fe967efe73c610e526ff7460581610633dee9c (git) Affected: 8eb30be0352d09165e94a41fef1c7b994dca0714 , < 48294a67863c9cfa367abb66bbf0ef6548ae124f (git) Affected: 8eb30be0352d09165e94a41fef1c7b994dca0714 , < eeb4345488672584db4f8c20a1ae13a212ce31c4 (git) Affected: 8eb30be0352d09165e94a41fef1c7b994dca0714 , < b6eb25d870f1a8ae571fd3da2244b71df547824b (git) Affected: 8eb30be0352d09165e94a41fef1c7b994dca0714 , < 21f4d45eba0b2dcae5dbc9e5e0ad08735c993f16 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/ip_tunnels.h",
"net/ipv4/ip_tunnel.c",
"net/ipv6/ip6_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "566f8d5c8a443f2dd69c5460fdec43ed1c870c65",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "11f6066af3bfb8149aa16c42c0b0c5ea5b199a94",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "402b6985e872b4cf394bbbf33b503947a326a6cb",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "10fe967efe73c610e526ff7460581610633dee9c",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "48294a67863c9cfa367abb66bbf0ef6548ae124f",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "eeb4345488672584db4f8c20a1ae13a212ce31c4",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "b6eb25d870f1a8ae571fd3da2244b71df547824b",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "21f4d45eba0b2dcae5dbc9e5e0ad08735c993f16",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/ip_tunnels.h",
"net/ipv4/ip_tunnel.c",
"net/ipv6/ip6_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ip6_tunnel: Prevent perpetual tunnel growth\n\nSimilarly to ipv4 tunnel, ipv6 version updates dev-\u003eneeded_headroom, too.\nWhile ipv4 tunnel headroom adjustment growth was limited in\ncommit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"),\nipv6 tunnel yet increases the headroom without any ceiling.\n\nReflect ipv4 tunnel headroom adjustment limit on ipv6 version.\n\nCredits to Francesco Ruggeri, who was originally debugging this issue\nand wrote local Arista-specific patch and a reproducer."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:28.364Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/566f8d5c8a443f2dd69c5460fdec43ed1c870c65"
},
{
"url": "https://git.kernel.org/stable/c/11f6066af3bfb8149aa16c42c0b0c5ea5b199a94"
},
{
"url": "https://git.kernel.org/stable/c/402b6985e872b4cf394bbbf33b503947a326a6cb"
},
{
"url": "https://git.kernel.org/stable/c/10fe967efe73c610e526ff7460581610633dee9c"
},
{
"url": "https://git.kernel.org/stable/c/48294a67863c9cfa367abb66bbf0ef6548ae124f"
},
{
"url": "https://git.kernel.org/stable/c/eeb4345488672584db4f8c20a1ae13a212ce31c4"
},
{
"url": "https://git.kernel.org/stable/c/b6eb25d870f1a8ae571fd3da2244b71df547824b"
},
{
"url": "https://git.kernel.org/stable/c/21f4d45eba0b2dcae5dbc9e5e0ad08735c993f16"
}
],
"title": "net/ip6_tunnel: Prevent perpetual tunnel growth",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40173",
"datePublished": "2025-11-12T10:53:49.571Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:28.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40179 (GCVE-0-2025-40179)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
ext4: verify orphan file size is not too big
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: verify orphan file size is not too big
In principle orphan file can be arbitrarily large. However orphan replay
needs to traverse it all and we also pin all its buffers in memory. Thus
filesystems with absurdly large orphan files can lead to big amounts of
memory consumed. Limit orphan file size to a sane value and also use
kvmalloc() for allocating array of block descriptor structures to avoid
large order allocations for sane but large orphan files.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < 95a21611b14ae0a401720645245a8db16f040995
(git)
Affected: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < 566a1d6084563bd07433025aa23bcea4427de107 (git) Affected: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < 304fc34ff6fc8261138fd81f119e024ac3a129e9 (git) Affected: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < a2d803fab8a6c6a874277cb80156dc114db91921 (git) Affected: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < 2b9da798ff0f4d026c5f0f815047393ebe7d8859 (git) Affected: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < 0a6ce20c156442a4ce2a404747bb0fb05d54eeb3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/orphan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95a21611b14ae0a401720645245a8db16f040995",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
},
{
"lessThan": "566a1d6084563bd07433025aa23bcea4427de107",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
},
{
"lessThan": "304fc34ff6fc8261138fd81f119e024ac3a129e9",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
},
{
"lessThan": "a2d803fab8a6c6a874277cb80156dc114db91921",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
},
{
"lessThan": "2b9da798ff0f4d026c5f0f815047393ebe7d8859",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
},
{
"lessThan": "0a6ce20c156442a4ce2a404747bb0fb05d54eeb3",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/orphan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: verify orphan file size is not too big\n\nIn principle orphan file can be arbitrarily large. However orphan replay\nneeds to traverse it all and we also pin all its buffers in memory. Thus\nfilesystems with absurdly large orphan files can lead to big amounts of\nmemory consumed. Limit orphan file size to a sane value and also use\nkvmalloc() for allocating array of block descriptor structures to avoid\nlarge order allocations for sane but large orphan files."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:35.872Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95a21611b14ae0a401720645245a8db16f040995"
},
{
"url": "https://git.kernel.org/stable/c/566a1d6084563bd07433025aa23bcea4427de107"
},
{
"url": "https://git.kernel.org/stable/c/304fc34ff6fc8261138fd81f119e024ac3a129e9"
},
{
"url": "https://git.kernel.org/stable/c/a2d803fab8a6c6a874277cb80156dc114db91921"
},
{
"url": "https://git.kernel.org/stable/c/2b9da798ff0f4d026c5f0f815047393ebe7d8859"
},
{
"url": "https://git.kernel.org/stable/c/0a6ce20c156442a4ce2a404747bb0fb05d54eeb3"
}
],
"title": "ext4: verify orphan file size is not too big",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40179",
"datePublished": "2025-11-12T21:56:24.882Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:35.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39851 (GCVE-0-2025-39851)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2026-01-14 19:23
VLAI?
EPSS
Title
vxlan: Fix NPD when refreshing an FDB entry with a nexthop object
Summary
In the Linux kernel, the following vulnerability has been resolved:
vxlan: Fix NPD when refreshing an FDB entry with a nexthop object
VXLAN FDB entries can point to either a remote destination or an FDB
nexthop group. The latter is usually used in EVPN deployments where
learning is disabled.
However, when learning is enabled, an incoming packet might try to
refresh an FDB entry that points to an FDB nexthop group and therefore
does not have a remote. Such packets should be dropped, but they are
only dropped after dereferencing the non-existent remote, resulting in a
NPD [1] which can be reproduced using [2].
Fix by dropping such packets earlier. Remove the misleading comment from
first_remote_rcu().
[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
CPU: 13 UID: 0 PID: 361 Comm: mausezahn Not tainted 6.17.0-rc1-virtme-g9f6b606b6b37 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
RIP: 0010:vxlan_snoop+0x98/0x1e0
[...]
Call Trace:
<TASK>
vxlan_encap_bypass+0x209/0x240
encap_bypass_if_local+0xb1/0x100
vxlan_xmit_one+0x1375/0x17e0
vxlan_xmit+0x6b4/0x15f0
dev_hard_start_xmit+0x5d/0x1c0
__dev_queue_xmit+0x246/0xfd0
packet_sendmsg+0x113a/0x1850
__sock_sendmsg+0x38/0x70
__sys_sendto+0x126/0x180
__x64_sys_sendto+0x24/0x30
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[2]
#!/bin/bash
ip address add 192.0.2.1/32 dev lo
ip address add 192.0.2.2/32 dev lo
ip nexthop add id 1 via 192.0.2.3 fdb
ip nexthop add id 10 group 1 fdb
ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 12345 localbypass
ip link add name vx1 up type vxlan id 10020 local 192.0.2.2 dstport 54321 learning
bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 192.0.2.2 port 54321 vni 10020
bridge fdb add 00:aa:bb:cc:dd:ee dev vx1 self static nhid 10
mausezahn vx0 -a 00:aa:bb:cc:dd:ee -b 00:11:22:33:44:55 -c 1 -q
Severity ?
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1274e1cc42264d4e629841e4f182795cb0becfd2 , < 4ff4f3104da6507e0f118c63c4560dfdeb59dce3
(git)
Affected: 1274e1cc42264d4e629841e4f182795cb0becfd2 , < 0e8630f24c14d9c655d19eabe2e52a9e9f713307 (git) Affected: 1274e1cc42264d4e629841e4f182795cb0becfd2 , < 6ead38147ebb813f08be6ea8ef547a0e4c09559a (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39851",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:21:10.346641Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:23:12.460Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c",
"drivers/net/vxlan/vxlan_private.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ff4f3104da6507e0f118c63c4560dfdeb59dce3",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "0e8630f24c14d9c655d19eabe2e52a9e9f713307",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "6ead38147ebb813f08be6ea8ef547a0e4c09559a",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c",
"drivers/net/vxlan/vxlan_private.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Fix NPD when refreshing an FDB entry with a nexthop object\n\nVXLAN FDB entries can point to either a remote destination or an FDB\nnexthop group. The latter is usually used in EVPN deployments where\nlearning is disabled.\n\nHowever, when learning is enabled, an incoming packet might try to\nrefresh an FDB entry that points to an FDB nexthop group and therefore\ndoes not have a remote. Such packets should be dropped, but they are\nonly dropped after dereferencing the non-existent remote, resulting in a\nNPD [1] which can be reproduced using [2].\n\nFix by dropping such packets earlier. Remove the misleading comment from\nfirst_remote_rcu().\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nCPU: 13 UID: 0 PID: 361 Comm: mausezahn Not tainted 6.17.0-rc1-virtme-g9f6b606b6b37 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014\nRIP: 0010:vxlan_snoop+0x98/0x1e0\n[...]\nCall Trace:\n \u003cTASK\u003e\n vxlan_encap_bypass+0x209/0x240\n encap_bypass_if_local+0xb1/0x100\n vxlan_xmit_one+0x1375/0x17e0\n vxlan_xmit+0x6b4/0x15f0\n dev_hard_start_xmit+0x5d/0x1c0\n __dev_queue_xmit+0x246/0xfd0\n packet_sendmsg+0x113a/0x1850\n __sock_sendmsg+0x38/0x70\n __sys_sendto+0x126/0x180\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[2]\n #!/bin/bash\n\n ip address add 192.0.2.1/32 dev lo\n ip address add 192.0.2.2/32 dev lo\n\n ip nexthop add id 1 via 192.0.2.3 fdb\n ip nexthop add id 10 group 1 fdb\n\n ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 12345 localbypass\n ip link add name vx1 up type vxlan id 10020 local 192.0.2.2 dstport 54321 learning\n\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 192.0.2.2 port 54321 vni 10020\n bridge fdb add 00:aa:bb:cc:dd:ee dev vx1 self static nhid 10\n\n mausezahn vx0 -a 00:aa:bb:cc:dd:ee -b 00:11:22:33:44:55 -c 1 -q"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:03.191Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ff4f3104da6507e0f118c63c4560dfdeb59dce3"
},
{
"url": "https://git.kernel.org/stable/c/0e8630f24c14d9c655d19eabe2e52a9e9f713307"
},
{
"url": "https://git.kernel.org/stable/c/6ead38147ebb813f08be6ea8ef547a0e4c09559a"
}
],
"title": "vxlan: Fix NPD when refreshing an FDB entry with a nexthop object",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39851",
"datePublished": "2025-09-19T15:26:23.576Z",
"dateReserved": "2025-04-16T07:20:57.142Z",
"dateUpdated": "2026-01-14T19:23:12.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39998 (GCVE-0-2025-39998)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:58 – Updated: 2026-01-02 15:32
VLAI?
EPSS
Title
scsi: target: target_core_configfs: Add length check to avoid buffer overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: target_core_configfs: Add length check to avoid buffer overflow
A buffer overflow arises from the usage of snprintf to write into the
buffer "buf" in target_lu_gp_members_show function located in
/drivers/target/target_core_configfs.c. This buffer is allocated with
size LU_GROUP_NAME_BUF (256 bytes).
snprintf(...) formats multiple strings into buf with the HBA name
(hba->hba_group.cg_item), a slash character, a devicename (dev->
dev_group.cg_item) and a newline character, the total formatted string
length may exceed the buffer size of 256 bytes.
Since snprintf() returns the total number of bytes that would have been
written (the length of %s/%sn ), this value may exceed the buffer length
(256 bytes) passed to memcpy(), this will ultimately cause function
memcpy reporting a buffer overflow error.
An additional check of the return value of snprintf() can avoid this
buffer overflow.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 , < e6eeee5dc0d9221ff96d1b229b1d0222c8871b84
(git)
Affected: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 , < 764a91e2fc9639e07aac93bc70e387e6b1e33084 (git) Affected: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 , < ddc79fba132b807ff775467acceaf48b456e008b (git) Affected: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 , < e73fe0eefac3e15bf88fb5b4afae4c76215ee4d4 (git) Affected: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 , < f03aa5e39da7d045615b3951d2a6ca1d7132f881 (git) Affected: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 , < 53c6351597e6a17ec6619f6f060d54128cb9a187 (git) Affected: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 , < 4b292286949588bd2818e66ff102db278de8dd26 (git) Affected: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 , < a150275831b765b0f1de8b8ff52ec5c6933ac15d (git) Affected: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 , < 27e06650a5eafe832a90fd2604f0c5e920857fae (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_configfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e6eeee5dc0d9221ff96d1b229b1d0222c8871b84",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
},
{
"lessThan": "764a91e2fc9639e07aac93bc70e387e6b1e33084",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
},
{
"lessThan": "ddc79fba132b807ff775467acceaf48b456e008b",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
},
{
"lessThan": "e73fe0eefac3e15bf88fb5b4afae4c76215ee4d4",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
},
{
"lessThan": "f03aa5e39da7d045615b3951d2a6ca1d7132f881",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
},
{
"lessThan": "53c6351597e6a17ec6619f6f060d54128cb9a187",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
},
{
"lessThan": "4b292286949588bd2818e66ff102db278de8dd26",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
},
{
"lessThan": "a150275831b765b0f1de8b8ff52ec5c6933ac15d",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
},
{
"lessThan": "27e06650a5eafe832a90fd2604f0c5e920857fae",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_configfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.110",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: target_core_configfs: Add length check to avoid buffer overflow\n\nA buffer overflow arises from the usage of snprintf to write into the\nbuffer \"buf\" in target_lu_gp_members_show function located in\n/drivers/target/target_core_configfs.c. This buffer is allocated with\nsize LU_GROUP_NAME_BUF (256 bytes).\n\nsnprintf(...) formats multiple strings into buf with the HBA name\n(hba-\u003ehba_group.cg_item), a slash character, a devicename (dev-\u003e\ndev_group.cg_item) and a newline character, the total formatted string\nlength may exceed the buffer size of 256 bytes.\n\nSince snprintf() returns the total number of bytes that would have been\nwritten (the length of %s/%sn ), this value may exceed the buffer length\n(256 bytes) passed to memcpy(), this will ultimately cause function\nmemcpy reporting a buffer overflow error.\n\nAn additional check of the return value of snprintf() can avoid this\nbuffer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:48.667Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e6eeee5dc0d9221ff96d1b229b1d0222c8871b84"
},
{
"url": "https://git.kernel.org/stable/c/764a91e2fc9639e07aac93bc70e387e6b1e33084"
},
{
"url": "https://git.kernel.org/stable/c/ddc79fba132b807ff775467acceaf48b456e008b"
},
{
"url": "https://git.kernel.org/stable/c/e73fe0eefac3e15bf88fb5b4afae4c76215ee4d4"
},
{
"url": "https://git.kernel.org/stable/c/f03aa5e39da7d045615b3951d2a6ca1d7132f881"
},
{
"url": "https://git.kernel.org/stable/c/53c6351597e6a17ec6619f6f060d54128cb9a187"
},
{
"url": "https://git.kernel.org/stable/c/4b292286949588bd2818e66ff102db278de8dd26"
},
{
"url": "https://git.kernel.org/stable/c/a150275831b765b0f1de8b8ff52ec5c6933ac15d"
},
{
"url": "https://git.kernel.org/stable/c/27e06650a5eafe832a90fd2604f0c5e920857fae"
}
],
"title": "scsi: target: target_core_configfs: Add length check to avoid buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39998",
"datePublished": "2025-10-15T07:58:22.354Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2026-01-02T15:32:48.667Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68264 (GCVE-0-2025-68264)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
ext4: refresh inline data size before write operations
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: refresh inline data size before write operations
The cached ei->i_inline_size can become stale between the initial size
check and when ext4_update_inline_data()/ext4_create_inline_data() use
it. Although ext4_get_max_inline_size() reads the correct value at the
time of the check, concurrent xattr operations can modify i_inline_size
before ext4_write_lock_xattr() is acquired.
This causes ext4_update_inline_data() and ext4_create_inline_data() to
work with stale capacity values, leading to a BUG_ON() crash in
ext4_write_inline_data():
kernel BUG at fs/ext4/inline.c:1331!
BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
The race window:
1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)
2. Size check passes for 50-byte write
3. [Another thread adds xattr, i_inline_size changes to 40]
4. ext4_write_lock_xattr() acquires lock
5. ext4_update_inline_data() uses stale i_inline_size = 60
6. Attempts to write 50 bytes but only 40 bytes actually available
7. BUG_ON() triggers
Fix this by recalculating i_inline_size via ext4_find_inline_data_nolock()
immediately after acquiring xattr_sem. This ensures ext4_update_inline_data()
and ext4_create_inline_data() work with current values that are protected
from concurrent modifications.
This is similar to commit a54c4613dac1 ("ext4: fix race writing to an
inline_data file while its xattrs are changing") which fixed i_inline_off
staleness. This patch addresses the related i_inline_size staleness issue.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
67cf5b09a46f72e048501b84996f2f77bc42e947 , < 54ab81ae5f218452e64470cd8a8139bb5880fe2b
(git)
Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 43bf001f0fe4e59bba47c897505222f959f4a1cc (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 89c2c41f0974e530b2d032c3695095aa0559adb1 (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 1687a055a555347b002f406676a1aaae4668f242 (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < ca43ea29b4c4d2764aec8a26cffcfb677a871e6e (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 58df743faf21ceb1880f930aa5dd428e2a5e415d (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 892e1cf17555735e9d021ab036c36bc7b58b0e3b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "54ab81ae5f218452e64470cd8a8139bb5880fe2b",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "43bf001f0fe4e59bba47c897505222f959f4a1cc",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "89c2c41f0974e530b2d032c3695095aa0559adb1",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "1687a055a555347b002f406676a1aaae4668f242",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "ca43ea29b4c4d2764aec8a26cffcfb677a871e6e",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "58df743faf21ceb1880f930aa5dd428e2a5e415d",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "892e1cf17555735e9d021ab036c36bc7b58b0e3b",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: refresh inline data size before write operations\n\nThe cached ei-\u003ei_inline_size can become stale between the initial size\ncheck and when ext4_update_inline_data()/ext4_create_inline_data() use\nit. Although ext4_get_max_inline_size() reads the correct value at the\ntime of the check, concurrent xattr operations can modify i_inline_size\nbefore ext4_write_lock_xattr() is acquired.\n\nThis causes ext4_update_inline_data() and ext4_create_inline_data() to\nwork with stale capacity values, leading to a BUG_ON() crash in\next4_write_inline_data():\n\n kernel BUG at fs/ext4/inline.c:1331!\n BUG_ON(pos + len \u003e EXT4_I(inode)-\u003ei_inline_size);\n\nThe race window:\n1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)\n2. Size check passes for 50-byte write\n3. [Another thread adds xattr, i_inline_size changes to 40]\n4. ext4_write_lock_xattr() acquires lock\n5. ext4_update_inline_data() uses stale i_inline_size = 60\n6. Attempts to write 50 bytes but only 40 bytes actually available\n7. BUG_ON() triggers\n\nFix this by recalculating i_inline_size via ext4_find_inline_data_nolock()\nimmediately after acquiring xattr_sem. This ensures ext4_update_inline_data()\nand ext4_create_inline_data() work with current values that are protected\nfrom concurrent modifications.\n\nThis is similar to commit a54c4613dac1 (\"ext4: fix race writing to an\ninline_data file while its xattrs are changing\") which fixed i_inline_off\nstaleness. This patch addresses the related i_inline_size staleness issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:23.589Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/54ab81ae5f218452e64470cd8a8139bb5880fe2b"
},
{
"url": "https://git.kernel.org/stable/c/43bf001f0fe4e59bba47c897505222f959f4a1cc"
},
{
"url": "https://git.kernel.org/stable/c/89c2c41f0974e530b2d032c3695095aa0559adb1"
},
{
"url": "https://git.kernel.org/stable/c/1687a055a555347b002f406676a1aaae4668f242"
},
{
"url": "https://git.kernel.org/stable/c/210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b"
},
{
"url": "https://git.kernel.org/stable/c/ca43ea29b4c4d2764aec8a26cffcfb677a871e6e"
},
{
"url": "https://git.kernel.org/stable/c/58df743faf21ceb1880f930aa5dd428e2a5e415d"
},
{
"url": "https://git.kernel.org/stable/c/892e1cf17555735e9d021ab036c36bc7b58b0e3b"
}
],
"title": "ext4: refresh inline data size before write operations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68264",
"datePublished": "2025-12-16T14:45:06.268Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-02-09T08:31:23.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68294 (GCVE-0-2025-68294)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
io_uring/net: ensure vectored buffer node import is tied to notification
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/net: ensure vectored buffer node import is tied to notification
When support for vectored registered buffers was added, the import
itself is using 'req' rather than the notification io_kiocb, sr->notif.
For non-vectored imports, sr->notif is correctly used. This is important
as the lifetime of the two may be different. Use the correct io_kiocb
for the vectored buffer import.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "14459281e027f23b70885c1cc1032a71c0efd8d7",
"status": "affected",
"version": "23371eac7d9a9bca5360cfb3eb3aa08648ee7246",
"versionType": "git"
},
{
"lessThan": "f6041803a831266a2a5a5b5af66f7de0845bcbf3",
"status": "affected",
"version": "23371eac7d9a9bca5360cfb3eb3aa08648ee7246",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: ensure vectored buffer node import is tied to notification\n\nWhen support for vectored registered buffers was added, the import\nitself is using \u0027req\u0027 rather than the notification io_kiocb, sr-\u003enotif.\nFor non-vectored imports, sr-\u003enotif is correctly used. This is important\nas the lifetime of the two may be different. Use the correct io_kiocb\nfor the vectored buffer import."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:14.177Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/14459281e027f23b70885c1cc1032a71c0efd8d7"
},
{
"url": "https://git.kernel.org/stable/c/f6041803a831266a2a5a5b5af66f7de0845bcbf3"
}
],
"title": "io_uring/net: ensure vectored buffer node import is tied to notification",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68294",
"datePublished": "2025-12-16T15:06:14.177Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:14.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68762 (GCVE-0-2025-68762)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
net: netpoll: initialize work queue before error checks
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: netpoll: initialize work queue before error checks
Prevent a kernel warning when netconsole setup fails on devices with
IFF_DISABLE_NETPOLL flag. The warning (at kernel/workqueue.c:4242 in
__flush_work) occurs because the cleanup path tries to cancel an
uninitialized work queue.
When __netpoll_setup() encounters a device with IFF_DISABLE_NETPOLL,
it fails early and calls skb_pool_flush() for cleanup. This function
calls cancel_work_sync(&np->refill_wq), but refill_wq hasn't been
initialized yet, triggering the warning.
Move INIT_WORK() to the beginning of __netpoll_setup(), ensuring the
work queue is properly initialized before any potential failure points.
This allows the cleanup path to safely cancel the work queue regardless
of where the setup fails.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
248f6571fd4c51531f7f8f07f186f7ae98a50afc , < a90d0dc38a10347078cca60e7495ad0648838f18
(git)
Affected: 248f6571fd4c51531f7f8f07f186f7ae98a50afc , < 760bc6ceda8e2c273c0e2018ad2595967c3dd308 (git) Affected: 248f6571fd4c51531f7f8f07f186f7ae98a50afc , < e5235eb6cfe02a51256013a78f7b28779a7740d5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/netpoll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a90d0dc38a10347078cca60e7495ad0648838f18",
"status": "affected",
"version": "248f6571fd4c51531f7f8f07f186f7ae98a50afc",
"versionType": "git"
},
{
"lessThan": "760bc6ceda8e2c273c0e2018ad2595967c3dd308",
"status": "affected",
"version": "248f6571fd4c51531f7f8f07f186f7ae98a50afc",
"versionType": "git"
},
{
"lessThan": "e5235eb6cfe02a51256013a78f7b28779a7740d5",
"status": "affected",
"version": "248f6571fd4c51531f7f8f07f186f7ae98a50afc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/netpoll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netpoll: initialize work queue before error checks\n\nPrevent a kernel warning when netconsole setup fails on devices with\nIFF_DISABLE_NETPOLL flag. The warning (at kernel/workqueue.c:4242 in\n__flush_work) occurs because the cleanup path tries to cancel an\nuninitialized work queue.\n\nWhen __netpoll_setup() encounters a device with IFF_DISABLE_NETPOLL,\nit fails early and calls skb_pool_flush() for cleanup. This function\ncalls cancel_work_sync(\u0026np-\u003erefill_wq), but refill_wq hasn\u0027t been\ninitialized yet, triggering the warning.\n\nMove INIT_WORK() to the beginning of __netpoll_setup(), ensuring the\nwork queue is properly initialized before any potential failure points.\nThis allows the cleanup path to safely cancel the work queue regardless\nof where the setup fails."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:06.941Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a90d0dc38a10347078cca60e7495ad0648838f18"
},
{
"url": "https://git.kernel.org/stable/c/760bc6ceda8e2c273c0e2018ad2595967c3dd308"
},
{
"url": "https://git.kernel.org/stable/c/e5235eb6cfe02a51256013a78f7b28779a7740d5"
}
],
"title": "net: netpoll: initialize work queue before error checks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68762",
"datePublished": "2026-01-05T09:32:34.743Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-02-09T08:33:06.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71120 (GCVE-0-2025-71120)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
Summary
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
A zero length gss_token results in pages == 0 and in_token->pages[0]
is NULL. The code unconditionally evaluates
page_address(in_token->pages[0]) for the initial memcpy, which can
dereference NULL even when the copy length is 0. Guard the first
memcpy so it only runs when length > 0.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5866efa8cbfbadf3905072798e96652faf02dbe8 , < a8f1e445ce3545c90d69c9e8ff8f7821825fe810
(git)
Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < 4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < f9e53f69ac3bc4ef568b08d3542edac02e83fefd (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < 7452d53f293379e2c38cfa8ad0694aa46fc4788b (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < a2c6f25ab98b423f99ccd94874d655b8bcb01a19 (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < 1c8bb965e9b0559ff0f5690615a527c30f651dd8 (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < d4b69a6186b215d2dc1ebcab965ed88e8d41768d (git) Affected: 66ed7b413d31c6ff23901ac4443b1cc1af2f6113 (git) Affected: 7be8c165dc81564705e8e0b72d398ef708f67eaa (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/auth_gss/svcauth_gss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8f1e445ce3545c90d69c9e8ff8f7821825fe810",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "f9e53f69ac3bc4ef568b08d3542edac02e83fefd",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "7452d53f293379e2c38cfa8ad0694aa46fc4788b",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "a2c6f25ab98b423f99ccd94874d655b8bcb01a19",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "1c8bb965e9b0559ff0f5690615a527c30f651dd8",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "d4b69a6186b215d2dc1ebcab965ed88e8d41768d",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"status": "affected",
"version": "66ed7b413d31c6ff23901ac4443b1cc1af2f6113",
"versionType": "git"
},
{
"status": "affected",
"version": "7be8c165dc81564705e8e0b72d398ef708f67eaa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/auth_gss/svcauth_gss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf\n\nA zero length gss_token results in pages == 0 and in_token-\u003epages[0]\nis NULL. The code unconditionally evaluates\npage_address(in_token-\u003epages[0]) for the initial memcpy, which can\ndereference NULL even when the copy length is 0. Guard the first\nmemcpy so it only runs when length \u003e 0."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:15.157Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8f1e445ce3545c90d69c9e8ff8f7821825fe810"
},
{
"url": "https://git.kernel.org/stable/c/4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d"
},
{
"url": "https://git.kernel.org/stable/c/f9e53f69ac3bc4ef568b08d3542edac02e83fefd"
},
{
"url": "https://git.kernel.org/stable/c/7452d53f293379e2c38cfa8ad0694aa46fc4788b"
},
{
"url": "https://git.kernel.org/stable/c/a2c6f25ab98b423f99ccd94874d655b8bcb01a19"
},
{
"url": "https://git.kernel.org/stable/c/1c8bb965e9b0559ff0f5690615a527c30f651dd8"
},
{
"url": "https://git.kernel.org/stable/c/d4b69a6186b215d2dc1ebcab965ed88e8d41768d"
}
],
"title": "SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71120",
"datePublished": "2026-01-14T15:06:07.194Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-02-09T08:35:15.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40109 (GCVE-0-2025-40109)
Vulnerability from cvelistv5 – Published: 2025-11-09 04:35 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
crypto: rng - Ensure set_ent is always present
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: rng - Ensure set_ent is always present
Ensure that set_ent is always set since only drbg provides it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < 15d6f42da1bb527629d8e1067b1302d58dec9166
(git)
Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < bd903c25b652c331831226cdf56c8179d18e43f4 (git) Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < 17acbcd44fe8dc17dc1072375e76df2d52da6ac8 (git) Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < ab172f4f42626549b02bada05f09e3f2b0cc26ec (git) Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < c5c703b50e91dd4748769f4c5ab50d9ad60be370 (git) Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < e247a7d138e514a40edda7c4d72c8bd49bb2cad3 (git) Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < 915cb75983bc5e8b80f8a2f25a4af463f7b18c14 (git) Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < c0d36727bf39bb16ef0a67ed608e279535ebf0da (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "15d6f42da1bb527629d8e1067b1302d58dec9166",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "bd903c25b652c331831226cdf56c8179d18e43f4",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "17acbcd44fe8dc17dc1072375e76df2d52da6ac8",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "ab172f4f42626549b02bada05f09e3f2b0cc26ec",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "c5c703b50e91dd4748769f4c5ab50d9ad60be370",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "e247a7d138e514a40edda7c4d72c8bd49bb2cad3",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "915cb75983bc5e8b80f8a2f25a4af463f7b18c14",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "c0d36727bf39bb16ef0a67ed608e279535ebf0da",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.12",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: rng - Ensure set_ent is always present\n\nEnsure that set_ent is always set since only drbg provides it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:12.220Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/15d6f42da1bb527629d8e1067b1302d58dec9166"
},
{
"url": "https://git.kernel.org/stable/c/bd903c25b652c331831226cdf56c8179d18e43f4"
},
{
"url": "https://git.kernel.org/stable/c/17acbcd44fe8dc17dc1072375e76df2d52da6ac8"
},
{
"url": "https://git.kernel.org/stable/c/ab172f4f42626549b02bada05f09e3f2b0cc26ec"
},
{
"url": "https://git.kernel.org/stable/c/c5c703b50e91dd4748769f4c5ab50d9ad60be370"
},
{
"url": "https://git.kernel.org/stable/c/e247a7d138e514a40edda7c4d72c8bd49bb2cad3"
},
{
"url": "https://git.kernel.org/stable/c/915cb75983bc5e8b80f8a2f25a4af463f7b18c14"
},
{
"url": "https://git.kernel.org/stable/c/c0d36727bf39bb16ef0a67ed608e279535ebf0da"
}
],
"title": "crypto: rng - Ensure set_ent is always present",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40109",
"datePublished": "2025-11-09T04:35:59.979Z",
"dateReserved": "2025-04-16T07:20:57.167Z",
"dateUpdated": "2025-12-01T06:18:12.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40110 (GCVE-0-2025-40110)
Vulnerability from cvelistv5 – Published: 2025-11-12 01:07 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
drm/vmwgfx: Fix a null-ptr access in the cursor snooper
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Fix a null-ptr access in the cursor snooper
Check that the resource which is converted to a surface exists before
trying to use the cursor snooper on it.
vmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers
because some svga commands accept SVGA3D_INVALID_ID to mean "no surface",
unfortunately functions that accept the actual surfaces as objects might
(and in case of the cursor snooper, do not) be able to handle null
objects. Make sure that we validate not only the identifier (via the
vmw_cmd_res_check) but also check that the actual resource exists before
trying to do something with it.
Fixes unchecked null-ptr reference in the snooping code.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < 3332212e93d0f6e24f8fe79f975e077c4e68ca39
(git)
Affected: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < 86aae7053d2da3fdfde7b2e84d86e4af50490505 (git) Affected: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < af9d88cbf0fce52f465978360542ef679713491f (git) Affected: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < 299cfb5a7deabdf9ecd30071755672af0aced5eb (git) Affected: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < 13c9e4ed125e19484234c960efe5ac9c55119523 (git) Affected: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < b6fca0a07989f361ceda27cb2d09c555d4d4a964 (git) Affected: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < 5ac2c0279053a2c5265d46903432fb26ae2d0da2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3332212e93d0f6e24f8fe79f975e077c4e68ca39",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "86aae7053d2da3fdfde7b2e84d86e4af50490505",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "af9d88cbf0fce52f465978360542ef679713491f",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "299cfb5a7deabdf9ecd30071755672af0aced5eb",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "13c9e4ed125e19484234c960efe5ac9c55119523",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "b6fca0a07989f361ceda27cb2d09c555d4d4a964",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "5ac2c0279053a2c5265d46903432fb26ae2d0da2",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix a null-ptr access in the cursor snooper\n\nCheck that the resource which is converted to a surface exists before\ntrying to use the cursor snooper on it.\n\nvmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers\nbecause some svga commands accept SVGA3D_INVALID_ID to mean \"no surface\",\nunfortunately functions that accept the actual surfaces as objects might\n(and in case of the cursor snooper, do not) be able to handle null\nobjects. Make sure that we validate not only the identifier (via the\nvmw_cmd_res_check) but also check that the actual resource exists before\ntrying to do something with it.\n\nFixes unchecked null-ptr reference in the snooping code."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:04.465Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3332212e93d0f6e24f8fe79f975e077c4e68ca39"
},
{
"url": "https://git.kernel.org/stable/c/86aae7053d2da3fdfde7b2e84d86e4af50490505"
},
{
"url": "https://git.kernel.org/stable/c/af9d88cbf0fce52f465978360542ef679713491f"
},
{
"url": "https://git.kernel.org/stable/c/299cfb5a7deabdf9ecd30071755672af0aced5eb"
},
{
"url": "https://git.kernel.org/stable/c/13c9e4ed125e19484234c960efe5ac9c55119523"
},
{
"url": "https://git.kernel.org/stable/c/b6fca0a07989f361ceda27cb2d09c555d4d4a964"
},
{
"url": "https://git.kernel.org/stable/c/5ac2c0279053a2c5265d46903432fb26ae2d0da2"
}
],
"title": "drm/vmwgfx: Fix a null-ptr access in the cursor snooper",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40110",
"datePublished": "2025-11-12T01:07:24.739Z",
"dateReserved": "2025-04-16T07:20:57.167Z",
"dateUpdated": "2026-01-19T12:18:04.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40111 (GCVE-0-2025-40111)
Vulnerability from cvelistv5 – Published: 2025-11-12 01:07 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
drm/vmwgfx: Fix Use-after-free in validation
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Fix Use-after-free in validation
Nodes stored in the validation duplicates hashtable come from an arena
allocator that is cleared at the end of vmw_execbuf_process. All nodes
are expected to be cleared in vmw_validation_drop_ht but this node escaped
because its resource was destroyed prematurely.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
64ad2abfe9a628ce79859d072704bd1ef7682044 , < 1822e5287b7dfa59d0af966756ebf1dc652b60ee
(git)
Affected: 64ad2abfe9a628ce79859d072704bd1ef7682044 , < fb7165e5f3b3b10721ff70553583ad12e90e447a (git) Affected: 64ad2abfe9a628ce79859d072704bd1ef7682044 , < 4c918f9d1ccccc0e092f43dcb2d8266f54d7340b (git) Affected: 64ad2abfe9a628ce79859d072704bd1ef7682044 , < 9a8eaca539708ca532747f606d231f70e684e8ca (git) Affected: 64ad2abfe9a628ce79859d072704bd1ef7682044 , < 867bda5d95d36f10da398fd4409e21c7002b2332 (git) Affected: 64ad2abfe9a628ce79859d072704bd1ef7682044 , < 655a2f29bfc21105c80bf8a7d7aafa6eca8b4496 (git) Affected: 64ad2abfe9a628ce79859d072704bd1ef7682044 , < 65608e991c2d771c13404e5c7ae122ac3c3357a4 (git) Affected: 64ad2abfe9a628ce79859d072704bd1ef7682044 , < dfe1323ab3c8a4dd5625ebfdba44dc47df84512a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_validation.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1822e5287b7dfa59d0af966756ebf1dc652b60ee",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "fb7165e5f3b3b10721ff70553583ad12e90e447a",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "4c918f9d1ccccc0e092f43dcb2d8266f54d7340b",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "9a8eaca539708ca532747f606d231f70e684e8ca",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "867bda5d95d36f10da398fd4409e21c7002b2332",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "655a2f29bfc21105c80bf8a7d7aafa6eca8b4496",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "65608e991c2d771c13404e5c7ae122ac3c3357a4",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "dfe1323ab3c8a4dd5625ebfdba44dc47df84512a",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_validation.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix Use-after-free in validation\n\nNodes stored in the validation duplicates hashtable come from an arena\nallocator that is cleared at the end of vmw_execbuf_process. All nodes\nare expected to be cleared in vmw_validation_drop_ht but this node escaped\nbecause its resource was destroyed prematurely."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:14.678Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1822e5287b7dfa59d0af966756ebf1dc652b60ee"
},
{
"url": "https://git.kernel.org/stable/c/fb7165e5f3b3b10721ff70553583ad12e90e447a"
},
{
"url": "https://git.kernel.org/stable/c/4c918f9d1ccccc0e092f43dcb2d8266f54d7340b"
},
{
"url": "https://git.kernel.org/stable/c/9a8eaca539708ca532747f606d231f70e684e8ca"
},
{
"url": "https://git.kernel.org/stable/c/867bda5d95d36f10da398fd4409e21c7002b2332"
},
{
"url": "https://git.kernel.org/stable/c/655a2f29bfc21105c80bf8a7d7aafa6eca8b4496"
},
{
"url": "https://git.kernel.org/stable/c/65608e991c2d771c13404e5c7ae122ac3c3357a4"
},
{
"url": "https://git.kernel.org/stable/c/dfe1323ab3c8a4dd5625ebfdba44dc47df84512a"
}
],
"title": "drm/vmwgfx: Fix Use-after-free in validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40111",
"datePublished": "2025-11-12T01:07:25.203Z",
"dateReserved": "2025-04-16T07:20:57.167Z",
"dateUpdated": "2025-12-01T06:18:14.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39835 (GCVE-0-2025-39835)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:08 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
xfs: do not propagate ENODATA disk errors into xattr code
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: do not propagate ENODATA disk errors into xattr code
ENODATA (aka ENOATTR) has a very specific meaning in the xfs xattr code;
namely, that the requested attribute name could not be found.
However, a medium error from disk may also return ENODATA. At best,
this medium error may escape to userspace as "attribute not found"
when in fact it's an IO (disk) error.
At worst, we may oops in xfs_attr_leaf_get() when we do:
error = xfs_attr_leaf_hasname(args, &bp);
if (error == -ENOATTR) {
xfs_trans_brelse(args->trans, bp);
return error;
}
because an ENODATA/ENOATTR error from disk leaves us with a null bp,
and the xfs_trans_brelse will then null-deref it.
As discussed on the list, we really need to modify the lower level
IO functions to trap all disk errors and ensure that we don't let
unique errors like this leak up into higher xfs functions - many
like this should be remapped to EIO.
However, this patch directly addresses a reported bug in the xattr
code, and should be safe to backport to stable kernels. A larger-scope
patch to handle more unique errors at lower levels can follow later.
(Note, prior to 07120f1abdff we did not oops, but we did return the
wrong error code to userspace.)
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
07120f1abdff80f3d1351f733661abe28d609535 , < 157ddfb05961c68ab7d457a462822a698e4e4bf4
(git)
Affected: 07120f1abdff80f3d1351f733661abe28d609535 , < 90bae69c2959c39912f0c2f07a9a7894f3fc49f5 (git) Affected: 07120f1abdff80f3d1351f733661abe28d609535 , < e358d4b6225e4c1eb208686a05e360ef8df59e07 (git) Affected: 07120f1abdff80f3d1351f733661abe28d609535 , < d3cc7476b89fb45b7e00874f4f56f6b928467c60 (git) Affected: 07120f1abdff80f3d1351f733661abe28d609535 , < dcdf36f1b67884c722abce9b8946e34ffb9f67c8 (git) Affected: 07120f1abdff80f3d1351f733661abe28d609535 , < 39fc2742ca14f7fbc621ce9b43bcbd00248cb9a8 (git) Affected: 07120f1abdff80f3d1351f733661abe28d609535 , < ae668cd567a6a7622bc813ee0bb61c42bed61ba7 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:51.920Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/libxfs/xfs_attr_remote.c",
"fs/xfs/libxfs/xfs_da_btree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "157ddfb05961c68ab7d457a462822a698e4e4bf4",
"status": "affected",
"version": "07120f1abdff80f3d1351f733661abe28d609535",
"versionType": "git"
},
{
"lessThan": "90bae69c2959c39912f0c2f07a9a7894f3fc49f5",
"status": "affected",
"version": "07120f1abdff80f3d1351f733661abe28d609535",
"versionType": "git"
},
{
"lessThan": "e358d4b6225e4c1eb208686a05e360ef8df59e07",
"status": "affected",
"version": "07120f1abdff80f3d1351f733661abe28d609535",
"versionType": "git"
},
{
"lessThan": "d3cc7476b89fb45b7e00874f4f56f6b928467c60",
"status": "affected",
"version": "07120f1abdff80f3d1351f733661abe28d609535",
"versionType": "git"
},
{
"lessThan": "dcdf36f1b67884c722abce9b8946e34ffb9f67c8",
"status": "affected",
"version": "07120f1abdff80f3d1351f733661abe28d609535",
"versionType": "git"
},
{
"lessThan": "39fc2742ca14f7fbc621ce9b43bcbd00248cb9a8",
"status": "affected",
"version": "07120f1abdff80f3d1351f733661abe28d609535",
"versionType": "git"
},
{
"lessThan": "ae668cd567a6a7622bc813ee0bb61c42bed61ba7",
"status": "affected",
"version": "07120f1abdff80f3d1351f733661abe28d609535",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/libxfs/xfs_attr_remote.c",
"fs/xfs/libxfs/xfs_da_btree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: do not propagate ENODATA disk errors into xattr code\n\nENODATA (aka ENOATTR) has a very specific meaning in the xfs xattr code;\nnamely, that the requested attribute name could not be found.\n\nHowever, a medium error from disk may also return ENODATA. At best,\nthis medium error may escape to userspace as \"attribute not found\"\nwhen in fact it\u0027s an IO (disk) error.\n\nAt worst, we may oops in xfs_attr_leaf_get() when we do:\n\n\terror = xfs_attr_leaf_hasname(args, \u0026bp);\n\tif (error == -ENOATTR) {\n\t\txfs_trans_brelse(args-\u003etrans, bp);\n\t\treturn error;\n\t}\n\nbecause an ENODATA/ENOATTR error from disk leaves us with a null bp,\nand the xfs_trans_brelse will then null-deref it.\n\nAs discussed on the list, we really need to modify the lower level\nIO functions to trap all disk errors and ensure that we don\u0027t let\nunique errors like this leak up into higher xfs functions - many\nlike this should be remapped to EIO.\n\nHowever, this patch directly addresses a reported bug in the xattr\ncode, and should be safe to backport to stable kernels. A larger-scope\npatch to handle more unique errors at lower levels can follow later.\n\n(Note, prior to 07120f1abdff we did not oops, but we did return the\nwrong error code to userspace.)"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:39.402Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/157ddfb05961c68ab7d457a462822a698e4e4bf4"
},
{
"url": "https://git.kernel.org/stable/c/90bae69c2959c39912f0c2f07a9a7894f3fc49f5"
},
{
"url": "https://git.kernel.org/stable/c/e358d4b6225e4c1eb208686a05e360ef8df59e07"
},
{
"url": "https://git.kernel.org/stable/c/d3cc7476b89fb45b7e00874f4f56f6b928467c60"
},
{
"url": "https://git.kernel.org/stable/c/dcdf36f1b67884c722abce9b8946e34ffb9f67c8"
},
{
"url": "https://git.kernel.org/stable/c/39fc2742ca14f7fbc621ce9b43bcbd00248cb9a8"
},
{
"url": "https://git.kernel.org/stable/c/ae668cd567a6a7622bc813ee0bb61c42bed61ba7"
}
],
"title": "xfs: do not propagate ENODATA disk errors into xattr code",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39835",
"datePublished": "2025-09-16T13:08:51.599Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:43:51.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40288 (GCVE-0-2025-40288)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices
Previously, APU platforms (and other scenarios with uninitialized VRAM managers)
triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root
cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL,
but that `man->bdev` (the backing device pointer within the manager) remains
uninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully
set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to
acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to
a kernel OOPS.
1. **amdgpu_cs.c**: Extend the existing bandwidth control check in
`amdgpu_cs_get_threshold_for_moves()` to include a check for
`ttm_resource_manager_used()`. If the manager is not used (uninitialized
`bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific
logic that would trigger the NULL dereference.
2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info
reporting to use a conditional: if the manager is used, return the real VRAM
usage; otherwise, return 0. This avoids accessing `man->bdev` when it is
NULL.
3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)
data write path. Use `ttm_resource_manager_used()` to check validity: if the
manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set
`fb_usage` to 0 (APUs have no discrete framebuffer to report).
This approach is more robust than APU-specific checks because it:
- Works for all scenarios where the VRAM manager is uninitialized (not just APUs),
- Aligns with TTM's design by using its native helper function,
- Preserves correct behavior for discrete GPUs (which have fully initialized
`man->bdev` and pass the `ttm_resource_manager_used()` check).
v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < e70113b741ba253886cd71dbadfe3ea444bb2f5c
(git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 1243e396148a65bb6c42a2b70fe43e50c16c494f (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 43aa61c18a3a45042b098b7a1186ffb29364002c (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 070bdce18fb12a49eb9c421e57df17d2ad29bf5f (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 883f309add55060233bf11c1ea6947140372920f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e70113b741ba253886cd71dbadfe3ea444bb2f5c",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "1243e396148a65bb6c42a2b70fe43e50c16c494f",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "43aa61c18a3a45042b098b7a1186ffb29364002c",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "070bdce18fb12a49eb9c421e57df17d2ad29bf5f",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "883f309add55060233bf11c1ea6947140372920f",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices\n\nPreviously, APU platforms (and other scenarios with uninitialized VRAM managers)\ntriggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root\ncause is not that the `struct ttm_resource_manager *man` pointer itself is NULL,\nbut that `man-\u003ebdev` (the backing device pointer within the manager) remains\nuninitialized (NULL) on APUs\u2014since APUs lack dedicated VRAM and do not fully\nset up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to\nacquire `man-\u003ebdev-\u003elru_lock`, it dereferences the NULL `man-\u003ebdev`, leading to\na kernel OOPS.\n\n1. **amdgpu_cs.c**: Extend the existing bandwidth control check in\n `amdgpu_cs_get_threshold_for_moves()` to include a check for\n `ttm_resource_manager_used()`. If the manager is not used (uninitialized\n `bdev`), return 0 for migration thresholds immediately\u2014skipping VRAM-specific\n logic that would trigger the NULL dereference.\n\n2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info\n reporting to use a conditional: if the manager is used, return the real VRAM\n usage; otherwise, return 0. This avoids accessing `man-\u003ebdev` when it is\n NULL.\n\n3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)\n data write path. Use `ttm_resource_manager_used()` to check validity: if the\n manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set\n `fb_usage` to 0 (APUs have no discrete framebuffer to report).\n\nThis approach is more robust than APU-specific checks because it:\n- Works for all scenarios where the VRAM manager is uninitialized (not just APUs),\n- Aligns with TTM\u0027s design by using its native helper function,\n- Preserves correct behavior for discrete GPUs (which have fully initialized\n `man-\u003ebdev` and pass the `ttm_resource_manager_used()` check).\n\nv4: use ttm_resource_manager_used(\u0026adev-\u003emman.vram_mgr.manager) instead of checking the adev-\u003egmc.is_app_apu flag (Christian)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:55.021Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e70113b741ba253886cd71dbadfe3ea444bb2f5c"
},
{
"url": "https://git.kernel.org/stable/c/1243e396148a65bb6c42a2b70fe43e50c16c494f"
},
{
"url": "https://git.kernel.org/stable/c/43aa61c18a3a45042b098b7a1186ffb29364002c"
},
{
"url": "https://git.kernel.org/stable/c/070bdce18fb12a49eb9c421e57df17d2ad29bf5f"
},
{
"url": "https://git.kernel.org/stable/c/883f309add55060233bf11c1ea6947140372920f"
}
],
"title": "drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40288",
"datePublished": "2025-12-06T21:51:14.440Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-20T08:51:55.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40253 (GCVE-0-2025-40253)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
s390/ctcm: Fix double-kfree
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/ctcm: Fix double-kfree
The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally
from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo.
After that a call to function 'kfree' in function 'ctcmpc_unpack_skb'
frees it again.
Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'.
Bug detected by the clang static analyzer.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
467ddbbe7e749d558f13e640f50f546149c930b3 , < 06f1dd1de0d33dbfbd2e1fc9fc57d8895f730de2
(git)
Affected: 4d3c6d741816539b57fa1110c3f765a8c176d7b4 , < 6bf8ccaabce8cebb6cb1f255c93d0acdfe95c17a (git) Affected: 2bd57101c3ecf3f8c0da1d26c2b6ad511adc6d50 , < 7616e2eee679746d526c7f5befd4eedb995935b5 (git) Affected: 0c0b20587b9f25a2ad14db7f80ebe49bdf29920a , < 43096dab8cc60fc39133205fd149a54d3acebea8 (git) Affected: 0c0b20587b9f25a2ad14db7f80ebe49bdf29920a , < 3b177b2ded563df16f6d5920671ffcfe5915d472 (git) Affected: 0c0b20587b9f25a2ad14db7f80ebe49bdf29920a , < b9dbfb1b5699f9f1e4991f96741bdf9047147589 (git) Affected: 0c0b20587b9f25a2ad14db7f80ebe49bdf29920a , < 7ff76f8dc6b550f8d16487bf3cebc278be720b5c (git) Affected: 0c0b20587b9f25a2ad14db7f80ebe49bdf29920a , < da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 (git) Affected: 36933de59f67029e5739a98393891f9b94f27e0f (git) Affected: d886b4292a1c5b4facdb2dfdc31f0fecc71df898 (git) Affected: 4c9ba0fed125deba8416b995b0c274b0804c0c24 (git) Affected: ea0053af5dab4d63a9c44563973fb2f3bfd9eb2b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/s390/net/ctcm_mpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "06f1dd1de0d33dbfbd2e1fc9fc57d8895f730de2",
"status": "affected",
"version": "467ddbbe7e749d558f13e640f50f546149c930b3",
"versionType": "git"
},
{
"lessThan": "6bf8ccaabce8cebb6cb1f255c93d0acdfe95c17a",
"status": "affected",
"version": "4d3c6d741816539b57fa1110c3f765a8c176d7b4",
"versionType": "git"
},
{
"lessThan": "7616e2eee679746d526c7f5befd4eedb995935b5",
"status": "affected",
"version": "2bd57101c3ecf3f8c0da1d26c2b6ad511adc6d50",
"versionType": "git"
},
{
"lessThan": "43096dab8cc60fc39133205fd149a54d3acebea8",
"status": "affected",
"version": "0c0b20587b9f25a2ad14db7f80ebe49bdf29920a",
"versionType": "git"
},
{
"lessThan": "3b177b2ded563df16f6d5920671ffcfe5915d472",
"status": "affected",
"version": "0c0b20587b9f25a2ad14db7f80ebe49bdf29920a",
"versionType": "git"
},
{
"lessThan": "b9dbfb1b5699f9f1e4991f96741bdf9047147589",
"status": "affected",
"version": "0c0b20587b9f25a2ad14db7f80ebe49bdf29920a",
"versionType": "git"
},
{
"lessThan": "7ff76f8dc6b550f8d16487bf3cebc278be720b5c",
"status": "affected",
"version": "0c0b20587b9f25a2ad14db7f80ebe49bdf29920a",
"versionType": "git"
},
{
"lessThan": "da02a1824884d6c84c5e5b5ac373b0c9e3288ec2",
"status": "affected",
"version": "0c0b20587b9f25a2ad14db7f80ebe49bdf29920a",
"versionType": "git"
},
{
"status": "affected",
"version": "36933de59f67029e5739a98393891f9b94f27e0f",
"versionType": "git"
},
{
"status": "affected",
"version": "d886b4292a1c5b4facdb2dfdc31f0fecc71df898",
"versionType": "git"
},
{
"status": "affected",
"version": "4c9ba0fed125deba8416b995b0c274b0804c0c24",
"versionType": "git"
},
{
"status": "affected",
"version": "ea0053af5dab4d63a9c44563973fb2f3bfd9eb2b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/s390/net/ctcm_mpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.315",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.280",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ctcm: Fix double-kfree\n\nThe function \u0027mpc_rcvd_sweep_req(mpcginfo)\u0027 is called conditionally\nfrom function \u0027ctcmpc_unpack_skb\u0027. It frees passed mpcginfo.\nAfter that a call to function \u0027kfree\u0027 in function \u0027ctcmpc_unpack_skb\u0027\nfrees it again.\n\nRemove \u0027kfree\u0027 call in function \u0027mpc_rcvd_sweep_req(mpcginfo)\u0027.\n\nBug detected by the clang static analyzer."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:50.378Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/06f1dd1de0d33dbfbd2e1fc9fc57d8895f730de2"
},
{
"url": "https://git.kernel.org/stable/c/6bf8ccaabce8cebb6cb1f255c93d0acdfe95c17a"
},
{
"url": "https://git.kernel.org/stable/c/7616e2eee679746d526c7f5befd4eedb995935b5"
},
{
"url": "https://git.kernel.org/stable/c/43096dab8cc60fc39133205fd149a54d3acebea8"
},
{
"url": "https://git.kernel.org/stable/c/3b177b2ded563df16f6d5920671ffcfe5915d472"
},
{
"url": "https://git.kernel.org/stable/c/b9dbfb1b5699f9f1e4991f96741bdf9047147589"
},
{
"url": "https://git.kernel.org/stable/c/7ff76f8dc6b550f8d16487bf3cebc278be720b5c"
},
{
"url": "https://git.kernel.org/stable/c/da02a1824884d6c84c5e5b5ac373b0c9e3288ec2"
}
],
"title": "s390/ctcm: Fix double-kfree",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40253",
"datePublished": "2025-12-04T16:08:15.340Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-06T21:38:50.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39842 (GCVE-0-2025-39842)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
ocfs2: prevent release journal inode after journal shutdown
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: prevent release journal inode after journal shutdown
Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already
been executed in ocfs2_dismount_volume(), so osb->journal must be NULL.
Therefore, the following calltrace will inevitably fail when it reaches
jbd2_journal_release_jbd_inode().
ocfs2_dismount_volume()->
ocfs2_delete_osb()->
ocfs2_free_slot_info()->
__ocfs2_free_slot_info()->
evict()->
ocfs2_evict_inode()->
ocfs2_clear_inode()->
jbd2_journal_release_jbd_inode(osb->journal->j_journal,
Adding osb->journal checks will prevent null-ptr-deref during the above
execution path.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
da5e7c87827e8caa6a1eeec6d95dcf74ab592a01 , < 42c415c53ad2065088cc411d08925effa5b3d255
(git)
Affected: da5e7c87827e8caa6a1eeec6d95dcf74ab592a01 , < e9188f66e94955431ddbe2cd1cdf8ff2bb486abf (git) Affected: da5e7c87827e8caa6a1eeec6d95dcf74ab592a01 , < f4a917e6cd6c798f7adf39907f117fc754db1283 (git) Affected: da5e7c87827e8caa6a1eeec6d95dcf74ab592a01 , < 85e66331b60601d903cceaf8c10a234db863cd78 (git) Affected: da5e7c87827e8caa6a1eeec6d95dcf74ab592a01 , < f46e8ef8bb7b452584f2e75337b619ac51a7cadf (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:57.858Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "42c415c53ad2065088cc411d08925effa5b3d255",
"status": "affected",
"version": "da5e7c87827e8caa6a1eeec6d95dcf74ab592a01",
"versionType": "git"
},
{
"lessThan": "e9188f66e94955431ddbe2cd1cdf8ff2bb486abf",
"status": "affected",
"version": "da5e7c87827e8caa6a1eeec6d95dcf74ab592a01",
"versionType": "git"
},
{
"lessThan": "f4a917e6cd6c798f7adf39907f117fc754db1283",
"status": "affected",
"version": "da5e7c87827e8caa6a1eeec6d95dcf74ab592a01",
"versionType": "git"
},
{
"lessThan": "85e66331b60601d903cceaf8c10a234db863cd78",
"status": "affected",
"version": "da5e7c87827e8caa6a1eeec6d95dcf74ab592a01",
"versionType": "git"
},
{
"lessThan": "f46e8ef8bb7b452584f2e75337b619ac51a7cadf",
"status": "affected",
"version": "da5e7c87827e8caa6a1eeec6d95dcf74ab592a01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: prevent release journal inode after journal shutdown\n\nBefore calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already\nbeen executed in ocfs2_dismount_volume(), so osb-\u003ejournal must be NULL. \nTherefore, the following calltrace will inevitably fail when it reaches\njbd2_journal_release_jbd_inode().\n\nocfs2_dismount_volume()-\u003e\n ocfs2_delete_osb()-\u003e\n ocfs2_free_slot_info()-\u003e\n __ocfs2_free_slot_info()-\u003e\n evict()-\u003e\n ocfs2_evict_inode()-\u003e\n ocfs2_clear_inode()-\u003e\n\t jbd2_journal_release_jbd_inode(osb-\u003ejournal-\u003ej_journal,\n\nAdding osb-\u003ejournal checks will prevent null-ptr-deref during the above\nexecution path."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:50.370Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/42c415c53ad2065088cc411d08925effa5b3d255"
},
{
"url": "https://git.kernel.org/stable/c/e9188f66e94955431ddbe2cd1cdf8ff2bb486abf"
},
{
"url": "https://git.kernel.org/stable/c/f4a917e6cd6c798f7adf39907f117fc754db1283"
},
{
"url": "https://git.kernel.org/stable/c/85e66331b60601d903cceaf8c10a234db863cd78"
},
{
"url": "https://git.kernel.org/stable/c/f46e8ef8bb7b452584f2e75337b619ac51a7cadf"
}
],
"title": "ocfs2: prevent release journal inode after journal shutdown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39842",
"datePublished": "2025-09-19T15:26:17.075Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:43:57.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68168 (GCVE-0-2025-68168)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
jfs: fix uninitialized waitqueue in transaction manager
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: fix uninitialized waitqueue in transaction manager
The transaction manager initialization in txInit() was not properly
initializing TxBlock[0].waitor waitqueue, causing a crash when
txEnd(0) is called on read-only filesystems.
When a filesystem is mounted read-only, txBegin() returns tid=0 to
indicate no transaction. However, txEnd(0) still gets called and
tries to access TxBlock[0].waitor via tid_to_tblock(0), but this
waitqueue was never initialized because the initialization loop
started at index 1 instead of 0.
This causes a 'non-static key' lockdep warning and system crash:
INFO: trying to register non-static key in txEnd
Fix by ensuring all transaction blocks including TxBlock[0] have
their waitqueues properly initialized during txInit().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2a8807f9f511c64de0c7cc9900a1683e3d72a3e5 , < d6af7fce2e162ac68e85d3a11eb6ac8c35b24b64
(git)
Affected: 5c094ca994824e038b6a97835ded4e5d1d808504 , < 8cae9cf23e0bd424ac904e753639a587543ce03a (git) Affected: 2febd5f81e4bfba61d9f374dcca628aff374cc56 , < a2aa97cde9857f881920635a2e3d3b11769619c5 (git) Affected: aa7cdf487ab3fa47284daaccc3d7d5de01c6a84c , < d2dd7ca05a11685c314e62802a55e8d67a90e974 (git) Affected: 95e2b352c03b0a86c5717ba1d24ea20969abcacc , < 2a9575a372182ca075070b3cd77490dcf0c951e7 (git) Affected: 95e2b352c03b0a86c5717ba1d24ea20969abcacc , < cbf2f527ae4ca7c7dabce42e85e8deb58588a37e (git) Affected: 95e2b352c03b0a86c5717ba1d24ea20969abcacc , < 038861414ab383b41dd35abbf9ff0ef715592d53 (git) Affected: 95e2b352c03b0a86c5717ba1d24ea20969abcacc , < 300b072df72694ea330c4c673c035253e07827b8 (git) Affected: a88efca805bea93cea9187dfd00835aa7093bf1b (git) Affected: 97c1f26e4d4af55e8584e4646dd5c5fa7baf62c7 (git) Affected: b0ed8ed0428ee96092da6fefa5cfacbe4abed701 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_txnmgr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6af7fce2e162ac68e85d3a11eb6ac8c35b24b64",
"status": "affected",
"version": "2a8807f9f511c64de0c7cc9900a1683e3d72a3e5",
"versionType": "git"
},
{
"lessThan": "8cae9cf23e0bd424ac904e753639a587543ce03a",
"status": "affected",
"version": "5c094ca994824e038b6a97835ded4e5d1d808504",
"versionType": "git"
},
{
"lessThan": "a2aa97cde9857f881920635a2e3d3b11769619c5",
"status": "affected",
"version": "2febd5f81e4bfba61d9f374dcca628aff374cc56",
"versionType": "git"
},
{
"lessThan": "d2dd7ca05a11685c314e62802a55e8d67a90e974",
"status": "affected",
"version": "aa7cdf487ab3fa47284daaccc3d7d5de01c6a84c",
"versionType": "git"
},
{
"lessThan": "2a9575a372182ca075070b3cd77490dcf0c951e7",
"status": "affected",
"version": "95e2b352c03b0a86c5717ba1d24ea20969abcacc",
"versionType": "git"
},
{
"lessThan": "cbf2f527ae4ca7c7dabce42e85e8deb58588a37e",
"status": "affected",
"version": "95e2b352c03b0a86c5717ba1d24ea20969abcacc",
"versionType": "git"
},
{
"lessThan": "038861414ab383b41dd35abbf9ff0ef715592d53",
"status": "affected",
"version": "95e2b352c03b0a86c5717ba1d24ea20969abcacc",
"versionType": "git"
},
{
"lessThan": "300b072df72694ea330c4c673c035253e07827b8",
"status": "affected",
"version": "95e2b352c03b0a86c5717ba1d24ea20969abcacc",
"versionType": "git"
},
{
"status": "affected",
"version": "a88efca805bea93cea9187dfd00835aa7093bf1b",
"versionType": "git"
},
{
"status": "affected",
"version": "97c1f26e4d4af55e8584e4646dd5c5fa7baf62c7",
"versionType": "git"
},
{
"status": "affected",
"version": "b0ed8ed0428ee96092da6fefa5cfacbe4abed701",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_txnmgr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.255",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.324",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix uninitialized waitqueue in transaction manager\n\nThe transaction manager initialization in txInit() was not properly\ninitializing TxBlock[0].waitor waitqueue, causing a crash when\ntxEnd(0) is called on read-only filesystems.\n\nWhen a filesystem is mounted read-only, txBegin() returns tid=0 to\nindicate no transaction. However, txEnd(0) still gets called and\ntries to access TxBlock[0].waitor via tid_to_tblock(0), but this\nwaitqueue was never initialized because the initialization loop\nstarted at index 1 instead of 0.\n\nThis causes a \u0027non-static key\u0027 lockdep warning and system crash:\n INFO: trying to register non-static key in txEnd\n\nFix by ensuring all transaction blocks including TxBlock[0] have\ntheir waitqueues properly initialized during txInit()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:58.903Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6af7fce2e162ac68e85d3a11eb6ac8c35b24b64"
},
{
"url": "https://git.kernel.org/stable/c/8cae9cf23e0bd424ac904e753639a587543ce03a"
},
{
"url": "https://git.kernel.org/stable/c/a2aa97cde9857f881920635a2e3d3b11769619c5"
},
{
"url": "https://git.kernel.org/stable/c/d2dd7ca05a11685c314e62802a55e8d67a90e974"
},
{
"url": "https://git.kernel.org/stable/c/2a9575a372182ca075070b3cd77490dcf0c951e7"
},
{
"url": "https://git.kernel.org/stable/c/cbf2f527ae4ca7c7dabce42e85e8deb58588a37e"
},
{
"url": "https://git.kernel.org/stable/c/038861414ab383b41dd35abbf9ff0ef715592d53"
},
{
"url": "https://git.kernel.org/stable/c/300b072df72694ea330c4c673c035253e07827b8"
}
],
"title": "jfs: fix uninitialized waitqueue in transaction manager",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68168",
"datePublished": "2025-12-16T13:42:48.350Z",
"dateReserved": "2025-12-16T13:41:40.250Z",
"dateUpdated": "2026-01-02T15:33:58.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-23129 (GCVE-0-2025-23129)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2025-11-24 09:49
VLAI?
EPSS
Title
wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path
If a shared IRQ is used by the driver due to platform limitation, then the
IRQ affinity hint is set right after the allocation of IRQ vectors in
ath11k_pci_alloc_msi(). This does no harm unless one of the functions
requesting the IRQ fails and attempt to free the IRQ. This results in the
below warning:
WARNING: CPU: 7 PID: 349 at kernel/irq/manage.c:1929 free_irq+0x278/0x29c
Call trace:
free_irq+0x278/0x29c
ath11k_pcic_free_irq+0x70/0x10c [ath11k]
ath11k_pci_probe+0x800/0x820 [ath11k_pci]
local_pci_probe+0x40/0xbc
The warning is due to not clearing the affinity hint before freeing the
IRQs.
So to fix this issue, clear the IRQ affinity hint before calling
ath11k_pcic_free_irq() in the error path. The affinity will be cleared once
again further down the error path due to code organization, but that does
no harm.
Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-05266-QCAHSTSWPLZ_V2_TO_X86-1
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
39564b475ac5a589e6c22c43a08cbd283c295d2c , < 80dc5a2ce5b75d648e08549617f5c555d07ae43c
(git)
Affected: 39564b475ac5a589e6c22c43a08cbd283c295d2c , < 3fc42cfcc6e336f25dee79b34e57c4a63cd652a5 (git) Affected: 39564b475ac5a589e6c22c43a08cbd283c295d2c , < 68410c5bd381a81bcc92b808e7dc4e6b9ed25d11 (git) Affected: e01b3400d641cb290742849331f0d22e1202538a (git) Affected: 5a9f55efa9333e3edb4826d945cfdd8356f6e269 (git) Affected: d412d0ef300f28d698648cc7c19147ab413251fe (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80dc5a2ce5b75d648e08549617f5c555d07ae43c",
"status": "affected",
"version": "39564b475ac5a589e6c22c43a08cbd283c295d2c",
"versionType": "git"
},
{
"lessThan": "3fc42cfcc6e336f25dee79b34e57c4a63cd652a5",
"status": "affected",
"version": "39564b475ac5a589e6c22c43a08cbd283c295d2c",
"versionType": "git"
},
{
"lessThan": "68410c5bd381a81bcc92b808e7dc4e6b9ed25d11",
"status": "affected",
"version": "39564b475ac5a589e6c22c43a08cbd283c295d2c",
"versionType": "git"
},
{
"status": "affected",
"version": "e01b3400d641cb290742849331f0d22e1202538a",
"versionType": "git"
},
{
"status": "affected",
"version": "5a9f55efa9333e3edb4826d945cfdd8356f6e269",
"versionType": "git"
},
{
"status": "affected",
"version": "d412d0ef300f28d698648cc7c19147ab413251fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path\n\nIf a shared IRQ is used by the driver due to platform limitation, then the\nIRQ affinity hint is set right after the allocation of IRQ vectors in\nath11k_pci_alloc_msi(). This does no harm unless one of the functions\nrequesting the IRQ fails and attempt to free the IRQ. This results in the\nbelow warning:\n\nWARNING: CPU: 7 PID: 349 at kernel/irq/manage.c:1929 free_irq+0x278/0x29c\nCall trace:\n free_irq+0x278/0x29c\n ath11k_pcic_free_irq+0x70/0x10c [ath11k]\n ath11k_pci_probe+0x800/0x820 [ath11k_pci]\n local_pci_probe+0x40/0xbc\n\nThe warning is due to not clearing the affinity hint before freeing the\nIRQs.\n\nSo to fix this issue, clear the IRQ affinity hint before calling\nath11k_pcic_free_irq() in the error path. The affinity will be cleared once\nagain further down the error path due to code organization, but that does\nno harm.\n\nTested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-05266-QCAHSTSWPLZ_V2_TO_X86-1"
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T09:49:46.072Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80dc5a2ce5b75d648e08549617f5c555d07ae43c"
},
{
"url": "https://git.kernel.org/stable/c/3fc42cfcc6e336f25dee79b34e57c4a63cd652a5"
},
{
"url": "https://git.kernel.org/stable/c/68410c5bd381a81bcc92b808e7dc4e6b9ed25d11"
}
],
"title": "wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-23129",
"datePublished": "2025-04-16T14:13:11.663Z",
"dateReserved": "2025-01-11T14:28:41.510Z",
"dateUpdated": "2025-11-24T09:49:46.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68780 (GCVE-0-2025-68780)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
sched/deadline: only set free_cpus for online runqueues
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/deadline: only set free_cpus for online runqueues
Commit 16b269436b72 ("sched/deadline: Modify cpudl::free_cpus
to reflect rd->online") introduced the cpudl_set/clear_freecpu
functions to allow the cpu_dl::free_cpus mask to be manipulated
by the deadline scheduler class rq_on/offline callbacks so the
mask would also reflect this state.
Commit 9659e1eeee28 ("sched/deadline: Remove cpu_active_mask
from cpudl_find()") removed the check of the cpu_active_mask to
save some processing on the premise that the cpudl::free_cpus
mask already reflected the runqueue online state.
Unfortunately, there are cases where it is possible for the
cpudl_clear function to set the free_cpus bit for a CPU when the
deadline runqueue is offline. When this occurs while a CPU is
connected to the default root domain the flag may retain the bad
state after the CPU has been unplugged. Later, a different CPU
that is transitioning through the default root domain may push a
deadline task to the powered down CPU when cpudl_find sees its
free_cpus bit is set. If this happens the task will not have the
opportunity to run.
One example is outlined here:
https://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com
Another occurs when the last deadline task is migrated from a
CPU that has an offlined runqueue. The dequeue_task member of
the deadline scheduler class will eventually call cpudl_clear
and set the free_cpus bit for the CPU.
This commit modifies the cpudl_clear function to be aware of the
online state of the deadline runqueue so that the free_cpus mask
can be updated appropriately.
It is no longer necessary to manage the mask outside of the
cpudl_set/clear functions so the cpudl_set/clear_freecpu
functions are removed. In addition, since the free_cpus mask is
now only updated under the cpudl lock the code was changed to
use the non-atomic __cpumask functions.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9659e1eeee28f7025b6545934d644d19e9c6e603 , < 9019e399684e3cc68c4a3f050e268f74d69c1317
(git)
Affected: 9659e1eeee28f7025b6545934d644d19e9c6e603 , < fb36846cbcc936954f2ad2bffdff13d16c0be08a (git) Affected: 9659e1eeee28f7025b6545934d644d19e9c6e603 , < 91e448e69aca4bb0ba2e998eb3e555644db7322b (git) Affected: 9659e1eeee28f7025b6545934d644d19e9c6e603 , < dbc61834b0412435df21c71410562d933e4eba49 (git) Affected: 9659e1eeee28f7025b6545934d644d19e9c6e603 , < 3ed049fbfb4d75b4e0b8ab54c934f485129d5dc8 (git) Affected: 9659e1eeee28f7025b6545934d644d19e9c6e603 , < 382748c05e58a9f1935f5a653c352422375566ea (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/cpudeadline.c",
"kernel/sched/cpudeadline.h",
"kernel/sched/deadline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9019e399684e3cc68c4a3f050e268f74d69c1317",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "fb36846cbcc936954f2ad2bffdff13d16c0be08a",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "91e448e69aca4bb0ba2e998eb3e555644db7322b",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "dbc61834b0412435df21c71410562d933e4eba49",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "3ed049fbfb4d75b4e0b8ab54c934f485129d5dc8",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "382748c05e58a9f1935f5a653c352422375566ea",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/cpudeadline.c",
"kernel/sched/cpudeadline.h",
"kernel/sched/deadline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: only set free_cpus for online runqueues\n\nCommit 16b269436b72 (\"sched/deadline: Modify cpudl::free_cpus\nto reflect rd-\u003eonline\") introduced the cpudl_set/clear_freecpu\nfunctions to allow the cpu_dl::free_cpus mask to be manipulated\nby the deadline scheduler class rq_on/offline callbacks so the\nmask would also reflect this state.\n\nCommit 9659e1eeee28 (\"sched/deadline: Remove cpu_active_mask\nfrom cpudl_find()\") removed the check of the cpu_active_mask to\nsave some processing on the premise that the cpudl::free_cpus\nmask already reflected the runqueue online state.\n\nUnfortunately, there are cases where it is possible for the\ncpudl_clear function to set the free_cpus bit for a CPU when the\ndeadline runqueue is offline. When this occurs while a CPU is\nconnected to the default root domain the flag may retain the bad\nstate after the CPU has been unplugged. Later, a different CPU\nthat is transitioning through the default root domain may push a\ndeadline task to the powered down CPU when cpudl_find sees its\nfree_cpus bit is set. If this happens the task will not have the\nopportunity to run.\n\nOne example is outlined here:\nhttps://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com\n\nAnother occurs when the last deadline task is migrated from a\nCPU that has an offlined runqueue. The dequeue_task member of\nthe deadline scheduler class will eventually call cpudl_clear\nand set the free_cpus bit for the CPU.\n\nThis commit modifies the cpudl_clear function to be aware of the\nonline state of the deadline runqueue so that the free_cpus mask\ncan be updated appropriately.\n\nIt is no longer necessary to manage the mask outside of the\ncpudl_set/clear functions so the cpudl_set/clear_freecpu\nfunctions are removed. In addition, since the free_cpus mask is\nnow only updated under the cpudl lock the code was changed to\nuse the non-atomic __cpumask functions."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:26.498Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9019e399684e3cc68c4a3f050e268f74d69c1317"
},
{
"url": "https://git.kernel.org/stable/c/fb36846cbcc936954f2ad2bffdff13d16c0be08a"
},
{
"url": "https://git.kernel.org/stable/c/91e448e69aca4bb0ba2e998eb3e555644db7322b"
},
{
"url": "https://git.kernel.org/stable/c/dbc61834b0412435df21c71410562d933e4eba49"
},
{
"url": "https://git.kernel.org/stable/c/3ed049fbfb4d75b4e0b8ab54c934f485129d5dc8"
},
{
"url": "https://git.kernel.org/stable/c/382748c05e58a9f1935f5a653c352422375566ea"
}
],
"title": "sched/deadline: only set free_cpus for online runqueues",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68780",
"datePublished": "2026-01-13T15:28:55.483Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-02-09T08:33:26.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40061 (GCVE-0-2025-40061)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
RDMA/rxe: Fix race in do_task() when draining
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix race in do_task() when draining
When do_task() exhausts its iteration budget (!ret), it sets the state
to TASK_STATE_IDLE to reschedule, without a secondary check on the
current task->state. This can overwrite the TASK_STATE_DRAINING state
set by a concurrent call to rxe_cleanup_task() or rxe_disable_task().
While state changes are protected by a spinlock, both rxe_cleanup_task()
and rxe_disable_task() release the lock while waiting for the task to
finish draining in the while(!is_done(task)) loop. The race occurs if
do_task() hits its iteration limit and acquires the lock in this window.
The cleanup logic may then proceed while the task incorrectly
reschedules itself, leading to a potential use-after-free.
This bug was introduced during the migration from tasklets to workqueues,
where the special handling for the draining case was lost.
Fix this by restoring the original pre-migration behavior. If the state is
TASK_STATE_DRAINING when iterations are exhausted, set cont to 1 to
force a new loop iteration. This allows the task to finish its work, so
that a subsequent iteration can reach the switch statement and correctly
transition the state to TASK_STATE_DRAINED, stopping the task as intended.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9b4b7c1f9f54120940e243251e2b1407767b3381 , < 85288bcf7ffe11e7b036edf91937bc62fd384076
(git)
Affected: 9b4b7c1f9f54120940e243251e2b1407767b3381 , < 52edccfb555142678c836c285bf5b4ec760bd043 (git) Affected: 9b4b7c1f9f54120940e243251e2b1407767b3381 , < 660b6959c4170637f5db2279d1f71af33a49e49b (git) Affected: 9b4b7c1f9f54120940e243251e2b1407767b3381 , < 8ca7eada62fcfabf6ec1dc7468941e791c1d8729 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_task.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "85288bcf7ffe11e7b036edf91937bc62fd384076",
"status": "affected",
"version": "9b4b7c1f9f54120940e243251e2b1407767b3381",
"versionType": "git"
},
{
"lessThan": "52edccfb555142678c836c285bf5b4ec760bd043",
"status": "affected",
"version": "9b4b7c1f9f54120940e243251e2b1407767b3381",
"versionType": "git"
},
{
"lessThan": "660b6959c4170637f5db2279d1f71af33a49e49b",
"status": "affected",
"version": "9b4b7c1f9f54120940e243251e2b1407767b3381",
"versionType": "git"
},
{
"lessThan": "8ca7eada62fcfabf6ec1dc7468941e791c1d8729",
"status": "affected",
"version": "9b4b7c1f9f54120940e243251e2b1407767b3381",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_task.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix race in do_task() when draining\n\nWhen do_task() exhausts its iteration budget (!ret), it sets the state\nto TASK_STATE_IDLE to reschedule, without a secondary check on the\ncurrent task-\u003estate. This can overwrite the TASK_STATE_DRAINING state\nset by a concurrent call to rxe_cleanup_task() or rxe_disable_task().\n\nWhile state changes are protected by a spinlock, both rxe_cleanup_task()\nand rxe_disable_task() release the lock while waiting for the task to\nfinish draining in the while(!is_done(task)) loop. The race occurs if\ndo_task() hits its iteration limit and acquires the lock in this window.\nThe cleanup logic may then proceed while the task incorrectly\nreschedules itself, leading to a potential use-after-free.\n\nThis bug was introduced during the migration from tasklets to workqueues,\nwhere the special handling for the draining case was lost.\n\nFix this by restoring the original pre-migration behavior. If the state is\nTASK_STATE_DRAINING when iterations are exhausted, set cont to 1 to\nforce a new loop iteration. This allows the task to finish its work, so\nthat a subsequent iteration can reach the switch statement and correctly\ntransition the state to TASK_STATE_DRAINED, stopping the task as intended."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:10.895Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/85288bcf7ffe11e7b036edf91937bc62fd384076"
},
{
"url": "https://git.kernel.org/stable/c/52edccfb555142678c836c285bf5b4ec760bd043"
},
{
"url": "https://git.kernel.org/stable/c/660b6959c4170637f5db2279d1f71af33a49e49b"
},
{
"url": "https://git.kernel.org/stable/c/8ca7eada62fcfabf6ec1dc7468941e791c1d8729"
}
],
"title": "RDMA/rxe: Fix race in do_task() when draining",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40061",
"datePublished": "2025-10-28T11:48:33.361Z",
"dateReserved": "2025-04-16T07:20:57.158Z",
"dateUpdated": "2025-12-01T06:17:10.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40254 (GCVE-0-2025-40254)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
net: openvswitch: remove never-working support for setting nsh fields
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: remove never-working support for setting nsh fields
The validation of the set(nsh(...)) action is completely wrong.
It runs through the nsh_key_put_from_nlattr() function that is the
same function that validates NSH keys for the flow match and the
push_nsh() action. However, the set(nsh(...)) has a very different
memory layout. Nested attributes in there are doubled in size in
case of the masked set(). That makes proper validation impossible.
There is also confusion in the code between the 'masked' flag, that
says that the nested attributes are doubled in size containing both
the value and the mask, and the 'is_mask' that says that the value
we're parsing is the mask. This is causing kernel crash on trying to
write into mask part of the match with SW_FLOW_KEY_PUT() during
validation, while validate_nsh() doesn't allocate any memory for it:
BUG: kernel NULL pointer dereference, address: 0000000000000018
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)
RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]
Call Trace:
<TASK>
validate_nsh+0x60/0x90 [openvswitch]
validate_set.constprop.0+0x270/0x3c0 [openvswitch]
__ovs_nla_copy_actions+0x477/0x860 [openvswitch]
ovs_nla_copy_actions+0x8d/0x100 [openvswitch]
ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]
genl_family_rcv_msg_doit+0xdb/0x130
genl_family_rcv_msg+0x14b/0x220
genl_rcv_msg+0x47/0xa0
netlink_rcv_skb+0x53/0x100
genl_rcv+0x24/0x40
netlink_unicast+0x280/0x3b0
netlink_sendmsg+0x1f7/0x430
____sys_sendmsg+0x36b/0x3a0
___sys_sendmsg+0x87/0xd0
__sys_sendmsg+0x6d/0xd0
do_syscall_64+0x7b/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The third issue with this process is that while trying to convert
the non-masked set into masked one, validate_set() copies and doubles
the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested
attributes. It should be copying each nested attribute and doubling
them in size independently. And the process must be properly reversed
during the conversion back from masked to a non-masked variant during
the flow dump.
In the end, the only two outcomes of trying to use this action are
either validation failure or a kernel crash. And if somehow someone
manages to install a flow with such an action, it will most definitely
not do what it is supposed to, since all the keys and the masks are
mixed up.
Fixing all the issues is a complex task as it requires re-writing
most of the validation code.
Given that and the fact that this functionality never worked since
introduction, let's just remove it altogether. It's better to
re-introduce it later with a proper implementation instead of trying
to fix it in stable releases.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 3415faa1fcb4150f29a72c5ecf959339d797feb7
(git)
Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 3d2e7d3b28469081ccf08301df07cc411a1cc5e9 (git) Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < f95bef5ba0b88d971b02c776f24bd17544930a3a (git) Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 87d2429381ddcf8cbd30c8c36793a4f7916d5f99 (git) Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 0b903f33c31c82b1c3591279fd8a23893802b987 (git) Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 9c61d8fe1350b7322f4953318165d6719c3b1475 (git) Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 4689ba45296dbb3a47e70a1bc2ed0328263e48f3 (git) Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < dfe28c4167a9259fc0c372d9f9473e1ac95cff67 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/actions.c",
"net/openvswitch/flow_netlink.c",
"net/openvswitch/flow_netlink.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3415faa1fcb4150f29a72c5ecf959339d797feb7",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "3d2e7d3b28469081ccf08301df07cc411a1cc5e9",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "f95bef5ba0b88d971b02c776f24bd17544930a3a",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "87d2429381ddcf8cbd30c8c36793a4f7916d5f99",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "0b903f33c31c82b1c3591279fd8a23893802b987",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "9c61d8fe1350b7322f4953318165d6719c3b1475",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "4689ba45296dbb3a47e70a1bc2ed0328263e48f3",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "dfe28c4167a9259fc0c372d9f9473e1ac95cff67",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/actions.c",
"net/openvswitch/flow_netlink.c",
"net/openvswitch/flow_netlink.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: remove never-working support for setting nsh fields\n\nThe validation of the set(nsh(...)) action is completely wrong.\nIt runs through the nsh_key_put_from_nlattr() function that is the\nsame function that validates NSH keys for the flow match and the\npush_nsh() action. However, the set(nsh(...)) has a very different\nmemory layout. Nested attributes in there are doubled in size in\ncase of the masked set(). That makes proper validation impossible.\n\nThere is also confusion in the code between the \u0027masked\u0027 flag, that\nsays that the nested attributes are doubled in size containing both\nthe value and the mask, and the \u0027is_mask\u0027 that says that the value\nwe\u0027re parsing is the mask. This is causing kernel crash on trying to\nwrite into mask part of the match with SW_FLOW_KEY_PUT() during\nvalidation, while validate_nsh() doesn\u0027t allocate any memory for it:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)\n RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]\n Call Trace:\n \u003cTASK\u003e\n validate_nsh+0x60/0x90 [openvswitch]\n validate_set.constprop.0+0x270/0x3c0 [openvswitch]\n __ovs_nla_copy_actions+0x477/0x860 [openvswitch]\n ovs_nla_copy_actions+0x8d/0x100 [openvswitch]\n ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]\n genl_family_rcv_msg_doit+0xdb/0x130\n genl_family_rcv_msg+0x14b/0x220\n genl_rcv_msg+0x47/0xa0\n netlink_rcv_skb+0x53/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x280/0x3b0\n netlink_sendmsg+0x1f7/0x430\n ____sys_sendmsg+0x36b/0x3a0\n ___sys_sendmsg+0x87/0xd0\n __sys_sendmsg+0x6d/0xd0\n do_syscall_64+0x7b/0x2c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe third issue with this process is that while trying to convert\nthe non-masked set into masked one, validate_set() copies and doubles\nthe size of the OVS_KEY_ATTR_NSH as if it didn\u0027t have any nested\nattributes. It should be copying each nested attribute and doubling\nthem in size independently. And the process must be properly reversed\nduring the conversion back from masked to a non-masked variant during\nthe flow dump.\n\nIn the end, the only two outcomes of trying to use this action are\neither validation failure or a kernel crash. And if somehow someone\nmanages to install a flow with such an action, it will most definitely\nnot do what it is supposed to, since all the keys and the masks are\nmixed up.\n\nFixing all the issues is a complex task as it requires re-writing\nmost of the validation code.\n\nGiven that and the fact that this functionality never worked since\nintroduction, let\u0027s just remove it altogether. It\u0027s better to\nre-introduce it later with a proper implementation instead of trying\nto fix it in stable releases."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:52.361Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3415faa1fcb4150f29a72c5ecf959339d797feb7"
},
{
"url": "https://git.kernel.org/stable/c/3d2e7d3b28469081ccf08301df07cc411a1cc5e9"
},
{
"url": "https://git.kernel.org/stable/c/f95bef5ba0b88d971b02c776f24bd17544930a3a"
},
{
"url": "https://git.kernel.org/stable/c/87d2429381ddcf8cbd30c8c36793a4f7916d5f99"
},
{
"url": "https://git.kernel.org/stable/c/0b903f33c31c82b1c3591279fd8a23893802b987"
},
{
"url": "https://git.kernel.org/stable/c/9c61d8fe1350b7322f4953318165d6719c3b1475"
},
{
"url": "https://git.kernel.org/stable/c/4689ba45296dbb3a47e70a1bc2ed0328263e48f3"
},
{
"url": "https://git.kernel.org/stable/c/dfe28c4167a9259fc0c372d9f9473e1ac95cff67"
}
],
"title": "net: openvswitch: remove never-working support for setting nsh fields",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40254",
"datePublished": "2025-12-04T16:08:16.305Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-06T21:38:52.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39817 (GCVE-0-2025-39817)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
Summary
In the Linux kernel, the following vulnerability has been resolved:
efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
Observed on kernel 6.6 (present on master as well):
BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0
Call trace:
kasan_check_range+0xe8/0x190
__asan_loadN+0x1c/0x28
memcmp+0x98/0xd0
efivarfs_d_compare+0x68/0xd8
__d_lookup_rcu_op_compare+0x178/0x218
__d_lookup_rcu+0x1f8/0x228
d_alloc_parallel+0x150/0x648
lookup_open.isra.0+0x5f0/0x8d0
open_last_lookups+0x264/0x828
path_openat+0x130/0x3f8
do_filp_open+0x114/0x248
do_sys_openat2+0x340/0x3c0
__arm64_sys_openat+0x120/0x1a0
If dentry->d_name.len < EFI_VARIABLE_GUID_LEN , 'guid' can become
negative, leadings to oob. The issue can be triggered by parallel
lookups using invalid filename:
T1 T2
lookup_open
->lookup
simple_lookup
d_add
// invalid dentry is added to hash list
lookup_open
d_alloc_parallel
__d_lookup_rcu
__d_lookup_rcu_op_compare
hlist_bl_for_each_entry_rcu
// invalid dentry can be retrieved
->d_compare
efivarfs_d_compare
// oob
Fix it by checking 'guid' before cmp.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
da27a24383b2b10bf6ebd0db29b325548aafecb4 , < 0f63fbabeaaaaaaf5b742a2f4c1b4590d50bf1f6
(git)
Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < 794399019301944fd6d2e0d7a51b3327e26c410e (git) Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < 568e7761279b99c6daa3002290fd6d8047ddb6d2 (git) Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < d7f5e35e70507d10cbaff5f9e194ed54c4ee14f7 (git) Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < 925599eba46045930b850a98ae594d2e3028ac40 (git) Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < c2925cd6207079c3f4d040d082515db78d63afbf (git) Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < 71581a82f38e5a4d807d71fc1bb59aead80ccf95 (git) Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < a6358f8cf64850f3f27857b8ed8c1b08cfc4685c (git) Affected: 688289c4b745c018b3449b4b4c5a2030083c8eaf (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:40.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/efivarfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f63fbabeaaaaaaf5b742a2f4c1b4590d50bf1f6",
"status": "affected",
"version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
"versionType": "git"
},
{
"lessThan": "794399019301944fd6d2e0d7a51b3327e26c410e",
"status": "affected",
"version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
"versionType": "git"
},
{
"lessThan": "568e7761279b99c6daa3002290fd6d8047ddb6d2",
"status": "affected",
"version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
"versionType": "git"
},
{
"lessThan": "d7f5e35e70507d10cbaff5f9e194ed54c4ee14f7",
"status": "affected",
"version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
"versionType": "git"
},
{
"lessThan": "925599eba46045930b850a98ae594d2e3028ac40",
"status": "affected",
"version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
"versionType": "git"
},
{
"lessThan": "c2925cd6207079c3f4d040d082515db78d63afbf",
"status": "affected",
"version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
"versionType": "git"
},
{
"lessThan": "71581a82f38e5a4d807d71fc1bb59aead80ccf95",
"status": "affected",
"version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
"versionType": "git"
},
{
"lessThan": "a6358f8cf64850f3f27857b8ed8c1b08cfc4685c",
"status": "affected",
"version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
"versionType": "git"
},
{
"status": "affected",
"version": "688289c4b745c018b3449b4b4c5a2030083c8eaf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/efivarfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.298",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.8.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: Fix slab-out-of-bounds in efivarfs_d_compare\n\nObserved on kernel 6.6 (present on master as well):\n\n BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0\n Call trace:\n kasan_check_range+0xe8/0x190\n __asan_loadN+0x1c/0x28\n memcmp+0x98/0xd0\n efivarfs_d_compare+0x68/0xd8\n __d_lookup_rcu_op_compare+0x178/0x218\n __d_lookup_rcu+0x1f8/0x228\n d_alloc_parallel+0x150/0x648\n lookup_open.isra.0+0x5f0/0x8d0\n open_last_lookups+0x264/0x828\n path_openat+0x130/0x3f8\n do_filp_open+0x114/0x248\n do_sys_openat2+0x340/0x3c0\n __arm64_sys_openat+0x120/0x1a0\n\nIf dentry-\u003ed_name.len \u003c EFI_VARIABLE_GUID_LEN , \u0027guid\u0027 can become\nnegative, leadings to oob. The issue can be triggered by parallel\nlookups using invalid filename:\n\n T1\t\t\tT2\n lookup_open\n -\u003elookup\n simple_lookup\n d_add\n // invalid dentry is added to hash list\n\n\t\t\tlookup_open\n\t\t\t d_alloc_parallel\n\t\t\t __d_lookup_rcu\n\t\t\t __d_lookup_rcu_op_compare\n\t\t\t hlist_bl_for_each_entry_rcu\n\t\t\t // invalid dentry can be retrieved\n\t\t\t -\u003ed_compare\n\t\t\t efivarfs_d_compare\n\t\t\t // oob\n\nFix it by checking \u0027guid\u0027 before cmp."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:15.470Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f63fbabeaaaaaaf5b742a2f4c1b4590d50bf1f6"
},
{
"url": "https://git.kernel.org/stable/c/794399019301944fd6d2e0d7a51b3327e26c410e"
},
{
"url": "https://git.kernel.org/stable/c/568e7761279b99c6daa3002290fd6d8047ddb6d2"
},
{
"url": "https://git.kernel.org/stable/c/d7f5e35e70507d10cbaff5f9e194ed54c4ee14f7"
},
{
"url": "https://git.kernel.org/stable/c/925599eba46045930b850a98ae594d2e3028ac40"
},
{
"url": "https://git.kernel.org/stable/c/c2925cd6207079c3f4d040d082515db78d63afbf"
},
{
"url": "https://git.kernel.org/stable/c/71581a82f38e5a4d807d71fc1bb59aead80ccf95"
},
{
"url": "https://git.kernel.org/stable/c/a6358f8cf64850f3f27857b8ed8c1b08cfc4685c"
}
],
"title": "efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39817",
"datePublished": "2025-09-16T13:00:17.776Z",
"dateReserved": "2025-04-16T07:20:57.138Z",
"dateUpdated": "2025-11-03T17:43:40.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40266 (GCVE-0-2025-40266)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
KVM: arm64: Check the untrusted offset in FF-A memory share
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Check the untrusted offset in FF-A memory share
Verify the offset to prevent OOB access in the hypervisor
FF-A buffer in case an untrusted large enough value
[U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX]
is set from the host kernel.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6211753fdfd05af9e08f54c8d0ba3ee516034878 , < fc3139d9f4c1fe1c7d5f25f99676bd8e9c6a1041
(git)
Affected: 6211753fdfd05af9e08f54c8d0ba3ee516034878 , < bc1909ef38788f2ee3d8011d70bf029948433051 (git) Affected: 6211753fdfd05af9e08f54c8d0ba3ee516034878 , < f9f1aed6c8a3427900da3121e1868124854569c3 (git) Affected: 6211753fdfd05af9e08f54c8d0ba3ee516034878 , < 103e17aac09cdd358133f9e00998b75d6c1f1518 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/hyp/nvhe/ffa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc3139d9f4c1fe1c7d5f25f99676bd8e9c6a1041",
"status": "affected",
"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
"versionType": "git"
},
{
"lessThan": "bc1909ef38788f2ee3d8011d70bf029948433051",
"status": "affected",
"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
"versionType": "git"
},
{
"lessThan": "f9f1aed6c8a3427900da3121e1868124854569c3",
"status": "affected",
"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
"versionType": "git"
},
{
"lessThan": "103e17aac09cdd358133f9e00998b75d6c1f1518",
"status": "affected",
"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/hyp/nvhe/ffa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Check the untrusted offset in FF-A memory share\n\nVerify the offset to prevent OOB access in the hypervisor\nFF-A buffer in case an untrusted large enough value\n[U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX]\nis set from the host kernel."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:50.089Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc3139d9f4c1fe1c7d5f25f99676bd8e9c6a1041"
},
{
"url": "https://git.kernel.org/stable/c/bc1909ef38788f2ee3d8011d70bf029948433051"
},
{
"url": "https://git.kernel.org/stable/c/f9f1aed6c8a3427900da3121e1868124854569c3"
},
{
"url": "https://git.kernel.org/stable/c/103e17aac09cdd358133f9e00998b75d6c1f1518"
}
],
"title": "KVM: arm64: Check the untrusted offset in FF-A memory share",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40266",
"datePublished": "2025-12-04T16:08:25.392Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2025-12-20T08:51:50.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68310 (GCVE-0-2025-68310)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2025-12-16 15:39
VLAI?
EPSS
Title
s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump
Do not block PCI config accesses through pci_cfg_access_lock() when
executing the s390 variant of PCI error recovery: Acquire just
device_lock() instead of pci_dev_lock() as powerpc's EEH and
generig PCI AER processing do.
During error recovery testing a pair of tasks was reported to be hung:
mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working
INFO: task kmcheck:72 blocked for more than 122 seconds.
Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kmcheck state:D stack:0 pid:72 tgid:72 ppid:2 flags:0x00000000
Call Trace:
[<000000065256f030>] __schedule+0x2a0/0x590
[<000000065256f356>] schedule+0x36/0xe0
[<000000065256f572>] schedule_preempt_disabled+0x22/0x30
[<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8
[<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core]
[<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]
[<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398
[<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0
INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.
Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u1664:6 state:D stack:0 pid:1514 tgid:1514 ppid:2 flags:0x00000000
Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core]
Call Trace:
[<000000065256f030>] __schedule+0x2a0/0x590
[<000000065256f356>] schedule+0x36/0xe0
[<0000000652172e28>] pci_wait_cfg+0x80/0xe8
[<0000000652172f94>] pci_cfg_access_lock+0x74/0x88
[<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]
[<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]
[<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]
[<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168
[<0000000652513212>] devlink_health_report+0x19a/0x230
[<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]
No kernel log of the exact same error with an upstream kernel is
available - but the very same deadlock situation can be constructed there,
too:
- task: kmcheck
mlx5_unload_one() tries to acquire devlink lock while the PCI error
recovery code has set pdev->block_cfg_access by way of
pci_cfg_access_lock()
- task: kworker
mlx5_crdump_collect() tries to set block_cfg_access through
pci_cfg_access_lock() while devlink_health_report() had acquired
the devlink lock.
A similar deadlock situation can be reproduced by requesting a
crdump with
> devlink health dump show pci/<BDF> reporter fw_fatal
while PCI error recovery is executed on the same <BDF> physical function
by mlx5_core's pci_error_handlers. On s390 this can be injected with
> zpcictl --reset-fw <BDF>
Tests with this patch failed to reproduce that second deadlock situation,
the devlink command is rejected with "kernel answers: Permission denied" -
and we get a kernel log message of:
mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5
because the config read of VSC_SEMAPHORE is rejected by the underlying
hardware.
Two prior attempts to address this issue have been discussed and
ultimately rejected [see link], with the primary argument that s390's
implementation of PCI error recovery is imposing restrictions that
neither powerpc's EEH nor PCI AER handling need. Tests show that PCI
error recovery on s390 is running to completion even without blocking
access to PCI config space.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4cdf2f4e24ff0d345fc36ef6d6aec059333a261e , < d0df2503bc3c2be385ca2fd96585daad1870c7c5
(git)
Affected: 4cdf2f4e24ff0d345fc36ef6d6aec059333a261e , < b63c061be622b17b495cbf78a6d5f2d4c3147f8e (git) Affected: 4cdf2f4e24ff0d345fc36ef6d6aec059333a261e , < 3591d56ea9bfd3e7fbbe70f749bdeed689d415f9 (git) Affected: 4cdf2f4e24ff0d345fc36ef6d6aec059333a261e , < 54f938d9f5693af8ed586a08db4af5d9da1f0f2d (git) Affected: 4cdf2f4e24ff0d345fc36ef6d6aec059333a261e , < 0fd20f65df6aa430454a0deed8f43efa91c54835 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/s390/pci/pci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0df2503bc3c2be385ca2fd96585daad1870c7c5",
"status": "affected",
"version": "4cdf2f4e24ff0d345fc36ef6d6aec059333a261e",
"versionType": "git"
},
{
"lessThan": "b63c061be622b17b495cbf78a6d5f2d4c3147f8e",
"status": "affected",
"version": "4cdf2f4e24ff0d345fc36ef6d6aec059333a261e",
"versionType": "git"
},
{
"lessThan": "3591d56ea9bfd3e7fbbe70f749bdeed689d415f9",
"status": "affected",
"version": "4cdf2f4e24ff0d345fc36ef6d6aec059333a261e",
"versionType": "git"
},
{
"lessThan": "54f938d9f5693af8ed586a08db4af5d9da1f0f2d",
"status": "affected",
"version": "4cdf2f4e24ff0d345fc36ef6d6aec059333a261e",
"versionType": "git"
},
{
"lessThan": "0fd20f65df6aa430454a0deed8f43efa91c54835",
"status": "affected",
"version": "4cdf2f4e24ff0d345fc36ef6d6aec059333a261e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/s390/pci/pci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump\n\nDo not block PCI config accesses through pci_cfg_access_lock() when\nexecuting the s390 variant of PCI error recovery: Acquire just\ndevice_lock() instead of pci_dev_lock() as powerpc\u0027s EEH and\ngenerig PCI AER processing do.\n\nDuring error recovery testing a pair of tasks was reported to be hung:\n\nmlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working\nINFO: task kmcheck:72 blocked for more than 122 seconds.\n Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:kmcheck state:D stack:0 pid:72 tgid:72 ppid:2 flags:0x00000000\nCall Trace:\n [\u003c000000065256f030\u003e] __schedule+0x2a0/0x590\n [\u003c000000065256f356\u003e] schedule+0x36/0xe0\n [\u003c000000065256f572\u003e] schedule_preempt_disabled+0x22/0x30\n [\u003c0000000652570a94\u003e] __mutex_lock.constprop.0+0x484/0x8a8\n [\u003c000003ff800673a4\u003e] mlx5_unload_one+0x34/0x58 [mlx5_core]\n [\u003c000003ff8006745c\u003e] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]\n [\u003c0000000652556c5a\u003e] zpci_event_attempt_error_recovery+0xf2/0x398\n [\u003c0000000651b9184a\u003e] __zpci_event_error+0x23a/0x2c0\nINFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.\n Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:kworker/u1664:6 state:D stack:0 pid:1514 tgid:1514 ppid:2 flags:0x00000000\nWorkqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core]\nCall Trace:\n [\u003c000000065256f030\u003e] __schedule+0x2a0/0x590\n [\u003c000000065256f356\u003e] schedule+0x36/0xe0\n [\u003c0000000652172e28\u003e] pci_wait_cfg+0x80/0xe8\n [\u003c0000000652172f94\u003e] pci_cfg_access_lock+0x74/0x88\n [\u003c000003ff800916b6\u003e] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]\n [\u003c000003ff80098824\u003e] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]\n [\u003c000003ff80074b62\u003e] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]\n [\u003c0000000652512242\u003e] devlink_health_do_dump.part.0+0x82/0x168\n [\u003c0000000652513212\u003e] devlink_health_report+0x19a/0x230\n [\u003c000003ff80075a12\u003e] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]\n\nNo kernel log of the exact same error with an upstream kernel is\navailable - but the very same deadlock situation can be constructed there,\ntoo:\n\n- task: kmcheck\n mlx5_unload_one() tries to acquire devlink lock while the PCI error\n recovery code has set pdev-\u003eblock_cfg_access by way of\n pci_cfg_access_lock()\n- task: kworker\n mlx5_crdump_collect() tries to set block_cfg_access through\n pci_cfg_access_lock() while devlink_health_report() had acquired\n the devlink lock.\n\nA similar deadlock situation can be reproduced by requesting a\ncrdump with\n \u003e devlink health dump show pci/\u003cBDF\u003e reporter fw_fatal\n\nwhile PCI error recovery is executed on the same \u003cBDF\u003e physical function\nby mlx5_core\u0027s pci_error_handlers. On s390 this can be injected with\n \u003e zpcictl --reset-fw \u003cBDF\u003e\n\nTests with this patch failed to reproduce that second deadlock situation,\nthe devlink command is rejected with \"kernel answers: Permission denied\" -\nand we get a kernel log message of:\n\nmlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5\n\nbecause the config read of VSC_SEMAPHORE is rejected by the underlying\nhardware.\n\nTwo prior attempts to address this issue have been discussed and\nultimately rejected [see link], with the primary argument that s390\u0027s\nimplementation of PCI error recovery is imposing restrictions that\nneither powerpc\u0027s EEH nor PCI AER handling need. Tests show that PCI\nerror recovery on s390 is running to completion even without blocking\naccess to PCI config space."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:41.652Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0df2503bc3c2be385ca2fd96585daad1870c7c5"
},
{
"url": "https://git.kernel.org/stable/c/b63c061be622b17b495cbf78a6d5f2d4c3147f8e"
},
{
"url": "https://git.kernel.org/stable/c/3591d56ea9bfd3e7fbbe70f749bdeed689d415f9"
},
{
"url": "https://git.kernel.org/stable/c/54f938d9f5693af8ed586a08db4af5d9da1f0f2d"
},
{
"url": "https://git.kernel.org/stable/c/0fd20f65df6aa430454a0deed8f43efa91c54835"
}
],
"title": "s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68310",
"datePublished": "2025-12-16T15:39:41.652Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:39:41.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40187 (GCVE-0-2025-40187)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()
If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0
and sctp_ulpevent_make_authkey() returns 0, then the variable
ai_ev remains zero and the zero will be dereferenced
in the sctp_ulpevent_free() function.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b , < 1014b83778c8677f1d7a57c26dc728baa801ac62
(git)
Affected: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b , < 7f702f85df0266ed7b5bab81ba50394c92f3c928 (git) Affected: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b , < dbceedc0213e75bf3e9f9f9e2f66b10699d004fe (git) Affected: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b , < 025419f4e216a3ae0d0cec622262e98e8078c447 (git) Affected: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b , < c21f45cfa4a9526b34d76b397c9ef080668b6e73 (git) Affected: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b , < d0e8f1445c19b1786759ba72a38267e1449bab7e (git) Affected: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b , < badbd79313e6591616c1b78e29a9b71efed7f035 (git) Affected: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b , < 2f3119686ef50319490ccaec81a575973da98815 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1014b83778c8677f1d7a57c26dc728baa801ac62",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "7f702f85df0266ed7b5bab81ba50394c92f3c928",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "dbceedc0213e75bf3e9f9f9e2f66b10699d004fe",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "025419f4e216a3ae0d0cec622262e98e8078c447",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "c21f45cfa4a9526b34d76b397c9ef080668b6e73",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "d0e8f1445c19b1786759ba72a38267e1449bab7e",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "badbd79313e6591616c1b78e29a9b71efed7f035",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "2f3119686ef50319490ccaec81a575973da98815",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()\n\nIf new_asoc-\u003epeer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0\nand sctp_ulpevent_make_authkey() returns 0, then the variable\nai_ev remains zero and the zero will be dereferenced\nin the sctp_ulpevent_free() function."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:45.756Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1014b83778c8677f1d7a57c26dc728baa801ac62"
},
{
"url": "https://git.kernel.org/stable/c/7f702f85df0266ed7b5bab81ba50394c92f3c928"
},
{
"url": "https://git.kernel.org/stable/c/dbceedc0213e75bf3e9f9f9e2f66b10699d004fe"
},
{
"url": "https://git.kernel.org/stable/c/025419f4e216a3ae0d0cec622262e98e8078c447"
},
{
"url": "https://git.kernel.org/stable/c/c21f45cfa4a9526b34d76b397c9ef080668b6e73"
},
{
"url": "https://git.kernel.org/stable/c/d0e8f1445c19b1786759ba72a38267e1449bab7e"
},
{
"url": "https://git.kernel.org/stable/c/badbd79313e6591616c1b78e29a9b71efed7f035"
},
{
"url": "https://git.kernel.org/stable/c/2f3119686ef50319490ccaec81a575973da98815"
}
],
"title": "net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40187",
"datePublished": "2025-11-12T21:56:29.504Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:45.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40281 (GCVE-0-2025-40281)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51
VLAI?
EPSS
Title
sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto
syzbot reported a possible shift-out-of-bounds [1]
Blamed commit added rto_alpha_max and rto_beta_max set to 1000.
It is unclear if some sctp users are setting very large rto_alpha
and/or rto_beta.
In order to prevent user regression, perform the test at run time.
Also add READ_ONCE() annotations as sysctl values can change under us.
[1]
UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41
shift exponent 64 is too large for 32-bit type 'unsigned int'
CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:233 [inline]
__ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494
sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509
sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502
sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338
sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b , < 0e0413e3315199b23ff4aec295e256034cd0a6e4
(git)
Affected: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b , < 834e65be429c0fa4f9bb5945064bd57f18ed2187 (git) Affected: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b , < abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a (git) Affected: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b , < d0d858652834dcf531342c82a0428170aa7c2675 (git) Affected: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b , < ed71f801249d2350c77a73dca2c03918a15a62fe (git) Affected: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b , < 1cfa4eac275cc4875755c1303d48a4ddfe507ca8 (git) Affected: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b , < aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d (git) Affected: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b , < 1534ff77757e44bcc4b98d0196bc5c0052fce5fa (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e0413e3315199b23ff4aec295e256034cd0a6e4",
"status": "affected",
"version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
"versionType": "git"
},
{
"lessThan": "834e65be429c0fa4f9bb5945064bd57f18ed2187",
"status": "affected",
"version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
"versionType": "git"
},
{
"lessThan": "abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a",
"status": "affected",
"version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
"versionType": "git"
},
{
"lessThan": "d0d858652834dcf531342c82a0428170aa7c2675",
"status": "affected",
"version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
"versionType": "git"
},
{
"lessThan": "ed71f801249d2350c77a73dca2c03918a15a62fe",
"status": "affected",
"version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
"versionType": "git"
},
{
"lessThan": "1cfa4eac275cc4875755c1303d48a4ddfe507ca8",
"status": "affected",
"version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
"versionType": "git"
},
{
"lessThan": "aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d",
"status": "affected",
"version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
"versionType": "git"
},
{
"lessThan": "1534ff77757e44bcc4b98d0196bc5c0052fce5fa",
"status": "affected",
"version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto\n\nsyzbot reported a possible shift-out-of-bounds [1]\n\nBlamed commit added rto_alpha_max and rto_beta_max set to 1000.\n\nIt is unclear if some sctp users are setting very large rto_alpha\nand/or rto_beta.\n\nIn order to prevent user regression, perform the test at run time.\n\nAlso add READ_ONCE() annotations as sysctl values can change under us.\n\n[1]\n\nUBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41\nshift exponent 64 is too large for 32-bit type \u0027unsigned int\u0027\nCPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:233 [inline]\n __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494\n sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509\n sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502\n sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338\n sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]\n sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:05.208Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e0413e3315199b23ff4aec295e256034cd0a6e4"
},
{
"url": "https://git.kernel.org/stable/c/834e65be429c0fa4f9bb5945064bd57f18ed2187"
},
{
"url": "https://git.kernel.org/stable/c/abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a"
},
{
"url": "https://git.kernel.org/stable/c/d0d858652834dcf531342c82a0428170aa7c2675"
},
{
"url": "https://git.kernel.org/stable/c/ed71f801249d2350c77a73dca2c03918a15a62fe"
},
{
"url": "https://git.kernel.org/stable/c/1cfa4eac275cc4875755c1303d48a4ddfe507ca8"
},
{
"url": "https://git.kernel.org/stable/c/aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d"
},
{
"url": "https://git.kernel.org/stable/c/1534ff77757e44bcc4b98d0196bc5c0052fce5fa"
}
],
"title": "sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40281",
"datePublished": "2025-12-06T21:51:05.208Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:05.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68333 (GCVE-0-2025-68333)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2026-01-30 15:35
VLAI?
EPSS
Title
sched_ext: Fix possible deadlock in the deferred_irq_workfn()
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Fix possible deadlock in the deferred_irq_workfn()
For PREEMPT_RT=y kernels, the deferred_irq_workfn() is executed in
the per-cpu irq_work/* task context and not disable-irq, if the rq
returned by container_of() is current CPU's rq, the following scenarios
may occur:
lock(&rq->__lock);
<Interrupt>
lock(&rq->__lock);
This commit use IRQ_WORK_INIT_HARD() to replace init_irq_work() to
initialize rq->scx.deferred_irq_work, make the deferred_irq_workfn()
is always invoked in hard-irq context.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5b26f7b920f76b2b9cc398c252a9e35e44bf5bb9 , < 541959b2fadb832a7d0ceb95041dc52bdcf6bff7
(git)
Affected: 5b26f7b920f76b2b9cc398c252a9e35e44bf5bb9 , < 600b4379b9a7ba41340d652211fb29699da4c629 (git) Affected: 5b26f7b920f76b2b9cc398c252a9e35e44bf5bb9 , < a257e974210320ede524f340ffe16bf4bf0dda1e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "541959b2fadb832a7d0ceb95041dc52bdcf6bff7",
"status": "affected",
"version": "5b26f7b920f76b2b9cc398c252a9e35e44bf5bb9",
"versionType": "git"
},
{
"lessThan": "600b4379b9a7ba41340d652211fb29699da4c629",
"status": "affected",
"version": "5b26f7b920f76b2b9cc398c252a9e35e44bf5bb9",
"versionType": "git"
},
{
"lessThan": "a257e974210320ede524f340ffe16bf4bf0dda1e",
"status": "affected",
"version": "5b26f7b920f76b2b9cc398c252a9e35e44bf5bb9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix possible deadlock in the deferred_irq_workfn()\n\nFor PREEMPT_RT=y kernels, the deferred_irq_workfn() is executed in\nthe per-cpu irq_work/* task context and not disable-irq, if the rq\nreturned by container_of() is current CPU\u0027s rq, the following scenarios\nmay occur:\n\nlock(\u0026rq-\u003e__lock);\n\u003cInterrupt\u003e\n lock(\u0026rq-\u003e__lock);\n\nThis commit use IRQ_WORK_INIT_HARD() to replace init_irq_work() to\ninitialize rq-\u003escx.deferred_irq_work, make the deferred_irq_workfn()\nis always invoked in hard-irq context."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T15:35:35.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/541959b2fadb832a7d0ceb95041dc52bdcf6bff7"
},
{
"url": "https://git.kernel.org/stable/c/600b4379b9a7ba41340d652211fb29699da4c629"
},
{
"url": "https://git.kernel.org/stable/c/a257e974210320ede524f340ffe16bf4bf0dda1e"
}
],
"title": "sched_ext: Fix possible deadlock in the deferred_irq_workfn()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68333",
"datePublished": "2025-12-22T16:14:11.081Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-01-30T15:35:35.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71182 (GCVE-0-2025-71182)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:38 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
can: j1939: make j1939_session_activate() fail if device is no longer registered
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: j1939: make j1939_session_activate() fail if device is no longer registered
syzbot is still reporting
unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
even after commit 93a27b5891b8 ("can: j1939: add missing calls in
NETDEV_UNREGISTER notification handler") was added. A debug printk() patch
found that j1939_session_activate() can succeed even after
j1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER)
has completed.
Since j1939_cancel_active_session() is processed with the session list lock
held, checking ndev->reg_state in j1939_session_activate() with the session
list lock held can reliably close the race window.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9d71dd0c70099914fcd063135da3c580865e924c , < ebb0dfd718dd31c8d3600612ca4b7207ec3d923a
(git)
Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < c3a4316e3c746af415c0fd6c6d489ad13f53714d (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 46ca9dc978923c5e1247a9e9519240ba7ace413c (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 78d87b72cebe2a993fd5b017e9f14fb6278f2eae (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < ba6f0d1832eeb5eb3a6dc5cb30e0f720b3cb3536 (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 79dd3f1d9dd310c2af89b09c71f34d93973b200f (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 5d5602236f5db19e8b337a2cd87a90ace5ea776d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ebb0dfd718dd31c8d3600612ca4b7207ec3d923a",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "c3a4316e3c746af415c0fd6c6d489ad13f53714d",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "46ca9dc978923c5e1247a9e9519240ba7ace413c",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "78d87b72cebe2a993fd5b017e9f14fb6278f2eae",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "ba6f0d1832eeb5eb3a6dc5cb30e0f720b3cb3536",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "79dd3f1d9dd310c2af89b09c71f34d93973b200f",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "5d5602236f5db19e8b337a2cd87a90ace5ea776d",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: make j1939_session_activate() fail if device is no longer registered\n\nsyzbot is still reporting\n\n unregister_netdevice: waiting for vcan0 to become free. Usage count = 2\n\neven after commit 93a27b5891b8 (\"can: j1939: add missing calls in\nNETDEV_UNREGISTER notification handler\") was added. A debug printk() patch\nfound that j1939_session_activate() can succeed even after\nj1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER)\nhas completed.\n\nSince j1939_cancel_active_session() is processed with the session list lock\nheld, checking ndev-\u003ereg_state in j1939_session_activate() with the session\nlist lock held can reliably close the race window."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:06.320Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ebb0dfd718dd31c8d3600612ca4b7207ec3d923a"
},
{
"url": "https://git.kernel.org/stable/c/c3a4316e3c746af415c0fd6c6d489ad13f53714d"
},
{
"url": "https://git.kernel.org/stable/c/46ca9dc978923c5e1247a9e9519240ba7ace413c"
},
{
"url": "https://git.kernel.org/stable/c/78d87b72cebe2a993fd5b017e9f14fb6278f2eae"
},
{
"url": "https://git.kernel.org/stable/c/ba6f0d1832eeb5eb3a6dc5cb30e0f720b3cb3536"
},
{
"url": "https://git.kernel.org/stable/c/79dd3f1d9dd310c2af89b09c71f34d93973b200f"
},
{
"url": "https://git.kernel.org/stable/c/5d5602236f5db19e8b337a2cd87a90ace5ea776d"
}
],
"title": "can: j1939: make j1939_session_activate() fail if device is no longer registered",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71182",
"datePublished": "2026-01-31T11:38:55.157Z",
"dateReserved": "2026-01-31T11:36:51.185Z",
"dateUpdated": "2026-02-09T08:36:06.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40029 (GCVE-0-2025-40029)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
bus: fsl-mc: Check return value of platform_get_resource()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bus: fsl-mc: Check return value of platform_get_resource()
platform_get_resource() returns NULL in case of failure, so check its
return value and propagate the error in order to prevent NULL pointer
dereference.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6305166c8771c33a8d5992fb53f93cfecedc14fd , < 58dd05070b57a20f22ff35a34ef9846bdf49a1d0
(git)
Affected: 6305166c8771c33a8d5992fb53f93cfecedc14fd , < 8a4dd74fe413d4a278e649be1d22d028e1667116 (git) Affected: 6305166c8771c33a8d5992fb53f93cfecedc14fd , < e60d55692e6c8e951000343c39f3fc92cab57efc (git) Affected: 6305166c8771c33a8d5992fb53f93cfecedc14fd , < 78e87b8a3cf8a59671ea25c87192d16e8d710e1c (git) Affected: 6305166c8771c33a8d5992fb53f93cfecedc14fd , < 84ec0482ed9c9ed0aee553a5e7e7458ad79c021f (git) Affected: 6305166c8771c33a8d5992fb53f93cfecedc14fd , < 2ead548473f58c7960b6b939b79503c4a0a2c0bd (git) Affected: 6305166c8771c33a8d5992fb53f93cfecedc14fd , < 25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bus/fsl-mc/fsl-mc-bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58dd05070b57a20f22ff35a34ef9846bdf49a1d0",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "8a4dd74fe413d4a278e649be1d22d028e1667116",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "e60d55692e6c8e951000343c39f3fc92cab57efc",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "78e87b8a3cf8a59671ea25c87192d16e8d710e1c",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "84ec0482ed9c9ed0aee553a5e7e7458ad79c021f",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "2ead548473f58c7960b6b939b79503c4a0a2c0bd",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bus/fsl-mc/fsl-mc-bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: fsl-mc: Check return value of platform_get_resource()\n\nplatform_get_resource() returns NULL in case of failure, so check its\nreturn value and propagate the error in order to prevent NULL pointer\ndereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:31.791Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58dd05070b57a20f22ff35a34ef9846bdf49a1d0"
},
{
"url": "https://git.kernel.org/stable/c/8a4dd74fe413d4a278e649be1d22d028e1667116"
},
{
"url": "https://git.kernel.org/stable/c/e60d55692e6c8e951000343c39f3fc92cab57efc"
},
{
"url": "https://git.kernel.org/stable/c/78e87b8a3cf8a59671ea25c87192d16e8d710e1c"
},
{
"url": "https://git.kernel.org/stable/c/84ec0482ed9c9ed0aee553a5e7e7458ad79c021f"
},
{
"url": "https://git.kernel.org/stable/c/2ead548473f58c7960b6b939b79503c4a0a2c0bd"
},
{
"url": "https://git.kernel.org/stable/c/25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae"
}
],
"title": "bus: fsl-mc: Check return value of platform_get_resource()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40029",
"datePublished": "2025-10-28T11:48:00.679Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-12-01T06:16:31.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39891 (GCVE-0-2025-39891)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:42 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
wifi: mwifiex: Initialize the chan_stats array to zero
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mwifiex: Initialize the chan_stats array to zero
The adapter->chan_stats[] array is initialized in
mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out
memory. The array is filled in mwifiex_update_chan_statistics()
and then the user can query the data in mwifiex_cfg80211_dump_survey().
There are two potential issues here. What if the user calls
mwifiex_cfg80211_dump_survey() before the data has been filled in.
Also the mwifiex_update_chan_statistics() function doesn't necessarily
initialize the whole array. Since the array was not initialized at
the start that could result in an information leak.
Also this array is pretty small. It's a maximum of 900 bytes so it's
more appropriate to use kcalloc() instead vmalloc().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bf35443314acb43fa8a3f9f8046e14cbe178762b , < 9eb0118b3470b4d2e4e3bbb1fc088b30c0285d65
(git)
Affected: bf35443314acb43fa8a3f9f8046e14cbe178762b , < 05daef0442d28350a1a0d6d0e2cab4a7a91df475 (git) Affected: bf35443314acb43fa8a3f9f8046e14cbe178762b , < acdf26a912190fc6746e2a890d7d0338190527b4 (git) Affected: bf35443314acb43fa8a3f9f8046e14cbe178762b , < 32c124c9c03aa755cbaf60ef7f76afd918d47659 (git) Affected: bf35443314acb43fa8a3f9f8046e14cbe178762b , < 9df29aa5637d94d24f7c5f054ef4feaa7b766111 (git) Affected: bf35443314acb43fa8a3f9f8046e14cbe178762b , < 06616410a3e5e6cd1de5b7cbc668f1a7edeedad9 (git) Affected: bf35443314acb43fa8a3f9f8046e14cbe178762b , < 5285b7009dc1e09d5bb9e05fae82e1a807882dbc (git) Affected: bf35443314acb43fa8a3f9f8046e14cbe178762b , < 0e20450829ca3c1dbc2db536391537c57a40fe0b (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:27.798Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/mwifiex/cfg80211.c",
"drivers/net/wireless/marvell/mwifiex/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9eb0118b3470b4d2e4e3bbb1fc088b30c0285d65",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "05daef0442d28350a1a0d6d0e2cab4a7a91df475",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "acdf26a912190fc6746e2a890d7d0338190527b4",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "32c124c9c03aa755cbaf60ef7f76afd918d47659",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "9df29aa5637d94d24f7c5f054ef4feaa7b766111",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "06616410a3e5e6cd1de5b7cbc668f1a7edeedad9",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "5285b7009dc1e09d5bb9e05fae82e1a807882dbc",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "0e20450829ca3c1dbc2db536391537c57a40fe0b",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/mwifiex/cfg80211.c",
"drivers/net/wireless/marvell/mwifiex/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Initialize the chan_stats array to zero\n\nThe adapter-\u003echan_stats[] array is initialized in\nmwifiex_init_channel_scan_gap() with vmalloc(), which doesn\u0027t zero out\nmemory. The array is filled in mwifiex_update_chan_statistics()\nand then the user can query the data in mwifiex_cfg80211_dump_survey().\n\nThere are two potential issues here. What if the user calls\nmwifiex_cfg80211_dump_survey() before the data has been filled in.\nAlso the mwifiex_update_chan_statistics() function doesn\u0027t necessarily\ninitialize the whole array. Since the array was not initialized at\nthe start that could result in an information leak.\n\nAlso this array is pretty small. It\u0027s a maximum of 900 bytes so it\u0027s\nmore appropriate to use kcalloc() instead vmalloc()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:40.633Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9eb0118b3470b4d2e4e3bbb1fc088b30c0285d65"
},
{
"url": "https://git.kernel.org/stable/c/05daef0442d28350a1a0d6d0e2cab4a7a91df475"
},
{
"url": "https://git.kernel.org/stable/c/acdf26a912190fc6746e2a890d7d0338190527b4"
},
{
"url": "https://git.kernel.org/stable/c/32c124c9c03aa755cbaf60ef7f76afd918d47659"
},
{
"url": "https://git.kernel.org/stable/c/9df29aa5637d94d24f7c5f054ef4feaa7b766111"
},
{
"url": "https://git.kernel.org/stable/c/06616410a3e5e6cd1de5b7cbc668f1a7edeedad9"
},
{
"url": "https://git.kernel.org/stable/c/5285b7009dc1e09d5bb9e05fae82e1a807882dbc"
},
{
"url": "https://git.kernel.org/stable/c/0e20450829ca3c1dbc2db536391537c57a40fe0b"
}
],
"title": "wifi: mwifiex: Initialize the chan_stats array to zero",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39891",
"datePublished": "2025-10-01T07:42:40.633Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2025-11-03T17:44:27.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40284 (GCVE-0-2025-40284)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51
VLAI?
EPSS
Title
Bluetooth: MGMT: cancel mesh send timer when hdev removed
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: cancel mesh send timer when hdev removed
mesh_send_done timer is not canceled when hdev is removed, which causes
crash if the timer triggers after hdev is gone.
Cancel the timer when MGMT removes the hdev, like other MGMT timers.
Should fix the BUG: sporadically seen by BlueZ test bot
(in "Mesh - Send cancel - 1" test).
Log:
------
BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0
...
Freed by task 36:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3a/0x60
__kasan_slab_free+0x43/0x70
kfree+0x103/0x500
device_release+0x9a/0x210
kobject_put+0x100/0x1e0
vhci_release+0x18b/0x240
------
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < 990e6143b0ca0c66f099d67d00c112bf59b30d76
(git)
Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < 2927ff643607eddf4f03d10ef80fe10d977154aa (git) Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < 7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b (git) Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < fd62ca5ad136dcf6f5aa308423b299a6be6f54ea (git) Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < 55fb52ffdd62850d667ebed842815e072d3c9961 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "990e6143b0ca0c66f099d67d00c112bf59b30d76",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
},
{
"lessThan": "2927ff643607eddf4f03d10ef80fe10d977154aa",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
},
{
"lessThan": "7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
},
{
"lessThan": "fd62ca5ad136dcf6f5aa308423b299a6be6f54ea",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
},
{
"lessThan": "55fb52ffdd62850d667ebed842815e072d3c9961",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: cancel mesh send timer when hdev removed\n\nmesh_send_done timer is not canceled when hdev is removed, which causes\ncrash if the timer triggers after hdev is gone.\n\nCancel the timer when MGMT removes the hdev, like other MGMT timers.\n\nShould fix the BUG: sporadically seen by BlueZ test bot\n(in \"Mesh - Send cancel - 1\" test).\n\nLog:\n------\nBUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0\n...\nFreed by task 36:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x43/0x70\n kfree+0x103/0x500\n device_release+0x9a/0x210\n kobject_put+0x100/0x1e0\n vhci_release+0x18b/0x240\n------"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:08.488Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/990e6143b0ca0c66f099d67d00c112bf59b30d76"
},
{
"url": "https://git.kernel.org/stable/c/2927ff643607eddf4f03d10ef80fe10d977154aa"
},
{
"url": "https://git.kernel.org/stable/c/7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b"
},
{
"url": "https://git.kernel.org/stable/c/fd62ca5ad136dcf6f5aa308423b299a6be6f54ea"
},
{
"url": "https://git.kernel.org/stable/c/55fb52ffdd62850d667ebed842815e072d3c9961"
}
],
"title": "Bluetooth: MGMT: cancel mesh send timer when hdev removed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40284",
"datePublished": "2025-12-06T21:51:08.488Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:08.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68302 (GCVE-0-2025-68302)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
net: sxgbe: fix potential NULL dereference in sxgbe_rx()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sxgbe: fix potential NULL dereference in sxgbe_rx()
Currently, when skb is null, the driver prints an error and then
dereferences skb on the next line.
To fix this, let's add a 'break' after the error message to switch
to sxgbe_rx_refill(), which is similar to the approach taken by the
other drivers in this particular case, e.g. calxeda with xgmac_rx().
Found during a code review.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1edb9ca69e8a7988900fc0283e10550b5592164d , < ac171c3c755499c9f87fe30b920602255f8b5648
(git)
Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < 18ef3ad1bb57dcf1a9ee61736039aedccf670b21 (git) Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < 46e5332126596a2ca791140feab18ce1fc1a3c86 (git) Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < 7fd789d6ea4915034eb6bcb72f6883c8151083e5 (git) Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < 45b5b4ddb8d6bea5fc1625ff6f163bbb125d49cc (git) Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < 88f46c0be77bfe45830ac33102c75be7c34ac3f3 (git) Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < f5bce28f6b9125502abec4a67d68eabcd24b3b17 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac171c3c755499c9f87fe30b920602255f8b5648",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "18ef3ad1bb57dcf1a9ee61736039aedccf670b21",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "46e5332126596a2ca791140feab18ce1fc1a3c86",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "7fd789d6ea4915034eb6bcb72f6883c8151083e5",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "45b5b4ddb8d6bea5fc1625ff6f163bbb125d49cc",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "88f46c0be77bfe45830ac33102c75be7c34ac3f3",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "f5bce28f6b9125502abec4a67d68eabcd24b3b17",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sxgbe: fix potential NULL dereference in sxgbe_rx()\n\nCurrently, when skb is null, the driver prints an error and then\ndereferences skb on the next line.\n\nTo fix this, let\u0027s add a \u0027break\u0027 after the error message to switch\nto sxgbe_rx_refill(), which is similar to the approach taken by the\nother drivers in this particular case, e.g. calxeda with xgmac_rx().\n\nFound during a code review."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:20.420Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac171c3c755499c9f87fe30b920602255f8b5648"
},
{
"url": "https://git.kernel.org/stable/c/18ef3ad1bb57dcf1a9ee61736039aedccf670b21"
},
{
"url": "https://git.kernel.org/stable/c/46e5332126596a2ca791140feab18ce1fc1a3c86"
},
{
"url": "https://git.kernel.org/stable/c/7fd789d6ea4915034eb6bcb72f6883c8151083e5"
},
{
"url": "https://git.kernel.org/stable/c/45b5b4ddb8d6bea5fc1625ff6f163bbb125d49cc"
},
{
"url": "https://git.kernel.org/stable/c/88f46c0be77bfe45830ac33102c75be7c34ac3f3"
},
{
"url": "https://git.kernel.org/stable/c/f5bce28f6b9125502abec4a67d68eabcd24b3b17"
}
],
"title": "net: sxgbe: fix potential NULL dereference in sxgbe_rx()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68302",
"datePublished": "2025-12-16T15:06:20.420Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:20.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68749 (GCVE-0-2025-68749)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
accel/ivpu: Fix race condition when unbinding BOs
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/ivpu: Fix race condition when unbinding BOs
Fix 'Memory manager not clean during takedown' warning that occurs
when ivpu_gem_bo_free() removes the BO from the BOs list before it
gets unmapped. Then file_priv_unbind() triggers a warning in
drm_mm_takedown() during context teardown.
Protect the unmapping sequence with bo_list_lock to ensure the BO is
always fully unmapped when removed from the list. This ensures the BO
is either fully unmapped at context teardown time or present on the
list and unmapped by file_priv_unbind().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 , < 0328bb097bef05a796217c54b3d651cc3782827c
(git)
Affected: 48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 , < fb16493ebd8f171bcf0772262619618a131f30f7 (git) Affected: 48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 , < d71333ffdd3707d84cfb95acfaf8ba892adc066b (git) Affected: 48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 , < 00812636df370bedf4e44a0c81b86ea96bca8628 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/ivpu/ivpu_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0328bb097bef05a796217c54b3d651cc3782827c",
"status": "affected",
"version": "48aea7f2a2efae6a1bd201061c71a81b3f3b7e55",
"versionType": "git"
},
{
"lessThan": "fb16493ebd8f171bcf0772262619618a131f30f7",
"status": "affected",
"version": "48aea7f2a2efae6a1bd201061c71a81b3f3b7e55",
"versionType": "git"
},
{
"lessThan": "d71333ffdd3707d84cfb95acfaf8ba892adc066b",
"status": "affected",
"version": "48aea7f2a2efae6a1bd201061c71a81b3f3b7e55",
"versionType": "git"
},
{
"lessThan": "00812636df370bedf4e44a0c81b86ea96bca8628",
"status": "affected",
"version": "48aea7f2a2efae6a1bd201061c71a81b3f3b7e55",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/ivpu/ivpu_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix race condition when unbinding BOs\n\nFix \u0027Memory manager not clean during takedown\u0027 warning that occurs\nwhen ivpu_gem_bo_free() removes the BO from the BOs list before it\ngets unmapped. Then file_priv_unbind() triggers a warning in\ndrm_mm_takedown() during context teardown.\n\nProtect the unmapping sequence with bo_list_lock to ensure the BO is\nalways fully unmapped when removed from the list. This ensures the BO\nis either fully unmapped at context teardown time or present on the\nlist and unmapped by file_priv_unbind()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:54.187Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0328bb097bef05a796217c54b3d651cc3782827c"
},
{
"url": "https://git.kernel.org/stable/c/fb16493ebd8f171bcf0772262619618a131f30f7"
},
{
"url": "https://git.kernel.org/stable/c/d71333ffdd3707d84cfb95acfaf8ba892adc066b"
},
{
"url": "https://git.kernel.org/stable/c/00812636df370bedf4e44a0c81b86ea96bca8628"
}
],
"title": "accel/ivpu: Fix race condition when unbinding BOs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68749",
"datePublished": "2025-12-24T12:09:44.301Z",
"dateReserved": "2025-12-24T10:30:51.032Z",
"dateUpdated": "2026-02-09T08:32:54.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40036 (GCVE-0-2025-40036)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
misc: fastrpc: fix possible map leak in fastrpc_put_args
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: fix possible map leak in fastrpc_put_args
copy_to_user() failure would cause an early return without cleaning up
the fdlist, which has been updated by the DSP. This could lead to map
leak. Fix this by redirecting to a cleanup path on failure, ensuring
that all mapped buffers are properly released before returning.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c68cfb718c8f97b7f7a50ed66be5feb42d0c8988 , < a085658264d0c8d4f795d4631f77d7289a021de9
(git)
Affected: c68cfb718c8f97b7f7a50ed66be5feb42d0c8988 , < 3ad42dc66445df6977cf4be0c06f1a655299ce6c (git) Affected: c68cfb718c8f97b7f7a50ed66be5feb42d0c8988 , < 78d33a041555db03903e8037fd053ed74fbd88cb (git) Affected: c68cfb718c8f97b7f7a50ed66be5feb42d0c8988 , < c000f65f0ac93d9f9cc69a230d372f6ca93e4879 (git) Affected: c68cfb718c8f97b7f7a50ed66be5feb42d0c8988 , < da1ba64176e0138f2bfa96f9e43e8c3640d01e1e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a085658264d0c8d4f795d4631f77d7289a021de9",
"status": "affected",
"version": "c68cfb718c8f97b7f7a50ed66be5feb42d0c8988",
"versionType": "git"
},
{
"lessThan": "3ad42dc66445df6977cf4be0c06f1a655299ce6c",
"status": "affected",
"version": "c68cfb718c8f97b7f7a50ed66be5feb42d0c8988",
"versionType": "git"
},
{
"lessThan": "78d33a041555db03903e8037fd053ed74fbd88cb",
"status": "affected",
"version": "c68cfb718c8f97b7f7a50ed66be5feb42d0c8988",
"versionType": "git"
},
{
"lessThan": "c000f65f0ac93d9f9cc69a230d372f6ca93e4879",
"status": "affected",
"version": "c68cfb718c8f97b7f7a50ed66be5feb42d0c8988",
"versionType": "git"
},
{
"lessThan": "da1ba64176e0138f2bfa96f9e43e8c3640d01e1e",
"status": "affected",
"version": "c68cfb718c8f97b7f7a50ed66be5feb42d0c8988",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: fix possible map leak in fastrpc_put_args\n\ncopy_to_user() failure would cause an early return without cleaning up\nthe fdlist, which has been updated by the DSP. This could lead to map\nleak. Fix this by redirecting to a cleanup path on failure, ensuring\nthat all mapped buffers are properly released before returning."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:39.945Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a085658264d0c8d4f795d4631f77d7289a021de9"
},
{
"url": "https://git.kernel.org/stable/c/3ad42dc66445df6977cf4be0c06f1a655299ce6c"
},
{
"url": "https://git.kernel.org/stable/c/78d33a041555db03903e8037fd053ed74fbd88cb"
},
{
"url": "https://git.kernel.org/stable/c/c000f65f0ac93d9f9cc69a230d372f6ca93e4879"
},
{
"url": "https://git.kernel.org/stable/c/da1ba64176e0138f2bfa96f9e43e8c3640d01e1e"
}
],
"title": "misc: fastrpc: fix possible map leak in fastrpc_put_args",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40036",
"datePublished": "2025-10-28T11:48:17.630Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-12-01T06:16:39.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40027 (GCVE-0-2025-40027)
Vulnerability from cvelistv5 – Published: 2025-10-28 09:32 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
net/9p: fix double req put in p9_fd_cancelled
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/9p: fix double req put in p9_fd_cancelled
Syzkaller reports a KASAN issue as below:
general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]
CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:__list_del include/linux/list.h:114 [inline]
RIP: 0010:__list_del_entry include/linux/list.h:137 [inline]
RIP: 0010:list_del include/linux/list.h:148 [inline]
RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734
Call Trace:
<TASK>
p9_client_flush+0x351/0x440 net/9p/client.c:614
p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734
p9_client_version net/9p/client.c:920 [inline]
p9_client_create+0xb51/0x1240 net/9p/client.c:1027
v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408
v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126
legacy_get_tree+0x108/0x220 fs/fs_context.c:632
vfs_get_tree+0x8e/0x300 fs/super.c:1573
do_new_mount fs/namespace.c:3056 [inline]
path_mount+0x6a6/0x1e90 fs/namespace.c:3386
do_mount fs/namespace.c:3399 [inline]
__do_sys_mount fs/namespace.c:3607 [inline]
__se_sys_mount fs/namespace.c:3584 [inline]
__x64_sys_mount+0x283/0x300 fs/namespace.c:3584
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
This happens because of a race condition between:
- The 9p client sending an invalid flush request and later cleaning it up;
- The 9p client in p9_read_work() canceled all pending requests.
Thread 1 Thread 2
...
p9_client_create()
...
p9_fd_create()
...
p9_conn_create()
...
// start Thread 2
INIT_WORK(&m->rq, p9_read_work);
p9_read_work()
...
p9_client_rpc()
...
...
p9_conn_cancel()
...
spin_lock(&m->req_lock);
...
p9_fd_cancelled()
...
...
spin_unlock(&m->req_lock);
// status rewrite
p9_client_cb(m->client, req, REQ_STATUS_ERROR)
// first remove
list_del(&req->req_list);
...
spin_lock(&m->req_lock)
...
// second remove
list_del(&req->req_list);
spin_unlock(&m->req_lock)
...
Commit 74d6a5d56629 ("9p/trans_fd: Fix concurrency del of req_list in
p9_fd_cancelled/p9_read_work") fixes a concurrency issue in the 9p filesystem
client where the req_list could be deleted simultaneously by both
p9_read_work and p9_fd_cancelled functions, but for the case where req->status
equals REQ_STATUS_RCVD.
Update the check for req->status in p9_fd_cancelled to skip processing not
just received requests, but anything that is not SENT, as whatever
changed the state from SENT also removed the request from its list.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
[updated the check from status == RECV || status == ERROR to status != SENT]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
afd8d65411551839b7ab14a539d00075b2793451 , < a5901a0dfb5964525990106706ae8b98db098226
(git)
Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 5c64c0b7b3446f7ed088a13bc8d7487d66534cbb (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < c1db864270eb7fea94a9ef201da0c9dc1cbab7b8 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 0e0097005abc02c9f262370674f855625f4f3fb4 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 284e67a93b8c48952b6fc82129a8d3eb9dc73b06 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 716dceb19a9f8ff6c9d3aee5a771a93d6a47a0b6 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 448db01a48e1cdbbc31c995716a5dac1e52ba036 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 94797b84cb9985022eb9cb3275c9497fbc883bb6 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 674b56aa57f9379854cb6798c3bbcef7e7b51ab7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/9p/trans_fd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a5901a0dfb5964525990106706ae8b98db098226",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "5c64c0b7b3446f7ed088a13bc8d7487d66534cbb",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "c1db864270eb7fea94a9ef201da0c9dc1cbab7b8",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "0e0097005abc02c9f262370674f855625f4f3fb4",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "284e67a93b8c48952b6fc82129a8d3eb9dc73b06",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "716dceb19a9f8ff6c9d3aee5a771a93d6a47a0b6",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "448db01a48e1cdbbc31c995716a5dac1e52ba036",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "94797b84cb9985022eb9cb3275c9497fbc883bb6",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "674b56aa57f9379854cb6798c3bbcef7e7b51ab7",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/9p/trans_fd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.12",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.2",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix double req put in p9_fd_cancelled\n\nSyzkaller reports a KASAN issue as below:\n\ngeneral protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]\nCPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:__list_del include/linux/list.h:114 [inline]\nRIP: 0010:__list_del_entry include/linux/list.h:137 [inline]\nRIP: 0010:list_del include/linux/list.h:148 [inline]\nRIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734\n\nCall Trace:\n \u003cTASK\u003e\n p9_client_flush+0x351/0x440 net/9p/client.c:614\n p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734\n p9_client_version net/9p/client.c:920 [inline]\n p9_client_create+0xb51/0x1240 net/9p/client.c:1027\n v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408\n v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126\n legacy_get_tree+0x108/0x220 fs/fs_context.c:632\n vfs_get_tree+0x8e/0x300 fs/super.c:1573\n do_new_mount fs/namespace.c:3056 [inline]\n path_mount+0x6a6/0x1e90 fs/namespace.c:3386\n do_mount fs/namespace.c:3399 [inline]\n __do_sys_mount fs/namespace.c:3607 [inline]\n __se_sys_mount fs/namespace.c:3584 [inline]\n __x64_sys_mount+0x283/0x300 fs/namespace.c:3584\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nThis happens because of a race condition between:\n\n- The 9p client sending an invalid flush request and later cleaning it up;\n- The 9p client in p9_read_work() canceled all pending requests.\n\n Thread 1 Thread 2\n ...\n p9_client_create()\n ...\n p9_fd_create()\n ...\n p9_conn_create()\n ...\n // start Thread 2\n INIT_WORK(\u0026m-\u003erq, p9_read_work);\n p9_read_work()\n ...\n p9_client_rpc()\n ...\n ...\n p9_conn_cancel()\n ...\n spin_lock(\u0026m-\u003ereq_lock);\n ...\n p9_fd_cancelled()\n ...\n ...\n spin_unlock(\u0026m-\u003ereq_lock);\n // status rewrite\n p9_client_cb(m-\u003eclient, req, REQ_STATUS_ERROR)\n // first remove\n list_del(\u0026req-\u003ereq_list);\n ...\n\n spin_lock(\u0026m-\u003ereq_lock)\n ...\n // second remove\n list_del(\u0026req-\u003ereq_list);\n spin_unlock(\u0026m-\u003ereq_lock)\n ...\n\nCommit 74d6a5d56629 (\"9p/trans_fd: Fix concurrency del of req_list in\np9_fd_cancelled/p9_read_work\") fixes a concurrency issue in the 9p filesystem\nclient where the req_list could be deleted simultaneously by both\np9_read_work and p9_fd_cancelled functions, but for the case where req-\u003estatus\nequals REQ_STATUS_RCVD.\n\nUpdate the check for req-\u003estatus in p9_fd_cancelled to skip processing not\njust received requests, but anything that is not SENT, as whatever\nchanged the state from SENT also removed the request from its list.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\n\n[updated the check from status == RECV || status == ERROR to status != SENT]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:29.428Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a5901a0dfb5964525990106706ae8b98db098226"
},
{
"url": "https://git.kernel.org/stable/c/5c64c0b7b3446f7ed088a13bc8d7487d66534cbb"
},
{
"url": "https://git.kernel.org/stable/c/c1db864270eb7fea94a9ef201da0c9dc1cbab7b8"
},
{
"url": "https://git.kernel.org/stable/c/0e0097005abc02c9f262370674f855625f4f3fb4"
},
{
"url": "https://git.kernel.org/stable/c/284e67a93b8c48952b6fc82129a8d3eb9dc73b06"
},
{
"url": "https://git.kernel.org/stable/c/716dceb19a9f8ff6c9d3aee5a771a93d6a47a0b6"
},
{
"url": "https://git.kernel.org/stable/c/448db01a48e1cdbbc31c995716a5dac1e52ba036"
},
{
"url": "https://git.kernel.org/stable/c/94797b84cb9985022eb9cb3275c9497fbc883bb6"
},
{
"url": "https://git.kernel.org/stable/c/674b56aa57f9379854cb6798c3bbcef7e7b51ab7"
}
],
"title": "net/9p: fix double req put in p9_fd_cancelled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40027",
"datePublished": "2025-10-28T09:32:34.162Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-12-01T06:16:29.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40094 (GCVE-0-2025-40094)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
usb: gadget: f_acm: Refactor bind path to use __free()
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_acm: Refactor bind path to use __free()
After an bind/unbind cycle, the acm->notify_req is left stale. If a
subsequent bind fails, the unified error label attempts to free this
stale request, leading to a NULL pointer dereference when accessing
ep->ops->free_request.
Refactor the error handling in the bind path to use the __free()
automatic cleanup mechanism.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
Call trace:
usb_ep_free_request+0x2c/0xec
gs_free_req+0x30/0x44
acm_bind+0x1b8/0x1f4
usb_add_function+0xcc/0x1f0
configfs_composite_bind+0x468/0x588
gadget_bind_driver+0x104/0x270
really_probe+0x190/0x374
__driver_probe_device+0xa0/0x12c
driver_probe_device+0x3c/0x218
__device_attach_driver+0x14c/0x188
bus_for_each_drv+0x10c/0x168
__device_attach+0xfc/0x198
device_initial_probe+0x14/0x24
bus_probe_device+0x94/0x11c
device_add+0x268/0x48c
usb_add_gadget+0x198/0x28c
dwc3_gadget_init+0x700/0x858
__dwc3_set_mode+0x3cc/0x664
process_scheduled_works+0x1d8/0x488
worker_thread+0x244/0x334
kthread+0x114/0x1bc
ret_from_fork+0x10/0x20
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1f1ba11b64947051fc32aa15fcccef6463b433f7 , < c5d116862dd3ed162d079738a5ebddf9fceea850
(git)
Affected: 1f1ba11b64947051fc32aa15fcccef6463b433f7 , < 2b1546f7c5fc6c44555a8e7a2b34229d1dcd2175 (git) Affected: 1f1ba11b64947051fc32aa15fcccef6463b433f7 , < e348d18fb0124b662cfefb3001733b49da428215 (git) Affected: 1f1ba11b64947051fc32aa15fcccef6463b433f7 , < 201a66d8e6630762e760e1d78f1d149da1691e7b (git) Affected: 1f1ba11b64947051fc32aa15fcccef6463b433f7 , < c4301e4dd6b32faccb744f1c2320e64235b68d3b (git) Affected: 1f1ba11b64947051fc32aa15fcccef6463b433f7 , < 47b2116e54b4a854600341487e8b55249e926324 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_acm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c5d116862dd3ed162d079738a5ebddf9fceea850",
"status": "affected",
"version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
"versionType": "git"
},
{
"lessThan": "2b1546f7c5fc6c44555a8e7a2b34229d1dcd2175",
"status": "affected",
"version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
"versionType": "git"
},
{
"lessThan": "e348d18fb0124b662cfefb3001733b49da428215",
"status": "affected",
"version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
"versionType": "git"
},
{
"lessThan": "201a66d8e6630762e760e1d78f1d149da1691e7b",
"status": "affected",
"version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
"versionType": "git"
},
{
"lessThan": "c4301e4dd6b32faccb744f1c2320e64235b68d3b",
"status": "affected",
"version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
"versionType": "git"
},
{
"lessThan": "47b2116e54b4a854600341487e8b55249e926324",
"status": "affected",
"version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_acm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_acm: Refactor bind path to use __free()\n\nAfter an bind/unbind cycle, the acm-\u003enotify_req is left stale. If a\nsubsequent bind fails, the unified error label attempts to free this\nstale request, leading to a NULL pointer dereference when accessing\nep-\u003eops-\u003efree_request.\n\nRefactor the error handling in the bind path to use the __free()\nautomatic cleanup mechanism.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000020\nCall trace:\n usb_ep_free_request+0x2c/0xec\n gs_free_req+0x30/0x44\n acm_bind+0x1b8/0x1f4\n usb_add_function+0xcc/0x1f0\n configfs_composite_bind+0x468/0x588\n gadget_bind_driver+0x104/0x270\n really_probe+0x190/0x374\n __driver_probe_device+0xa0/0x12c\n driver_probe_device+0x3c/0x218\n __device_attach_driver+0x14c/0x188\n bus_for_each_drv+0x10c/0x168\n __device_attach+0xfc/0x198\n device_initial_probe+0x14/0x24\n bus_probe_device+0x94/0x11c\n device_add+0x268/0x48c\n usb_add_gadget+0x198/0x28c\n dwc3_gadget_init+0x700/0x858\n __dwc3_set_mode+0x3cc/0x664\n process_scheduled_works+0x1d8/0x488\n worker_thread+0x244/0x334\n kthread+0x114/0x1bc\n ret_from_fork+0x10/0x20"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:53.907Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c5d116862dd3ed162d079738a5ebddf9fceea850"
},
{
"url": "https://git.kernel.org/stable/c/2b1546f7c5fc6c44555a8e7a2b34229d1dcd2175"
},
{
"url": "https://git.kernel.org/stable/c/e348d18fb0124b662cfefb3001733b49da428215"
},
{
"url": "https://git.kernel.org/stable/c/201a66d8e6630762e760e1d78f1d149da1691e7b"
},
{
"url": "https://git.kernel.org/stable/c/c4301e4dd6b32faccb744f1c2320e64235b68d3b"
},
{
"url": "https://git.kernel.org/stable/c/47b2116e54b4a854600341487e8b55249e926324"
}
],
"title": "usb: gadget: f_acm: Refactor bind path to use __free()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40094",
"datePublished": "2025-10-30T09:48:02.446Z",
"dateReserved": "2025-04-16T07:20:57.163Z",
"dateUpdated": "2025-12-01T06:17:53.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68255 (GCVE-0-2025-68255)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:44 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
The Supported Rates IE length from an incoming Association Request frame
was used directly as the memcpy() length when copying into a fixed-size
16-byte stack buffer (supportRate). A malicious station can advertise an
IE length larger than 16 bytes, causing a stack buffer overflow.
Clamp ie_len to the buffer size before copying the Supported Rates IE,
and correct the bounds check when merging Extended Supported Rates to
prevent a second potential overflow.
This prevents kernel stack corruption triggered by malformed association
requests.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 49b7806851f93fd342838c93f4f765e0cc5029b0
(git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 4445adedae770037078803d1ce41f9e88a1944b6 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < d129dc2a5d59b4d9cd2cc0b6eeb04df8461199f0 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 34620eb602aa432f090b2b784ee5c5070fb16cf9 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 61871c83259a511980ec2664964cecc69005398b (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 25411f5fcf5743131158f337c99c2bbf3f8477f5 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < e841d8ea722315b781c4fc5bf4f7670fbca88875 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 6ef0e1c10455927867cac8f0ed6b49f328f8cf95 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49b7806851f93fd342838c93f4f765e0cc5029b0",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "4445adedae770037078803d1ce41f9e88a1944b6",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "d129dc2a5d59b4d9cd2cc0b6eeb04df8461199f0",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "34620eb602aa432f090b2b784ee5c5070fb16cf9",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "61871c83259a511980ec2664964cecc69005398b",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "25411f5fcf5743131158f337c99c2bbf3f8477f5",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "e841d8ea722315b781c4fc5bf4f7670fbca88875",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "6ef0e1c10455927867cac8f0ed6b49f328f8cf95",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing\n\nThe Supported Rates IE length from an incoming Association Request frame\nwas used directly as the memcpy() length when copying into a fixed-size\n16-byte stack buffer (supportRate). A malicious station can advertise an\nIE length larger than 16 bytes, causing a stack buffer overflow.\n\nClamp ie_len to the buffer size before copying the Supported Rates IE,\nand correct the bounds check when merging Extended Supported Rates to\nprevent a second potential overflow.\n\nThis prevents kernel stack corruption triggered by malformed association\nrequests."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:08.339Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49b7806851f93fd342838c93f4f765e0cc5029b0"
},
{
"url": "https://git.kernel.org/stable/c/4445adedae770037078803d1ce41f9e88a1944b6"
},
{
"url": "https://git.kernel.org/stable/c/d129dc2a5d59b4d9cd2cc0b6eeb04df8461199f0"
},
{
"url": "https://git.kernel.org/stable/c/34620eb602aa432f090b2b784ee5c5070fb16cf9"
},
{
"url": "https://git.kernel.org/stable/c/61871c83259a511980ec2664964cecc69005398b"
},
{
"url": "https://git.kernel.org/stable/c/25411f5fcf5743131158f337c99c2bbf3f8477f5"
},
{
"url": "https://git.kernel.org/stable/c/e841d8ea722315b781c4fc5bf4f7670fbca88875"
},
{
"url": "https://git.kernel.org/stable/c/6ef0e1c10455927867cac8f0ed6b49f328f8cf95"
}
],
"title": "staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68255",
"datePublished": "2025-12-16T14:44:58.031Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-02-09T08:31:08.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38709 (GCVE-0-2025-38709)
Vulnerability from cvelistv5 – Published: 2025-09-04 15:32 – Updated: 2026-01-02 15:31
VLAI?
EPSS
Title
loop: Avoid updating block size under exclusive owner
Summary
In the Linux kernel, the following vulnerability has been resolved:
loop: Avoid updating block size under exclusive owner
Syzbot came up with a reproducer where a loop device block size is
changed underneath a mounted filesystem. This causes a mismatch between
the block device block size and the block size stored in the superblock
causing confusion in various places such as fs/buffer.c. The particular
issue triggered by syzbot was a warning in __getblk_slow() due to
requested buffer size not matching block device block size.
Fix the problem by getting exclusive hold of the loop device to change
its block size. This fails if somebody (such as filesystem) has already
an exclusive ownership of the block device and thus prevents modifying
the loop device under some exclusive owner which doesn't expect it.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
89e4fdecb51cf5535867026274bc97de9480ade5 , < 457d2c5e112fd08dc1039b1ae39a83ec1782360d
(git)
Affected: 89e4fdecb51cf5535867026274bc97de9480ade5 , < 139a000d20f2f38ce34296feddd641d730fe1c08 (git) Affected: 89e4fdecb51cf5535867026274bc97de9480ade5 , < b928438cc87c0bf7ae078e4b7b6e14261e84c5c5 (git) Affected: 89e4fdecb51cf5535867026274bc97de9480ade5 , < 5d67b30aefeb7a949040bbb1b4e3b84c5d29a624 (git) Affected: 89e4fdecb51cf5535867026274bc97de9480ade5 , < 7e49538288e523427beedd26993d446afef1a6fb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/loop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "457d2c5e112fd08dc1039b1ae39a83ec1782360d",
"status": "affected",
"version": "89e4fdecb51cf5535867026274bc97de9480ade5",
"versionType": "git"
},
{
"lessThan": "139a000d20f2f38ce34296feddd641d730fe1c08",
"status": "affected",
"version": "89e4fdecb51cf5535867026274bc97de9480ade5",
"versionType": "git"
},
{
"lessThan": "b928438cc87c0bf7ae078e4b7b6e14261e84c5c5",
"status": "affected",
"version": "89e4fdecb51cf5535867026274bc97de9480ade5",
"versionType": "git"
},
{
"lessThan": "5d67b30aefeb7a949040bbb1b4e3b84c5d29a624",
"status": "affected",
"version": "89e4fdecb51cf5535867026274bc97de9480ade5",
"versionType": "git"
},
{
"lessThan": "7e49538288e523427beedd26993d446afef1a6fb",
"status": "affected",
"version": "89e4fdecb51cf5535867026274bc97de9480ade5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/loop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nloop: Avoid updating block size under exclusive owner\n\nSyzbot came up with a reproducer where a loop device block size is\nchanged underneath a mounted filesystem. This causes a mismatch between\nthe block device block size and the block size stored in the superblock\ncausing confusion in various places such as fs/buffer.c. The particular\nissue triggered by syzbot was a warning in __getblk_slow() due to\nrequested buffer size not matching block device block size.\n\nFix the problem by getting exclusive hold of the loop device to change\nits block size. This fails if somebody (such as filesystem) has already\nan exclusive ownership of the block device and thus prevents modifying\nthe loop device under some exclusive owner which doesn\u0027t expect it."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:31:36.882Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/457d2c5e112fd08dc1039b1ae39a83ec1782360d"
},
{
"url": "https://git.kernel.org/stable/c/139a000d20f2f38ce34296feddd641d730fe1c08"
},
{
"url": "https://git.kernel.org/stable/c/b928438cc87c0bf7ae078e4b7b6e14261e84c5c5"
},
{
"url": "https://git.kernel.org/stable/c/5d67b30aefeb7a949040bbb1b4e3b84c5d29a624"
},
{
"url": "https://git.kernel.org/stable/c/7e49538288e523427beedd26993d446afef1a6fb"
}
],
"title": "loop: Avoid updating block size under exclusive owner",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38709",
"datePublished": "2025-09-04T15:32:59.818Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2026-01-02T15:31:36.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39895 (GCVE-0-2025-39895)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:42 – Updated: 2026-01-14 19:33
VLAI?
EPSS
Title
sched: Fix sched_numa_find_nth_cpu() if mask offline
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched: Fix sched_numa_find_nth_cpu() if mask offline
sched_numa_find_nth_cpu() uses a bsearch to look for the 'closest'
CPU in sched_domains_numa_masks and given cpus mask. However they
might not intersect if all CPUs in the cpus mask are offline. bsearch
will return NULL in that case, bail out instead of dereferencing a
bogus pointer.
The previous behaviour lead to this bug when using maxcpus=4 on an
rk3399 (LLLLbb) (i.e. booting with all big CPUs offline):
[ 1.422922] Unable to handle kernel paging request at virtual address ffffff8000000000
[ 1.423635] Mem abort info:
[ 1.423889] ESR = 0x0000000096000006
[ 1.424227] EC = 0x25: DABT (current EL), IL = 32 bits
[ 1.424715] SET = 0, FnV = 0
[ 1.424995] EA = 0, S1PTW = 0
[ 1.425279] FSC = 0x06: level 2 translation fault
[ 1.425735] Data abort info:
[ 1.425998] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
[ 1.426499] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 1.426952] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 1.427428] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000004a9f000
[ 1.428038] [ffffff8000000000] pgd=18000000f7fff403, p4d=18000000f7fff403, pud=18000000f7fff403, pmd=0000000000000000
[ 1.429014] Internal error: Oops: 0000000096000006 [#1] SMP
[ 1.429525] Modules linked in:
[ 1.429813] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc4-dirty #343 PREEMPT
[ 1.430559] Hardware name: Pine64 RockPro64 v2.1 (DT)
[ 1.431012] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 1.431634] pc : sched_numa_find_nth_cpu+0x2a0/0x488
[ 1.432094] lr : sched_numa_find_nth_cpu+0x284/0x488
[ 1.432543] sp : ffffffc084e1b960
[ 1.432843] x29: ffffffc084e1b960 x28: ffffff80078a8800 x27: ffffffc0846eb1d0
[ 1.433495] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
[ 1.434144] x23: 0000000000000000 x22: fffffffffff7f093 x21: ffffffc081de6378
[ 1.434792] x20: 0000000000000000 x19: 0000000ffff7f093 x18: 00000000ffffffff
[ 1.435441] x17: 3030303866666666 x16: 66663d736b73616d x15: ffffffc104e1b5b7
[ 1.436091] x14: 0000000000000000 x13: ffffffc084712860 x12: 0000000000000372
[ 1.436739] x11: 0000000000000126 x10: ffffffc08476a860 x9 : ffffffc084712860
[ 1.437389] x8 : 00000000ffffefff x7 : ffffffc08476a860 x6 : 0000000000000000
[ 1.438036] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000
[ 1.438683] x2 : 0000000000000000 x1 : ffffffc0846eb000 x0 : ffffff8000407b68
[ 1.439332] Call trace:
[ 1.439559] sched_numa_find_nth_cpu+0x2a0/0x488 (P)
[ 1.440016] smp_call_function_any+0xc8/0xd0
[ 1.440416] armv8_pmu_init+0x58/0x27c
[ 1.440770] armv8_cortex_a72_pmu_init+0x20/0x2c
[ 1.441199] arm_pmu_device_probe+0x1e4/0x5e8
[ 1.441603] armv8_pmu_device_probe+0x1c/0x28
[ 1.442007] platform_probe+0x5c/0xac
[ 1.442347] really_probe+0xbc/0x298
[ 1.442683] __driver_probe_device+0x78/0x12c
[ 1.443087] driver_probe_device+0xdc/0x160
[ 1.443475] __driver_attach+0x94/0x19c
[ 1.443833] bus_for_each_dev+0x74/0xd4
[ 1.444190] driver_attach+0x24/0x30
[ 1.444525] bus_add_driver+0xe4/0x208
[ 1.444874] driver_register+0x60/0x128
[ 1.445233] __platform_driver_register+0x24/0x30
[ 1.445662] armv8_pmu_driver_init+0x28/0x4c
[ 1.446059] do_one_initcall+0x44/0x25c
[ 1.446416] kernel_init_freeable+0x1dc/0x3bc
[ 1.446820] kernel_init+0x20/0x1d8
[ 1.447151] ret_from_fork+0x10/0x20
[ 1.447493] Code: 90022e21 f000e5f5 910de2b5 2a1703e2 (f8767803)
[ 1.448040] ---[ end trace 0000000000000000 ]---
[ 1.448483] note: swapper/0[1] exited with preempt_count 1
[ 1.449047] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[ 1.449741] SMP: stopping secondary CPUs
[ 1.450105] Kernel Offset: disabled
[ 1.450419] CPU features: 0x000000,00080000,20002001,0400421b
[
---truncated---
Severity ?
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cd7f55359c90a4108e6528e326b8623fce1ad72a , < f9b8d4dba8e78c1887fecd81ba0d8204d6ff05fc
(git)
Affected: cd7f55359c90a4108e6528e326b8623fce1ad72a , < b3ec50cc5eb5ca84256ca701d28b137a6036c412 (git) Affected: cd7f55359c90a4108e6528e326b8623fce1ad72a , < b921c288cd8abef9af5b59e056a63cc2c263a9e3 (git) Affected: cd7f55359c90a4108e6528e326b8623fce1ad72a , < 5ebf512f335053a42482ebff91e46c6dc156bf8c (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:28:09.814347Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:33:13.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9b8d4dba8e78c1887fecd81ba0d8204d6ff05fc",
"status": "affected",
"version": "cd7f55359c90a4108e6528e326b8623fce1ad72a",
"versionType": "git"
},
{
"lessThan": "b3ec50cc5eb5ca84256ca701d28b137a6036c412",
"status": "affected",
"version": "cd7f55359c90a4108e6528e326b8623fce1ad72a",
"versionType": "git"
},
{
"lessThan": "b921c288cd8abef9af5b59e056a63cc2c263a9e3",
"status": "affected",
"version": "cd7f55359c90a4108e6528e326b8623fce1ad72a",
"versionType": "git"
},
{
"lessThan": "5ebf512f335053a42482ebff91e46c6dc156bf8c",
"status": "affected",
"version": "cd7f55359c90a4108e6528e326b8623fce1ad72a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: Fix sched_numa_find_nth_cpu() if mask offline\n\nsched_numa_find_nth_cpu() uses a bsearch to look for the \u0027closest\u0027\nCPU in sched_domains_numa_masks and given cpus mask. However they\nmight not intersect if all CPUs in the cpus mask are offline. bsearch\nwill return NULL in that case, bail out instead of dereferencing a\nbogus pointer.\n\nThe previous behaviour lead to this bug when using maxcpus=4 on an\nrk3399 (LLLLbb) (i.e. booting with all big CPUs offline):\n\n[ 1.422922] Unable to handle kernel paging request at virtual address ffffff8000000000\n[ 1.423635] Mem abort info:\n[ 1.423889] ESR = 0x0000000096000006\n[ 1.424227] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 1.424715] SET = 0, FnV = 0\n[ 1.424995] EA = 0, S1PTW = 0\n[ 1.425279] FSC = 0x06: level 2 translation fault\n[ 1.425735] Data abort info:\n[ 1.425998] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\n[ 1.426499] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 1.426952] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 1.427428] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000004a9f000\n[ 1.428038] [ffffff8000000000] pgd=18000000f7fff403, p4d=18000000f7fff403, pud=18000000f7fff403, pmd=0000000000000000\n[ 1.429014] Internal error: Oops: 0000000096000006 [#1] SMP\n[ 1.429525] Modules linked in:\n[ 1.429813] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc4-dirty #343 PREEMPT\n[ 1.430559] Hardware name: Pine64 RockPro64 v2.1 (DT)\n[ 1.431012] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 1.431634] pc : sched_numa_find_nth_cpu+0x2a0/0x488\n[ 1.432094] lr : sched_numa_find_nth_cpu+0x284/0x488\n[ 1.432543] sp : ffffffc084e1b960\n[ 1.432843] x29: ffffffc084e1b960 x28: ffffff80078a8800 x27: ffffffc0846eb1d0\n[ 1.433495] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n[ 1.434144] x23: 0000000000000000 x22: fffffffffff7f093 x21: ffffffc081de6378\n[ 1.434792] x20: 0000000000000000 x19: 0000000ffff7f093 x18: 00000000ffffffff\n[ 1.435441] x17: 3030303866666666 x16: 66663d736b73616d x15: ffffffc104e1b5b7\n[ 1.436091] x14: 0000000000000000 x13: ffffffc084712860 x12: 0000000000000372\n[ 1.436739] x11: 0000000000000126 x10: ffffffc08476a860 x9 : ffffffc084712860\n[ 1.437389] x8 : 00000000ffffefff x7 : ffffffc08476a860 x6 : 0000000000000000\n[ 1.438036] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000\n[ 1.438683] x2 : 0000000000000000 x1 : ffffffc0846eb000 x0 : ffffff8000407b68\n[ 1.439332] Call trace:\n[ 1.439559] sched_numa_find_nth_cpu+0x2a0/0x488 (P)\n[ 1.440016] smp_call_function_any+0xc8/0xd0\n[ 1.440416] armv8_pmu_init+0x58/0x27c\n[ 1.440770] armv8_cortex_a72_pmu_init+0x20/0x2c\n[ 1.441199] arm_pmu_device_probe+0x1e4/0x5e8\n[ 1.441603] armv8_pmu_device_probe+0x1c/0x28\n[ 1.442007] platform_probe+0x5c/0xac\n[ 1.442347] really_probe+0xbc/0x298\n[ 1.442683] __driver_probe_device+0x78/0x12c\n[ 1.443087] driver_probe_device+0xdc/0x160\n[ 1.443475] __driver_attach+0x94/0x19c\n[ 1.443833] bus_for_each_dev+0x74/0xd4\n[ 1.444190] driver_attach+0x24/0x30\n[ 1.444525] bus_add_driver+0xe4/0x208\n[ 1.444874] driver_register+0x60/0x128\n[ 1.445233] __platform_driver_register+0x24/0x30\n[ 1.445662] armv8_pmu_driver_init+0x28/0x4c\n[ 1.446059] do_one_initcall+0x44/0x25c\n[ 1.446416] kernel_init_freeable+0x1dc/0x3bc\n[ 1.446820] kernel_init+0x20/0x1d8\n[ 1.447151] ret_from_fork+0x10/0x20\n[ 1.447493] Code: 90022e21 f000e5f5 910de2b5 2a1703e2 (f8767803)\n[ 1.448040] ---[ end trace 0000000000000000 ]---\n[ 1.448483] note: swapper/0[1] exited with preempt_count 1\n[ 1.449047] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b\n[ 1.449741] SMP: stopping secondary CPUs\n[ 1.450105] Kernel Offset: disabled\n[ 1.450419] CPU features: 0x000000,00080000,20002001,0400421b\n[ \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:43.920Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9b8d4dba8e78c1887fecd81ba0d8204d6ff05fc"
},
{
"url": "https://git.kernel.org/stable/c/b3ec50cc5eb5ca84256ca701d28b137a6036c412"
},
{
"url": "https://git.kernel.org/stable/c/b921c288cd8abef9af5b59e056a63cc2c263a9e3"
},
{
"url": "https://git.kernel.org/stable/c/5ebf512f335053a42482ebff91e46c6dc156bf8c"
}
],
"title": "sched: Fix sched_numa_find_nth_cpu() if mask offline",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39895",
"datePublished": "2025-10-01T07:42:43.920Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2026-01-14T19:33:13.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40265 (GCVE-0-2025-40265)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-04 16:08
VLAI?
EPSS
Title
vfat: fix missing sb_min_blocksize() return value checks
Summary
In the Linux kernel, the following vulnerability has been resolved:
vfat: fix missing sb_min_blocksize() return value checks
When emulating an nvme device on qemu with both logical_block_size and
physical_block_size set to 8 KiB, but without format, a kernel panic
was triggered during the early boot stage while attempting to mount a
vfat filesystem.
[95553.682035] EXT4-fs (nvme0n1): unable to set blocksize
[95553.684326] EXT4-fs (nvme0n1): unable to set blocksize
[95553.686501] EXT4-fs (nvme0n1): unable to set blocksize
[95553.696448] ISOFS: unsupported/invalid hardware sector size 8192
[95553.697117] ------------[ cut here ]------------
[95553.697567] kernel BUG at fs/buffer.c:1582!
[95553.697984] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[95553.698602] CPU: 0 UID: 0 PID: 7212 Comm: mount Kdump: loaded Not tainted 6.18.0-rc2+ #38 PREEMPT(voluntary)
[95553.699511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[95553.700534] RIP: 0010:folio_alloc_buffers+0x1bb/0x1c0
[95553.701018] Code: 48 8b 15 e8 93 18 02 65 48 89 35 e0 93 18 02 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff c3 cc cc cc cc <0f> 0b 90 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f
[95553.702648] RSP: 0018:ffffd1b0c676f990 EFLAGS: 00010246
[95553.703132] RAX: ffff8cfc4176d820 RBX: 0000000000508c48 RCX: 0000000000000001
[95553.703805] RDX: 0000000000002000 RSI: 0000000000000000 RDI: 0000000000000000
[95553.704481] RBP: ffffd1b0c676f9c8 R08: 0000000000000000 R09: 0000000000000000
[95553.705148] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[95553.705816] R13: 0000000000002000 R14: fffff8bc8257e800 R15: 0000000000000000
[95553.706483] FS: 000072ee77315840(0000) GS:ffff8cfdd2c8d000(0000) knlGS:0000000000000000
[95553.707248] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[95553.707782] CR2: 00007d8f2a9e5a20 CR3: 0000000039d0c006 CR4: 0000000000772ef0
[95553.708439] PKRU: 55555554
[95553.708734] Call Trace:
[95553.709015] <TASK>
[95553.709266] __getblk_slow+0xd2/0x230
[95553.709641] ? find_get_block_common+0x8b/0x530
[95553.710084] bdev_getblk+0x77/0xa0
[95553.710449] __bread_gfp+0x22/0x140
[95553.710810] fat_fill_super+0x23a/0xfc0
[95553.711216] ? __pfx_setup+0x10/0x10
[95553.711580] ? __pfx_vfat_fill_super+0x10/0x10
[95553.712014] vfat_fill_super+0x15/0x30
[95553.712401] get_tree_bdev_flags+0x141/0x1e0
[95553.712817] get_tree_bdev+0x10/0x20
[95553.713177] vfat_get_tree+0x15/0x20
[95553.713550] vfs_get_tree+0x2a/0x100
[95553.713910] vfs_cmd_create+0x62/0xf0
[95553.714273] __do_sys_fsconfig+0x4e7/0x660
[95553.714669] __x64_sys_fsconfig+0x20/0x40
[95553.715062] x64_sys_call+0x21ee/0x26a0
[95553.715453] do_syscall_64+0x80/0x670
[95553.715816] ? __fs_parse+0x65/0x1e0
[95553.716172] ? fat_parse_param+0x103/0x4b0
[95553.716587] ? vfs_parse_fs_param_source+0x21/0xa0
[95553.717034] ? __do_sys_fsconfig+0x3d9/0x660
[95553.717548] ? __x64_sys_fsconfig+0x20/0x40
[95553.717957] ? x64_sys_call+0x21ee/0x26a0
[95553.718360] ? do_syscall_64+0xb8/0x670
[95553.718734] ? __x64_sys_fsconfig+0x20/0x40
[95553.719141] ? x64_sys_call+0x21ee/0x26a0
[95553.719545] ? do_syscall_64+0xb8/0x670
[95553.719922] ? x64_sys_call+0x1405/0x26a0
[95553.720317] ? do_syscall_64+0xb8/0x670
[95553.720702] ? __x64_sys_close+0x3e/0x90
[95553.721080] ? x64_sys_call+0x1b5e/0x26a0
[95553.721478] ? do_syscall_64+0xb8/0x670
[95553.721841] ? irqentry_exit+0x43/0x50
[95553.722211] ? exc_page_fault+0x90/0x1b0
[95553.722681] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[95553.723166] RIP: 0033:0x72ee774f3afe
[95553.723562] Code: 73 01 c3 48 8b 0d 0a 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 49 89 ca b8 af 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d da 32 0f 00 f7 d8 64 89 01 48
[95553.725188] RSP: 002b:00007ffe97148978 EFLAGS: 00000246 ORIG_RAX: 00000000000001af
[95553.725892] RAX: ffffffffffffffda RBX:
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fat/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee767b99b0045be286cceb8265bd4c9831be671e",
"status": "affected",
"version": "a64e5a596067bddba87fcc2ce37e56c3fca831b7",
"versionType": "git"
},
{
"lessThan": "63b5aa01da0f38cdbd97d021477258e511631497",
"status": "affected",
"version": "a64e5a596067bddba87fcc2ce37e56c3fca831b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fat/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfat: fix missing sb_min_blocksize() return value checks\n\nWhen emulating an nvme device on qemu with both logical_block_size and\nphysical_block_size set to 8 KiB, but without format, a kernel panic\nwas triggered during the early boot stage while attempting to mount a\nvfat filesystem.\n\n[95553.682035] EXT4-fs (nvme0n1): unable to set blocksize\n[95553.684326] EXT4-fs (nvme0n1): unable to set blocksize\n[95553.686501] EXT4-fs (nvme0n1): unable to set blocksize\n[95553.696448] ISOFS: unsupported/invalid hardware sector size 8192\n[95553.697117] ------------[ cut here ]------------\n[95553.697567] kernel BUG at fs/buffer.c:1582!\n[95553.697984] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[95553.698602] CPU: 0 UID: 0 PID: 7212 Comm: mount Kdump: loaded Not tainted 6.18.0-rc2+ #38 PREEMPT(voluntary)\n[95553.699511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[95553.700534] RIP: 0010:folio_alloc_buffers+0x1bb/0x1c0\n[95553.701018] Code: 48 8b 15 e8 93 18 02 65 48 89 35 e0 93 18 02 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff c3 cc cc cc cc \u003c0f\u003e 0b 90 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f\n[95553.702648] RSP: 0018:ffffd1b0c676f990 EFLAGS: 00010246\n[95553.703132] RAX: ffff8cfc4176d820 RBX: 0000000000508c48 RCX: 0000000000000001\n[95553.703805] RDX: 0000000000002000 RSI: 0000000000000000 RDI: 0000000000000000\n[95553.704481] RBP: ffffd1b0c676f9c8 R08: 0000000000000000 R09: 0000000000000000\n[95553.705148] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001\n[95553.705816] R13: 0000000000002000 R14: fffff8bc8257e800 R15: 0000000000000000\n[95553.706483] FS: 000072ee77315840(0000) GS:ffff8cfdd2c8d000(0000) knlGS:0000000000000000\n[95553.707248] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[95553.707782] CR2: 00007d8f2a9e5a20 CR3: 0000000039d0c006 CR4: 0000000000772ef0\n[95553.708439] PKRU: 55555554\n[95553.708734] Call Trace:\n[95553.709015] \u003cTASK\u003e\n[95553.709266] __getblk_slow+0xd2/0x230\n[95553.709641] ? find_get_block_common+0x8b/0x530\n[95553.710084] bdev_getblk+0x77/0xa0\n[95553.710449] __bread_gfp+0x22/0x140\n[95553.710810] fat_fill_super+0x23a/0xfc0\n[95553.711216] ? __pfx_setup+0x10/0x10\n[95553.711580] ? __pfx_vfat_fill_super+0x10/0x10\n[95553.712014] vfat_fill_super+0x15/0x30\n[95553.712401] get_tree_bdev_flags+0x141/0x1e0\n[95553.712817] get_tree_bdev+0x10/0x20\n[95553.713177] vfat_get_tree+0x15/0x20\n[95553.713550] vfs_get_tree+0x2a/0x100\n[95553.713910] vfs_cmd_create+0x62/0xf0\n[95553.714273] __do_sys_fsconfig+0x4e7/0x660\n[95553.714669] __x64_sys_fsconfig+0x20/0x40\n[95553.715062] x64_sys_call+0x21ee/0x26a0\n[95553.715453] do_syscall_64+0x80/0x670\n[95553.715816] ? __fs_parse+0x65/0x1e0\n[95553.716172] ? fat_parse_param+0x103/0x4b0\n[95553.716587] ? vfs_parse_fs_param_source+0x21/0xa0\n[95553.717034] ? __do_sys_fsconfig+0x3d9/0x660\n[95553.717548] ? __x64_sys_fsconfig+0x20/0x40\n[95553.717957] ? x64_sys_call+0x21ee/0x26a0\n[95553.718360] ? do_syscall_64+0xb8/0x670\n[95553.718734] ? __x64_sys_fsconfig+0x20/0x40\n[95553.719141] ? x64_sys_call+0x21ee/0x26a0\n[95553.719545] ? do_syscall_64+0xb8/0x670\n[95553.719922] ? x64_sys_call+0x1405/0x26a0\n[95553.720317] ? do_syscall_64+0xb8/0x670\n[95553.720702] ? __x64_sys_close+0x3e/0x90\n[95553.721080] ? x64_sys_call+0x1b5e/0x26a0\n[95553.721478] ? do_syscall_64+0xb8/0x670\n[95553.721841] ? irqentry_exit+0x43/0x50\n[95553.722211] ? exc_page_fault+0x90/0x1b0\n[95553.722681] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[95553.723166] RIP: 0033:0x72ee774f3afe\n[95553.723562] Code: 73 01 c3 48 8b 0d 0a 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 49 89 ca b8 af 01 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d da 32 0f 00 f7 d8 64 89 01 48\n[95553.725188] RSP: 002b:00007ffe97148978 EFLAGS: 00000246 ORIG_RAX: 00000000000001af\n[95553.725892] RAX: ffffffffffffffda RBX: \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T16:08:24.708Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee767b99b0045be286cceb8265bd4c9831be671e"
},
{
"url": "https://git.kernel.org/stable/c/63b5aa01da0f38cdbd97d021477258e511631497"
}
],
"title": "vfat: fix missing sb_min_blocksize() return value checks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40265",
"datePublished": "2025-12-04T16:08:24.708Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2025-12-04T16:08:24.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39937 (GCVE-0-2025-39937)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:31 – Updated: 2025-10-04 07:37
VLAI?
EPSS
Title
net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer
Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from
device property") rfkill_find_type() gets called with the possibly
uninitialized "const char *type_name;" local variable.
On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752"
acpi_device, the rfkill->type is set based on the ACPI acpi_device_id:
rfkill->type = (unsigned)id->driver_data;
and there is no "type" property so device_property_read_string() will fail
and leave type_name uninitialized, leading to a potential crash.
rfkill_find_type() does accept a NULL pointer, fix the potential crash
by initializing type_name to NULL.
Note likely sofar this has not been caught because:
1. Not many x86 machines actually have a "BCM4752"/"LNV4752" acpi_device
2. The stack happened to contain NULL where type_name is stored
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7d5e9737efda16535e5b54bd627ef4881d11d31f , < 184f608a68f96794e8fe58cd5535014d53622cde
(git)
Affected: 7d5e9737efda16535e5b54bd627ef4881d11d31f , < 8793e7a8e1b60131a825457174ed6398111daeb7 (git) Affected: 7d5e9737efda16535e5b54bd627ef4881d11d31f , < ada2282259243387e6b6e89239aeb4897e62f051 (git) Affected: 7d5e9737efda16535e5b54bd627ef4881d11d31f , < 47ade5f9d70b23a119ec20b1c6504864b2543a79 (git) Affected: 7d5e9737efda16535e5b54bd627ef4881d11d31f , < 689aee35ce671aab752f159e5c8e66d7685e6887 (git) Affected: 7d5e9737efda16535e5b54bd627ef4881d11d31f , < 21ba85d9d508422ca9e6698463ff9357c928c22d (git) Affected: 7d5e9737efda16535e5b54bd627ef4881d11d31f , < 21a39b958b4bcf44f7674bfbbe1bbb8cad0d842d (git) Affected: 7d5e9737efda16535e5b54bd627ef4881d11d31f , < b6f56a44e4c1014b08859dcf04ed246500e310e5 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rfkill/rfkill-gpio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "184f608a68f96794e8fe58cd5535014d53622cde",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "8793e7a8e1b60131a825457174ed6398111daeb7",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "ada2282259243387e6b6e89239aeb4897e62f051",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "47ade5f9d70b23a119ec20b1c6504864b2543a79",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "689aee35ce671aab752f159e5c8e66d7685e6887",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "21ba85d9d508422ca9e6698463ff9357c928c22d",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "21a39b958b4bcf44f7674bfbbe1bbb8cad0d842d",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "b6f56a44e4c1014b08859dcf04ed246500e310e5",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rfkill/rfkill-gpio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer\n\nSince commit 7d5e9737efda (\"net: rfkill: gpio: get the name and type from\ndevice property\") rfkill_find_type() gets called with the possibly\nuninitialized \"const char *type_name;\" local variable.\n\nOn x86 systems when rfkill-gpio binds to a \"BCM4752\" or \"LNV4752\"\nacpi_device, the rfkill-\u003etype is set based on the ACPI acpi_device_id:\n\n rfkill-\u003etype = (unsigned)id-\u003edriver_data;\n\nand there is no \"type\" property so device_property_read_string() will fail\nand leave type_name uninitialized, leading to a potential crash.\n\nrfkill_find_type() does accept a NULL pointer, fix the potential crash\nby initializing type_name to NULL.\n\nNote likely sofar this has not been caught because:\n\n1. Not many x86 machines actually have a \"BCM4752\"/\"LNV4752\" acpi_device\n2. The stack happened to contain NULL where type_name is stored"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:01.924Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/184f608a68f96794e8fe58cd5535014d53622cde"
},
{
"url": "https://git.kernel.org/stable/c/8793e7a8e1b60131a825457174ed6398111daeb7"
},
{
"url": "https://git.kernel.org/stable/c/ada2282259243387e6b6e89239aeb4897e62f051"
},
{
"url": "https://git.kernel.org/stable/c/47ade5f9d70b23a119ec20b1c6504864b2543a79"
},
{
"url": "https://git.kernel.org/stable/c/689aee35ce671aab752f159e5c8e66d7685e6887"
},
{
"url": "https://git.kernel.org/stable/c/21ba85d9d508422ca9e6698463ff9357c928c22d"
},
{
"url": "https://git.kernel.org/stable/c/21a39b958b4bcf44f7674bfbbe1bbb8cad0d842d"
},
{
"url": "https://git.kernel.org/stable/c/b6f56a44e4c1014b08859dcf04ed246500e310e5"
}
],
"title": "net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39937",
"datePublished": "2025-10-04T07:31:00.879Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:37:01.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39947 (GCVE-0-2025-39947)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:31 – Updated: 2025-10-04 07:31
VLAI?
EPSS
Title
net/mlx5e: Harden uplink netdev access against device unbind
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Harden uplink netdev access against device unbind
The function mlx5_uplink_netdev_get() gets the uplink netdevice
pointer from mdev->mlx5e_res.uplink_netdev. However, the netdevice can
be removed and its pointer cleared when unbound from the mlx5_core.eth
driver. This results in a NULL pointer, causing a kernel panic.
BUG: unable to handle page fault for address: 0000000000001300
at RIP: 0010:mlx5e_vport_rep_load+0x22a/0x270 [mlx5_core]
Call Trace:
<TASK>
mlx5_esw_offloads_rep_load+0x68/0xe0 [mlx5_core]
esw_offloads_enable+0x593/0x910 [mlx5_core]
mlx5_eswitch_enable_locked+0x341/0x420 [mlx5_core]
mlx5_devlink_eswitch_mode_set+0x17e/0x3a0 [mlx5_core]
devlink_nl_eswitch_set_doit+0x60/0xd0
genl_family_rcv_msg_doit+0xe0/0x130
genl_rcv_msg+0x183/0x290
netlink_rcv_skb+0x4b/0xf0
genl_rcv+0x24/0x40
netlink_unicast+0x255/0x380
netlink_sendmsg+0x1f3/0x420
__sock_sendmsg+0x38/0x60
__sys_sendto+0x119/0x180
do_syscall_64+0x53/0x1d0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Ensure the pointer is valid before use by checking it for NULL. If it
is valid, immediately call netdev_hold() to take a reference, and
preventing the netdevice from being freed while it is in use.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7a9fb35e8c3a67145fca262c304de65cb2f83abf , < 2cb17c88edd3a1c7aa6bc880dcdb35a6866fcb2e
(git)
Affected: 7a9fb35e8c3a67145fca262c304de65cb2f83abf , < d1f3db4e7a3be29fc17f01850f162363f919370d (git) Affected: 7a9fb35e8c3a67145fca262c304de65cb2f83abf , < 8df354eb2dd63d111ed5ae2e956e0dbb22bcf93b (git) Affected: 7a9fb35e8c3a67145fca262c304de65cb2f83abf , < 6b4be64fd9fec16418f365c2d8e47a7566e9eba5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c",
"drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c",
"drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h",
"include/linux/mlx5/driver.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2cb17c88edd3a1c7aa6bc880dcdb35a6866fcb2e",
"status": "affected",
"version": "7a9fb35e8c3a67145fca262c304de65cb2f83abf",
"versionType": "git"
},
{
"lessThan": "d1f3db4e7a3be29fc17f01850f162363f919370d",
"status": "affected",
"version": "7a9fb35e8c3a67145fca262c304de65cb2f83abf",
"versionType": "git"
},
{
"lessThan": "8df354eb2dd63d111ed5ae2e956e0dbb22bcf93b",
"status": "affected",
"version": "7a9fb35e8c3a67145fca262c304de65cb2f83abf",
"versionType": "git"
},
{
"lessThan": "6b4be64fd9fec16418f365c2d8e47a7566e9eba5",
"status": "affected",
"version": "7a9fb35e8c3a67145fca262c304de65cb2f83abf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c",
"drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c",
"drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h",
"include/linux/mlx5/driver.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Harden uplink netdev access against device unbind\n\nThe function mlx5_uplink_netdev_get() gets the uplink netdevice\npointer from mdev-\u003emlx5e_res.uplink_netdev. However, the netdevice can\nbe removed and its pointer cleared when unbound from the mlx5_core.eth\ndriver. This results in a NULL pointer, causing a kernel panic.\n\n BUG: unable to handle page fault for address: 0000000000001300\n at RIP: 0010:mlx5e_vport_rep_load+0x22a/0x270 [mlx5_core]\n Call Trace:\n \u003cTASK\u003e\n mlx5_esw_offloads_rep_load+0x68/0xe0 [mlx5_core]\n esw_offloads_enable+0x593/0x910 [mlx5_core]\n mlx5_eswitch_enable_locked+0x341/0x420 [mlx5_core]\n mlx5_devlink_eswitch_mode_set+0x17e/0x3a0 [mlx5_core]\n devlink_nl_eswitch_set_doit+0x60/0xd0\n genl_family_rcv_msg_doit+0xe0/0x130\n genl_rcv_msg+0x183/0x290\n netlink_rcv_skb+0x4b/0xf0\n genl_rcv+0x24/0x40\n netlink_unicast+0x255/0x380\n netlink_sendmsg+0x1f3/0x420\n __sock_sendmsg+0x38/0x60\n __sys_sendto+0x119/0x180\n do_syscall_64+0x53/0x1d0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nEnsure the pointer is valid before use by checking it for NULL. If it\nis valid, immediately call netdev_hold() to take a reference, and\npreventing the netdevice from being freed while it is in use."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:31:08.636Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2cb17c88edd3a1c7aa6bc880dcdb35a6866fcb2e"
},
{
"url": "https://git.kernel.org/stable/c/d1f3db4e7a3be29fc17f01850f162363f919370d"
},
{
"url": "https://git.kernel.org/stable/c/8df354eb2dd63d111ed5ae2e956e0dbb22bcf93b"
},
{
"url": "https://git.kernel.org/stable/c/6b4be64fd9fec16418f365c2d8e47a7566e9eba5"
}
],
"title": "net/mlx5e: Harden uplink netdev access against device unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39947",
"datePublished": "2025-10-04T07:31:08.636Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:31:08.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40242 (GCVE-0-2025-40242)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
gfs2: Fix unlikely race in gdlm_put_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Fix unlikely race in gdlm_put_lock
In gdlm_put_lock(), there is a small window of time in which the
DFL_UNMOUNT flag has been set but the lockspace hasn't been released,
yet. In that window, dlm may still call gdlm_ast() and gdlm_bast().
To prevent it from dereferencing freed glock objects, only free the
glock if the lockspace has actually been released.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d1340f80f0b8066321b499a376780da00560e857 , < 279bde3bbb0ac0bad5c729dfa85983d75a5d7641
(git)
Affected: d1340f80f0b8066321b499a376780da00560e857 , < 64c61b4ac645222fa7b724cef616c1f862a72a40 (git) Affected: d1340f80f0b8066321b499a376780da00560e857 , < 28c4d9bc0708956c1a736a9e49fee71b65deee81 (git) Affected: 6aa628c45875e7b8cca81ed9447a12a0e8f3504a (git) Affected: a97e75203733be0a4263a78fb7b29352be150c1c (git) Affected: 3554b46204e67333e1fb8be0e93936fb08267c80 (git) Affected: 5cff77b9827a956d076168b56775aad23bce87e4 (git) Affected: 8deedce385d220f90e435f534d71d27526273515 (git) Affected: 2225a5cd2fbc2ef0e0f78e585db3844f60416a39 (git) Affected: 02e838963fdaa6ce8570b5389aecdc6cf1fb40b0 (git) Affected: 01eb3106f43335fdc02111358dae80a5c3fd324d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/gfs2/lock_dlm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "279bde3bbb0ac0bad5c729dfa85983d75a5d7641",
"status": "affected",
"version": "d1340f80f0b8066321b499a376780da00560e857",
"versionType": "git"
},
{
"lessThan": "64c61b4ac645222fa7b724cef616c1f862a72a40",
"status": "affected",
"version": "d1340f80f0b8066321b499a376780da00560e857",
"versionType": "git"
},
{
"lessThan": "28c4d9bc0708956c1a736a9e49fee71b65deee81",
"status": "affected",
"version": "d1340f80f0b8066321b499a376780da00560e857",
"versionType": "git"
},
{
"status": "affected",
"version": "6aa628c45875e7b8cca81ed9447a12a0e8f3504a",
"versionType": "git"
},
{
"status": "affected",
"version": "a97e75203733be0a4263a78fb7b29352be150c1c",
"versionType": "git"
},
{
"status": "affected",
"version": "3554b46204e67333e1fb8be0e93936fb08267c80",
"versionType": "git"
},
{
"status": "affected",
"version": "5cff77b9827a956d076168b56775aad23bce87e4",
"versionType": "git"
},
{
"status": "affected",
"version": "8deedce385d220f90e435f534d71d27526273515",
"versionType": "git"
},
{
"status": "affected",
"version": "2225a5cd2fbc2ef0e0f78e585db3844f60416a39",
"versionType": "git"
},
{
"status": "affected",
"version": "02e838963fdaa6ce8570b5389aecdc6cf1fb40b0",
"versionType": "git"
},
{
"status": "affected",
"version": "01eb3106f43335fdc02111358dae80a5c3fd324d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/gfs2/lock_dlm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix unlikely race in gdlm_put_lock\n\nIn gdlm_put_lock(), there is a small window of time in which the\nDFL_UNMOUNT flag has been set but the lockspace hasn\u0027t been released,\nyet. In that window, dlm may still call gdlm_ast() and gdlm_bast().\nTo prevent it from dereferencing freed glock objects, only free the\nglock if the lockspace has actually been released."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:11.131Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/279bde3bbb0ac0bad5c729dfa85983d75a5d7641"
},
{
"url": "https://git.kernel.org/stable/c/64c61b4ac645222fa7b724cef616c1f862a72a40"
},
{
"url": "https://git.kernel.org/stable/c/28c4d9bc0708956c1a736a9e49fee71b65deee81"
}
],
"title": "gfs2: Fix unlikely race in gdlm_put_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40242",
"datePublished": "2025-12-04T15:31:31.497Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2026-01-02T15:33:11.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39965 (GCVE-0-2025-39965)
Vulnerability from cvelistv5 – Published: 2025-10-13 13:48 – Updated: 2025-10-13 13:48
VLAI?
EPSS
Title
xfrm: xfrm_alloc_spi shouldn't use 0 as SPI
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: xfrm_alloc_spi shouldn't use 0 as SPI
x->id.spi == 0 means "no SPI assigned", but since commit
94f39804d891 ("xfrm: Duplicate SPI Handling"), we now create states
and add them to the byspi list with this value.
__xfrm_state_delete doesn't remove those states from the byspi list,
since they shouldn't be there, and this shows up as a UAF the next
time we go through the byspi list.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3d8090bb53424432fa788fe9a49e8ceca74f0544 , < 0baf92d0b1590b903c1f4ead75e61715e50e8146
(git)
Affected: 2fc5b54368a1bf1d2d74b4d3b8eea5309a653e38 , < 9fcedabaae0096f712bbb4ccca6a8538af1cd1c8 (git) Affected: 29e9158f91f99057dbd35db5e8674d93b38549fe , < a78e55776522373c446f18d5002a8de4b09e6bf7 (git) Affected: 94f39804d891cffe4ce17737d295f3b195bc7299 , < cd8ae32e4e4652db55bce6b9c79267d8946765a9 (git) Affected: c67d4e7a8f90fb6361ca89d4d5c9a28f4e935e47 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0baf92d0b1590b903c1f4ead75e61715e50e8146",
"status": "affected",
"version": "3d8090bb53424432fa788fe9a49e8ceca74f0544",
"versionType": "git"
},
{
"lessThan": "9fcedabaae0096f712bbb4ccca6a8538af1cd1c8",
"status": "affected",
"version": "2fc5b54368a1bf1d2d74b4d3b8eea5309a653e38",
"versionType": "git"
},
{
"lessThan": "a78e55776522373c446f18d5002a8de4b09e6bf7",
"status": "affected",
"version": "29e9158f91f99057dbd35db5e8674d93b38549fe",
"versionType": "git"
},
{
"lessThan": "cd8ae32e4e4652db55bce6b9c79267d8946765a9",
"status": "affected",
"version": "94f39804d891cffe4ce17737d295f3b195bc7299",
"versionType": "git"
},
{
"status": "affected",
"version": "c67d4e7a8f90fb6361ca89d4d5c9a28f4e935e47",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.6.109",
"status": "affected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThan": "6.12.50",
"status": "affected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThan": "6.16.10",
"status": "affected",
"version": "6.16.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: xfrm_alloc_spi shouldn\u0027t use 0 as SPI\n\nx-\u003eid.spi == 0 means \"no SPI assigned\", but since commit\n94f39804d891 (\"xfrm: Duplicate SPI Handling\"), we now create states\nand add them to the byspi list with this value.\n\n__xfrm_state_delete doesn\u0027t remove those states from the byspi list,\nsince they shouldn\u0027t be there, and this shows up as a UAF the next\ntime we go through the byspi list."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-13T13:48:31.033Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0baf92d0b1590b903c1f4ead75e61715e50e8146"
},
{
"url": "https://git.kernel.org/stable/c/9fcedabaae0096f712bbb4ccca6a8538af1cd1c8"
},
{
"url": "https://git.kernel.org/stable/c/a78e55776522373c446f18d5002a8de4b09e6bf7"
},
{
"url": "https://git.kernel.org/stable/c/cd8ae32e4e4652db55bce6b9c79267d8946765a9"
}
],
"title": "xfrm: xfrm_alloc_spi shouldn\u0027t use 0 as SPI",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39965",
"datePublished": "2025-10-13T13:48:31.033Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-13T13:48:31.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39811 (GCVE-0-2025-39811)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2026-01-14 18:22
VLAI?
EPSS
Title
drm/xe/vm: Clear the scratch_pt pointer on error
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/vm: Clear the scratch_pt pointer on error
Avoid triggering a dereference of an error pointer on cleanup in
xe_vm_free_scratch() by clearing any scratch_pt error pointer.
(cherry picked from commit 358ee50ab565f3c8ea32480e9d03127a81ba32f8)
Severity ?
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
06951c2ee72df2f53b71e7cf2b504d4fa6bba453 , < c8277d229c7840e8090d4704e50f2ca014d194c7
(git)
Affected: 06951c2ee72df2f53b71e7cf2b504d4fa6bba453 , < 84603ed1d73ebb8de856dc11f4f5d3541c48f7a2 (git) Affected: 06951c2ee72df2f53b71e7cf2b504d4fa6bba453 , < 2b55ddf36229e0278c956215784ab1feeff510aa (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39811",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:15:08.427254Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:22:55.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8277d229c7840e8090d4704e50f2ca014d194c7",
"status": "affected",
"version": "06951c2ee72df2f53b71e7cf2b504d4fa6bba453",
"versionType": "git"
},
{
"lessThan": "84603ed1d73ebb8de856dc11f4f5d3541c48f7a2",
"status": "affected",
"version": "06951c2ee72df2f53b71e7cf2b504d4fa6bba453",
"versionType": "git"
},
{
"lessThan": "2b55ddf36229e0278c956215784ab1feeff510aa",
"status": "affected",
"version": "06951c2ee72df2f53b71e7cf2b504d4fa6bba453",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/vm: Clear the scratch_pt pointer on error\n\nAvoid triggering a dereference of an error pointer on cleanup in\nxe_vm_free_scratch() by clearing any scratch_pt error pointer.\n\n(cherry picked from commit 358ee50ab565f3c8ea32480e9d03127a81ba32f8)"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:54.870Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8277d229c7840e8090d4704e50f2ca014d194c7"
},
{
"url": "https://git.kernel.org/stable/c/84603ed1d73ebb8de856dc11f4f5d3541c48f7a2"
},
{
"url": "https://git.kernel.org/stable/c/2b55ddf36229e0278c956215784ab1feeff510aa"
}
],
"title": "drm/xe/vm: Clear the scratch_pt pointer on error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39811",
"datePublished": "2025-09-16T13:00:13.395Z",
"dateReserved": "2025-04-16T07:20:57.137Z",
"dateUpdated": "2026-01-14T18:22:55.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68367 (GCVE-0-2025-68367)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
Summary
In the Linux kernel, the following vulnerability has been resolved:
macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
The following warning appears when running syzkaller, and this issue also
exists in the mainline code.
------------[ cut here ]------------
list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100.
WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130
Modules linked in:
CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:__list_add_valid_or_report+0xf7/0x130
RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817
RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001
RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c
R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100
R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48
FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
<TASK>
input_register_handler+0xb3/0x210
mac_hid_start_emulation+0x1c5/0x290
mac_hid_toggle_emumouse+0x20a/0x240
proc_sys_call_handler+0x4c2/0x6e0
new_sync_write+0x1b1/0x2d0
vfs_write+0x709/0x950
ksys_write+0x12a/0x250
do_syscall_64+0x5a/0x110
entry_SYSCALL_64_after_hwframe+0x78/0xe2
The WARNING occurs when two processes concurrently write to the mac-hid
emulation sysctl, causing a race condition in mac_hid_toggle_emumouse().
Both processes read old_val=0, then both try to register the input handler,
leading to a double list_add of the same handler.
CPU0 CPU1
------------------------- -------------------------
vfs_write() //write 1 vfs_write() //write 1
proc_sys_write() proc_sys_write()
mac_hid_toggle_emumouse() mac_hid_toggle_emumouse()
old_val = *valp // old_val=0
old_val = *valp // old_val=0
mutex_lock_killable()
proc_dointvec() // *valp=1
mac_hid_start_emulation()
input_register_handler()
mutex_unlock()
mutex_lock_killable()
proc_dointvec()
mac_hid_start_emulation()
input_register_handler() //Trigger Warning
mutex_unlock()
Fix this by moving the old_val read inside the mutex lock region.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
99b089c3c38a83ebaeb1cc4584ddcde841626467 , < d5f1d40fd342b589420de7508b4c748fcf28122e
(git)
Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 14c209835e47a87e6da94bb9401e570dcc14f31f (git) Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 583d36523f56d8e9ddfa0bec20743a6faefc9b74 (git) Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 61abf8c3162d155b4fd0fb251f08557093363a0a (git) Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 230621ffdb361d15cd3ef92d8b4fa8d314f4fad4 (git) Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 388391dd1cc567fcf0b372b63d414c119d23e911 (git) Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 48a7d427eb65922b3f17fbe00e2bbc7cb9eac381 (git) Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/macintosh/mac_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5f1d40fd342b589420de7508b4c748fcf28122e",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "14c209835e47a87e6da94bb9401e570dcc14f31f",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "583d36523f56d8e9ddfa0bec20743a6faefc9b74",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "61abf8c3162d155b4fd0fb251f08557093363a0a",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "230621ffdb361d15cd3ef92d8b4fa8d314f4fad4",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "388391dd1cc567fcf0b372b63d414c119d23e911",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "48a7d427eb65922b3f17fbe00e2bbc7cb9eac381",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/macintosh/mac_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse\n\nThe following warning appears when running syzkaller, and this issue also\nexists in the mainline code.\n\n ------------[ cut here ]------------\n list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100.\n WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130\n Modules linked in:\n CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:__list_add_valid_or_report+0xf7/0x130\n RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282\n RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817\n RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001\n RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c\n R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100\n R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48\n FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 80000000\n Call Trace:\n \u003cTASK\u003e\n input_register_handler+0xb3/0x210\n mac_hid_start_emulation+0x1c5/0x290\n mac_hid_toggle_emumouse+0x20a/0x240\n proc_sys_call_handler+0x4c2/0x6e0\n new_sync_write+0x1b1/0x2d0\n vfs_write+0x709/0x950\n ksys_write+0x12a/0x250\n do_syscall_64+0x5a/0x110\n entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nThe WARNING occurs when two processes concurrently write to the mac-hid\nemulation sysctl, causing a race condition in mac_hid_toggle_emumouse().\nBoth processes read old_val=0, then both try to register the input handler,\nleading to a double list_add of the same handler.\n\n CPU0 CPU1\n ------------------------- -------------------------\n vfs_write() //write 1 vfs_write() //write 1\n proc_sys_write() proc_sys_write()\n mac_hid_toggle_emumouse() mac_hid_toggle_emumouse()\n old_val = *valp // old_val=0\n old_val = *valp // old_val=0\n mutex_lock_killable()\n proc_dointvec() // *valp=1\n mac_hid_start_emulation()\n input_register_handler()\n mutex_unlock()\n mutex_lock_killable()\n proc_dointvec()\n mac_hid_start_emulation()\n input_register_handler() //Trigger Warning\n mutex_unlock()\n\nFix this by moving the old_val read inside the mutex lock region."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:03.804Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5f1d40fd342b589420de7508b4c748fcf28122e"
},
{
"url": "https://git.kernel.org/stable/c/14c209835e47a87e6da94bb9401e570dcc14f31f"
},
{
"url": "https://git.kernel.org/stable/c/583d36523f56d8e9ddfa0bec20743a6faefc9b74"
},
{
"url": "https://git.kernel.org/stable/c/61abf8c3162d155b4fd0fb251f08557093363a0a"
},
{
"url": "https://git.kernel.org/stable/c/230621ffdb361d15cd3ef92d8b4fa8d314f4fad4"
},
{
"url": "https://git.kernel.org/stable/c/388391dd1cc567fcf0b372b63d414c119d23e911"
},
{
"url": "https://git.kernel.org/stable/c/48a7d427eb65922b3f17fbe00e2bbc7cb9eac381"
},
{
"url": "https://git.kernel.org/stable/c/1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f"
}
],
"title": "macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68367",
"datePublished": "2025-12-24T10:32:54.084Z",
"dateReserved": "2025-12-16T14:48:05.309Z",
"dateUpdated": "2026-02-09T08:32:03.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40087 (GCVE-0-2025-40087)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:47 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
NFSD: Define a proc_layoutcommit for the FlexFiles layout type
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Define a proc_layoutcommit for the FlexFiles layout type
Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT
operation on a FlexFiles layout.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9b9960a0ca4773e21c4b153ed355583946346b25 , < a75994dd879401c3e24ff51c2536559f1a53ea27
(git)
Affected: 9b9960a0ca4773e21c4b153ed355583946346b25 , < 34d187e020cbda112a6c6f094f0ca5e6a8672b75 (git) Affected: 9b9960a0ca4773e21c4b153ed355583946346b25 , < ba88a53d7f5df4191583abf214214efe0cda91d2 (git) Affected: 9b9960a0ca4773e21c4b153ed355583946346b25 , < da9129ef77786839a3ccd1d7afeeab790bceaa1d (git) Affected: 9b9960a0ca4773e21c4b153ed355583946346b25 , < f7353208c91ab004e0179c5fb6c365b0f132f9f0 (git) Affected: 9b9960a0ca4773e21c4b153ed355583946346b25 , < a156af6a4dc38c2aa7c98e89520a70fb3b3e7df4 (git) Affected: 9b9960a0ca4773e21c4b153ed355583946346b25 , < 785ec512afa80d0540f2ca797c0e56de747a6083 (git) Affected: 9b9960a0ca4773e21c4b153ed355583946346b25 , < 4b47a8601b71ad98833b447d465592d847b4dc77 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/flexfilelayout.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a75994dd879401c3e24ff51c2536559f1a53ea27",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "34d187e020cbda112a6c6f094f0ca5e6a8672b75",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "ba88a53d7f5df4191583abf214214efe0cda91d2",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "da9129ef77786839a3ccd1d7afeeab790bceaa1d",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "f7353208c91ab004e0179c5fb6c365b0f132f9f0",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "a156af6a4dc38c2aa7c98e89520a70fb3b3e7df4",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "785ec512afa80d0540f2ca797c0e56de747a6083",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "4b47a8601b71ad98833b447d465592d847b4dc77",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/flexfilelayout.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Define a proc_layoutcommit for the FlexFiles layout type\n\nAvoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT\noperation on a FlexFiles layout."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:45.180Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a75994dd879401c3e24ff51c2536559f1a53ea27"
},
{
"url": "https://git.kernel.org/stable/c/34d187e020cbda112a6c6f094f0ca5e6a8672b75"
},
{
"url": "https://git.kernel.org/stable/c/ba88a53d7f5df4191583abf214214efe0cda91d2"
},
{
"url": "https://git.kernel.org/stable/c/da9129ef77786839a3ccd1d7afeeab790bceaa1d"
},
{
"url": "https://git.kernel.org/stable/c/f7353208c91ab004e0179c5fb6c365b0f132f9f0"
},
{
"url": "https://git.kernel.org/stable/c/a156af6a4dc38c2aa7c98e89520a70fb3b3e7df4"
},
{
"url": "https://git.kernel.org/stable/c/785ec512afa80d0540f2ca797c0e56de747a6083"
},
{
"url": "https://git.kernel.org/stable/c/4b47a8601b71ad98833b447d465592d847b4dc77"
}
],
"title": "NFSD: Define a proc_layoutcommit for the FlexFiles layout type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40087",
"datePublished": "2025-10-30T09:47:56.675Z",
"dateReserved": "2025-04-16T07:20:57.162Z",
"dateUpdated": "2025-12-01T06:17:45.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40120 (GCVE-0-2025-40120)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock
Prevent USB runtime PM (autosuspend) for AX88772* in bind.
usbnet enables runtime PM (autosuspend) by default, so disabling it via
the usb_driver flag is ineffective. On AX88772B, autosuspend shows no
measurable power saving with current driver (no link partner, admin
up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering
the PHY off on admin-down, not from USB autosuspend.
The real hazard is that with runtime PM enabled, ndo_open() (under RTNL)
may synchronously trigger autoresume (usb_autopm_get_interface()) into
asix_resume() while the USB PM lock is held. Resume paths then invoke
phylink/phylib and MDIO, which also expect RTNL, leading to possible
deadlocks or PM lock vs MDIO wake issues.
To avoid this, keep the device runtime-PM active by taking a usage
reference in ax88772_bind() and dropping it in unbind(). A non-zero PM
usage count blocks runtime suspend regardless of userspace policy
(.../power/control - pm_runtime_allow/forbid), making this approach
robust against sysfs overrides.
Holding a runtime-PM usage ref does not affect system-wide suspend;
system sleep/resume callbacks continue to run as before.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4a2c7217cd5a87e85ceb761e307b030fe6db4805 , < 71a0ba7fdaf8d035426912a4ed7bf1738a81010c
(git)
Affected: 4a2c7217cd5a87e85ceb761e307b030fe6db4805 , < 3e96cd27ff1a004d84908c1b6cc68ac60913874e (git) Affected: 4a2c7217cd5a87e85ceb761e307b030fe6db4805 , < 724a9db84188f80ef60b1f21cc7b4e9c84e0cb64 (git) Affected: 4a2c7217cd5a87e85ceb761e307b030fe6db4805 , < 1534517300e12f2930b6ff477b8820ff658afd11 (git) Affected: 4a2c7217cd5a87e85ceb761e307b030fe6db4805 , < 9d8bcaf6fae1bd82bc27ec09a2694497e6f6c4b4 (git) Affected: 4a2c7217cd5a87e85ceb761e307b030fe6db4805 , < 3d3c4cd5c62f24bb3cb4511b7a95df707635e00a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_devices.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71a0ba7fdaf8d035426912a4ed7bf1738a81010c",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
},
{
"lessThan": "3e96cd27ff1a004d84908c1b6cc68ac60913874e",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
},
{
"lessThan": "724a9db84188f80ef60b1f21cc7b4e9c84e0cb64",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
},
{
"lessThan": "1534517300e12f2930b6ff477b8820ff658afd11",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
},
{
"lessThan": "9d8bcaf6fae1bd82bc27ec09a2694497e6f6c4b4",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
},
{
"lessThan": "3d3c4cd5c62f24bb3cb4511b7a95df707635e00a",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_devices.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock\n\nPrevent USB runtime PM (autosuspend) for AX88772* in bind.\n\nusbnet enables runtime PM (autosuspend) by default, so disabling it via\nthe usb_driver flag is ineffective. On AX88772B, autosuspend shows no\nmeasurable power saving with current driver (no link partner, admin\nup/down). The ~0.453 W -\u003e ~0.248 W drop on v6.1 comes from phylib powering\nthe PHY off on admin-down, not from USB autosuspend.\n\nThe real hazard is that with runtime PM enabled, ndo_open() (under RTNL)\nmay synchronously trigger autoresume (usb_autopm_get_interface()) into\nasix_resume() while the USB PM lock is held. Resume paths then invoke\nphylink/phylib and MDIO, which also expect RTNL, leading to possible\ndeadlocks or PM lock vs MDIO wake issues.\n\nTo avoid this, keep the device runtime-PM active by taking a usage\nreference in ax88772_bind() and dropping it in unbind(). A non-zero PM\nusage count blocks runtime suspend regardless of userspace policy\n(.../power/control - pm_runtime_allow/forbid), making this approach\nrobust against sysfs overrides.\n\nHolding a runtime-PM usage ref does not affect system-wide suspend;\nsystem sleep/resume callbacks continue to run as before."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:24.689Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71a0ba7fdaf8d035426912a4ed7bf1738a81010c"
},
{
"url": "https://git.kernel.org/stable/c/3e96cd27ff1a004d84908c1b6cc68ac60913874e"
},
{
"url": "https://git.kernel.org/stable/c/724a9db84188f80ef60b1f21cc7b4e9c84e0cb64"
},
{
"url": "https://git.kernel.org/stable/c/1534517300e12f2930b6ff477b8820ff658afd11"
},
{
"url": "https://git.kernel.org/stable/c/9d8bcaf6fae1bd82bc27ec09a2694497e6f6c4b4"
},
{
"url": "https://git.kernel.org/stable/c/3d3c4cd5c62f24bb3cb4511b7a95df707635e00a"
}
],
"title": "net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40120",
"datePublished": "2025-11-12T10:23:18.726Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:24.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71132 (GCVE-0-2025-71132)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
smc91x: fix broken irq-context in PREEMPT_RT
Summary
In the Linux kernel, the following vulnerability has been resolved:
smc91x: fix broken irq-context in PREEMPT_RT
When smc91x.c is built with PREEMPT_RT, the following splat occurs
in FVP_RevC:
[ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000
[ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106]
[ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work
[ 13.062266] C
** replaying previous printk message **
[ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}
[ 13.062353] Hardware name: , BIOS
[ 13.062382] Workqueue: mld mld_ifc_work
[ 13.062469] Call trace:
[ 13.062494] show_stack+0x24/0x40 (C)
[ 13.062602] __dump_stack+0x28/0x48
[ 13.062710] dump_stack_lvl+0x7c/0xb0
[ 13.062818] dump_stack+0x18/0x34
[ 13.062926] process_scheduled_works+0x294/0x450
[ 13.063043] worker_thread+0x260/0x3d8
[ 13.063124] kthread+0x1c4/0x228
[ 13.063235] ret_from_fork+0x10/0x20
This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,
but smc_special_unlock() does not restore IRQs on PREEMPT_RT.
The reason is that smc_special_unlock() calls spin_unlock_irqrestore(),
and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke
rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero.
To address this issue, replace smc_special_trylock() with spin_trylock_irqsave().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
342a93247e0837101f27bbcca26f402902df98dc , < 1c4cb705e733250d13243f6a69b8b5a92e39b9f6
(git)
Affected: 342a93247e0837101f27bbcca26f402902df98dc , < 9d222141b00156509d67d80c771fbefa92c43ace (git) Affected: 342a93247e0837101f27bbcca26f402902df98dc , < ef277ae121b3249c99994652210a326b52d527b0 (git) Affected: 342a93247e0837101f27bbcca26f402902df98dc , < 36561b86cb2501647662cfaf91286dd6973804a6 (git) Affected: 342a93247e0837101f27bbcca26f402902df98dc , < b6018d5c1a8f09d5efe4d6961d7ee45fdf3a7ce3 (git) Affected: 342a93247e0837101f27bbcca26f402902df98dc , < 6402078bd9d1ed46e79465e1faaa42e3458f8a33 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/smsc/smc91x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1c4cb705e733250d13243f6a69b8b5a92e39b9f6",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
},
{
"lessThan": "9d222141b00156509d67d80c771fbefa92c43ace",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
},
{
"lessThan": "ef277ae121b3249c99994652210a326b52d527b0",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
},
{
"lessThan": "36561b86cb2501647662cfaf91286dd6973804a6",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
},
{
"lessThan": "b6018d5c1a8f09d5efe4d6961d7ee45fdf3a7ce3",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
},
{
"lessThan": "6402078bd9d1ed46e79465e1faaa42e3458f8a33",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/smsc/smc91x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc91x: fix broken irq-context in PREEMPT_RT\n\nWhen smc91x.c is built with PREEMPT_RT, the following splat occurs\nin FVP_RevC:\n\n[ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000\n[ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106]\n[ 13.062137] preempt=0x00000000 lock=0-\u003e0 RCU=0-\u003e1 workfn=mld_ifc_work\n[ 13.062266] C\n** replaying previous printk message **\n[ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}\n[ 13.062353] Hardware name: , BIOS\n[ 13.062382] Workqueue: mld mld_ifc_work\n[ 13.062469] Call trace:\n[ 13.062494] show_stack+0x24/0x40 (C)\n[ 13.062602] __dump_stack+0x28/0x48\n[ 13.062710] dump_stack_lvl+0x7c/0xb0\n[ 13.062818] dump_stack+0x18/0x34\n[ 13.062926] process_scheduled_works+0x294/0x450\n[ 13.063043] worker_thread+0x260/0x3d8\n[ 13.063124] kthread+0x1c4/0x228\n[ 13.063235] ret_from_fork+0x10/0x20\n\nThis happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,\nbut smc_special_unlock() does not restore IRQs on PREEMPT_RT.\nThe reason is that smc_special_unlock() calls spin_unlock_irqrestore(),\nand rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke\nrcu_read_unlock() through __local_bh_enable_ip() when current-\u003esoftirq_disable_cnt becomes zero.\n\nTo address this issue, replace smc_special_trylock() with spin_trylock_irqsave()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:28.371Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1c4cb705e733250d13243f6a69b8b5a92e39b9f6"
},
{
"url": "https://git.kernel.org/stable/c/9d222141b00156509d67d80c771fbefa92c43ace"
},
{
"url": "https://git.kernel.org/stable/c/ef277ae121b3249c99994652210a326b52d527b0"
},
{
"url": "https://git.kernel.org/stable/c/36561b86cb2501647662cfaf91286dd6973804a6"
},
{
"url": "https://git.kernel.org/stable/c/b6018d5c1a8f09d5efe4d6961d7ee45fdf3a7ce3"
},
{
"url": "https://git.kernel.org/stable/c/6402078bd9d1ed46e79465e1faaa42e3458f8a33"
}
],
"title": "smc91x: fix broken irq-context in PREEMPT_RT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71132",
"datePublished": "2026-01-14T15:07:47.860Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-02-09T08:35:28.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40271 (GCVE-0-2025-40271)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
fs/proc: fix uaf in proc_readdir_de()
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/proc: fix uaf in proc_readdir_de()
Pde is erased from subdir rbtree through rb_erase(), but not set the node
to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE()
set the erased node to EMPTY, then pde_subdir_next() will return NULL to
avoid uaf access.
We found an uaf issue while using stress-ng testing, need to run testcase
getdent and tun in the same time. The steps of the issue is as follows:
1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current
pde is tun3;
2) in the [time windows] unregister netdevice tun3 and tun2, and erase
them from rbtree. erase tun3 first, and then erase tun2. the
pde(tun2) will be released to slab;
3) continue to getdent process, then pde_subdir_next() will return
pde(tun2) which is released, it will case uaf access.
CPU 0 | CPU 1
-------------------------------------------------------------------------
traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2
sys_getdents64() |
iterate_dir() |
proc_readdir() |
proc_readdir_de() | snmp6_unregister_dev()
pde_get(de); | proc_remove()
read_unlock(&proc_subdir_lock); | remove_proc_subtree()
| write_lock(&proc_subdir_lock);
[time window] | rb_erase(&root->subdir_node, &parent->subdir);
| write_unlock(&proc_subdir_lock);
read_lock(&proc_subdir_lock); |
next = pde_subdir_next(de); |
pde_put(de); |
de = next; //UAF |
rbtree of dev_snmp6
|
pde(tun3)
/ \
NULL pde(tun2)
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
710585d4922fd315f2cada8fbe550ae8ed23e994 , < 1d1596d68a6f11d28f677eedf6cf5b17dbfeb491
(git)
Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < c81d0385500446efe48c305bbb83d47f2ae23a50 (git) Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 4cba73c4c89219beef7685a47374bf88b1022369 (git) Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 6f2482745e510ae1dacc9b090194b9c5f918d774 (git) Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 67272c11f379d9aa5e0f6b16286b9d89b3f76046 (git) Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 623bb26127fb581a741e880e1e1a47d79aecb6f8 (git) Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 03de7ff197a3d0e17d0d5c58fdac99a63cba8110 (git) Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 895b4c0c79b092d732544011c3cecaf7322c36a1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/proc/generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1d1596d68a6f11d28f677eedf6cf5b17dbfeb491",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "c81d0385500446efe48c305bbb83d47f2ae23a50",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "4cba73c4c89219beef7685a47374bf88b1022369",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "6f2482745e510ae1dacc9b090194b9c5f918d774",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "67272c11f379d9aa5e0f6b16286b9d89b3f76046",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "623bb26127fb581a741e880e1e1a47d79aecb6f8",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "03de7ff197a3d0e17d0d5c58fdac99a63cba8110",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "895b4c0c79b092d732544011c3cecaf7322c36a1",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/proc/generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: fix uaf in proc_readdir_de()\n\nPde is erased from subdir rbtree through rb_erase(), but not set the node\nto EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE()\nset the erased node to EMPTY, then pde_subdir_next() will return NULL to\navoid uaf access.\n\nWe found an uaf issue while using stress-ng testing, need to run testcase\ngetdent and tun in the same time. The steps of the issue is as follows:\n\n1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current\n pde is tun3;\n\n2) in the [time windows] unregister netdevice tun3 and tun2, and erase\n them from rbtree. erase tun3 first, and then erase tun2. the\n pde(tun2) will be released to slab;\n\n3) continue to getdent process, then pde_subdir_next() will return\n pde(tun2) which is released, it will case uaf access.\n\nCPU 0 | CPU 1\n-------------------------------------------------------------------------\ntraverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun-\u003edev) //tun3 tun2\nsys_getdents64() |\n iterate_dir() |\n proc_readdir() |\n proc_readdir_de() | snmp6_unregister_dev()\n pde_get(de); | proc_remove()\n read_unlock(\u0026proc_subdir_lock); | remove_proc_subtree()\n | write_lock(\u0026proc_subdir_lock);\n [time window] | rb_erase(\u0026root-\u003esubdir_node, \u0026parent-\u003esubdir);\n | write_unlock(\u0026proc_subdir_lock);\n read_lock(\u0026proc_subdir_lock); |\n next = pde_subdir_next(de); |\n pde_put(de); |\n de = next; //UAF |\n\nrbtree of dev_snmp6\n |\n pde(tun3)\n / \\\n NULL pde(tun2)"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:21.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1d1596d68a6f11d28f677eedf6cf5b17dbfeb491"
},
{
"url": "https://git.kernel.org/stable/c/c81d0385500446efe48c305bbb83d47f2ae23a50"
},
{
"url": "https://git.kernel.org/stable/c/4cba73c4c89219beef7685a47374bf88b1022369"
},
{
"url": "https://git.kernel.org/stable/c/6f2482745e510ae1dacc9b090194b9c5f918d774"
},
{
"url": "https://git.kernel.org/stable/c/67272c11f379d9aa5e0f6b16286b9d89b3f76046"
},
{
"url": "https://git.kernel.org/stable/c/623bb26127fb581a741e880e1e1a47d79aecb6f8"
},
{
"url": "https://git.kernel.org/stable/c/03de7ff197a3d0e17d0d5c58fdac99a63cba8110"
},
{
"url": "https://git.kernel.org/stable/c/895b4c0c79b092d732544011c3cecaf7322c36a1"
}
],
"title": "fs/proc: fix uaf in proc_readdir_de()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40271",
"datePublished": "2025-12-06T21:50:53.266Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2026-01-02T15:33:21.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68283 (GCVE-0-2025-68283)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
libceph: replace BUG_ON with bounds check for map->max_osd
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: replace BUG_ON with bounds check for map->max_osd
OSD indexes come from untrusted network packets. Boundary checks are
added to validate these against map->max_osd.
[ idryomov: drop BUG_ON in ceph_get_primary_affinity(), minor cosmetic
edits ]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 57f5fbae9f1024aba17ff75e00433324115c548a
(git)
Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < becc488a4d864db338ebd4e313aa3c77da24b604 (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < e67e3be690f5f7e3b031cf29e8d91e6d02a8e30d (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < b4368b7f97014e1015445d61abd0b27c4c6e8424 (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < ec3797f043756a94ea2d0f106022e14ac4946c02 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "57f5fbae9f1024aba17ff75e00433324115c548a",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "becc488a4d864db338ebd4e313aa3c77da24b604",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "e67e3be690f5f7e3b031cf29e8d91e6d02a8e30d",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "b4368b7f97014e1015445d61abd0b27c4c6e8424",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "ec3797f043756a94ea2d0f106022e14ac4946c02",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: replace BUG_ON with bounds check for map-\u003emax_osd\n\nOSD indexes come from untrusted network packets. Boundary checks are\nadded to validate these against map-\u003emax_osd.\n\n[ idryomov: drop BUG_ON in ceph_get_primary_affinity(), minor cosmetic\n edits ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:47.447Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/57f5fbae9f1024aba17ff75e00433324115c548a"
},
{
"url": "https://git.kernel.org/stable/c/becc488a4d864db338ebd4e313aa3c77da24b604"
},
{
"url": "https://git.kernel.org/stable/c/e67e3be690f5f7e3b031cf29e8d91e6d02a8e30d"
},
{
"url": "https://git.kernel.org/stable/c/b4368b7f97014e1015445d61abd0b27c4c6e8424"
},
{
"url": "https://git.kernel.org/stable/c/ec3797f043756a94ea2d0f106022e14ac4946c02"
}
],
"title": "libceph: replace BUG_ON with bounds check for map-\u003emax_osd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68283",
"datePublished": "2025-12-16T15:06:05.355Z",
"dateReserved": "2025-12-16T14:48:05.291Z",
"dateUpdated": "2026-01-02T15:34:47.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21833 (GCVE-0-2025-21833)
Vulnerability from cvelistv5 – Published: 2025-03-06 16:22 – Updated: 2025-11-02 13:30
VLAI?
EPSS
Title
iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE
There is a WARN_ON_ONCE to catch an unlikely situation when
domain_remove_dev_pasid can't find the `pasid`. In case it nevertheless
happens we must avoid using a NULL pointer.
Severity ?
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d87731f609318a27e9aa3d01cf97798599d32839 , < 68ec78beb4a3fb0877cbaaf49758c85410c05977
(git)
Affected: d87731f609318a27e9aa3d01cf97798599d32839 , < df96876be3b064aefc493f760e0639765d13ed0d (git) Affected: d87731f609318a27e9aa3d01cf97798599d32839 , < 60f030f7418d3f1d94f2fb207fe3080e1844630b (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21833",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:27:04.147746Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:35.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/intel/iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "68ec78beb4a3fb0877cbaaf49758c85410c05977",
"status": "affected",
"version": "d87731f609318a27e9aa3d01cf97798599d32839",
"versionType": "git"
},
{
"lessThan": "df96876be3b064aefc493f760e0639765d13ed0d",
"status": "affected",
"version": "d87731f609318a27e9aa3d01cf97798599d32839",
"versionType": "git"
},
{
"lessThan": "60f030f7418d3f1d94f2fb207fe3080e1844630b",
"status": "affected",
"version": "d87731f609318a27e9aa3d01cf97798599d32839",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/intel/iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.57",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.57",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Avoid use of NULL after WARN_ON_ONCE\n\nThere is a WARN_ON_ONCE to catch an unlikely situation when\ndomain_remove_dev_pasid can\u0027t find the `pasid`. In case it nevertheless\nhappens we must avoid using a NULL pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-02T13:30:22.042Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/68ec78beb4a3fb0877cbaaf49758c85410c05977"
},
{
"url": "https://git.kernel.org/stable/c/df96876be3b064aefc493f760e0639765d13ed0d"
},
{
"url": "https://git.kernel.org/stable/c/60f030f7418d3f1d94f2fb207fe3080e1844630b"
}
],
"title": "iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21833",
"datePublished": "2025-03-06T16:22:34.798Z",
"dateReserved": "2024-12-29T08:45:45.777Z",
"dateUpdated": "2025-11-02T13:30:22.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68757 (GCVE-0-2025-68757)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
drm/vgem-fence: Fix potential deadlock on release
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vgem-fence: Fix potential deadlock on release
A timer that expires a vgem fence automatically in 10 seconds is now
released with timer_delete_sync() from fence->ops.release() called on last
dma_fence_put(). In some scenarios, it can run in IRQ context, which is
not safe unless TIMER_IRQSAFE is used. One potentially risky scenario was
demonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while
working on new IGT subtests syncobj_timeline@stress-* as user space
replacements of some problematic test cases of a dma-fence-chain selftest
[1].
[117.004338] ================================
[117.004340] WARNING: inconsistent lock state
[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U
[117.004346] --------------------------------
[117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:
[117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190
[117.004361] {HARDIRQ-ON-W} state was registered at:
[117.004363] lock_acquire+0xc4/0x2e0
[117.004366] call_timer_fn+0x80/0x2a0
[117.004368] __run_timers+0x231/0x310
[117.004370] run_timer_softirq+0x76/0xe0
[117.004372] handle_softirqs+0xd4/0x4d0
[117.004375] __irq_exit_rcu+0x13f/0x160
[117.004377] irq_exit_rcu+0xe/0x20
[117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0
[117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[117.004385] cpuidle_enter_state+0x12b/0x8a0
[117.004388] cpuidle_enter+0x2e/0x50
[117.004393] call_cpuidle+0x22/0x60
[117.004395] do_idle+0x1fd/0x260
[117.004398] cpu_startup_entry+0x29/0x30
[117.004401] start_secondary+0x12d/0x160
[117.004404] common_startup_64+0x13e/0x141
[117.004407] irq event stamp: 2282669
[117.004409] hardirqs last enabled at (2282668): [<ffffffff8289db71>] _raw_spin_unlock_irqrestore+0x51/0x80
[117.004414] hardirqs last disabled at (2282669): [<ffffffff82882021>] sysvec_irq_work+0x11/0xc0
[117.004419] softirqs last enabled at (2254702): [<ffffffff8289fd00>] __do_softirq+0x10/0x18
[117.004423] softirqs last disabled at (2254725): [<ffffffff813d4ddf>] __irq_exit_rcu+0x13f/0x160
[117.004426]
other info that might help us debug this:
[117.004429] Possible unsafe locking scenario:
[117.004432] CPU0
[117.004433] ----
[117.004434] lock((&fence->timer));
[117.004436] <Interrupt>
[117.004438] lock((&fence->timer));
[117.004440]
*** DEADLOCK ***
[117.004443] 1 lock held by swapper/0/0:
[117.004445] #0: ffffc90000003d50 ((&fence->timer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0
[117.004450]
stack backtrace:
[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)
[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
[117.004456] Call Trace:
[117.004456] <IRQ>
[117.004457] dump_stack_lvl+0x91/0xf0
[117.004460] dump_stack+0x10/0x20
[117.004461] print_usage_bug.part.0+0x260/0x360
[117.004463] mark_lock+0x76e/0x9c0
[117.004465] ? register_lock_class+0x48/0x4a0
[117.004467] __lock_acquire+0xbc3/0x2860
[117.004469] lock_acquire+0xc4/0x2e0
[117.004470] ? __timer_delete_sync+0x4b/0x190
[117.004472] ? __timer_delete_sync+0x4b/0x190
[117.004473] __timer_delete_sync+0x68/0x190
[117.004474] ? __timer_delete_sync+0x4b/0x190
[117.004475] timer_delete_sync+0x10/0x20
[117.004476] vgem_fence_release+0x19/0x30 [vgem]
[117.004478] dma_fence_release+0xc1/0x3b0
[117.004480] ? dma_fence_release+0xa1/0x3b0
[117.004481] dma_fence_chain_release+0xe7/0x130
[117.004483] dma_fence_release+0xc1/0x3b0
[117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80
[117.004485] dma_fence_chain_irq_work+0x59/0x80
[117.004487] irq_work_single+0x75/0xa0
[117.004490] irq_work_r
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4077798484459a2eced2050045099a466ecb618a , < 37289a18099fc7ce916933bd542926a7334791a3
(git)
Affected: 4077798484459a2eced2050045099a466ecb618a , < 489b2158aec92a3fc256d70992416869f86e16e0 (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0 (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 338e388c0d80ffc04963b6b0ec702ffdfd2c4eba (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 4f335cb8fad69b2be5accf0ebac3a8b345915f4e (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 1f0ca9d3e7c38a39f1f12377c24decf0bba46e54 (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 78b4d6463e9e69e5103f98b367f8984ad12cdc6f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vgem/vgem_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "37289a18099fc7ce916933bd542926a7334791a3",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "489b2158aec92a3fc256d70992416869f86e16e0",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "338e388c0d80ffc04963b6b0ec702ffdfd2c4eba",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "4f335cb8fad69b2be5accf0ebac3a8b345915f4e",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "1f0ca9d3e7c38a39f1f12377c24decf0bba46e54",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "78b4d6463e9e69e5103f98b367f8984ad12cdc6f",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vgem/vgem_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vgem-fence: Fix potential deadlock on release\n\nA timer that expires a vgem fence automatically in 10 seconds is now\nreleased with timer_delete_sync() from fence-\u003eops.release() called on last\ndma_fence_put(). In some scenarios, it can run in IRQ context, which is\nnot safe unless TIMER_IRQSAFE is used. One potentially risky scenario was\ndemonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while\nworking on new IGT subtests syncobj_timeline@stress-* as user space\nreplacements of some problematic test cases of a dma-fence-chain selftest\n[1].\n\n[117.004338] ================================\n[117.004340] WARNING: inconsistent lock state\n[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U\n[117.004346] --------------------------------\n[117.004347] inconsistent {HARDIRQ-ON-W} -\u003e {IN-HARDIRQ-W} usage.\n[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:\n[117.004352] ffff888138f86aa8 ((\u0026fence-\u003etimer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190\n[117.004361] {HARDIRQ-ON-W} state was registered at:\n[117.004363] lock_acquire+0xc4/0x2e0\n[117.004366] call_timer_fn+0x80/0x2a0\n[117.004368] __run_timers+0x231/0x310\n[117.004370] run_timer_softirq+0x76/0xe0\n[117.004372] handle_softirqs+0xd4/0x4d0\n[117.004375] __irq_exit_rcu+0x13f/0x160\n[117.004377] irq_exit_rcu+0xe/0x20\n[117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0\n[117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[117.004385] cpuidle_enter_state+0x12b/0x8a0\n[117.004388] cpuidle_enter+0x2e/0x50\n[117.004393] call_cpuidle+0x22/0x60\n[117.004395] do_idle+0x1fd/0x260\n[117.004398] cpu_startup_entry+0x29/0x30\n[117.004401] start_secondary+0x12d/0x160\n[117.004404] common_startup_64+0x13e/0x141\n[117.004407] irq event stamp: 2282669\n[117.004409] hardirqs last enabled at (2282668): [\u003cffffffff8289db71\u003e] _raw_spin_unlock_irqrestore+0x51/0x80\n[117.004414] hardirqs last disabled at (2282669): [\u003cffffffff82882021\u003e] sysvec_irq_work+0x11/0xc0\n[117.004419] softirqs last enabled at (2254702): [\u003cffffffff8289fd00\u003e] __do_softirq+0x10/0x18\n[117.004423] softirqs last disabled at (2254725): [\u003cffffffff813d4ddf\u003e] __irq_exit_rcu+0x13f/0x160\n[117.004426]\nother info that might help us debug this:\n[117.004429] Possible unsafe locking scenario:\n[117.004432] CPU0\n[117.004433] ----\n[117.004434] lock((\u0026fence-\u003etimer));\n[117.004436] \u003cInterrupt\u003e\n[117.004438] lock((\u0026fence-\u003etimer));\n[117.004440]\n *** DEADLOCK ***\n[117.004443] 1 lock held by swapper/0/0:\n[117.004445] #0: ffffc90000003d50 ((\u0026fence-\u003etimer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0\n[117.004450]\nstack backtrace:\n[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)\n[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER\n[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n[117.004456] Call Trace:\n[117.004456] \u003cIRQ\u003e\n[117.004457] dump_stack_lvl+0x91/0xf0\n[117.004460] dump_stack+0x10/0x20\n[117.004461] print_usage_bug.part.0+0x260/0x360\n[117.004463] mark_lock+0x76e/0x9c0\n[117.004465] ? register_lock_class+0x48/0x4a0\n[117.004467] __lock_acquire+0xbc3/0x2860\n[117.004469] lock_acquire+0xc4/0x2e0\n[117.004470] ? __timer_delete_sync+0x4b/0x190\n[117.004472] ? __timer_delete_sync+0x4b/0x190\n[117.004473] __timer_delete_sync+0x68/0x190\n[117.004474] ? __timer_delete_sync+0x4b/0x190\n[117.004475] timer_delete_sync+0x10/0x20\n[117.004476] vgem_fence_release+0x19/0x30 [vgem]\n[117.004478] dma_fence_release+0xc1/0x3b0\n[117.004480] ? dma_fence_release+0xa1/0x3b0\n[117.004481] dma_fence_chain_release+0xe7/0x130\n[117.004483] dma_fence_release+0xc1/0x3b0\n[117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80\n[117.004485] dma_fence_chain_irq_work+0x59/0x80\n[117.004487] irq_work_single+0x75/0xa0\n[117.004490] irq_work_r\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:01.777Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/37289a18099fc7ce916933bd542926a7334791a3"
},
{
"url": "https://git.kernel.org/stable/c/489b2158aec92a3fc256d70992416869f86e16e0"
},
{
"url": "https://git.kernel.org/stable/c/1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a"
},
{
"url": "https://git.kernel.org/stable/c/9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0"
},
{
"url": "https://git.kernel.org/stable/c/338e388c0d80ffc04963b6b0ec702ffdfd2c4eba"
},
{
"url": "https://git.kernel.org/stable/c/4f335cb8fad69b2be5accf0ebac3a8b345915f4e"
},
{
"url": "https://git.kernel.org/stable/c/1f0ca9d3e7c38a39f1f12377c24decf0bba46e54"
},
{
"url": "https://git.kernel.org/stable/c/78b4d6463e9e69e5103f98b367f8984ad12cdc6f"
}
],
"title": "drm/vgem-fence: Fix potential deadlock on release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68757",
"datePublished": "2026-01-05T09:32:30.496Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-02-09T08:33:01.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40251 (GCVE-0-2025-40251)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2026-02-19 15:39
VLAI?
EPSS
Title
devlink: rate: Unset parent pointer in devl_rate_nodes_destroy
Summary
In the Linux kernel, the following vulnerability has been resolved:
devlink: rate: Unset parent pointer in devl_rate_nodes_destroy
The function devl_rate_nodes_destroy is documented to "Unset parent for
all rate objects". However, it was only calling the driver-specific
`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing
the parent's refcount, without actually setting the
`devlink_rate->parent` pointer to NULL.
This leaves a dangling pointer in the `devlink_rate` struct, which cause
refcount error in netdevsim[1] and mlx5[2]. In addition, this is
inconsistent with the behavior of `devlink_nl_rate_parent_node_set`,
where the parent pointer is correctly cleared.
This patch fixes the issue by explicitly setting `devlink_rate->parent`
to NULL after notifying the driver, thus fulfilling the function's
documented behavior for all rate objects.
[1]
repro steps:
echo 1 > /sys/bus/netdevsim/new_device
devlink dev eswitch set netdevsim/netdevsim1 mode switchdev
echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs
devlink port function rate add netdevsim/netdevsim1/test_node
devlink port function rate set netdevsim/netdevsim1/128 parent test_node
echo 1 > /sys/bus/netdevsim/del_device
dmesg:
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0
CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:refcount_warn_saturate+0x42/0xe0
Call Trace:
<TASK>
devl_rate_leaf_destroy+0x8d/0x90
__nsim_dev_port_del+0x6c/0x70 [netdevsim]
nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]
nsim_drv_remove+0x2b/0xb0 [netdevsim]
device_release_driver_internal+0x194/0x1f0
bus_remove_device+0xc6/0x130
device_del+0x159/0x3c0
device_unregister+0x1a/0x60
del_device_store+0x111/0x170 [netdevsim]
kernfs_fop_write_iter+0x12e/0x1e0
vfs_write+0x215/0x3d0
ksys_write+0x5f/0xd0
do_syscall_64+0x55/0x10f0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[2]
devlink dev eswitch set pci/0000:08:00.0 mode switchdev
devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000
devlink port function rate add pci/0000:08:00.0/group1
devlink port function rate set pci/0000:08:00.0/32768 parent group1
modprobe -r mlx5_ib mlx5_fwctl mlx5_core
dmesg:
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0
CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:refcount_warn_saturate+0x42/0xe0
Call Trace:
<TASK>
devl_rate_leaf_destroy+0x8d/0x90
mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]
mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]
mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]
mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]
notifier_call_chain+0x33/0xa0
blocking_notifier_call_chain+0x3b/0x50
mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]
mlx5_eswitch_disable+0x63/0x90 [mlx5_core]
mlx5_unload+0x1d/0x170 [mlx5_core]
mlx5_uninit_one+0xa2/0x130 [mlx5_core]
remove_one+0x78/0xd0 [mlx5_core]
pci_device_remove+0x39/0xa0
device_release_driver_internal+0x194/0x1f0
unbind_store+0x99/0xa0
kernfs_fop_write_iter+0x12e/0x1e0
vfs_write+0x215/0x3d0
ksys_write+0x5f/0xd0
do_syscall_64+0x53/0x1f0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d7555984507822458b32a6405881038241d140be , < 90e51e20bcec9bff5b2421ce1bd95704764655f5
(git)
Affected: d7555984507822458b32a6405881038241d140be , < 715d9cda646a8a38ea8b2bb5afb679a7464055e2 (git) Affected: d7555984507822458b32a6405881038241d140be , < c70df6c17d389cc743f0eb30160e2d6bc6910db8 (git) Affected: d7555984507822458b32a6405881038241d140be , < 542f45486f1ce2d2dde75bd85aca0389ef7046c3 (git) Affected: d7555984507822458b32a6405881038241d140be , < f94c1a114ac209977bdf5ca841b98424295ab1f0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/devlink/rate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90e51e20bcec9bff5b2421ce1bd95704764655f5",
"status": "affected",
"version": "d7555984507822458b32a6405881038241d140be",
"versionType": "git"
},
{
"lessThan": "715d9cda646a8a38ea8b2bb5afb679a7464055e2",
"status": "affected",
"version": "d7555984507822458b32a6405881038241d140be",
"versionType": "git"
},
{
"lessThan": "c70df6c17d389cc743f0eb30160e2d6bc6910db8",
"status": "affected",
"version": "d7555984507822458b32a6405881038241d140be",
"versionType": "git"
},
{
"lessThan": "542f45486f1ce2d2dde75bd85aca0389ef7046c3",
"status": "affected",
"version": "d7555984507822458b32a6405881038241d140be",
"versionType": "git"
},
{
"lessThan": "f94c1a114ac209977bdf5ca841b98424295ab1f0",
"status": "affected",
"version": "d7555984507822458b32a6405881038241d140be",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/devlink/rate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: rate: Unset parent pointer in devl_rate_nodes_destroy\n\nThe function devl_rate_nodes_destroy is documented to \"Unset parent for\nall rate objects\". However, it was only calling the driver-specific\n`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing\nthe parent\u0027s refcount, without actually setting the\n`devlink_rate-\u003eparent` pointer to NULL.\n\nThis leaves a dangling pointer in the `devlink_rate` struct, which cause\nrefcount error in netdevsim[1] and mlx5[2]. In addition, this is\ninconsistent with the behavior of `devlink_nl_rate_parent_node_set`,\nwhere the parent pointer is correctly cleared.\n\nThis patch fixes the issue by explicitly setting `devlink_rate-\u003eparent`\nto NULL after notifying the driver, thus fulfilling the function\u0027s\ndocumented behavior for all rate objects.\n\n[1]\nrepro steps:\necho 1 \u003e /sys/bus/netdevsim/new_device\ndevlink dev eswitch set netdevsim/netdevsim1 mode switchdev\necho 1 \u003e /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs\ndevlink port function rate add netdevsim/netdevsim1/test_node\ndevlink port function rate set netdevsim/netdevsim1/128 parent test_node\necho 1 \u003e /sys/bus/netdevsim/del_device\n\ndmesg:\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0\nCPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x42/0xe0\nCall Trace:\n \u003cTASK\u003e\n devl_rate_leaf_destroy+0x8d/0x90\n __nsim_dev_port_del+0x6c/0x70 [netdevsim]\n nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]\n nsim_drv_remove+0x2b/0xb0 [netdevsim]\n device_release_driver_internal+0x194/0x1f0\n bus_remove_device+0xc6/0x130\n device_del+0x159/0x3c0\n device_unregister+0x1a/0x60\n del_device_store+0x111/0x170 [netdevsim]\n kernfs_fop_write_iter+0x12e/0x1e0\n vfs_write+0x215/0x3d0\n ksys_write+0x5f/0xd0\n do_syscall_64+0x55/0x10f0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[2]\ndevlink dev eswitch set pci/0000:08:00.0 mode switchdev\ndevlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000\ndevlink port function rate add pci/0000:08:00.0/group1\ndevlink port function rate set pci/0000:08:00.0/32768 parent group1\nmodprobe -r mlx5_ib mlx5_fwctl mlx5_core\n\ndmesg:\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0\nCPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x42/0xe0\nCall Trace:\n \u003cTASK\u003e\n devl_rate_leaf_destroy+0x8d/0x90\n mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]\n mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]\n mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]\n mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]\n notifier_call_chain+0x33/0xa0\n blocking_notifier_call_chain+0x3b/0x50\n mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]\n mlx5_eswitch_disable+0x63/0x90 [mlx5_core]\n mlx5_unload+0x1d/0x170 [mlx5_core]\n mlx5_uninit_one+0xa2/0x130 [mlx5_core]\n remove_one+0x78/0xd0 [mlx5_core]\n pci_device_remove+0x39/0xa0\n device_release_driver_internal+0x194/0x1f0\n unbind_store+0x99/0xa0\n kernfs_fop_write_iter+0x12e/0x1e0\n vfs_write+0x215/0x3d0\n ksys_write+0x5f/0xd0\n do_syscall_64+0x53/0x1f0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T15:39:20.491Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90e51e20bcec9bff5b2421ce1bd95704764655f5"
},
{
"url": "https://git.kernel.org/stable/c/715d9cda646a8a38ea8b2bb5afb679a7464055e2"
},
{
"url": "https://git.kernel.org/stable/c/c70df6c17d389cc743f0eb30160e2d6bc6910db8"
},
{
"url": "https://git.kernel.org/stable/c/542f45486f1ce2d2dde75bd85aca0389ef7046c3"
},
{
"url": "https://git.kernel.org/stable/c/f94c1a114ac209977bdf5ca841b98424295ab1f0"
}
],
"title": "devlink: rate: Unset parent pointer in devl_rate_nodes_destroy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40251",
"datePublished": "2025-12-04T16:08:13.710Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2026-02-19T15:39:20.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39907 (GCVE-0-2025-39907)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:44 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer
Avoid below overlapping mappings by using a contiguous
non-cacheable buffer.
[ 4.077708] DMA-API: stm32_fmc2_nfc 48810000.nand-controller: cacheline tracking EEXIST,
overlapping mappings aren't supported
[ 4.089103] WARNING: CPU: 1 PID: 44 at kernel/dma/debug.c:568 add_dma_entry+0x23c/0x300
[ 4.097071] Modules linked in:
[ 4.100101] CPU: 1 PID: 44 Comm: kworker/u4:2 Not tainted 6.1.82 #1
[ 4.106346] Hardware name: STMicroelectronics STM32MP257F VALID1 SNOR / MB1704 (LPDDR4 Power discrete) + MB1703 + MB1708 (SNOR MB1730) (DT)
[ 4.118824] Workqueue: events_unbound deferred_probe_work_func
[ 4.124674] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 4.131624] pc : add_dma_entry+0x23c/0x300
[ 4.135658] lr : add_dma_entry+0x23c/0x300
[ 4.139792] sp : ffff800009dbb490
[ 4.143016] x29: ffff800009dbb4a0 x28: 0000000004008022 x27: ffff8000098a6000
[ 4.150174] x26: 0000000000000000 x25: ffff8000099e7000 x24: ffff8000099e7de8
[ 4.157231] x23: 00000000ffffffff x22: 0000000000000000 x21: ffff8000098a6a20
[ 4.164388] x20: ffff000080964180 x19: ffff800009819ba0 x18: 0000000000000006
[ 4.171545] x17: 6361727420656e69 x16: 6c6568636163203a x15: 72656c6c6f72746e
[ 4.178602] x14: 6f632d646e616e2e x13: ffff800009832f58 x12: 00000000000004ec
[ 4.185759] x11: 00000000000001a4 x10: ffff80000988af58 x9 : ffff800009832f58
[ 4.192916] x8 : 00000000ffffefff x7 : ffff80000988af58 x6 : 80000000fffff000
[ 4.199972] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000
[ 4.207128] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000812d2c40
[ 4.214185] Call trace:
[ 4.216605] add_dma_entry+0x23c/0x300
[ 4.220338] debug_dma_map_sg+0x198/0x350
[ 4.224373] __dma_map_sg_attrs+0xa0/0x110
[ 4.228411] dma_map_sg_attrs+0x10/0x2c
[ 4.232247] stm32_fmc2_nfc_xfer.isra.0+0x1c8/0x3fc
[ 4.237088] stm32_fmc2_nfc_seq_read_page+0xc8/0x174
[ 4.242127] nand_read_oob+0x1d4/0x8e0
[ 4.245861] mtd_read_oob_std+0x58/0x84
[ 4.249596] mtd_read_oob+0x90/0x150
[ 4.253231] mtd_read+0x68/0xac
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2cd457f328c100bc98e36d55fe210e9ab067c704 , < dc1c6e60993b93b87604eb11266ac72e1a3be9e0
(git)
Affected: 2cd457f328c100bc98e36d55fe210e9ab067c704 , < dfe2ac47a6ee0ab50393694517c54ef1e276dda3 (git) Affected: 2cd457f328c100bc98e36d55fe210e9ab067c704 , < e32a2ea52b51368774d014e5bcd9b86110a2b727 (git) Affected: 2cd457f328c100bc98e36d55fe210e9ab067c704 , < 75686c49574dd5f171ca682c18717787f1d8d55e (git) Affected: 2cd457f328c100bc98e36d55fe210e9ab067c704 , < 06d8ef8f853752fea88c8d5bb093a40e71b330cf (git) Affected: 2cd457f328c100bc98e36d55fe210e9ab067c704 , < 26adba1e7d7924174e15a3ba4b1132990786300b (git) Affected: 2cd457f328c100bc98e36d55fe210e9ab067c704 , < f6fd98d961fa6f97347cead4f08ed862cbbb91ff (git) Affected: 2cd457f328c100bc98e36d55fe210e9ab067c704 , < 513c40e59d5a414ab763a9c84797534b5e8c208d (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:34.141Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/stm32_fmc2_nand.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dc1c6e60993b93b87604eb11266ac72e1a3be9e0",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "dfe2ac47a6ee0ab50393694517c54ef1e276dda3",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "e32a2ea52b51368774d014e5bcd9b86110a2b727",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "75686c49574dd5f171ca682c18717787f1d8d55e",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "06d8ef8f853752fea88c8d5bb093a40e71b330cf",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "26adba1e7d7924174e15a3ba4b1132990786300b",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "f6fd98d961fa6f97347cead4f08ed862cbbb91ff",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "513c40e59d5a414ab763a9c84797534b5e8c208d",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/stm32_fmc2_nand.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer\n\nAvoid below overlapping mappings by using a contiguous\nnon-cacheable buffer.\n\n[ 4.077708] DMA-API: stm32_fmc2_nfc 48810000.nand-controller: cacheline tracking EEXIST,\noverlapping mappings aren\u0027t supported\n[ 4.089103] WARNING: CPU: 1 PID: 44 at kernel/dma/debug.c:568 add_dma_entry+0x23c/0x300\n[ 4.097071] Modules linked in:\n[ 4.100101] CPU: 1 PID: 44 Comm: kworker/u4:2 Not tainted 6.1.82 #1\n[ 4.106346] Hardware name: STMicroelectronics STM32MP257F VALID1 SNOR / MB1704 (LPDDR4 Power discrete) + MB1703 + MB1708 (SNOR MB1730) (DT)\n[ 4.118824] Workqueue: events_unbound deferred_probe_work_func\n[ 4.124674] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 4.131624] pc : add_dma_entry+0x23c/0x300\n[ 4.135658] lr : add_dma_entry+0x23c/0x300\n[ 4.139792] sp : ffff800009dbb490\n[ 4.143016] x29: ffff800009dbb4a0 x28: 0000000004008022 x27: ffff8000098a6000\n[ 4.150174] x26: 0000000000000000 x25: ffff8000099e7000 x24: ffff8000099e7de8\n[ 4.157231] x23: 00000000ffffffff x22: 0000000000000000 x21: ffff8000098a6a20\n[ 4.164388] x20: ffff000080964180 x19: ffff800009819ba0 x18: 0000000000000006\n[ 4.171545] x17: 6361727420656e69 x16: 6c6568636163203a x15: 72656c6c6f72746e\n[ 4.178602] x14: 6f632d646e616e2e x13: ffff800009832f58 x12: 00000000000004ec\n[ 4.185759] x11: 00000000000001a4 x10: ffff80000988af58 x9 : ffff800009832f58\n[ 4.192916] x8 : 00000000ffffefff x7 : ffff80000988af58 x6 : 80000000fffff000\n[ 4.199972] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000\n[ 4.207128] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000812d2c40\n[ 4.214185] Call trace:\n[ 4.216605] add_dma_entry+0x23c/0x300\n[ 4.220338] debug_dma_map_sg+0x198/0x350\n[ 4.224373] __dma_map_sg_attrs+0xa0/0x110\n[ 4.228411] dma_map_sg_attrs+0x10/0x2c\n[ 4.232247] stm32_fmc2_nfc_xfer.isra.0+0x1c8/0x3fc\n[ 4.237088] stm32_fmc2_nfc_seq_read_page+0xc8/0x174\n[ 4.242127] nand_read_oob+0x1d4/0x8e0\n[ 4.245861] mtd_read_oob_std+0x58/0x84\n[ 4.249596] mtd_read_oob+0x90/0x150\n[ 4.253231] mtd_read+0x68/0xac"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:38.328Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dc1c6e60993b93b87604eb11266ac72e1a3be9e0"
},
{
"url": "https://git.kernel.org/stable/c/dfe2ac47a6ee0ab50393694517c54ef1e276dda3"
},
{
"url": "https://git.kernel.org/stable/c/e32a2ea52b51368774d014e5bcd9b86110a2b727"
},
{
"url": "https://git.kernel.org/stable/c/75686c49574dd5f171ca682c18717787f1d8d55e"
},
{
"url": "https://git.kernel.org/stable/c/06d8ef8f853752fea88c8d5bb093a40e71b330cf"
},
{
"url": "https://git.kernel.org/stable/c/26adba1e7d7924174e15a3ba4b1132990786300b"
},
{
"url": "https://git.kernel.org/stable/c/f6fd98d961fa6f97347cead4f08ed862cbbb91ff"
},
{
"url": "https://git.kernel.org/stable/c/513c40e59d5a414ab763a9c84797534b5e8c208d"
}
],
"title": "mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39907",
"datePublished": "2025-10-01T07:44:30.864Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-11-03T17:44:34.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68213 (GCVE-0-2025-68213)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57
VLAI?
EPSS
Title
idpf: fix possible vport_config NULL pointer deref in remove
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: fix possible vport_config NULL pointer deref in remove
Attempting to remove the driver will cause a crash in cases where
the vport failed to initialize. Following trace is from an instance where
the driver failed during an attempt to create a VF:
[ 1661.543624] idpf 0000:84:00.7: Device HW Reset initiated
[ 1722.923726] idpf 0000:84:00.7: Transaction timed-out (op:1 cookie:2900 vc_op:1 salt:29 timeout:60000ms)
[ 1723.353263] BUG: kernel NULL pointer dereference, address: 0000000000000028
...
[ 1723.358472] RIP: 0010:idpf_remove+0x11c/0x200 [idpf]
...
[ 1723.364973] Call Trace:
[ 1723.365475] <TASK>
[ 1723.365972] pci_device_remove+0x42/0xb0
[ 1723.366481] device_release_driver_internal+0x1a9/0x210
[ 1723.366987] pci_stop_bus_device+0x6d/0x90
[ 1723.367488] pci_stop_and_remove_bus_device+0x12/0x20
[ 1723.367971] pci_iov_remove_virtfn+0xbd/0x120
[ 1723.368309] sriov_disable+0x34/0xe0
[ 1723.368643] idpf_sriov_configure+0x58/0x140 [idpf]
[ 1723.368982] sriov_numvfs_store+0xda/0x1c0
Avoid the NULL pointer dereference by adding NULL pointer check for
vport_config[i], before freeing user_config.q_coalesce.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bd80fbf3ed250ca98923780dab5e634db5d2f828 , < a0e1c9bc1c9fe735978150ad075616a728073bc7
(git)
Affected: e1e3fec3e34b4934a9d2c98e4ee00a4d87b19179 , < d5be8663cff0ba7b94da34ebd499ce1123b4c334 (git) Affected: e1e3fec3e34b4934a9d2c98e4ee00a4d87b19179 , < 118082368c2b6ddefe6cb607efc312285148f044 (git) Affected: 5e87b3145578a169839e456fa0aba86e123d2d8e (git) Affected: ba11b0f3e9a97661f6caeee3dfc633af8ecee5a5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a0e1c9bc1c9fe735978150ad075616a728073bc7",
"status": "affected",
"version": "bd80fbf3ed250ca98923780dab5e634db5d2f828",
"versionType": "git"
},
{
"lessThan": "d5be8663cff0ba7b94da34ebd499ce1123b4c334",
"status": "affected",
"version": "e1e3fec3e34b4934a9d2c98e4ee00a4d87b19179",
"versionType": "git"
},
{
"lessThan": "118082368c2b6ddefe6cb607efc312285148f044",
"status": "affected",
"version": "e1e3fec3e34b4934a9d2c98e4ee00a4d87b19179",
"versionType": "git"
},
{
"status": "affected",
"version": "5e87b3145578a169839e456fa0aba86e123d2d8e",
"versionType": "git"
},
{
"status": "affected",
"version": "ba11b0f3e9a97661f6caeee3dfc633af8ecee5a5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix possible vport_config NULL pointer deref in remove\n\nAttempting to remove the driver will cause a crash in cases where\nthe vport failed to initialize. Following trace is from an instance where\nthe driver failed during an attempt to create a VF:\n[ 1661.543624] idpf 0000:84:00.7: Device HW Reset initiated\n[ 1722.923726] idpf 0000:84:00.7: Transaction timed-out (op:1 cookie:2900 vc_op:1 salt:29 timeout:60000ms)\n[ 1723.353263] BUG: kernel NULL pointer dereference, address: 0000000000000028\n...\n[ 1723.358472] RIP: 0010:idpf_remove+0x11c/0x200 [idpf]\n...\n[ 1723.364973] Call Trace:\n[ 1723.365475] \u003cTASK\u003e\n[ 1723.365972] pci_device_remove+0x42/0xb0\n[ 1723.366481] device_release_driver_internal+0x1a9/0x210\n[ 1723.366987] pci_stop_bus_device+0x6d/0x90\n[ 1723.367488] pci_stop_and_remove_bus_device+0x12/0x20\n[ 1723.367971] pci_iov_remove_virtfn+0xbd/0x120\n[ 1723.368309] sriov_disable+0x34/0xe0\n[ 1723.368643] idpf_sriov_configure+0x58/0x140 [idpf]\n[ 1723.368982] sriov_numvfs_store+0xda/0x1c0\n\nAvoid the NULL pointer dereference by adding NULL pointer check for\nvport_config[i], before freeing user_config.q_coalesce."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:09.046Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a0e1c9bc1c9fe735978150ad075616a728073bc7"
},
{
"url": "https://git.kernel.org/stable/c/d5be8663cff0ba7b94da34ebd499ce1123b4c334"
},
{
"url": "https://git.kernel.org/stable/c/118082368c2b6ddefe6cb607efc312285148f044"
}
],
"title": "idpf: fix possible vport_config NULL pointer deref in remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68213",
"datePublished": "2025-12-16T13:57:09.046Z",
"dateReserved": "2025-12-16T13:41:40.256Z",
"dateUpdated": "2025-12-16T13:57:09.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68755 (GCVE-0-2025-68755)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
staging: most: remove broken i2c driver
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: most: remove broken i2c driver
The MOST I2C driver has been completely broken for five years without
anyone noticing so remove the driver from staging.
Specifically, commit 723de0f9171e ("staging: most: remove device from
interface structure") started requiring drivers to set the interface
device pointer before registration, but the I2C driver was never updated
which results in a NULL pointer dereference if anyone ever tries to
probe it.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 6cbba922934805f86eece6ba7010b7201962695d
(git)
Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 6059a66dba7f26b21852831432e17075f1a1c783 (git) Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < e463548fd80e779efea1cb2d3049b8a7231e6925 (git) Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 495df2da6944477d282d5cc0c13174d06e25b310 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/most/Kconfig",
"drivers/staging/most/Makefile",
"drivers/staging/most/i2c/Kconfig",
"drivers/staging/most/i2c/Makefile",
"drivers/staging/most/i2c/i2c.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6cbba922934805f86eece6ba7010b7201962695d",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "6059a66dba7f26b21852831432e17075f1a1c783",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "e463548fd80e779efea1cb2d3049b8a7231e6925",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "495df2da6944477d282d5cc0c13174d06e25b310",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/most/Kconfig",
"drivers/staging/most/Makefile",
"drivers/staging/most/i2c/Kconfig",
"drivers/staging/most/i2c/Makefile",
"drivers/staging/most/i2c/i2c.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: most: remove broken i2c driver\n\nThe MOST I2C driver has been completely broken for five years without\nanyone noticing so remove the driver from staging.\n\nSpecifically, commit 723de0f9171e (\"staging: most: remove device from\ninterface structure\") started requiring drivers to set the interface\ndevice pointer before registration, but the I2C driver was never updated\nwhich results in a NULL pointer dereference if anyone ever tries to\nprobe it."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:59.408Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6cbba922934805f86eece6ba7010b7201962695d"
},
{
"url": "https://git.kernel.org/stable/c/6059a66dba7f26b21852831432e17075f1a1c783"
},
{
"url": "https://git.kernel.org/stable/c/e463548fd80e779efea1cb2d3049b8a7231e6925"
},
{
"url": "https://git.kernel.org/stable/c/495df2da6944477d282d5cc0c13174d06e25b310"
}
],
"title": "staging: most: remove broken i2c driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68755",
"datePublished": "2026-01-05T09:32:29.149Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-02-09T08:32:59.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71136 (GCVE-0-2025-71136)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()
It's possible for cp_read() and hdmi_read() to return -EIO. Those
values are further used as indexes for accessing arrays.
Fix that by checking return values where it's needed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a89bcd4c6c2023615a89001b5a11b0bb77eb9491 , < f81ee181cb036d046340c213091b69d9a8701a76
(git)
Affected: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 , < f913b9a2ccd6114b206b9e91dae5e3dc13a415a0 (git) Affected: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 , < d6a22a4a96e4dfe6897cb3532d2b3016d87706f0 (git) Affected: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 , < a73881ae085db5702d8b13e2fc9f78d51c723d3f (git) Affected: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 , < 60dde0960e3ead8a9569f6c494d90d0232ac0983 (git) Affected: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 , < b693d48a6ed0cd09171103ad418e4a693203d6e4 (git) Affected: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 , < 8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/adv7842.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f81ee181cb036d046340c213091b69d9a8701a76",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "f913b9a2ccd6114b206b9e91dae5e3dc13a415a0",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "d6a22a4a96e4dfe6897cb3532d2b3016d87706f0",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "a73881ae085db5702d8b13e2fc9f78d51c723d3f",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "60dde0960e3ead8a9569f6c494d90d0232ac0983",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "b693d48a6ed0cd09171103ad418e4a693203d6e4",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "8163419e3e05d71dcfa8fb49c8fdf8d76908fe51",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/adv7842.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()\n\nIt\u0027s possible for cp_read() and hdmi_read() to return -EIO. Those\nvalues are further used as indexes for accessing arrays.\n\nFix that by checking return values where it\u0027s needed.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:32.724Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f81ee181cb036d046340c213091b69d9a8701a76"
},
{
"url": "https://git.kernel.org/stable/c/f913b9a2ccd6114b206b9e91dae5e3dc13a415a0"
},
{
"url": "https://git.kernel.org/stable/c/d6a22a4a96e4dfe6897cb3532d2b3016d87706f0"
},
{
"url": "https://git.kernel.org/stable/c/a73881ae085db5702d8b13e2fc9f78d51c723d3f"
},
{
"url": "https://git.kernel.org/stable/c/60dde0960e3ead8a9569f6c494d90d0232ac0983"
},
{
"url": "https://git.kernel.org/stable/c/b693d48a6ed0cd09171103ad418e4a693203d6e4"
},
{
"url": "https://git.kernel.org/stable/c/8163419e3e05d71dcfa8fb49c8fdf8d76908fe51"
}
],
"title": "media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71136",
"datePublished": "2026-01-14T15:07:50.568Z",
"dateReserved": "2026-01-13T15:30:19.656Z",
"dateUpdated": "2026-02-09T08:35:32.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39971 (GCVE-0-2025-39971)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:55 – Updated: 2025-10-15 07:55
VLAI?
EPSS
Title
i40e: fix idx validation in config queues msg
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix idx validation in config queues msg
Ensure idx is within range of active/initialized TCs when iterating over
vf->ch[idx] in i40e_vc_config_queues_msg().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < a6ff2af78343eceb0f77ab1a2fe802183bc21648
(git)
Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < f5f91d164af22e7147130ef8bebbdb28d8ecc6e2 (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < 1fa0aadade34481c567cdf4a897c0d4e4d548bd1 (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < 8b9c7719b0987b1c6c5fc910599f3618a558dbde (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < 2cc26dac0518d2fa9b67ec813ee60e183480f98a (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < bfcc1dff429d4b99ba03e40ddacc68ea4be2b32b (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < 5c1f96123113e0bdc6d8dc2b0830184c93da9f65 (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < f1ad24c5abe1eaef69158bac1405a74b3c365115 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6ff2af78343eceb0f77ab1a2fe802183bc21648",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "f5f91d164af22e7147130ef8bebbdb28d8ecc6e2",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "1fa0aadade34481c567cdf4a897c0d4e4d548bd1",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "8b9c7719b0987b1c6c5fc910599f3618a558dbde",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "2cc26dac0518d2fa9b67ec813ee60e183480f98a",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "bfcc1dff429d4b99ba03e40ddacc68ea4be2b32b",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "5c1f96123113e0bdc6d8dc2b0830184c93da9f65",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "f1ad24c5abe1eaef69158bac1405a74b3c365115",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix idx validation in config queues msg\n\nEnsure idx is within range of active/initialized TCs when iterating over\nvf-\u003ech[idx] in i40e_vc_config_queues_msg()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:54.270Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6ff2af78343eceb0f77ab1a2fe802183bc21648"
},
{
"url": "https://git.kernel.org/stable/c/f5f91d164af22e7147130ef8bebbdb28d8ecc6e2"
},
{
"url": "https://git.kernel.org/stable/c/1fa0aadade34481c567cdf4a897c0d4e4d548bd1"
},
{
"url": "https://git.kernel.org/stable/c/8b9c7719b0987b1c6c5fc910599f3618a558dbde"
},
{
"url": "https://git.kernel.org/stable/c/2cc26dac0518d2fa9b67ec813ee60e183480f98a"
},
{
"url": "https://git.kernel.org/stable/c/bfcc1dff429d4b99ba03e40ddacc68ea4be2b32b"
},
{
"url": "https://git.kernel.org/stable/c/5c1f96123113e0bdc6d8dc2b0830184c93da9f65"
},
{
"url": "https://git.kernel.org/stable/c/f1ad24c5abe1eaef69158bac1405a74b3c365115"
}
],
"title": "i40e: fix idx validation in config queues msg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39971",
"datePublished": "2025-10-15T07:55:54.270Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:54.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39955 (GCVE-0-2025-39955)
Vulnerability from cvelistv5 – Published: 2025-10-09 09:47 – Updated: 2025-10-09 09:47
VLAI?
EPSS
Title
tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().
syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk
in the TCP_ESTABLISHED state. [0]
syzbot reused the server-side TCP Fast Open socket as a new client before
the TFO socket completes 3WHS:
1. accept()
2. connect(AF_UNSPEC)
3. connect() to another destination
As of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes
it to TCP_CLOSE and makes connect() possible, which restarts timers.
Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the
retransmit timer triggered the warning and the intended packet was not
retransmitted.
Let's call reqsk_fastopen_remove() in tcp_disconnect().
[0]:
WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))
Modules linked in:
CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))
Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e
RSP: 0018:ffffc900002f8d40 EFLAGS: 00010293
RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017
RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400
RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8
R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540
R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0
FS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0
Call Trace:
<IRQ>
tcp_write_timer (net/ipv4/tcp_timer.c:738)
call_timer_fn (kernel/time/timer.c:1747)
__run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372)
timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135)
tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035)
__walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1))
tmigr_handle_remote (kernel/time/timer_migration.c:1096)
handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580)
irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696)
sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35))
</IRQ>
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8336886f786fdacbc19b719c1f7ea91eb70706d4 , < 7ec092a91ff351dcde89c23e795b73a328274db6
(git)
Affected: 8336886f786fdacbc19b719c1f7ea91eb70706d4 , < a4378dedd6e07e62f2fccb17d78c9665718763d0 (git) Affected: 8336886f786fdacbc19b719c1f7ea91eb70706d4 , < 33a4fdf0b4a25f8ce65380c3b0136b407ca57609 (git) Affected: 8336886f786fdacbc19b719c1f7ea91eb70706d4 , < 17d699727577814198d744d6afe54735c6b54c99 (git) Affected: 8336886f786fdacbc19b719c1f7ea91eb70706d4 , < dfd06131107e7b699ef1e2a24ed2f7d17c917753 (git) Affected: 8336886f786fdacbc19b719c1f7ea91eb70706d4 , < fa4749c065644af4db496b338452a69a3e5147d9 (git) Affected: 8336886f786fdacbc19b719c1f7ea91eb70706d4 , < ae313d14b45eca7a6bb29cb9bf396d977e7d28fb (git) Affected: 8336886f786fdacbc19b719c1f7ea91eb70706d4 , < 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ec092a91ff351dcde89c23e795b73a328274db6",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "a4378dedd6e07e62f2fccb17d78c9665718763d0",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "33a4fdf0b4a25f8ce65380c3b0136b407ca57609",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "17d699727577814198d744d6afe54735c6b54c99",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "dfd06131107e7b699ef1e2a24ed2f7d17c917753",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "fa4749c065644af4db496b338452a69a3e5147d9",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "ae313d14b45eca7a6bb29cb9bf396d977e7d28fb",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Clear tcp_sk(sk)-\u003efastopen_rsk in tcp_disconnect().\n\nsyzbot reported the splat below where a socket had tcp_sk(sk)-\u003efastopen_rsk\nin the TCP_ESTABLISHED state. [0]\n\nsyzbot reused the server-side TCP Fast Open socket as a new client before\nthe TFO socket completes 3WHS:\n\n 1. accept()\n 2. connect(AF_UNSPEC)\n 3. connect() to another destination\n\nAs of accept(), sk-\u003esk_state is TCP_SYN_RECV, and tcp_disconnect() changes\nit to TCP_CLOSE and makes connect() possible, which restarts timers.\n\nSince tcp_disconnect() forgot to clear tcp_sk(sk)-\u003efastopen_rsk, the\nretransmit timer triggered the warning and the intended packet was not\nretransmitted.\n\nLet\u0027s call reqsk_fastopen_remove() in tcp_disconnect().\n\n[0]:\nWARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))\nModules linked in:\nCPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))\nCode: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 \u003c0f\u003e 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e\nRSP: 0018:ffffc900002f8d40 EFLAGS: 00010293\nRAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017\nRDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400\nRBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8\nR10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540\nR13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0\nFS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0\nCall Trace:\n \u003cIRQ\u003e\n tcp_write_timer (net/ipv4/tcp_timer.c:738)\n call_timer_fn (kernel/time/timer.c:1747)\n __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372)\n timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135)\n tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035)\n __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1))\n tmigr_handle_remote (kernel/time/timer_migration.c:1096)\n handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580)\n irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35))\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T09:47:33.556Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ec092a91ff351dcde89c23e795b73a328274db6"
},
{
"url": "https://git.kernel.org/stable/c/a4378dedd6e07e62f2fccb17d78c9665718763d0"
},
{
"url": "https://git.kernel.org/stable/c/33a4fdf0b4a25f8ce65380c3b0136b407ca57609"
},
{
"url": "https://git.kernel.org/stable/c/17d699727577814198d744d6afe54735c6b54c99"
},
{
"url": "https://git.kernel.org/stable/c/dfd06131107e7b699ef1e2a24ed2f7d17c917753"
},
{
"url": "https://git.kernel.org/stable/c/fa4749c065644af4db496b338452a69a3e5147d9"
},
{
"url": "https://git.kernel.org/stable/c/ae313d14b45eca7a6bb29cb9bf396d977e7d28fb"
},
{
"url": "https://git.kernel.org/stable/c/45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01"
}
],
"title": "tcp: Clear tcp_sk(sk)-\u003efastopen_rsk in tcp_disconnect().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39955",
"datePublished": "2025-10-09T09:47:33.556Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-09T09:47:33.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39981 (GCVE-0-2025-39981)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:56 – Updated: 2025-11-24 09:49
VLAI?
EPSS
Title
Bluetooth: MGMT: Fix possible UAFs
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix possible UAFs
This attemps to fix possible UAFs caused by struct mgmt_pending being
freed while still being processed like in the following trace, in order
to fix mgmt_pending_valid is introduce and use to check if the
mgmt_pending hasn't been removed from the pending list, on the complete
callbacks it is used to check and in addtion remove the cmd from the list
while holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd
is left on the list it can still be accessed and freed.
BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223
Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55
CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223
hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 12210:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269
mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296
__add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247
add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:729
sock_write_iter+0x258/0x330 net/socket.c:1133
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 12221:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4648 [inline]
kfree+0x18e/0x440 mm/slub.c:4847
mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257
__mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444
hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290
hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]
hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526
sock_do_ioctl+0xd9/0x300 net/socket.c:1192
sock_ioctl+0x576/0x790 net/socket.c:1313
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cf75ad8b41d2aa06f98f365d42a3ae8b059daddd , < d71b98f253b079cbadc83266383f26fe7e9e103b
(git)
Affected: cf75ad8b41d2aa06f98f365d42a3ae8b059daddd , < 87a1f16f07c6c43771754075e08f45b41d237421 (git) Affected: cf75ad8b41d2aa06f98f365d42a3ae8b059daddd , < 302a1f674c00dd5581ab8e493ef44767c5101aab (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c",
"net/bluetooth/mgmt_util.c",
"net/bluetooth/mgmt_util.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d71b98f253b079cbadc83266383f26fe7e9e103b",
"status": "affected",
"version": "cf75ad8b41d2aa06f98f365d42a3ae8b059daddd",
"versionType": "git"
},
{
"lessThan": "87a1f16f07c6c43771754075e08f45b41d237421",
"status": "affected",
"version": "cf75ad8b41d2aa06f98f365d42a3ae8b059daddd",
"versionType": "git"
},
{
"lessThan": "302a1f674c00dd5581ab8e493ef44767c5101aab",
"status": "affected",
"version": "cf75ad8b41d2aa06f98f365d42a3ae8b059daddd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c",
"net/bluetooth/mgmt_util.c",
"net/bluetooth/mgmt_util.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix possible UAFs\n\nThis attemps to fix possible UAFs caused by struct mgmt_pending being\nfreed while still being processed like in the following trace, in order\nto fix mgmt_pending_valid is introduce and use to check if the\nmgmt_pending hasn\u0027t been removed from the pending list, on the complete\ncallbacks it is used to check and in addtion remove the cmd from the list\nwhile holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd\nis left on the list it can still be accessed and freed.\n\nBUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223\nRead of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55\n\nCPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223\n hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x711/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 12210:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269\n mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296\n __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247\n add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:729\n sock_write_iter+0x258/0x330 net/socket.c:1133\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x5c9/0xb30 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 12221:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2381 [inline]\n slab_free mm/slub.c:4648 [inline]\n kfree+0x18e/0x440 mm/slub.c:4847\n mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]\n mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257\n __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444\n hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290\n hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]\n hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526\n sock_do_ioctl+0xd9/0x300 net/socket.c:1192\n sock_ioctl+0x576/0x790 net/socket.c:1313\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T09:49:54.482Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d71b98f253b079cbadc83266383f26fe7e9e103b"
},
{
"url": "https://git.kernel.org/stable/c/87a1f16f07c6c43771754075e08f45b41d237421"
},
{
"url": "https://git.kernel.org/stable/c/302a1f674c00dd5581ab8e493ef44767c5101aab"
}
],
"title": "Bluetooth: MGMT: Fix possible UAFs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39981",
"datePublished": "2025-10-15T07:56:00.959Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-11-24T09:49:54.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68358 (GCVE-0-2025-68358)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-19 15:39
VLAI?
EPSS
Title
btrfs: fix racy bitfield write in btrfs_clear_space_info_full()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix racy bitfield write in btrfs_clear_space_info_full()
From the memory-barriers.txt document regarding memory barrier ordering
guarantees:
(*) These guarantees do not apply to bitfields, because compilers often
generate code to modify these using non-atomic read-modify-write
sequences. Do not attempt to use bitfields to synchronize parallel
algorithms.
(*) Even in cases where bitfields are protected by locks, all fields
in a given bitfield must be protected by one lock. If two fields
in a given bitfield are protected by different locks, the compiler's
non-atomic read-modify-write sequences can cause an update to one
field to corrupt the value of an adjacent field.
btrfs_space_info has a bitfield sharing an underlying word consisting of
the fields full, chunk_alloc, and flush:
struct btrfs_space_info {
struct btrfs_fs_info * fs_info; /* 0 8 */
struct btrfs_space_info * parent; /* 8 8 */
...
int clamp; /* 172 4 */
unsigned int full:1; /* 176: 0 4 */
unsigned int chunk_alloc:1; /* 176: 1 4 */
unsigned int flush:1; /* 176: 2 4 */
...
Therefore, to be safe from parallel read-modify-writes losing a write to
one of the bitfield members protected by a lock, all writes to all the
bitfields must use the lock. They almost universally do, except for
btrfs_clear_space_info_full() which iterates over the space_infos and
writes out found->full = 0 without a lock.
Imagine that we have one thread completing a transaction in which we
finished deleting a block_group and are thus calling
btrfs_clear_space_info_full() while simultaneously the data reclaim
ticket infrastructure is running do_async_reclaim_data_space():
T1 T2
btrfs_commit_transaction
btrfs_clear_space_info_full
data_sinfo->full = 0
READ: full:0, chunk_alloc:0, flush:1
do_async_reclaim_data_space(data_sinfo)
spin_lock(&space_info->lock);
if(list_empty(tickets))
space_info->flush = 0;
READ: full: 0, chunk_alloc:0, flush:1
MOD/WRITE: full: 0, chunk_alloc:0, flush:0
spin_unlock(&space_info->lock);
return;
MOD/WRITE: full:0, chunk_alloc:0, flush:1
and now data_sinfo->flush is 1 but the reclaim worker has exited. This
breaks the invariant that flush is 0 iff there is no work queued or
running. Once this invariant is violated, future allocations that go
into __reserve_bytes() will add tickets to space_info->tickets but will
see space_info->flush is set to 1 and not queue the work. After this,
they will block forever on the resulting ticket, as it is now impossible
to kick the worker again.
I also confirmed by looking at the assembly of the affected kernel that
it is doing RMW operations. For example, to set the flush (3rd) bit to 0,
the assembly is:
andb $0xfb,0x60(%rbx)
and similarly for setting the full (1st) bit to 0:
andb $0xfe,-0x20(%rax)
So I think this is really a bug on practical systems. I have observed
a number of systems in this exact state, but am currently unable to
reproduce it.
Rather than leaving this footgun lying around for the future, take
advantage of the fact that there is room in the struct anyway, and that
it is already quite large and simply change the three bitfield members to
bools. This avoids writes to space_info->full having any effect on
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
957780eb2788d8c218d539e19a85653f51a96dc1 , < b0bb67385480a3aa4c54b139e4f371ddd06b5150
(git)
Affected: 957780eb2788d8c218d539e19a85653f51a96dc1 , < 55835646da78e83e7ad06abd741ca8fd8c0b0ea7 (git) Affected: 957780eb2788d8c218d539e19a85653f51a96dc1 , < d4a81b8ec639895999275ea2472c69825cd67ea4 (git) Affected: 957780eb2788d8c218d539e19a85653f51a96dc1 , < db4ae18e1b31e0421fb5312e56aefa382bbc6ece (git) Affected: 957780eb2788d8c218d539e19a85653f51a96dc1 , < 6f442808a86eef847ee10afa9e6459494ed85bb3 (git) Affected: 957780eb2788d8c218d539e19a85653f51a96dc1 , < 742b90eaf394f0018352c0e10dc89763b2dd5267 (git) Affected: 957780eb2788d8c218d539e19a85653f51a96dc1 , < 38e818718c5e04961eea0fa8feff3f100ce40408 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c",
"fs/btrfs/space-info.c",
"fs/btrfs/space-info.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b0bb67385480a3aa4c54b139e4f371ddd06b5150",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
},
{
"lessThan": "55835646da78e83e7ad06abd741ca8fd8c0b0ea7",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
},
{
"lessThan": "d4a81b8ec639895999275ea2472c69825cd67ea4",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
},
{
"lessThan": "db4ae18e1b31e0421fb5312e56aefa382bbc6ece",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
},
{
"lessThan": "6f442808a86eef847ee10afa9e6459494ed85bb3",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
},
{
"lessThan": "742b90eaf394f0018352c0e10dc89763b2dd5267",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
},
{
"lessThan": "38e818718c5e04961eea0fa8feff3f100ce40408",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c",
"fs/btrfs/space-info.c",
"fs/btrfs/space-info.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.201",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.201",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix racy bitfield write in btrfs_clear_space_info_full()\n\nFrom the memory-barriers.txt document regarding memory barrier ordering\nguarantees:\n\n (*) These guarantees do not apply to bitfields, because compilers often\n generate code to modify these using non-atomic read-modify-write\n sequences. Do not attempt to use bitfields to synchronize parallel\n algorithms.\n\n (*) Even in cases where bitfields are protected by locks, all fields\n in a given bitfield must be protected by one lock. If two fields\n in a given bitfield are protected by different locks, the compiler\u0027s\n non-atomic read-modify-write sequences can cause an update to one\n field to corrupt the value of an adjacent field.\n\nbtrfs_space_info has a bitfield sharing an underlying word consisting of\nthe fields full, chunk_alloc, and flush:\n\nstruct btrfs_space_info {\n struct btrfs_fs_info * fs_info; /* 0 8 */\n struct btrfs_space_info * parent; /* 8 8 */\n ...\n int clamp; /* 172 4 */\n unsigned int full:1; /* 176: 0 4 */\n unsigned int chunk_alloc:1; /* 176: 1 4 */\n unsigned int flush:1; /* 176: 2 4 */\n ...\n\nTherefore, to be safe from parallel read-modify-writes losing a write to\none of the bitfield members protected by a lock, all writes to all the\nbitfields must use the lock. They almost universally do, except for\nbtrfs_clear_space_info_full() which iterates over the space_infos and\nwrites out found-\u003efull = 0 without a lock.\n\nImagine that we have one thread completing a transaction in which we\nfinished deleting a block_group and are thus calling\nbtrfs_clear_space_info_full() while simultaneously the data reclaim\nticket infrastructure is running do_async_reclaim_data_space():\n\n T1 T2\nbtrfs_commit_transaction\n btrfs_clear_space_info_full\n data_sinfo-\u003efull = 0\n READ: full:0, chunk_alloc:0, flush:1\n do_async_reclaim_data_space(data_sinfo)\n spin_lock(\u0026space_info-\u003elock);\n if(list_empty(tickets))\n space_info-\u003eflush = 0;\n READ: full: 0, chunk_alloc:0, flush:1\n MOD/WRITE: full: 0, chunk_alloc:0, flush:0\n spin_unlock(\u0026space_info-\u003elock);\n return;\n MOD/WRITE: full:0, chunk_alloc:0, flush:1\n\nand now data_sinfo-\u003eflush is 1 but the reclaim worker has exited. This\nbreaks the invariant that flush is 0 iff there is no work queued or\nrunning. Once this invariant is violated, future allocations that go\ninto __reserve_bytes() will add tickets to space_info-\u003etickets but will\nsee space_info-\u003eflush is set to 1 and not queue the work. After this,\nthey will block forever on the resulting ticket, as it is now impossible\nto kick the worker again.\n\nI also confirmed by looking at the assembly of the affected kernel that\nit is doing RMW operations. For example, to set the flush (3rd) bit to 0,\nthe assembly is:\n andb $0xfb,0x60(%rbx)\nand similarly for setting the full (1st) bit to 0:\n andb $0xfe,-0x20(%rax)\n\nSo I think this is really a bug on practical systems. I have observed\na number of systems in this exact state, but am currently unable to\nreproduce it.\n\nRather than leaving this footgun lying around for the future, take\nadvantage of the fact that there is room in the struct anyway, and that\nit is already quite large and simply change the three bitfield members to\nbools. This avoids writes to space_info-\u003efull having any effect on\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T15:39:22.167Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b0bb67385480a3aa4c54b139e4f371ddd06b5150"
},
{
"url": "https://git.kernel.org/stable/c/55835646da78e83e7ad06abd741ca8fd8c0b0ea7"
},
{
"url": "https://git.kernel.org/stable/c/d4a81b8ec639895999275ea2472c69825cd67ea4"
},
{
"url": "https://git.kernel.org/stable/c/db4ae18e1b31e0421fb5312e56aefa382bbc6ece"
},
{
"url": "https://git.kernel.org/stable/c/6f442808a86eef847ee10afa9e6459494ed85bb3"
},
{
"url": "https://git.kernel.org/stable/c/742b90eaf394f0018352c0e10dc89763b2dd5267"
},
{
"url": "https://git.kernel.org/stable/c/38e818718c5e04961eea0fa8feff3f100ce40408"
}
],
"title": "btrfs: fix racy bitfield write in btrfs_clear_space_info_full()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68358",
"datePublished": "2025-12-24T10:32:47.692Z",
"dateReserved": "2025-12-16T14:48:05.305Z",
"dateUpdated": "2026-02-19T15:39:22.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40342 (GCVE-0-2025-40342)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
nvme-fc: use lock accessing port_state and rport state
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-fc: use lock accessing port_state and rport state
nvme_fc_unregister_remote removes the remote port on a lport object at
any point in time when there is no active association. This races with
with the reconnect logic, because nvme_fc_create_association is not
taking a lock to check the port_state and atomically increase the
active count on the rport.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e399441de9115cd472b8ace6c517708273ca7997 , < de3d91af47bc015031e7721b100a29989f6498a5
(git)
Affected: e399441de9115cd472b8ace6c517708273ca7997 , < e8cde03de8674b05f2c5e0870729049eba517800 (git) Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 4253e0a4546138a2bf9cb6acf66b32fee677fc7c (git) Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 25f4bf1f7979a7871974fd36c79d69ff1cf4b446 (git) Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 9950af4303942081dc8c7a5fdc3688c17c7eb6c0 (git) Affected: e399441de9115cd472b8ace6c517708273ca7997 , < a2f7fa75c4a2a07328fa22ccbef461db76790b55 (git) Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 891cdbb162ccdb079cd5228ae43bdeebce8597ad (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de3d91af47bc015031e7721b100a29989f6498a5",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "e8cde03de8674b05f2c5e0870729049eba517800",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "4253e0a4546138a2bf9cb6acf66b32fee677fc7c",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "25f4bf1f7979a7871974fd36c79d69ff1cf4b446",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "9950af4303942081dc8c7a5fdc3688c17c7eb6c0",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "a2f7fa75c4a2a07328fa22ccbef461db76790b55",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "891cdbb162ccdb079cd5228ae43bdeebce8597ad",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: use lock accessing port_state and rport state\n\nnvme_fc_unregister_remote removes the remote port on a lport object at\nany point in time when there is no active association. This races with\nwith the reconnect logic, because nvme_fc_create_association is not\ntaking a lock to check the port_state and atomically increase the\nactive count on the rport."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:12.515Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de3d91af47bc015031e7721b100a29989f6498a5"
},
{
"url": "https://git.kernel.org/stable/c/e8cde03de8674b05f2c5e0870729049eba517800"
},
{
"url": "https://git.kernel.org/stable/c/4253e0a4546138a2bf9cb6acf66b32fee677fc7c"
},
{
"url": "https://git.kernel.org/stable/c/25f4bf1f7979a7871974fd36c79d69ff1cf4b446"
},
{
"url": "https://git.kernel.org/stable/c/9950af4303942081dc8c7a5fdc3688c17c7eb6c0"
},
{
"url": "https://git.kernel.org/stable/c/a2f7fa75c4a2a07328fa22ccbef461db76790b55"
},
{
"url": "https://git.kernel.org/stable/c/891cdbb162ccdb079cd5228ae43bdeebce8597ad"
}
],
"title": "nvme-fc: use lock accessing port_state and rport state",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40342",
"datePublished": "2025-12-09T04:09:59.673Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-20T08:52:12.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39860 (GCVE-0-2025-39860)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
syzbot reported the splat below without a repro.
In the splat, a single thread calling bt_accept_dequeue() freed sk
and touched it after that.
The root cause would be the racy l2cap_sock_cleanup_listen() call
added by the cited commit.
bt_accept_dequeue() is called under lock_sock() except for
l2cap_sock_release().
Two threads could see the same socket during the list iteration
in bt_accept_dequeue():
CPU1 CPU2 (close())
---- ----
sock_hold(sk) sock_hold(sk);
lock_sock(sk) <-- block close()
sock_put(sk)
bt_accept_unlink(sk)
sock_put(sk) <-- refcnt by bt_accept_enqueue()
release_sock(sk)
lock_sock(sk)
sock_put(sk)
bt_accept_unlink(sk)
sock_put(sk) <-- last refcnt
bt_accept_unlink(sk) <-- UAF
Depending on the timing, the other thread could show up in the
"Freed by task" part.
Let's call l2cap_sock_cleanup_listen() under lock_sock() in
l2cap_sock_release().
[0]:
BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995
CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
spin_lock_bh include/linux/spinlock.h:356 [inline]
release_sock+0x21/0x220 net/core/sock.c:3746
bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312
l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
__sock_release+0xb3/0x270 net/socket.c:649
sock_close+0x1c/0x30 net/socket.c:1439
__fput+0x3ff/0xb70 fs/file_table.c:468
task_work_run+0x14d/0x240 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2accf8ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f
R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c
R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490
</TASK>
Allocated by task 5326:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4365 [inline]
__kmalloc_nopro
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a2da00d1ea1abfb04f846638e210b5b5166e3c9c , < 964cbb198f9c46c2b2358cd1faffc04c1e8248cf
(git)
Affected: 06f87c96216bc5cd1094c23492274f77f1d5dd3b , < 83e1d9892ef51785cf0760b7681436760dda435a (git) Affected: fbe5a2fed8156cc19eb3b956602b0a1dd46a302d , < 47f6090bcf75c369695d21c3f179db8a56bbbd49 (git) Affected: 29fac18499332211b2615ade356e2bd8b3269f98 , < 2ca99fc3512a8074de20ee52a87b492dfcc41a4d (git) Affected: 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 , < 6077d16b5c0f65d571eee709de2f0541fb5ef0ca (git) Affected: 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 , < 306b0991413b482dbf5585b423022123bb505966 (git) Affected: 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 , < 3dff390f55ccd9ce12e91233849769b5312180c2 (git) Affected: 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 , < 862c628108562d8c7a516a900034823b381d3cba (git) Affected: 51822644a047eac2310fab0799b64e3430b5a111 (git) Affected: 82cdb2ccbe43337798393369f0ceb98699fe6037 (git) Affected: 10426afe65c8bf7b24dd0c7be4dcc65f86fc99f9 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:12.606Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "964cbb198f9c46c2b2358cd1faffc04c1e8248cf",
"status": "affected",
"version": "a2da00d1ea1abfb04f846638e210b5b5166e3c9c",
"versionType": "git"
},
{
"lessThan": "83e1d9892ef51785cf0760b7681436760dda435a",
"status": "affected",
"version": "06f87c96216bc5cd1094c23492274f77f1d5dd3b",
"versionType": "git"
},
{
"lessThan": "47f6090bcf75c369695d21c3f179db8a56bbbd49",
"status": "affected",
"version": "fbe5a2fed8156cc19eb3b956602b0a1dd46a302d",
"versionType": "git"
},
{
"lessThan": "2ca99fc3512a8074de20ee52a87b492dfcc41a4d",
"status": "affected",
"version": "29fac18499332211b2615ade356e2bd8b3269f98",
"versionType": "git"
},
{
"lessThan": "6077d16b5c0f65d571eee709de2f0541fb5ef0ca",
"status": "affected",
"version": "1728137b33c00d5a2b5110ed7aafb42e7c32e4a1",
"versionType": "git"
},
{
"lessThan": "306b0991413b482dbf5585b423022123bb505966",
"status": "affected",
"version": "1728137b33c00d5a2b5110ed7aafb42e7c32e4a1",
"versionType": "git"
},
{
"lessThan": "3dff390f55ccd9ce12e91233849769b5312180c2",
"status": "affected",
"version": "1728137b33c00d5a2b5110ed7aafb42e7c32e4a1",
"versionType": "git"
},
{
"lessThan": "862c628108562d8c7a516a900034823b381d3cba",
"status": "affected",
"version": "1728137b33c00d5a2b5110ed7aafb42e7c32e4a1",
"versionType": "git"
},
{
"status": "affected",
"version": "51822644a047eac2310fab0799b64e3430b5a111",
"versionType": "git"
},
{
"status": "affected",
"version": "82cdb2ccbe43337798393369f0ceb98699fe6037",
"versionType": "git"
},
{
"status": "affected",
"version": "10426afe65c8bf7b24dd0c7be4dcc65f86fc99f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "5.4.253",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "5.10.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "5.15.126",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "6.1.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.322",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()\n\nsyzbot reported the splat below without a repro.\n\nIn the splat, a single thread calling bt_accept_dequeue() freed sk\nand touched it after that.\n\nThe root cause would be the racy l2cap_sock_cleanup_listen() call\nadded by the cited commit.\n\nbt_accept_dequeue() is called under lock_sock() except for\nl2cap_sock_release().\n\nTwo threads could see the same socket during the list iteration\nin bt_accept_dequeue():\n\n CPU1 CPU2 (close())\n ---- ----\n sock_hold(sk) sock_hold(sk);\n lock_sock(sk) \u003c-- block close()\n sock_put(sk)\n bt_accept_unlink(sk)\n sock_put(sk) \u003c-- refcnt by bt_accept_enqueue()\n release_sock(sk)\n lock_sock(sk)\n sock_put(sk)\n bt_accept_unlink(sk)\n sock_put(sk) \u003c-- last refcnt\n bt_accept_unlink(sk) \u003c-- UAF\n\nDepending on the timing, the other thread could show up in the\n\"Freed by task\" part.\n\nLet\u0027s call l2cap_sock_cleanup_listen() under lock_sock() in\nl2cap_sock_release().\n\n[0]:\nBUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]\nBUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115\nRead of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995\nCPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]\n do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n release_sock+0x21/0x220 net/core/sock.c:3746\n bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312\n l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451\n l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425\n __sock_release+0xb3/0x270 net/socket.c:649\n sock_close+0x1c/0x30 net/socket.c:1439\n __fput+0x3ff/0xb70 fs/file_table.c:468\n task_work_run+0x14d/0x240 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]\n do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f2accf8ebe9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4\nRAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9\nRDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003\nRBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f\nR10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c\nR13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490\n \u003c/TASK\u003e\n\nAllocated by task 5326:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4365 [inline]\n __kmalloc_nopro\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:14.857Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/964cbb198f9c46c2b2358cd1faffc04c1e8248cf"
},
{
"url": "https://git.kernel.org/stable/c/83e1d9892ef51785cf0760b7681436760dda435a"
},
{
"url": "https://git.kernel.org/stable/c/47f6090bcf75c369695d21c3f179db8a56bbbd49"
},
{
"url": "https://git.kernel.org/stable/c/2ca99fc3512a8074de20ee52a87b492dfcc41a4d"
},
{
"url": "https://git.kernel.org/stable/c/6077d16b5c0f65d571eee709de2f0541fb5ef0ca"
},
{
"url": "https://git.kernel.org/stable/c/306b0991413b482dbf5585b423022123bb505966"
},
{
"url": "https://git.kernel.org/stable/c/3dff390f55ccd9ce12e91233849769b5312180c2"
},
{
"url": "https://git.kernel.org/stable/c/862c628108562d8c7a516a900034823b381d3cba"
}
],
"title": "Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39860",
"datePublished": "2025-09-19T15:26:30.767Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-11-03T17:44:12.606Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68192 (GCVE-0-2025-68192)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2025-12-16 13:43
VLAI?
EPSS
Title
net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup
Raw IP packets have no MAC header, leaving skb->mac_header uninitialized.
This can trigger kernel panics on ARM64 when xfrm or other subsystems
access the offset due to strict alignment checks.
Initialize the MAC header to prevent such crashes.
This can trigger kernel panics on ARM when running IPsec over the
qmimux0 interface.
Example trace:
Internal error: Oops: 000000009600004f [#1] SMP
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1
Hardware name: LS1028A RDB Board (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : xfrm_input+0xde8/0x1318
lr : xfrm_input+0x61c/0x1318
sp : ffff800080003b20
Call trace:
xfrm_input+0xde8/0x1318
xfrm6_rcv+0x38/0x44
xfrm6_esp_rcv+0x48/0xa8
ip6_protocol_deliver_rcu+0x94/0x4b0
ip6_input_finish+0x44/0x70
ip6_input+0x44/0xc0
ipv6_rcv+0x6c/0x114
__netif_receive_skb_one_core+0x5c/0x8c
__netif_receive_skb+0x18/0x60
process_backlog+0x78/0x17c
__napi_poll+0x38/0x180
net_rx_action+0x168/0x2f0
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c6adf77953bcec0ad63d7782479452464e50f7a3 , < d693c47fb902b988f5752182e4f7fbde5e6dcaf9
(git)
Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < 0aabccdcec1f4a36f95829ea2263f845bbc77223 (git) Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < 4e6b9004f01d0fef5b19778399bc5bf55f8c2d71 (git) Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < bf527b80b80a282ab5bf1540546211fc35e5cd42 (git) Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < dd03780c29f87c26c0e0bb7e0db528c8109461fb (git) Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < ae811175cea35b03ac6d7c910f43a82a43b9c3b3 (git) Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < 8ab3b8f958d861a7f725a5be60769106509fbd69 (git) Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < e120f46768d98151ece8756ebd688b0e43dc8b29 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/qmi_wwan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d693c47fb902b988f5752182e4f7fbde5e6dcaf9",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "0aabccdcec1f4a36f95829ea2263f845bbc77223",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "4e6b9004f01d0fef5b19778399bc5bf55f8c2d71",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "bf527b80b80a282ab5bf1540546211fc35e5cd42",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "dd03780c29f87c26c0e0bb7e0db528c8109461fb",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "ae811175cea35b03ac6d7c910f43a82a43b9c3b3",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "8ab3b8f958d861a7f725a5be60769106509fbd69",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "e120f46768d98151ece8756ebd688b0e43dc8b29",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/qmi_wwan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup\n\nRaw IP packets have no MAC header, leaving skb-\u003emac_header uninitialized.\nThis can trigger kernel panics on ARM64 when xfrm or other subsystems\naccess the offset due to strict alignment checks.\n\nInitialize the MAC header to prevent such crashes.\n\nThis can trigger kernel panics on ARM when running IPsec over the\nqmimux0 interface.\n\nExample trace:\n\n Internal error: Oops: 000000009600004f [#1] SMP\n CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1\n Hardware name: LS1028A RDB Board (DT)\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : xfrm_input+0xde8/0x1318\n lr : xfrm_input+0x61c/0x1318\n sp : ffff800080003b20\n Call trace:\n xfrm_input+0xde8/0x1318\n xfrm6_rcv+0x38/0x44\n xfrm6_esp_rcv+0x48/0xa8\n ip6_protocol_deliver_rcu+0x94/0x4b0\n ip6_input_finish+0x44/0x70\n ip6_input+0x44/0xc0\n ipv6_rcv+0x6c/0x114\n __netif_receive_skb_one_core+0x5c/0x8c\n __netif_receive_skb+0x18/0x60\n process_backlog+0x78/0x17c\n __napi_poll+0x38/0x180\n net_rx_action+0x168/0x2f0"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:43:18.858Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d693c47fb902b988f5752182e4f7fbde5e6dcaf9"
},
{
"url": "https://git.kernel.org/stable/c/0aabccdcec1f4a36f95829ea2263f845bbc77223"
},
{
"url": "https://git.kernel.org/stable/c/4e6b9004f01d0fef5b19778399bc5bf55f8c2d71"
},
{
"url": "https://git.kernel.org/stable/c/bf527b80b80a282ab5bf1540546211fc35e5cd42"
},
{
"url": "https://git.kernel.org/stable/c/dd03780c29f87c26c0e0bb7e0db528c8109461fb"
},
{
"url": "https://git.kernel.org/stable/c/ae811175cea35b03ac6d7c910f43a82a43b9c3b3"
},
{
"url": "https://git.kernel.org/stable/c/8ab3b8f958d861a7f725a5be60769106509fbd69"
},
{
"url": "https://git.kernel.org/stable/c/e120f46768d98151ece8756ebd688b0e43dc8b29"
}
],
"title": "net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68192",
"datePublished": "2025-12-16T13:43:18.858Z",
"dateReserved": "2025-12-16T13:41:40.253Z",
"dateUpdated": "2025-12-16T13:43:18.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40160 (GCVE-0-2025-40160)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:24 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
xen/events: Return -EEXIST for bound VIRQs
Summary
In the Linux kernel, the following vulnerability has been resolved:
xen/events: Return -EEXIST for bound VIRQs
Change find_virq() to return -EEXIST when a VIRQ is bound to a
different CPU than the one passed in. With that, remove the BUG_ON()
from bind_virq_to_irq() to propogate the error upwards.
Some VIRQs are per-cpu, but others are per-domain or global. Those must
be bound to CPU0 and can then migrate elsewhere. The lookup for
per-domain and global will probably fail when migrated off CPU 0,
especially when the current CPU is tracked. This now returns -EEXIST
instead of BUG_ON().
A second call to bind a per-domain or global VIRQ is not expected, but
make it non-fatal to avoid trying to look up the irq, since we don't
know which per_cpu(virq_to_irq) it will be in.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
62cc5fc7b2e0218144e162afb8191db9b924b5e6 , < 612ef6056855c0aacb9b25d1d853c435754483f7
(git)
Affected: 62cc5fc7b2e0218144e162afb8191db9b924b5e6 , < a1e7f07ae6b594f1ba5be46c6125b43bc505c5aa (git) Affected: 62cc5fc7b2e0218144e162afb8191db9b924b5e6 , < f81db055a793eca9d05f79658ff62adafb41d664 (git) Affected: 62cc5fc7b2e0218144e162afb8191db9b924b5e6 , < 07ce121d93a5e5fb2440a24da3dbf408fcee978e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/events/events_base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "612ef6056855c0aacb9b25d1d853c435754483f7",
"status": "affected",
"version": "62cc5fc7b2e0218144e162afb8191db9b924b5e6",
"versionType": "git"
},
{
"lessThan": "a1e7f07ae6b594f1ba5be46c6125b43bc505c5aa",
"status": "affected",
"version": "62cc5fc7b2e0218144e162afb8191db9b924b5e6",
"versionType": "git"
},
{
"lessThan": "f81db055a793eca9d05f79658ff62adafb41d664",
"status": "affected",
"version": "62cc5fc7b2e0218144e162afb8191db9b924b5e6",
"versionType": "git"
},
{
"lessThan": "07ce121d93a5e5fb2440a24da3dbf408fcee978e",
"status": "affected",
"version": "62cc5fc7b2e0218144e162afb8191db9b924b5e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/events/events_base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/events: Return -EEXIST for bound VIRQs\n\nChange find_virq() to return -EEXIST when a VIRQ is bound to a\ndifferent CPU than the one passed in. With that, remove the BUG_ON()\nfrom bind_virq_to_irq() to propogate the error upwards.\n\nSome VIRQs are per-cpu, but others are per-domain or global. Those must\nbe bound to CPU0 and can then migrate elsewhere. The lookup for\nper-domain and global will probably fail when migrated off CPU 0,\nespecially when the current CPU is tracked. This now returns -EEXIST\ninstead of BUG_ON().\n\nA second call to bind a per-domain or global VIRQ is not expected, but\nmake it non-fatal to avoid trying to look up the irq, since we don\u0027t\nknow which per_cpu(virq_to_irq) it will be in."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:05.136Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/612ef6056855c0aacb9b25d1d853c435754483f7"
},
{
"url": "https://git.kernel.org/stable/c/a1e7f07ae6b594f1ba5be46c6125b43bc505c5aa"
},
{
"url": "https://git.kernel.org/stable/c/f81db055a793eca9d05f79658ff62adafb41d664"
},
{
"url": "https://git.kernel.org/stable/c/07ce121d93a5e5fb2440a24da3dbf408fcee978e"
}
],
"title": "xen/events: Return -EEXIST for bound VIRQs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40160",
"datePublished": "2025-11-12T10:24:36.429Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2026-01-02T15:33:05.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71128 (GCVE-0-2025-71128)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
erspan: Initialize options_len before referencing options.
Summary
In the Linux kernel, the following vulnerability has been resolved:
erspan: Initialize options_len before referencing options.
The struct ip_tunnel_info has a flexible array member named
options that is protected by a counted_by(options_len)
attribute.
The compiler will use this information to enforce runtime bounds
checking deployed by FORTIFY_SOURCE string helpers.
As laid out in the GCC documentation, the counter must be
initialized before the first reference to the flexible array
member.
After scanning through the files that use struct ip_tunnel_info
and also refer to options or options_len, it appears the normal
case is to use the ip_tunnel_info_opts_set() helper.
Said helper would initialize options_len properly before copying
data into options, however in the GRE ERSPAN code a partial
update is done, preventing the use of the helper function.
Before this change the handling of ERSPAN traffic in GRE tunnels
would cause a kernel panic when the kernel is compiled with
GCC 15+ and having FORTIFY_SOURCE configured:
memcpy: detected buffer overflow: 4 byte write of buffer size 0
Call Trace:
<IRQ>
__fortify_panic+0xd/0xf
erspan_rcv.cold+0x68/0x83
? ip_route_input_slow+0x816/0x9d0
gre_rcv+0x1b2/0x1c0
gre_rcv+0x8e/0x100
? raw_v4_input+0x2a0/0x2b0
ip_protocol_deliver_rcu+0x1ea/0x210
ip_local_deliver_finish+0x86/0x110
ip_local_deliver+0x65/0x110
? ip_rcv_finish_core+0xd6/0x360
ip_rcv+0x186/0x1a0
Reported-at: https://launchpad.net/bugs/2129580
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_gre.c",
"net/ipv6/ip6_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b282b2a9eed848587c1348abdd5d83fa346a2743",
"status": "affected",
"version": "bb5e62f2d547c4de6d1b144cbce2373a76c33f18",
"versionType": "git"
},
{
"lessThan": "35ddf66c65eff93fff91406756ba273600bf61a3",
"status": "affected",
"version": "bb5e62f2d547c4de6d1b144cbce2373a76c33f18",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_gre.c",
"net/ipv6/ip6_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: Initialize options_len before referencing options.\n\nThe struct ip_tunnel_info has a flexible array member named\noptions that is protected by a counted_by(options_len)\nattribute.\n\nThe compiler will use this information to enforce runtime bounds\nchecking deployed by FORTIFY_SOURCE string helpers.\n\nAs laid out in the GCC documentation, the counter must be\ninitialized before the first reference to the flexible array\nmember.\n\nAfter scanning through the files that use struct ip_tunnel_info\nand also refer to options or options_len, it appears the normal\ncase is to use the ip_tunnel_info_opts_set() helper.\n\nSaid helper would initialize options_len properly before copying\ndata into options, however in the GRE ERSPAN code a partial\nupdate is done, preventing the use of the helper function.\n\nBefore this change the handling of ERSPAN traffic in GRE tunnels\nwould cause a kernel panic when the kernel is compiled with\nGCC 15+ and having FORTIFY_SOURCE configured:\n\nmemcpy: detected buffer overflow: 4 byte write of buffer size 0\n\nCall Trace:\n \u003cIRQ\u003e\n __fortify_panic+0xd/0xf\n erspan_rcv.cold+0x68/0x83\n ? ip_route_input_slow+0x816/0x9d0\n gre_rcv+0x1b2/0x1c0\n gre_rcv+0x8e/0x100\n ? raw_v4_input+0x2a0/0x2b0\n ip_protocol_deliver_rcu+0x1ea/0x210\n ip_local_deliver_finish+0x86/0x110\n ip_local_deliver+0x65/0x110\n ? ip_rcv_finish_core+0xd6/0x360\n ip_rcv+0x186/0x1a0\n\nReported-at: https://launchpad.net/bugs/2129580"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:24.025Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b282b2a9eed848587c1348abdd5d83fa346a2743"
},
{
"url": "https://git.kernel.org/stable/c/35ddf66c65eff93fff91406756ba273600bf61a3"
}
],
"title": "erspan: Initialize options_len before referencing options.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71128",
"datePublished": "2026-01-14T15:07:44.941Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-02-09T08:35:24.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39823 (GCVE-0-2025-39823)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
KVM: x86: use array_index_nospec with indices that come from guest
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: use array_index_nospec with indices that come from guest
min and dest_id are guest-controlled indices. Using array_index_nospec()
after the bounds checks clamps these values to mitigate speculative execution
side-channels.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4180bf1b655a791a0a6ef93a2ffffc762722c782 , < 72777fc31aa7ab2ce00f44bfa3929c6eabbeaf48
(git)
Affected: 4180bf1b655a791a0a6ef93a2ffffc762722c782 , < 31a0ad2f60cb4816e06218b63e695eb72ce74974 (git) Affected: 4180bf1b655a791a0a6ef93a2ffffc762722c782 , < d51e381beed5e2f50f85f49f6c90e023754efa12 (git) Affected: 4180bf1b655a791a0a6ef93a2ffffc762722c782 , < 33e974c2d5a82b2f9d9ba0ad9cbaabc1c8e3985f (git) Affected: 4180bf1b655a791a0a6ef93a2ffffc762722c782 , < f49161646e03d107ce81a99c6ca5da682fe5fb69 (git) Affected: 4180bf1b655a791a0a6ef93a2ffffc762722c782 , < 67a05679621b7f721bdba37a5d18665d3aceb695 (git) Affected: 4180bf1b655a791a0a6ef93a2ffffc762722c782 , < f57a4bd8d6cb5af05b8ac1be9098e249034639fb (git) Affected: 4180bf1b655a791a0a6ef93a2ffffc762722c782 , < c87bd4dd43a624109c3cc42d843138378a7f4548 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:43.272Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/lapic.c",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72777fc31aa7ab2ce00f44bfa3929c6eabbeaf48",
"status": "affected",
"version": "4180bf1b655a791a0a6ef93a2ffffc762722c782",
"versionType": "git"
},
{
"lessThan": "31a0ad2f60cb4816e06218b63e695eb72ce74974",
"status": "affected",
"version": "4180bf1b655a791a0a6ef93a2ffffc762722c782",
"versionType": "git"
},
{
"lessThan": "d51e381beed5e2f50f85f49f6c90e023754efa12",
"status": "affected",
"version": "4180bf1b655a791a0a6ef93a2ffffc762722c782",
"versionType": "git"
},
{
"lessThan": "33e974c2d5a82b2f9d9ba0ad9cbaabc1c8e3985f",
"status": "affected",
"version": "4180bf1b655a791a0a6ef93a2ffffc762722c782",
"versionType": "git"
},
{
"lessThan": "f49161646e03d107ce81a99c6ca5da682fe5fb69",
"status": "affected",
"version": "4180bf1b655a791a0a6ef93a2ffffc762722c782",
"versionType": "git"
},
{
"lessThan": "67a05679621b7f721bdba37a5d18665d3aceb695",
"status": "affected",
"version": "4180bf1b655a791a0a6ef93a2ffffc762722c782",
"versionType": "git"
},
{
"lessThan": "f57a4bd8d6cb5af05b8ac1be9098e249034639fb",
"status": "affected",
"version": "4180bf1b655a791a0a6ef93a2ffffc762722c782",
"versionType": "git"
},
{
"lessThan": "c87bd4dd43a624109c3cc42d843138378a7f4548",
"status": "affected",
"version": "4180bf1b655a791a0a6ef93a2ffffc762722c782",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/lapic.c",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.298",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: use array_index_nospec with indices that come from guest\n\nmin and dest_id are guest-controlled indices. Using array_index_nospec()\nafter the bounds checks clamps these values to mitigate speculative execution\nside-channels."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:23.693Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72777fc31aa7ab2ce00f44bfa3929c6eabbeaf48"
},
{
"url": "https://git.kernel.org/stable/c/31a0ad2f60cb4816e06218b63e695eb72ce74974"
},
{
"url": "https://git.kernel.org/stable/c/d51e381beed5e2f50f85f49f6c90e023754efa12"
},
{
"url": "https://git.kernel.org/stable/c/33e974c2d5a82b2f9d9ba0ad9cbaabc1c8e3985f"
},
{
"url": "https://git.kernel.org/stable/c/f49161646e03d107ce81a99c6ca5da682fe5fb69"
},
{
"url": "https://git.kernel.org/stable/c/67a05679621b7f721bdba37a5d18665d3aceb695"
},
{
"url": "https://git.kernel.org/stable/c/f57a4bd8d6cb5af05b8ac1be9098e249034639fb"
},
{
"url": "https://git.kernel.org/stable/c/c87bd4dd43a624109c3cc42d843138378a7f4548"
}
],
"title": "KVM: x86: use array_index_nospec with indices that come from guest",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39823",
"datePublished": "2025-09-16T13:00:22.298Z",
"dateReserved": "2025-04-16T07:20:57.139Z",
"dateUpdated": "2025-11-03T17:43:43.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68364 (GCVE-0-2025-68364)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()
In '__ocfs2_move_extent()', relax 'BUG()' to 'ocfs2_error()' just
to avoid crashing the whole kernel due to a filesystem corruption.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8f603e567aa7a243e68ca48b4f105b990851360f , < cb34a55f552960c74e26b3699c84745b96e3131a
(git)
Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < 08b93c1c12c66989316883d733475c64d14de5d2 (git) Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < 1ad2f81a099b8df5f72bce0a3e9f531263a846b8 (git) Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < bcb94288d95cfc52f4d7cead260f4db54c8c741a (git) Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < e5c2503696ec2e0dc7b2aee902dc859ccde39ddf (git) Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < 7abbe41d22a06aae00fd46d29f59dd40a01e988f (git) Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < e5c52c320577cd405b251943ef77842dc6f303bf (git) Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < 8a7d58845fae061c62b50bc5eeb9bae4a1dedc3d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/move_extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb34a55f552960c74e26b3699c84745b96e3131a",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "08b93c1c12c66989316883d733475c64d14de5d2",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "1ad2f81a099b8df5f72bce0a3e9f531263a846b8",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "bcb94288d95cfc52f4d7cead260f4db54c8c741a",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "e5c2503696ec2e0dc7b2aee902dc859ccde39ddf",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "7abbe41d22a06aae00fd46d29f59dd40a01e988f",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "e5c52c320577cd405b251943ef77842dc6f303bf",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "8a7d58845fae061c62b50bc5eeb9bae4a1dedc3d",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/move_extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()\n\nIn \u0027__ocfs2_move_extent()\u0027, relax \u0027BUG()\u0027 to \u0027ocfs2_error()\u0027 just\nto avoid crashing the whole kernel due to a filesystem corruption."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:00.295Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb34a55f552960c74e26b3699c84745b96e3131a"
},
{
"url": "https://git.kernel.org/stable/c/08b93c1c12c66989316883d733475c64d14de5d2"
},
{
"url": "https://git.kernel.org/stable/c/1ad2f81a099b8df5f72bce0a3e9f531263a846b8"
},
{
"url": "https://git.kernel.org/stable/c/bcb94288d95cfc52f4d7cead260f4db54c8c741a"
},
{
"url": "https://git.kernel.org/stable/c/e5c2503696ec2e0dc7b2aee902dc859ccde39ddf"
},
{
"url": "https://git.kernel.org/stable/c/7abbe41d22a06aae00fd46d29f59dd40a01e988f"
},
{
"url": "https://git.kernel.org/stable/c/e5c52c320577cd405b251943ef77842dc6f303bf"
},
{
"url": "https://git.kernel.org/stable/c/8a7d58845fae061c62b50bc5eeb9bae4a1dedc3d"
}
],
"title": "ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68364",
"datePublished": "2025-12-24T10:32:51.922Z",
"dateReserved": "2025-12-16T14:48:05.308Z",
"dateUpdated": "2026-02-09T08:32:00.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40194 (GCVE-0-2025-40194)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()
The cpufreq_cpu_put() call in update_qos_request() takes place too early
because the latter subsequently calls freq_qos_update_request() that
indirectly accesses the policy object in question through the QoS request
object passed to it.
Fortunately, update_qos_request() is called under intel_pstate_driver_lock,
so this issue does not matter for changing the intel_pstate operation
mode, but it theoretically can cause a crash to occur on CPU device hot
removal (which currently can only happen in virt, but it is formally
supported nevertheless).
Address this issue by modifying update_qos_request() to drop the
reference to the policy later.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
da5c504c7aae96db68c4b38e2564a88e91842d89 , < 15ac9579ebdaf22a37d7f60b3a8efc1029732ef9
(git)
Affected: da5c504c7aae96db68c4b38e2564a88e91842d89 , < bc26564bcc659beb6d977cd6eb394041ec2f2851 (git) Affected: da5c504c7aae96db68c4b38e2564a88e91842d89 , < ad4e8f9bdbef11a19b7cb93e7f313bf59bdcc3b4 (git) Affected: da5c504c7aae96db68c4b38e2564a88e91842d89 , < 0a58d3e77b22b087a57831c87cafd360e144a5bd (git) Affected: da5c504c7aae96db68c4b38e2564a88e91842d89 , < 69a18ff6c60e8e113420f15355fad862cb45d38e (git) Affected: da5c504c7aae96db68c4b38e2564a88e91842d89 , < ba63d4e9857a72a89e71a4eff9f2cc8c283e94c3 (git) Affected: da5c504c7aae96db68c4b38e2564a88e91842d89 , < 57e4a6aadf12578b96a038373cffd54b3a58b092 (git) Affected: da5c504c7aae96db68c4b38e2564a88e91842d89 , < 69e5d50fcf4093fb3f9f41c4f931f12c2ca8c467 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/intel_pstate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "15ac9579ebdaf22a37d7f60b3a8efc1029732ef9",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "bc26564bcc659beb6d977cd6eb394041ec2f2851",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "ad4e8f9bdbef11a19b7cb93e7f313bf59bdcc3b4",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "0a58d3e77b22b087a57831c87cafd360e144a5bd",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "69a18ff6c60e8e113420f15355fad862cb45d38e",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "ba63d4e9857a72a89e71a4eff9f2cc8c283e94c3",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "57e4a6aadf12578b96a038373cffd54b3a58b092",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "69e5d50fcf4093fb3f9f41c4f931f12c2ca8c467",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/intel_pstate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()\n\nThe cpufreq_cpu_put() call in update_qos_request() takes place too early\nbecause the latter subsequently calls freq_qos_update_request() that\nindirectly accesses the policy object in question through the QoS request\nobject passed to it.\n\nFortunately, update_qos_request() is called under intel_pstate_driver_lock,\nso this issue does not matter for changing the intel_pstate operation\nmode, but it theoretically can cause a crash to occur on CPU device hot\nremoval (which currently can only happen in virt, but it is formally\nsupported nevertheless).\n\nAddress this issue by modifying update_qos_request() to drop the\nreference to the policy later."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:54.506Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/15ac9579ebdaf22a37d7f60b3a8efc1029732ef9"
},
{
"url": "https://git.kernel.org/stable/c/bc26564bcc659beb6d977cd6eb394041ec2f2851"
},
{
"url": "https://git.kernel.org/stable/c/ad4e8f9bdbef11a19b7cb93e7f313bf59bdcc3b4"
},
{
"url": "https://git.kernel.org/stable/c/0a58d3e77b22b087a57831c87cafd360e144a5bd"
},
{
"url": "https://git.kernel.org/stable/c/69a18ff6c60e8e113420f15355fad862cb45d38e"
},
{
"url": "https://git.kernel.org/stable/c/ba63d4e9857a72a89e71a4eff9f2cc8c283e94c3"
},
{
"url": "https://git.kernel.org/stable/c/57e4a6aadf12578b96a038373cffd54b3a58b092"
},
{
"url": "https://git.kernel.org/stable/c/69e5d50fcf4093fb3f9f41c4f931f12c2ca8c467"
}
],
"title": "cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40194",
"datePublished": "2025-11-12T21:56:32.025Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-12-01T06:19:54.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40243 (GCVE-0-2025-40243)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
The syzbot reported issue in hfs_find_set_zero_bits():
=====================================================
BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151
hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408
hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353
__block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151
block_write_begin fs/buffer.c:2262 [inline]
cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601
hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
cont_expand_zero fs/buffer.c:2528 [inline]
cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591
hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494
hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654
notify_change+0x1993/0x1aa0 fs/attr.c:552
do_truncate+0x28f/0x310 fs/open.c:68
do_ftruncate+0x698/0x730 fs/open.c:195
do_sys_ftruncate fs/open.c:210 [inline]
__do_sys_ftruncate fs/open.c:215 [inline]
__se_sys_ftruncate fs/open.c:213 [inline]
__x64_sys_ftruncate+0x11b/0x250 fs/open.c:213
x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4154 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
__kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354
kmalloc_noprof include/linux/slab.h:905 [inline]
hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175
hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337
get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681
get_tree_bdev+0x38/0x50 fs/super.c:1704
hfs_get_tree+0x35/0x40 fs/hfs/super.c:388
vfs_get_tree+0xb0/0x5c0 fs/super.c:1804
do_new_mount+0x738/0x1610 fs/namespace.c:3902
path_mount+0x6db/0x1e90 fs/namespace.c:4226
do_mount fs/namespace.c:4239 [inline]
__do_sys_mount fs/namespace.c:4450 [inline]
__se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4427
x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
=====================================================
The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():
HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
Finally, it can trigger the reported issue because kmalloc()
doesn't clear the allocated memory. If allocated memory contains
only zeros, then everything will work pretty fine.
But if the allocated memory contains the "garbage", then
it can affect the bitmap operations and it triggers
the reported issue.
This patch simply exchanges the kmalloc() on kzalloc()
with the goal to guarantee the correctness of bitmap operations.
Because, newly created allocation bitmap should have all
available blocks free. Potentially, initialization bitmap's read
operation could not fill the whole allocated memory and
"garbage" in the not initialized memory will be the reason of
volume coruptions and file system driver bugs.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fc56548fca732f3d3692c83b40db796259a03887
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bf1683078fbdd09a7f7f9b74121ebaa03432bd00 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2a112cdd66f5a132da5235ca31a320528c86bf33 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e148ed5cda8fd96d4620c4622fb02f552a2d166a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cfafefcb0e1fc60135f7040f4aed0a4aef4f76ca (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3b447fd401824e1ccf0b769188edefe866a1e676 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 502fa92a71f344611101bd04ef1a595b8b6014f5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfs/mdb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc56548fca732f3d3692c83b40db796259a03887",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bf1683078fbdd09a7f7f9b74121ebaa03432bd00",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2a112cdd66f5a132da5235ca31a320528c86bf33",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e148ed5cda8fd96d4620c4622fb02f552a2d166a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cfafefcb0e1fc60135f7040f4aed0a4aef4f76ca",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3b447fd401824e1ccf0b769188edefe866a1e676",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "502fa92a71f344611101bd04ef1a595b8b6014f5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfs/mdb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()\n\nThe syzbot reported issue in hfs_find_set_zero_bits():\n\n=====================================================\nBUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45\n hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45\n hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151\n hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408\n hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353\n __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151\n block_write_begin fs/buffer.c:2262 [inline]\n cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601\n hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52\n cont_expand_zero fs/buffer.c:2528 [inline]\n cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591\n hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52\n hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494\n hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654\n notify_change+0x1993/0x1aa0 fs/attr.c:552\n do_truncate+0x28f/0x310 fs/open.c:68\n do_ftruncate+0x698/0x730 fs/open.c:195\n do_sys_ftruncate fs/open.c:210 [inline]\n __do_sys_ftruncate fs/open.c:215 [inline]\n __se_sys_ftruncate fs/open.c:213 [inline]\n __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213\n x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4154 [inline]\n slab_alloc_node mm/slub.c:4197 [inline]\n __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354\n kmalloc_noprof include/linux/slab.h:905 [inline]\n hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175\n hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337\n get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681\n get_tree_bdev+0x38/0x50 fs/super.c:1704\n hfs_get_tree+0x35/0x40 fs/hfs/super.c:388\n vfs_get_tree+0xb0/0x5c0 fs/super.c:1804\n do_new_mount+0x738/0x1610 fs/namespace.c:3902\n path_mount+0x6db/0x1e90 fs/namespace.c:4226\n do_mount fs/namespace.c:4239 [inline]\n __do_sys_mount fs/namespace.c:4450 [inline]\n __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427\n x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\n=====================================================\n\nThe HFS_SB(sb)-\u003ebitmap buffer is allocated in hfs_mdb_get():\n\nHFS_SB(sb)-\u003ebitmap = kmalloc(8192, GFP_KERNEL);\n\nFinally, it can trigger the reported issue because kmalloc()\ndoesn\u0027t clear the allocated memory. If allocated memory contains\nonly zeros, then everything will work pretty fine.\nBut if the allocated memory contains the \"garbage\", then\nit can affect the bitmap operations and it triggers\nthe reported issue.\n\nThis patch simply exchanges the kmalloc() on kzalloc()\nwith the goal to guarantee the correctness of bitmap operations.\nBecause, newly created allocation bitmap should have all\navailable blocks free. Potentially, initialization bitmap\u0027s read\noperation could not fill the whole allocated memory and\n\"garbage\" in the not initialized memory will be the reason of\nvolume coruptions and file system driver bugs."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:12.728Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc56548fca732f3d3692c83b40db796259a03887"
},
{
"url": "https://git.kernel.org/stable/c/bf1683078fbdd09a7f7f9b74121ebaa03432bd00"
},
{
"url": "https://git.kernel.org/stable/c/2a112cdd66f5a132da5235ca31a320528c86bf33"
},
{
"url": "https://git.kernel.org/stable/c/e148ed5cda8fd96d4620c4622fb02f552a2d166a"
},
{
"url": "https://git.kernel.org/stable/c/cfafefcb0e1fc60135f7040f4aed0a4aef4f76ca"
},
{
"url": "https://git.kernel.org/stable/c/3b447fd401824e1ccf0b769188edefe866a1e676"
},
{
"url": "https://git.kernel.org/stable/c/502fa92a71f344611101bd04ef1a595b8b6014f5"
},
{
"url": "https://git.kernel.org/stable/c/2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd"
}
],
"title": "hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40243",
"datePublished": "2025-12-04T15:31:32.422Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2026-01-02T15:33:12.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68808 (GCVE-0-2025-68808)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
media: vidtv: initialize local pointers upon transfer of memory ownership
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: initialize local pointers upon transfer of memory ownership
vidtv_channel_si_init() creates a temporary list (program, service, event)
and ownership of the memory itself is transferred to the PAT/SDT/EIT
tables through vidtv_psi_pat_program_assign(),
vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().
The problem here is that the local pointer where the memory ownership
transfer was completed is not initialized to NULL. This causes the
vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and
in the flow that jumps to free_eit, the memory that was freed by
vidtv_psi_*_table_destroy() can be accessed again by
vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it
is freed once again.
Therefore, to prevent use-after-free and double-free vulnerability,
local pointers must be initialized to NULL when transferring memory
ownership.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3be8037960bccd13052cfdeba8805ad785041d70 , < c342e294dac4988c8ada759b2f057246e48c5108
(git)
Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 12ab6ebb37789b84073e83e4d9b14a5e0d133323 (git) Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e (git) Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8 (git) Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < a69c7fd603bf5ad93177394fbd9711922ee81032 (git) Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 30f4d4e5224a9e44e9ceb3956489462319d804ce (git) Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 98aabfe2d79f74613abc2b0b1cef08f97eaf5322 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/test-drivers/vidtv/vidtv_channel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c342e294dac4988c8ada759b2f057246e48c5108",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "12ab6ebb37789b84073e83e4d9b14a5e0d133323",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "a69c7fd603bf5ad93177394fbd9711922ee81032",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "30f4d4e5224a9e44e9ceb3956489462319d804ce",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "98aabfe2d79f74613abc2b0b1cef08f97eaf5322",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/test-drivers/vidtv/vidtv_channel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: initialize local pointers upon transfer of memory ownership\n\nvidtv_channel_si_init() creates a temporary list (program, service, event)\nand ownership of the memory itself is transferred to the PAT/SDT/EIT\ntables through vidtv_psi_pat_program_assign(),\nvidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().\n\nThe problem here is that the local pointer where the memory ownership\ntransfer was completed is not initialized to NULL. This causes the\nvidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and\nin the flow that jumps to free_eit, the memory that was freed by\nvidtv_psi_*_table_destroy() can be accessed again by\nvidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it\nis freed once again.\n\nTherefore, to prevent use-after-free and double-free vulnerability,\nlocal pointers must be initialized to NULL when transferring memory\nownership."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:57.275Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c342e294dac4988c8ada759b2f057246e48c5108"
},
{
"url": "https://git.kernel.org/stable/c/12ab6ebb37789b84073e83e4d9b14a5e0d133323"
},
{
"url": "https://git.kernel.org/stable/c/3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e"
},
{
"url": "https://git.kernel.org/stable/c/fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8"
},
{
"url": "https://git.kernel.org/stable/c/a69c7fd603bf5ad93177394fbd9711922ee81032"
},
{
"url": "https://git.kernel.org/stable/c/30f4d4e5224a9e44e9ceb3956489462319d804ce"
},
{
"url": "https://git.kernel.org/stable/c/98aabfe2d79f74613abc2b0b1cef08f97eaf5322"
}
],
"title": "media: vidtv: initialize local pointers upon transfer of memory ownership",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68808",
"datePublished": "2026-01-13T15:29:15.164Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-02-09T08:33:57.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71083 (GCVE-0-2025-71083)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
drm/ttm: Avoid NULL pointer deref for evicted BOs
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: Avoid NULL pointer deref for evicted BOs
It is possible for a BO to exist that is not currently associated with a
resource, e.g. because it has been evicted.
When devcoredump tries to read the contents of all BOs for dumping, we need
to expect this as well -- in this case, ENODATA is recorded instead of the
buffer contents.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
09ac4fcb3f255e9225967c75f5893325c116cdbe , < 47a85604a761005d255ae38115ee630cc6931756
(git)
Affected: 09ac4fcb3f255e9225967c75f5893325c116cdbe , < 4b9944493c6d92d7b29cfd83aaf3deb842b8da79 (git) Affected: 09ac4fcb3f255e9225967c75f5893325c116cdbe , < 3d004f7341d4898889801ebb2ef61ffca610dd6f (git) Affected: 09ac4fcb3f255e9225967c75f5893325c116cdbe , < 5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0 (git) Affected: 09ac4fcb3f255e9225967c75f5893325c116cdbe , < b94182b3d7228aec18d069cba56d5982e9bfe1b1 (git) Affected: 09ac4fcb3f255e9225967c75f5893325c116cdbe , < 491adc6a0f9903c32b05f284df1148de39e8e644 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47a85604a761005d255ae38115ee630cc6931756",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "4b9944493c6d92d7b29cfd83aaf3deb842b8da79",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "3d004f7341d4898889801ebb2ef61ffca610dd6f",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "b94182b3d7228aec18d069cba56d5982e9bfe1b1",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "491adc6a0f9903c32b05f284df1148de39e8e644",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Avoid NULL pointer deref for evicted BOs\n\nIt is possible for a BO to exist that is not currently associated with a\nresource, e.g. because it has been evicted.\n\nWhen devcoredump tries to read the contents of all BOs for dumping, we need\nto expect this as well -- in this case, ENODATA is recorded instead of the\nbuffer contents."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:34.629Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47a85604a761005d255ae38115ee630cc6931756"
},
{
"url": "https://git.kernel.org/stable/c/4b9944493c6d92d7b29cfd83aaf3deb842b8da79"
},
{
"url": "https://git.kernel.org/stable/c/3d004f7341d4898889801ebb2ef61ffca610dd6f"
},
{
"url": "https://git.kernel.org/stable/c/5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0"
},
{
"url": "https://git.kernel.org/stable/c/b94182b3d7228aec18d069cba56d5982e9bfe1b1"
},
{
"url": "https://git.kernel.org/stable/c/491adc6a0f9903c32b05f284df1148de39e8e644"
}
],
"title": "drm/ttm: Avoid NULL pointer deref for evicted BOs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71083",
"datePublished": "2026-01-13T15:34:46.974Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-02-09T08:34:34.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40287 (GCVE-0-2025-40287)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2026-01-26 16:17
VLAI?
EPSS
Title
exfat: fix improper check of dentry.stream.valid_size
Summary
In the Linux kernel, the following vulnerability has been resolved:
exfat: fix improper check of dentry.stream.valid_size
We found an infinite loop bug in the exFAT file system that can lead to a
Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is
malformed, the following system calls — SYS_openat, SYS_ftruncate, and
SYS_pwrite64 — can cause the kernel to hang.
Root cause analysis shows that the size validation code in exfat_find()
does not check whether dentry.stream.valid_size is negative. As a result,
the system calls mentioned above can succeed and eventually trigger the DoS
issue.
This patch adds a check for negative dentry.stream.valid_size to prevent
this vulnerability.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
11a347fb6cef62ce47e84b97c45f2b2497c7593b , < 6c627bcc1896ba62ec793d0c00da74f3c93ce3ad
(git)
Affected: 11a347fb6cef62ce47e84b97c45f2b2497c7593b , < 204b1b02ee018ba52ad2ece21fe3a8643d66a1b2 (git) Affected: 11a347fb6cef62ce47e84b97c45f2b2497c7593b , < 82ebecdc74ff555daf70b811d854b1f32a296bea (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/exfat/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6c627bcc1896ba62ec793d0c00da74f3c93ce3ad",
"status": "affected",
"version": "11a347fb6cef62ce47e84b97c45f2b2497c7593b",
"versionType": "git"
},
{
"lessThan": "204b1b02ee018ba52ad2ece21fe3a8643d66a1b2",
"status": "affected",
"version": "11a347fb6cef62ce47e84b97c45f2b2497c7593b",
"versionType": "git"
},
{
"lessThan": "82ebecdc74ff555daf70b811d854b1f32a296bea",
"status": "affected",
"version": "11a347fb6cef62ce47e84b97c45f2b2497c7593b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/exfat/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix improper check of dentry.stream.valid_size\n\nWe found an infinite loop bug in the exFAT file system that can lead to a\nDenial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is\nmalformed, the following system calls \u2014 SYS_openat, SYS_ftruncate, and\nSYS_pwrite64 \u2014 can cause the kernel to hang.\n\nRoot cause analysis shows that the size validation code in exfat_find()\ndoes not check whether dentry.stream.valid_size is negative. As a result,\nthe system calls mentioned above can succeed and eventually trigger the DoS\nissue.\n\nThis patch adds a check for negative dentry.stream.valid_size to prevent\nthis vulnerability."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T16:17:46.365Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6c627bcc1896ba62ec793d0c00da74f3c93ce3ad"
},
{
"url": "https://git.kernel.org/stable/c/204b1b02ee018ba52ad2ece21fe3a8643d66a1b2"
},
{
"url": "https://git.kernel.org/stable/c/82ebecdc74ff555daf70b811d854b1f32a296bea"
}
],
"title": "exfat: fix improper check of dentry.stream.valid_size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40287",
"datePublished": "2025-12-06T21:51:13.328Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2026-01-26T16:17:46.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68327 (GCVE-0-2025-68327)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2025-12-22 16:13
VLAI?
EPSS
Title
usb: renesas_usbhs: Fix synchronous external abort on unbind
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: renesas_usbhs: Fix synchronous external abort on unbind
A synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is
executed after the configuration sequence described above:
modprobe usb_f_ecm
modprobe libcomposite
modprobe configfs
cd /sys/kernel/config/usb_gadget
mkdir -p g1
cd g1
echo "0x1d6b" > idVendor
echo "0x0104" > idProduct
mkdir -p strings/0x409
echo "0123456789" > strings/0x409/serialnumber
echo "Renesas." > strings/0x409/manufacturer
echo "Ethernet Gadget" > strings/0x409/product
mkdir -p functions/ecm.usb0
mkdir -p configs/c.1
mkdir -p configs/c.1/strings/0x409
echo "ECM" > configs/c.1/strings/0x409/configuration
if [ ! -L configs/c.1/ecm.usb0 ]; then
ln -s functions/ecm.usb0 configs/c.1
fi
echo 11e20000.usb > UDC
echo 11e20000.usb > /sys/bus/platform/drivers/renesas_usbhs/unbind
The displayed trace is as follows:
Internal error: synchronous external abort: 0000000096000010 [#1] SMP
CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT
Tainted: [M]=MACHINE_CHECK
Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT)
pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs]
lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs]
sp : ffff8000838b3920
x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000
x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810
x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000
x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020
x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344
x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000
x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418
x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d
x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000
x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80
Call trace:
usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P)
usbhsg_pullup+0x4c/0x7c [renesas_usbhs]
usb_gadget_disconnect_locked+0x48/0xd4
gadget_unbind_driver+0x44/0x114
device_remove+0x4c/0x80
device_release_driver_internal+0x1c8/0x224
device_release_driver+0x18/0x24
bus_remove_device+0xcc/0x10c
device_del+0x14c/0x404
usb_del_gadget+0x88/0xc0
usb_del_gadget_udc+0x18/0x30
usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs]
usbhs_mod_remove+0x20/0x30 [renesas_usbhs]
usbhs_remove+0x98/0xdc [renesas_usbhs]
platform_remove+0x20/0x30
device_remove+0x4c/0x80
device_release_driver_internal+0x1c8/0x224
device_driver_detach+0x18/0x24
unbind_store+0xb4/0xb8
drv_attr_store+0x24/0x38
sysfs_kf_write+0x7c/0x94
kernfs_fop_write_iter+0x128/0x1b8
vfs_write+0x2ac/0x350
ksys_write+0x68/0xfc
__arm64_sys_write+0x1c/0x28
invoke_syscall+0x48/0x110
el0_svc_common.constprop.0+0xc0/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x34/0xf0
el0t_64_sync_handler+0xa0/0xe4
el0t_64_sync+0x198/0x19c
Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021)
---[ end trace 0000000000000000 ]---
note: sh[188] exited with irqs disabled
note: sh[188] exited with preempt_count 1
The issue occurs because usbhs_sys_function_pullup(), which accesses the IP
registers, is executed after the USBHS clocks have been disabled. The
problem is reproducible on the Renesas RZ/G3S SoC starting with the
addition of module stop in the clock enable/disable APIs. With module stop
functionality enabled, a bus error is expected if a master accesses a
module whose clock has been stopped and module stop activated.
Disable the IP clocks at the end of remove.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < fd1a7bf3a8cac13f6d2d52d8c7570ba41621db9a
(git)
Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < cd5e86e34c66a831b5cb9b720ad411a006962cc8 (git) Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < 230b1bc1310edcd5c1b71dcd6b77ccba43139cb5 (git) Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < 9d86bc8b188a77c8d6f7252280ec2bd24ad6fbc1 (git) Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < 26838f147aeaa8f820ff799d72815fba5e209bd9 (git) Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < aa658a6d5ac21c7cde54c6d015f2d4daff32e02d (git) Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < eb9ac779830b2235847b72cb15cf07c7e3333c5e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/renesas_usbhs/common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fd1a7bf3a8cac13f6d2d52d8c7570ba41621db9a",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "cd5e86e34c66a831b5cb9b720ad411a006962cc8",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "230b1bc1310edcd5c1b71dcd6b77ccba43139cb5",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "9d86bc8b188a77c8d6f7252280ec2bd24ad6fbc1",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "26838f147aeaa8f820ff799d72815fba5e209bd9",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "aa658a6d5ac21c7cde54c6d015f2d4daff32e02d",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "eb9ac779830b2235847b72cb15cf07c7e3333c5e",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/renesas_usbhs/common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: Fix synchronous external abort on unbind\n\nA synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is\nexecuted after the configuration sequence described above:\n\nmodprobe usb_f_ecm\nmodprobe libcomposite\nmodprobe configfs\ncd /sys/kernel/config/usb_gadget\nmkdir -p g1\ncd g1\necho \"0x1d6b\" \u003e idVendor\necho \"0x0104\" \u003e idProduct\nmkdir -p strings/0x409\necho \"0123456789\" \u003e strings/0x409/serialnumber\necho \"Renesas.\" \u003e strings/0x409/manufacturer\necho \"Ethernet Gadget\" \u003e strings/0x409/product\nmkdir -p functions/ecm.usb0\nmkdir -p configs/c.1\nmkdir -p configs/c.1/strings/0x409\necho \"ECM\" \u003e configs/c.1/strings/0x409/configuration\n\nif [ ! -L configs/c.1/ecm.usb0 ]; then\n ln -s functions/ecm.usb0 configs/c.1\nfi\n\necho 11e20000.usb \u003e UDC\necho 11e20000.usb \u003e /sys/bus/platform/drivers/renesas_usbhs/unbind\n\nThe displayed trace is as follows:\n\n Internal error: synchronous external abort: 0000000096000010 [#1] SMP\n CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT\n Tainted: [M]=MACHINE_CHECK\n Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT)\n pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs]\n lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs]\n sp : ffff8000838b3920\n x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000\n x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810\n x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000\n x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020\n x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344\n x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000\n x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418\n x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d\n x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000\n x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80\n Call trace:\n usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P)\n usbhsg_pullup+0x4c/0x7c [renesas_usbhs]\n usb_gadget_disconnect_locked+0x48/0xd4\n gadget_unbind_driver+0x44/0x114\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1c8/0x224\n device_release_driver+0x18/0x24\n bus_remove_device+0xcc/0x10c\n device_del+0x14c/0x404\n usb_del_gadget+0x88/0xc0\n usb_del_gadget_udc+0x18/0x30\n usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs]\n usbhs_mod_remove+0x20/0x30 [renesas_usbhs]\n usbhs_remove+0x98/0xdc [renesas_usbhs]\n platform_remove+0x20/0x30\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1c8/0x224\n device_driver_detach+0x18/0x24\n unbind_store+0xb4/0xb8\n drv_attr_store+0x24/0x38\n sysfs_kf_write+0x7c/0x94\n kernfs_fop_write_iter+0x128/0x1b8\n vfs_write+0x2ac/0x350\n ksys_write+0x68/0xfc\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x110\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xf0\n el0t_64_sync_handler+0xa0/0xe4\n el0t_64_sync+0x198/0x19c\n Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021)\n ---[ end trace 0000000000000000 ]---\n note: sh[188] exited with irqs disabled\n note: sh[188] exited with preempt_count 1\n\nThe issue occurs because usbhs_sys_function_pullup(), which accesses the IP\nregisters, is executed after the USBHS clocks have been disabled. The\nproblem is reproducible on the Renesas RZ/G3S SoC starting with the\naddition of module stop in the clock enable/disable APIs. With module stop\nfunctionality enabled, a bus error is expected if a master accesses a\nmodule whose clock has been stopped and module stop activated.\n\nDisable the IP clocks at the end of remove."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:13:58.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fd1a7bf3a8cac13f6d2d52d8c7570ba41621db9a"
},
{
"url": "https://git.kernel.org/stable/c/cd5e86e34c66a831b5cb9b720ad411a006962cc8"
},
{
"url": "https://git.kernel.org/stable/c/230b1bc1310edcd5c1b71dcd6b77ccba43139cb5"
},
{
"url": "https://git.kernel.org/stable/c/9d86bc8b188a77c8d6f7252280ec2bd24ad6fbc1"
},
{
"url": "https://git.kernel.org/stable/c/26838f147aeaa8f820ff799d72815fba5e209bd9"
},
{
"url": "https://git.kernel.org/stable/c/aa658a6d5ac21c7cde54c6d015f2d4daff32e02d"
},
{
"url": "https://git.kernel.org/stable/c/eb9ac779830b2235847b72cb15cf07c7e3333c5e"
}
],
"title": "usb: renesas_usbhs: Fix synchronous external abort on unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68327",
"datePublished": "2025-12-22T16:12:21.402Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-22T16:13:58.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39861 (GCVE-0-2025-39861)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2026-01-14 19:33
VLAI?
EPSS
Title
Bluetooth: vhci: Prevent use-after-free by removing debugfs files early
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: vhci: Prevent use-after-free by removing debugfs files early
Move the creation of debugfs files into a dedicated function, and ensure
they are explicitly removed during vhci_release(), before associated
data structures are freed.
Previously, debugfs files such as "force_suspend", "force_wakeup", and
others were created under hdev->debugfs but not removed in
vhci_release(). Since vhci_release() frees the backing vhci_data
structure, any access to these files after release would result in
use-after-free errors.
Although hdev->debugfs is later freed in hci_release_dev(), user can
access files after vhci_data is freed but before hdev->debugfs is
released.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ab4e4380d4e158486e595013a2635190e07e28ce , < bd75eba88e88d7b896b0c737b02a74a12afc235f
(git)
Affected: ab4e4380d4e158486e595013a2635190e07e28ce , < 1503756fffe76d5aea2371a4b8dee20c3577bcfd (git) Affected: ab4e4380d4e158486e595013a2635190e07e28ce , < 7cc08f2f127b9a66f46ea918e34353811a7cb378 (git) Affected: ab4e4380d4e158486e595013a2635190e07e28ce , < 28010791193a4503f054e8d69a950ef815deb539 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39861",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:23:17.100703Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:33:11.242Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_vhci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bd75eba88e88d7b896b0c737b02a74a12afc235f",
"status": "affected",
"version": "ab4e4380d4e158486e595013a2635190e07e28ce",
"versionType": "git"
},
{
"lessThan": "1503756fffe76d5aea2371a4b8dee20c3577bcfd",
"status": "affected",
"version": "ab4e4380d4e158486e595013a2635190e07e28ce",
"versionType": "git"
},
{
"lessThan": "7cc08f2f127b9a66f46ea918e34353811a7cb378",
"status": "affected",
"version": "ab4e4380d4e158486e595013a2635190e07e28ce",
"versionType": "git"
},
{
"lessThan": "28010791193a4503f054e8d69a950ef815deb539",
"status": "affected",
"version": "ab4e4380d4e158486e595013a2635190e07e28ce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_vhci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: vhci: Prevent use-after-free by removing debugfs files early\n\nMove the creation of debugfs files into a dedicated function, and ensure\nthey are explicitly removed during vhci_release(), before associated\ndata structures are freed.\n\nPreviously, debugfs files such as \"force_suspend\", \"force_wakeup\", and\nothers were created under hdev-\u003edebugfs but not removed in\nvhci_release(). Since vhci_release() frees the backing vhci_data\nstructure, any access to these files after release would result in\nuse-after-free errors.\n\nAlthough hdev-\u003edebugfs is later freed in hci_release_dev(), user can\naccess files after vhci_data is freed but before hdev-\u003edebugfs is\nreleased."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:16.104Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bd75eba88e88d7b896b0c737b02a74a12afc235f"
},
{
"url": "https://git.kernel.org/stable/c/1503756fffe76d5aea2371a4b8dee20c3577bcfd"
},
{
"url": "https://git.kernel.org/stable/c/7cc08f2f127b9a66f46ea918e34353811a7cb378"
},
{
"url": "https://git.kernel.org/stable/c/28010791193a4503f054e8d69a950ef815deb539"
}
],
"title": "Bluetooth: vhci: Prevent use-after-free by removing debugfs files early",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39861",
"datePublished": "2025-09-19T15:26:31.519Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2026-01-14T19:33:11.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40043 (GCVE-0-2025-40043)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
net: nfc: nci: Add parameter validation for packet data
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: nfc: nci: Add parameter validation for packet data
Syzbot reported an uninitialized value bug in nci_init_req, which was
introduced by commit 5aca7966d2a7 ("Merge tag
'perf-tools-fixes-for-v6.17-2025-09-16' of
git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools").
This bug arises due to very limited and poor input validation
that was done at nic_valid_size(). This validation only
validates the skb->len (directly reflects size provided at the
userspace interface) with the length provided in the buffer
itself (interpreted as NCI_HEADER). This leads to the processing
of memory content at the address assuming the correct layout
per what opcode requires there. This leads to the accesses to
buffer of `skb_buff->data` which is not assigned anything yet.
Following the same silent drop of packets of invalid sizes at
`nic_valid_size()`, add validation of the data in the respective
handlers and return error values in case of failure. Release
the skb if error values are returned from handlers in
`nci_nft_packet` and effectively do a silent drop
Possible TODO: because we silently drop the packets, the
call to `nci_request` will be waiting for completion of request
and will face timeouts. These timeouts can get excessively logged
in the dmesg. A proper handling of them may require to export
`nci_request_cancel` (or propagate error handling from the
nft packets handlers).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6a2968aaf50c7a22fced77a5e24aa636281efca8 , < 8fcc7315a10a84264e55bb65ede10f0af20a983f
(git)
Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < bfdda0123dde406dbff62e7e9136037e97998a15 (git) Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < 0ba68bea1e356f466ad29449938bea12f5f3711f (git) Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < 74837bca0748763a77f77db47a0bdbe63b347628 (git) Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < c395d1e548cc68e84584ffa2e3ca9796a78bf7b9 (git) Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < 9c328f54741bd5465ca1dc717c84c04242fac2e1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/nci/ntf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8fcc7315a10a84264e55bb65ede10f0af20a983f",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "bfdda0123dde406dbff62e7e9136037e97998a15",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "0ba68bea1e356f466ad29449938bea12f5f3711f",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "74837bca0748763a77f77db47a0bdbe63b347628",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "c395d1e548cc68e84584ffa2e3ca9796a78bf7b9",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "9c328f54741bd5465ca1dc717c84c04242fac2e1",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/nci/ntf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: nci: Add parameter validation for packet data\n\nSyzbot reported an uninitialized value bug in nci_init_req, which was\nintroduced by commit 5aca7966d2a7 (\"Merge tag\n\u0027perf-tools-fixes-for-v6.17-2025-09-16\u0027 of\ngit://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools\").\n\nThis bug arises due to very limited and poor input validation\nthat was done at nic_valid_size(). This validation only\nvalidates the skb-\u003elen (directly reflects size provided at the\nuserspace interface) with the length provided in the buffer\nitself (interpreted as NCI_HEADER). This leads to the processing\nof memory content at the address assuming the correct layout\nper what opcode requires there. This leads to the accesses to\nbuffer of `skb_buff-\u003edata` which is not assigned anything yet.\n\nFollowing the same silent drop of packets of invalid sizes at\n`nic_valid_size()`, add validation of the data in the respective\nhandlers and return error values in case of failure. Release\nthe skb if error values are returned from handlers in\n`nci_nft_packet` and effectively do a silent drop\n\nPossible TODO: because we silently drop the packets, the\ncall to `nci_request` will be waiting for completion of request\nand will face timeouts. These timeouts can get excessively logged\nin the dmesg. A proper handling of them may require to export\n`nci_request_cancel` (or propagate error handling from the\nnft packets handlers)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:47.934Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8fcc7315a10a84264e55bb65ede10f0af20a983f"
},
{
"url": "https://git.kernel.org/stable/c/bfdda0123dde406dbff62e7e9136037e97998a15"
},
{
"url": "https://git.kernel.org/stable/c/0ba68bea1e356f466ad29449938bea12f5f3711f"
},
{
"url": "https://git.kernel.org/stable/c/74837bca0748763a77f77db47a0bdbe63b347628"
},
{
"url": "https://git.kernel.org/stable/c/c395d1e548cc68e84584ffa2e3ca9796a78bf7b9"
},
{
"url": "https://git.kernel.org/stable/c/9c328f54741bd5465ca1dc717c84c04242fac2e1"
}
],
"title": "net: nfc: nci: Add parameter validation for packet data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40043",
"datePublished": "2025-10-28T11:48:22.230Z",
"dateReserved": "2025-04-16T07:20:57.154Z",
"dateUpdated": "2025-12-01T06:16:47.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40219 (GCVE-0-2025-40219)
Vulnerability from cvelistv5 – Published: 2025-12-04 14:50 – Updated: 2025-12-04 14:50
VLAI?
EPSS
Title
PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV
Before disabling SR-IOV via config space accesses to the parent PF,
sriov_disable() first removes the PCI devices representing the VFs.
Since commit 9d16947b7583 ("PCI: Add global pci_lock_rescan_remove()")
such removal operations are serialized against concurrent remove and
rescan using the pci_rescan_remove_lock. No such locking was ever added
in sriov_disable() however. In particular when commit 18f9e9d150fc
("PCI/IOV: Factor out sriov_add_vfs()") factored out the PCI device
removal into sriov_del_vfs() there was still no locking around the
pci_iov_remove_virtfn() calls.
On s390 the lack of serialization in sriov_disable() may cause double
remove and list corruption with the below (amended) trace being observed:
PSW: 0704c00180000000 0000000c914e4b38 (klist_put+56)
GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001
00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480
0000000000000001 0000000000000000 0000000000000000 0000000180692828
00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8
#0 [3800313fb20] device_del at c9158ad5c
#1 [3800313fb88] pci_remove_bus_device at c915105ba
#2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198
#3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0
#4 [3800313fc60] zpci_bus_remove_device at c90fb6104
#5 [3800313fca0] __zpci_event_availability at c90fb3dca
#6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2
#7 [3800313fd60] crw_collect_info at c91905822
#8 [3800313fe10] kthread at c90feb390
#9 [3800313fe68] __ret_from_fork at c90f6aa64
#10 [3800313fe98] ret_from_fork at c9194f3f2.
This is because in addition to sriov_disable() removing the VFs, the
platform also generates hot-unplug events for the VFs. This being the
reverse operation to the hotplug events generated by sriov_enable() and
handled via pdev->no_vf_scan. And while the event processing takes
pci_rescan_remove_lock and checks whether the struct pci_dev still exists,
the lack of synchronization makes this checking racy.
Other races may also be possible of course though given that this lack of
locking persisted so long observable races seem very rare. Even on s390 the
list corruption was only observed with certain devices since the platform
events are only triggered by config accesses after the removal, so as long
as the removal finished synchronously they would not race. Either way the
locking is missing so fix this by adding it to the sriov_del_vfs() helper.
Just like PCI rescan-remove, locking is also missing in sriov_add_vfs()
including for the error case where pci_stop_and_remove_bus_device() is
called without the PCI rescan-remove lock being held. Even in the non-error
case, adding new PCI devices and buses should be serialized via the PCI
rescan-remove lock. Add the necessary locking.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
18f9e9d150fccfa747875df6f0a9f606740762b3 , < 5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf
(git)
Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 1e8a80290f964bdbad225221c8a1594c7e01c8fd (git) Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < a645ca21de09e3137cbb224fa6c23cca873a1d01 (git) Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < a24219172456f035d886857e265ca24c85b167c8 (git) Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 36039348bca77828bf06eae41b8f76e38cd15847 (git) Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 53154cd40ccf285f1d1c24367824082061d155bd (git) Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < ee40e5db052d7c6f406fdb95ad639c894c74674c (git) Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/iov.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "1e8a80290f964bdbad225221c8a1594c7e01c8fd",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "a645ca21de09e3137cbb224fa6c23cca873a1d01",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "a24219172456f035d886857e265ca24c85b167c8",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "36039348bca77828bf06eae41b8f76e38cd15847",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "53154cd40ccf285f1d1c24367824082061d155bd",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "ee40e5db052d7c6f406fdb95ad639c894c74674c",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "05703271c3cdcc0f2a8cf6ebdc45892b8ca83520",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/iov.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV\n\nBefore disabling SR-IOV via config space accesses to the parent PF,\nsriov_disable() first removes the PCI devices representing the VFs.\n\nSince commit 9d16947b7583 (\"PCI: Add global pci_lock_rescan_remove()\")\nsuch removal operations are serialized against concurrent remove and\nrescan using the pci_rescan_remove_lock. No such locking was ever added\nin sriov_disable() however. In particular when commit 18f9e9d150fc\n(\"PCI/IOV: Factor out sriov_add_vfs()\") factored out the PCI device\nremoval into sriov_del_vfs() there was still no locking around the\npci_iov_remove_virtfn() calls.\n\nOn s390 the lack of serialization in sriov_disable() may cause double\nremove and list corruption with the below (amended) trace being observed:\n\n PSW: 0704c00180000000 0000000c914e4b38 (klist_put+56)\n GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001\n\t00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480\n\t0000000000000001 0000000000000000 0000000000000000 0000000180692828\n\t00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8\n #0 [3800313fb20] device_del at c9158ad5c\n #1 [3800313fb88] pci_remove_bus_device at c915105ba\n #2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198\n #3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0\n #4 [3800313fc60] zpci_bus_remove_device at c90fb6104\n #5 [3800313fca0] __zpci_event_availability at c90fb3dca\n #6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2\n #7 [3800313fd60] crw_collect_info at c91905822\n #8 [3800313fe10] kthread at c90feb390\n #9 [3800313fe68] __ret_from_fork at c90f6aa64\n #10 [3800313fe98] ret_from_fork at c9194f3f2.\n\nThis is because in addition to sriov_disable() removing the VFs, the\nplatform also generates hot-unplug events for the VFs. This being the\nreverse operation to the hotplug events generated by sriov_enable() and\nhandled via pdev-\u003eno_vf_scan. And while the event processing takes\npci_rescan_remove_lock and checks whether the struct pci_dev still exists,\nthe lack of synchronization makes this checking racy.\n\nOther races may also be possible of course though given that this lack of\nlocking persisted so long observable races seem very rare. Even on s390 the\nlist corruption was only observed with certain devices since the platform\nevents are only triggered by config accesses after the removal, so as long\nas the removal finished synchronously they would not race. Either way the\nlocking is missing so fix this by adding it to the sriov_del_vfs() helper.\n\nJust like PCI rescan-remove, locking is also missing in sriov_add_vfs()\nincluding for the error case where pci_stop_and_remove_bus_device() is\ncalled without the PCI rescan-remove lock being held. Even in the non-error\ncase, adding new PCI devices and buses should be serialized via the PCI\nrescan-remove lock. Add the necessary locking."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T14:50:42.996Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf"
},
{
"url": "https://git.kernel.org/stable/c/1e8a80290f964bdbad225221c8a1594c7e01c8fd"
},
{
"url": "https://git.kernel.org/stable/c/a645ca21de09e3137cbb224fa6c23cca873a1d01"
},
{
"url": "https://git.kernel.org/stable/c/a24219172456f035d886857e265ca24c85b167c8"
},
{
"url": "https://git.kernel.org/stable/c/36039348bca77828bf06eae41b8f76e38cd15847"
},
{
"url": "https://git.kernel.org/stable/c/53154cd40ccf285f1d1c24367824082061d155bd"
},
{
"url": "https://git.kernel.org/stable/c/ee40e5db052d7c6f406fdb95ad639c894c74674c"
},
{
"url": "https://git.kernel.org/stable/c/05703271c3cdcc0f2a8cf6ebdc45892b8ca83520"
}
],
"title": "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40219",
"datePublished": "2025-12-04T14:50:42.996Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-04T14:50:42.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40246 (GCVE-0-2025-40246)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-04 16:08
VLAI?
EPSS
Title
xfs: fix out of bounds memory read error in symlink repair
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: fix out of bounds memory read error in symlink repair
xfs/286 produced this report on my test fleet:
==================================================================
BUG: KFENCE: out-of-bounds read in memcpy_orig+0x54/0x110
Out-of-bounds read at 0xffff88843fe9e038 (184B right of kfence-#184):
memcpy_orig+0x54/0x110
xrep_symlink_salvage_inline+0xb3/0xf0 [xfs]
xrep_symlink_salvage+0x100/0x110 [xfs]
xrep_symlink+0x2e/0x80 [xfs]
xrep_attempt+0x61/0x1f0 [xfs]
xfs_scrub_metadata+0x34f/0x5c0 [xfs]
xfs_ioc_scrubv_metadata+0x387/0x560 [xfs]
xfs_file_ioctl+0xe23/0x10e0 [xfs]
__x64_sys_ioctl+0x76/0xc0
do_syscall_64+0x4e/0x1e0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
kfence-#184: 0xffff88843fe9df80-0xffff88843fe9dfea, size=107, cache=kmalloc-128
allocated by task 3470 on cpu 1 at 263329.131592s (192823.508886s ago):
xfs_init_local_fork+0x79/0xe0 [xfs]
xfs_iformat_local+0xa4/0x170 [xfs]
xfs_iformat_data_fork+0x148/0x180 [xfs]
xfs_inode_from_disk+0x2cd/0x480 [xfs]
xfs_iget+0x450/0xd60 [xfs]
xfs_bulkstat_one_int+0x6b/0x510 [xfs]
xfs_bulkstat_iwalk+0x1e/0x30 [xfs]
xfs_iwalk_ag_recs+0xdf/0x150 [xfs]
xfs_iwalk_run_callbacks+0xb9/0x190 [xfs]
xfs_iwalk_ag+0x1dc/0x2f0 [xfs]
xfs_iwalk_args.constprop.0+0x6a/0x120 [xfs]
xfs_iwalk+0xa4/0xd0 [xfs]
xfs_bulkstat+0xfa/0x170 [xfs]
xfs_ioc_fsbulkstat.isra.0+0x13a/0x230 [xfs]
xfs_file_ioctl+0xbf2/0x10e0 [xfs]
__x64_sys_ioctl+0x76/0xc0
do_syscall_64+0x4e/0x1e0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
CPU: 1 UID: 0 PID: 1300113 Comm: xfs_scrub Not tainted 6.18.0-rc4-djwx #rc4 PREEMPT(lazy) 3d744dd94e92690f00a04398d2bd8631dcef1954
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-4.module+el8.8.0+21164+ed375313 04/01/2014
==================================================================
On further analysis, I realized that the second parameter to min() is
not correct. xfs_ifork::if_bytes is the size of the xfs_ifork::if_data
buffer. if_bytes can be smaller than the data fork size because:
(a) the forkoff code tries to keep the data area as large as possible
(b) for symbolic links, if_bytes is the ondisk file size + 1
(c) forkoff is always a multiple of 8.
Case in point: for a single-byte symlink target, forkoff will be
8 but the buffer will only be 2 bytes long.
In other words, the logic here is wrong and we walk off the end of the
incore buffer. Fix that.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2651923d8d8db00a57665822f017fa7c76758044 , < 7c2d68e091584149fe89bcbaf9b99b3162d46ee7
(git)
Affected: 2651923d8d8db00a57665822f017fa7c76758044 , < 81a8685cac4bf081c93a7df591644f4f80240bb9 (git) Affected: 2651923d8d8db00a57665822f017fa7c76758044 , < 678e1cc2f482e0985a0613ab4a5bf89c497e5acc (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/scrub/symlink_repair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c2d68e091584149fe89bcbaf9b99b3162d46ee7",
"status": "affected",
"version": "2651923d8d8db00a57665822f017fa7c76758044",
"versionType": "git"
},
{
"lessThan": "81a8685cac4bf081c93a7df591644f4f80240bb9",
"status": "affected",
"version": "2651923d8d8db00a57665822f017fa7c76758044",
"versionType": "git"
},
{
"lessThan": "678e1cc2f482e0985a0613ab4a5bf89c497e5acc",
"status": "affected",
"version": "2651923d8d8db00a57665822f017fa7c76758044",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/scrub/symlink_repair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix out of bounds memory read error in symlink repair\n\nxfs/286 produced this report on my test fleet:\n\n ==================================================================\n BUG: KFENCE: out-of-bounds read in memcpy_orig+0x54/0x110\n\n Out-of-bounds read at 0xffff88843fe9e038 (184B right of kfence-#184):\n memcpy_orig+0x54/0x110\n xrep_symlink_salvage_inline+0xb3/0xf0 [xfs]\n xrep_symlink_salvage+0x100/0x110 [xfs]\n xrep_symlink+0x2e/0x80 [xfs]\n xrep_attempt+0x61/0x1f0 [xfs]\n xfs_scrub_metadata+0x34f/0x5c0 [xfs]\n xfs_ioc_scrubv_metadata+0x387/0x560 [xfs]\n xfs_file_ioctl+0xe23/0x10e0 [xfs]\n __x64_sys_ioctl+0x76/0xc0\n do_syscall_64+0x4e/0x1e0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n kfence-#184: 0xffff88843fe9df80-0xffff88843fe9dfea, size=107, cache=kmalloc-128\n\n allocated by task 3470 on cpu 1 at 263329.131592s (192823.508886s ago):\n xfs_init_local_fork+0x79/0xe0 [xfs]\n xfs_iformat_local+0xa4/0x170 [xfs]\n xfs_iformat_data_fork+0x148/0x180 [xfs]\n xfs_inode_from_disk+0x2cd/0x480 [xfs]\n xfs_iget+0x450/0xd60 [xfs]\n xfs_bulkstat_one_int+0x6b/0x510 [xfs]\n xfs_bulkstat_iwalk+0x1e/0x30 [xfs]\n xfs_iwalk_ag_recs+0xdf/0x150 [xfs]\n xfs_iwalk_run_callbacks+0xb9/0x190 [xfs]\n xfs_iwalk_ag+0x1dc/0x2f0 [xfs]\n xfs_iwalk_args.constprop.0+0x6a/0x120 [xfs]\n xfs_iwalk+0xa4/0xd0 [xfs]\n xfs_bulkstat+0xfa/0x170 [xfs]\n xfs_ioc_fsbulkstat.isra.0+0x13a/0x230 [xfs]\n xfs_file_ioctl+0xbf2/0x10e0 [xfs]\n __x64_sys_ioctl+0x76/0xc0\n do_syscall_64+0x4e/0x1e0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n CPU: 1 UID: 0 PID: 1300113 Comm: xfs_scrub Not tainted 6.18.0-rc4-djwx #rc4 PREEMPT(lazy) 3d744dd94e92690f00a04398d2bd8631dcef1954\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-4.module+el8.8.0+21164+ed375313 04/01/2014\n ==================================================================\n\nOn further analysis, I realized that the second parameter to min() is\nnot correct. xfs_ifork::if_bytes is the size of the xfs_ifork::if_data\nbuffer. if_bytes can be smaller than the data fork size because:\n\n(a) the forkoff code tries to keep the data area as large as possible\n(b) for symbolic links, if_bytes is the ondisk file size + 1\n(c) forkoff is always a multiple of 8.\n\nCase in point: for a single-byte symlink target, forkoff will be\n8 but the buffer will only be 2 bytes long.\n\nIn other words, the logic here is wrong and we walk off the end of the\nincore buffer. Fix that."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T16:08:09.751Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c2d68e091584149fe89bcbaf9b99b3162d46ee7"
},
{
"url": "https://git.kernel.org/stable/c/81a8685cac4bf081c93a7df591644f4f80240bb9"
},
{
"url": "https://git.kernel.org/stable/c/678e1cc2f482e0985a0613ab4a5bf89c497e5acc"
}
],
"title": "xfs: fix out of bounds memory read error in symlink repair",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40246",
"datePublished": "2025-12-04T16:08:09.751Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-04T16:08:09.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71081 (GCVE-0-2025-71081)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
ASoC: stm32: sai: fix OF node leak on probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: stm32: sai: fix OF node leak on probe
The reference taken to the sync provider OF node when probing the
platform device is currently only dropped if the set_sync() callback
fails during DAI probe.
Make sure to drop the reference on platform probe failures (e.g. probe
deferral) and on driver unbind.
This also avoids a potential use-after-free in case the DAI is ever
reprobed without first rebinding the platform driver.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5914d285f6b782892a91d6621723fdc41a775b15 , < 7daa50a2157e41c964b745ab1dc378b5b3b626d1
(git)
Affected: 5914d285f6b782892a91d6621723fdc41a775b15 , < acda653169e180b1d860dbb6bc5aceb105858394 (git) Affected: 5914d285f6b782892a91d6621723fdc41a775b15 , < 4054a3597d047f3fe87864ef87f399b5d523e6c0 (git) Affected: 5914d285f6b782892a91d6621723fdc41a775b15 , < bae74771fc5d3b2a9cf6f5aa64596083d032c4a3 (git) Affected: 5914d285f6b782892a91d6621723fdc41a775b15 , < 3752afcc6d80d5525e236e329895ba2cb93bcb26 (git) Affected: 5914d285f6b782892a91d6621723fdc41a775b15 , < 23261f0de09427367e99f39f588e31e2856a690e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/stm/stm32_sai.c",
"sound/soc/stm/stm32_sai_sub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7daa50a2157e41c964b745ab1dc378b5b3b626d1",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "acda653169e180b1d860dbb6bc5aceb105858394",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "4054a3597d047f3fe87864ef87f399b5d523e6c0",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "bae74771fc5d3b2a9cf6f5aa64596083d032c4a3",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "3752afcc6d80d5525e236e329895ba2cb93bcb26",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "23261f0de09427367e99f39f588e31e2856a690e",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/stm/stm32_sai.c",
"sound/soc/stm/stm32_sai_sub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: stm32: sai: fix OF node leak on probe\n\nThe reference taken to the sync provider OF node when probing the\nplatform device is currently only dropped if the set_sync() callback\nfails during DAI probe.\n\nMake sure to drop the reference on platform probe failures (e.g. probe\ndeferral) and on driver unbind.\n\nThis also avoids a potential use-after-free in case the DAI is ever\nreprobed without first rebinding the platform driver."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:32.444Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7daa50a2157e41c964b745ab1dc378b5b3b626d1"
},
{
"url": "https://git.kernel.org/stable/c/acda653169e180b1d860dbb6bc5aceb105858394"
},
{
"url": "https://git.kernel.org/stable/c/4054a3597d047f3fe87864ef87f399b5d523e6c0"
},
{
"url": "https://git.kernel.org/stable/c/bae74771fc5d3b2a9cf6f5aa64596083d032c4a3"
},
{
"url": "https://git.kernel.org/stable/c/3752afcc6d80d5525e236e329895ba2cb93bcb26"
},
{
"url": "https://git.kernel.org/stable/c/23261f0de09427367e99f39f588e31e2856a690e"
}
],
"title": "ASoC: stm32: sai: fix OF node leak on probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71081",
"datePublished": "2026-01-13T15:34:45.503Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-02-09T08:34:32.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68328 (GCVE-0-2025-68328)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2025-12-22 16:14
VLAI?
EPSS
Title
firmware: stratix10-svc: fix bug in saving controller data
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: stratix10-svc: fix bug in saving controller data
Fix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They
both are of the same data and overrides each other. This resulted in the
rmmod of the svc driver to fail and throw a kernel panic for kthread_stop
and fifo free.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b5dc75c915cdaebab9b9875022e45638d6b14a7e , < 9d0a330abd9e49bcebf6307aac185081bde49a43
(git)
Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < 354fb03002da0970d337f0d3edbeb46cc4fa6f41 (git) Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < b359df793f609b1efce31dadfe6883ec73852619 (git) Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < 71796c91ee8e33faf4434a9e210b5063c28ea907 (git) Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < 60ab1851614e6007344042b66da6e31d1cc26cb3 (git) Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < bd226fa02ed6db6fce0fae010802f0950fd14fb9 (git) Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < d0fcf70c680e4d1669fcb3a8632f41400b9a73c2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/stratix10-svc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d0a330abd9e49bcebf6307aac185081bde49a43",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "354fb03002da0970d337f0d3edbeb46cc4fa6f41",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "b359df793f609b1efce31dadfe6883ec73852619",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "71796c91ee8e33faf4434a9e210b5063c28ea907",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "60ab1851614e6007344042b66da6e31d1cc26cb3",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "bd226fa02ed6db6fce0fae010802f0950fd14fb9",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "d0fcf70c680e4d1669fcb3a8632f41400b9a73c2",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/stratix10-svc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: stratix10-svc: fix bug in saving controller data\n\nFix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They\nboth are of the same data and overrides each other. This resulted in the\nrmmod of the svc driver to fail and throw a kernel panic for kthread_stop\nand fifo free."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:00.130Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d0a330abd9e49bcebf6307aac185081bde49a43"
},
{
"url": "https://git.kernel.org/stable/c/354fb03002da0970d337f0d3edbeb46cc4fa6f41"
},
{
"url": "https://git.kernel.org/stable/c/b359df793f609b1efce31dadfe6883ec73852619"
},
{
"url": "https://git.kernel.org/stable/c/71796c91ee8e33faf4434a9e210b5063c28ea907"
},
{
"url": "https://git.kernel.org/stable/c/60ab1851614e6007344042b66da6e31d1cc26cb3"
},
{
"url": "https://git.kernel.org/stable/c/bd226fa02ed6db6fce0fae010802f0950fd14fb9"
},
{
"url": "https://git.kernel.org/stable/c/d0fcf70c680e4d1669fcb3a8632f41400b9a73c2"
}
],
"title": "firmware: stratix10-svc: fix bug in saving controller data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68328",
"datePublished": "2025-12-22T16:12:22.218Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-22T16:14:00.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40221 (GCVE-0-2025-40221)
Vulnerability from cvelistv5 – Published: 2025-12-04 14:50 – Updated: 2025-12-04 14:50
VLAI?
EPSS
Title
media: pci: mg4b: fix uninitialized iio scan data
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: pci: mg4b: fix uninitialized iio scan data
Fix potential leak of uninitialized stack data to userspace by ensuring
that the `scan` structure is zeroed before use.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0ab13674a9bd10514486cf1670d71dbd8afec421 , < b7f82da7f86479cb6479a76ebe213ece7c77398f
(git)
Affected: 0ab13674a9bd10514486cf1670d71dbd8afec421 , < b792eba44494b4e6ab5006013335f9819f303b8b (git) Affected: 0ab13674a9bd10514486cf1670d71dbd8afec421 , < c0d3f6969bb4d72476cfe7ea9263831f1c283704 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/mgb4/mgb4_trigger.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7f82da7f86479cb6479a76ebe213ece7c77398f",
"status": "affected",
"version": "0ab13674a9bd10514486cf1670d71dbd8afec421",
"versionType": "git"
},
{
"lessThan": "b792eba44494b4e6ab5006013335f9819f303b8b",
"status": "affected",
"version": "0ab13674a9bd10514486cf1670d71dbd8afec421",
"versionType": "git"
},
{
"lessThan": "c0d3f6969bb4d72476cfe7ea9263831f1c283704",
"status": "affected",
"version": "0ab13674a9bd10514486cf1670d71dbd8afec421",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/mgb4/mgb4_trigger.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pci: mg4b: fix uninitialized iio scan data\n\nFix potential leak of uninitialized stack data to userspace by ensuring\nthat the `scan` structure is zeroed before use."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T14:50:45.439Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7f82da7f86479cb6479a76ebe213ece7c77398f"
},
{
"url": "https://git.kernel.org/stable/c/b792eba44494b4e6ab5006013335f9819f303b8b"
},
{
"url": "https://git.kernel.org/stable/c/c0d3f6969bb4d72476cfe7ea9263831f1c283704"
}
],
"title": "media: pci: mg4b: fix uninitialized iio scan data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40221",
"datePublished": "2025-12-04T14:50:45.439Z",
"dateReserved": "2025-04-16T07:20:57.180Z",
"dateUpdated": "2025-12-04T14:50:45.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40078 (GCVE-0-2025-40078)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
bpf: Explicitly check accesses to bpf_sock_addr
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Explicitly check accesses to bpf_sock_addr
Syzkaller found a kernel warning on the following sock_addr program:
0: r0 = 0
1: r2 = *(u32 *)(r1 +60)
2: exit
which triggers:
verifier bug: error during ctx access conversion (0)
This is happening because offset 60 in bpf_sock_addr corresponds to an
implicit padding of 4 bytes, right after msg_src_ip4. Access to this
padding isn't rejected in sock_addr_is_valid_access and it thus later
fails to convert the access.
This patch fixes it by explicitly checking the various fields of
bpf_sock_addr in sock_addr_is_valid_access.
I checked the other ctx structures and is_valid_access functions and
didn't find any other similar cases. Other cases of (properly handled)
padding are covered in new tests in a subsequent patch.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1cedee13d25ab118d325f95588c1a084e9317229 , < de44cdc50d2dce8718cb57deddf9cf1be9a7759f
(git)
Affected: 1cedee13d25ab118d325f95588c1a084e9317229 , < 76e04bbb4296fb6eac084dbfc27e02ccc744db3e (git) Affected: 1cedee13d25ab118d325f95588c1a084e9317229 , < 6d8b1a21fd5c34622b0c3893c61e4a38d8ba53ec (git) Affected: 1cedee13d25ab118d325f95588c1a084e9317229 , < 4f00858cd9bbbdf67159e28b85a8ca9e77c83622 (git) Affected: 1cedee13d25ab118d325f95588c1a084e9317229 , < cdeafacb4f9ff261a96baef519e29480fd7b1019 (git) Affected: 1cedee13d25ab118d325f95588c1a084e9317229 , < fe9d33f0470350558cb08cecb54cf2267b3a45d2 (git) Affected: 1cedee13d25ab118d325f95588c1a084e9317229 , < ad8b4fe5617e3c85fc23267f02500c4f3bf0ff69 (git) Affected: 1cedee13d25ab118d325f95588c1a084e9317229 , < 6fabca2fc94d33cdf7ec102058983b086293395f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de44cdc50d2dce8718cb57deddf9cf1be9a7759f",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "76e04bbb4296fb6eac084dbfc27e02ccc744db3e",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "6d8b1a21fd5c34622b0c3893c61e4a38d8ba53ec",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "4f00858cd9bbbdf67159e28b85a8ca9e77c83622",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "cdeafacb4f9ff261a96baef519e29480fd7b1019",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "fe9d33f0470350558cb08cecb54cf2267b3a45d2",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "ad8b4fe5617e3c85fc23267f02500c4f3bf0ff69",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "6fabca2fc94d33cdf7ec102058983b086293395f",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Explicitly check accesses to bpf_sock_addr\n\nSyzkaller found a kernel warning on the following sock_addr program:\n\n 0: r0 = 0\n 1: r2 = *(u32 *)(r1 +60)\n 2: exit\n\nwhich triggers:\n\n verifier bug: error during ctx access conversion (0)\n\nThis is happening because offset 60 in bpf_sock_addr corresponds to an\nimplicit padding of 4 bytes, right after msg_src_ip4. Access to this\npadding isn\u0027t rejected in sock_addr_is_valid_access and it thus later\nfails to convert the access.\n\nThis patch fixes it by explicitly checking the various fields of\nbpf_sock_addr in sock_addr_is_valid_access.\n\nI checked the other ctx structures and is_valid_access functions and\ndidn\u0027t find any other similar cases. Other cases of (properly handled)\npadding are covered in new tests in a subsequent patch."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:35.028Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de44cdc50d2dce8718cb57deddf9cf1be9a7759f"
},
{
"url": "https://git.kernel.org/stable/c/76e04bbb4296fb6eac084dbfc27e02ccc744db3e"
},
{
"url": "https://git.kernel.org/stable/c/6d8b1a21fd5c34622b0c3893c61e4a38d8ba53ec"
},
{
"url": "https://git.kernel.org/stable/c/4f00858cd9bbbdf67159e28b85a8ca9e77c83622"
},
{
"url": "https://git.kernel.org/stable/c/cdeafacb4f9ff261a96baef519e29480fd7b1019"
},
{
"url": "https://git.kernel.org/stable/c/fe9d33f0470350558cb08cecb54cf2267b3a45d2"
},
{
"url": "https://git.kernel.org/stable/c/ad8b4fe5617e3c85fc23267f02500c4f3bf0ff69"
},
{
"url": "https://git.kernel.org/stable/c/6fabca2fc94d33cdf7ec102058983b086293395f"
}
],
"title": "bpf: Explicitly check accesses to bpf_sock_addr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40078",
"datePublished": "2025-10-28T11:48:43.548Z",
"dateReserved": "2025-04-16T07:20:57.160Z",
"dateUpdated": "2025-12-01T06:17:35.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40314 (GCVE-0-2025-40314)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget
In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget
structure (pdev->gadget) was freed before its endpoints.
The endpoints are linked via the ep_list in the gadget structure.
Freeing the gadget first leaves dangling pointers in the endpoint list.
When the endpoints are subsequently freed, this results in a use-after-free.
Fix:
By separating the usb_del_gadget_udc() operation into distinct "del" and
"put" steps, cdnsp_gadget_free_endpoints() can be executed prior to the
final release of the gadget structure with usb_put_gadget().
A patch similar to bb9c74a5bd14("usb: dwc3: gadget: Free gadget structure
only after freeing endpoints").
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8bc1901ca7b07d864fca11461b3875b31f949765 , < 0cf9a50af91fbdac3849f8d950e883a3eaa3ecea
(git)
Affected: 8bc1901ca7b07d864fca11461b3875b31f949765 , < 37158ce6ba964b62d1e3eebd11f03c6900a52dd1 (git) Affected: 8bc1901ca7b07d864fca11461b3875b31f949765 , < ea37884097a0931abb8e11e40eacfb25e9fdb5e9 (git) Affected: 8bc1901ca7b07d864fca11461b3875b31f949765 , < 9c52f01429c377a2d32cafc977465f37b5384f77 (git) Affected: 8bc1901ca7b07d864fca11461b3875b31f949765 , < fdf573c517627a96f5040f988e9b21267806be5c (git) Affected: 8bc1901ca7b07d864fca11461b3875b31f949765 , < 87c5ff5615dc0a37167e8faf3adeeddc6f1344a3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/cdns3/cdnsp-gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0cf9a50af91fbdac3849f8d950e883a3eaa3ecea",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
},
{
"lessThan": "37158ce6ba964b62d1e3eebd11f03c6900a52dd1",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
},
{
"lessThan": "ea37884097a0931abb8e11e40eacfb25e9fdb5e9",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
},
{
"lessThan": "9c52f01429c377a2d32cafc977465f37b5384f77",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
},
{
"lessThan": "fdf573c517627a96f5040f988e9b21267806be5c",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
},
{
"lessThan": "87c5ff5615dc0a37167e8faf3adeeddc6f1344a3",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/cdns3/cdnsp-gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget\n\nIn the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget\nstructure (pdev-\u003egadget) was freed before its endpoints.\nThe endpoints are linked via the ep_list in the gadget structure.\nFreeing the gadget first leaves dangling pointers in the endpoint list.\nWhen the endpoints are subsequently freed, this results in a use-after-free.\n\nFix:\nBy separating the usb_del_gadget_udc() operation into distinct \"del\" and\n\"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the\nfinal release of the gadget structure with usb_put_gadget().\n\nA patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure\n only after freeing endpoints\")."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:04.254Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0cf9a50af91fbdac3849f8d950e883a3eaa3ecea"
},
{
"url": "https://git.kernel.org/stable/c/37158ce6ba964b62d1e3eebd11f03c6900a52dd1"
},
{
"url": "https://git.kernel.org/stable/c/ea37884097a0931abb8e11e40eacfb25e9fdb5e9"
},
{
"url": "https://git.kernel.org/stable/c/9c52f01429c377a2d32cafc977465f37b5384f77"
},
{
"url": "https://git.kernel.org/stable/c/fdf573c517627a96f5040f988e9b21267806be5c"
},
{
"url": "https://git.kernel.org/stable/c/87c5ff5615dc0a37167e8faf3adeeddc6f1344a3"
}
],
"title": "usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40314",
"datePublished": "2025-12-08T00:46:40.576Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-20T08:52:04.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40273 (GCVE-0-2025-40273)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2025-12-06 21:50
VLAI?
EPSS
Title
NFSD: free copynotify stateid in nfs4_free_ol_stateid()
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: free copynotify stateid in nfs4_free_ol_stateid()
Typically copynotify stateid is freed either when parent's stateid
is being close/freed or in nfsd4_laundromat if the stateid hasn't
been used in a lease period.
However, in case when the server got an OPEN (which created
a parent stateid), followed by a COPY_NOTIFY using that stateid,
followed by a client reboot. New client instance while doing
CREATE_SESSION would force expire previous state of this client.
It leads to the open state being freed thru release_openowner->
nfs4_free_ol_stateid() and it finds that it still has copynotify
stateid associated with it. We currently print a warning and is
triggerred
WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]
This patch, instead, frees the associated copynotify stateid here.
If the parent stateid is freed (without freeing the copynotify
stateids associated with it), it leads to the list corruption
when laundromat ends up freeing the copynotify state later.
[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
[ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink
[ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G B W 6.17.0-rc7+ #22 PREEMPT(voluntary)
[ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN
[ 1626.857573] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024
[ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd]
[ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200
[ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200
[ 1626.861182] sp : ffff8000881d7a40
[ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200
[ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20
[ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8
[ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000
[ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065
[ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3
[ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000
[ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001
[ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000
[ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d
[ 1626.868167] Call trace:
[ 1626.868382] __list_del_entry_valid_or_report+0x148/0x200 (P)
[ 1626.868876] _free_cpntf_state_locked+0xd0/0x268 [nfsd]
[ 1626.869368] nfs4_laundromat+0x6f8/0x1058 [nfsd]
[ 1626.869813] laundromat_main+0x24/0x60 [nfsd]
[ 1626.870231] process_one_work+0x584/0x1050
[ 1626.870595] worker_thread+0x4c4/0xc60
[ 1626.870893] kthread+0x2f8/0x398
[ 1626.871146] ret_from_fork+0x10/0x20
[ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000)
[ 1626.871892] SMP: stopping secondary CPUs
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
624322f1adc58acd0b69f77a6ddc764207e97241 , < 935a2dc8928670bb2c37e21025331e61ec48ccf4
(git)
Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < b114996a095da39e38410a0328d4a8aca8c36088 (git) Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < 839f56f626723f36904764858467e7a3881b975d (git) Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < 29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66 (git) Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < d7be15a634aa3874827d0d3ea47452ee878b8df7 (git) Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb (git) Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < 4aa17144d5abc3c756883e3a010246f0dba8b468 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "935a2dc8928670bb2c37e21025331e61ec48ccf4",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "b114996a095da39e38410a0328d4a8aca8c36088",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "839f56f626723f36904764858467e7a3881b975d",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "d7be15a634aa3874827d0d3ea47452ee878b8df7",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "4aa17144d5abc3c756883e3a010246f0dba8b468",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: free copynotify stateid in nfs4_free_ol_stateid()\n\nTypically copynotify stateid is freed either when parent\u0027s stateid\nis being close/freed or in nfsd4_laundromat if the stateid hasn\u0027t\nbeen used in a lease period.\n\nHowever, in case when the server got an OPEN (which created\na parent stateid), followed by a COPY_NOTIFY using that stateid,\nfollowed by a client reboot. New client instance while doing\nCREATE_SESSION would force expire previous state of this client.\nIt leads to the open state being freed thru release_openowner-\u003e\nnfs4_free_ol_stateid() and it finds that it still has copynotify\nstateid associated with it. We currently print a warning and is\ntriggerred\n\nWARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]\n\nThis patch, instead, frees the associated copynotify stateid here.\n\nIf the parent stateid is freed (without freeing the copynotify\nstateids associated with it), it leads to the list corruption\nwhen laundromat ends up freeing the copynotify state later.\n\n[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n[ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink\n[ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G B W 6.17.0-rc7+ #22 PREEMPT(voluntary)\n[ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN\n[ 1626.857573] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024\n[ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd]\n[ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200\n[ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200\n[ 1626.861182] sp : ffff8000881d7a40\n[ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200\n[ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20\n[ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8\n[ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000\n[ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065\n[ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3\n[ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000\n[ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001\n[ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000\n[ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d\n[ 1626.868167] Call trace:\n[ 1626.868382] __list_del_entry_valid_or_report+0x148/0x200 (P)\n[ 1626.868876] _free_cpntf_state_locked+0xd0/0x268 [nfsd]\n[ 1626.869368] nfs4_laundromat+0x6f8/0x1058 [nfsd]\n[ 1626.869813] laundromat_main+0x24/0x60 [nfsd]\n[ 1626.870231] process_one_work+0x584/0x1050\n[ 1626.870595] worker_thread+0x4c4/0xc60\n[ 1626.870893] kthread+0x2f8/0x398\n[ 1626.871146] ret_from_fork+0x10/0x20\n[ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000)\n[ 1626.871892] SMP: stopping secondary CPUs"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:50:55.723Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/935a2dc8928670bb2c37e21025331e61ec48ccf4"
},
{
"url": "https://git.kernel.org/stable/c/b114996a095da39e38410a0328d4a8aca8c36088"
},
{
"url": "https://git.kernel.org/stable/c/839f56f626723f36904764858467e7a3881b975d"
},
{
"url": "https://git.kernel.org/stable/c/29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66"
},
{
"url": "https://git.kernel.org/stable/c/d7be15a634aa3874827d0d3ea47452ee878b8df7"
},
{
"url": "https://git.kernel.org/stable/c/f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb"
},
{
"url": "https://git.kernel.org/stable/c/4aa17144d5abc3c756883e3a010246f0dba8b468"
}
],
"title": "NFSD: free copynotify stateid in nfs4_free_ol_stateid()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40273",
"datePublished": "2025-12-06T21:50:55.723Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2025-12-06T21:50:55.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40104 (GCVE-0-2025-40104)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:48 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
ixgbevf: fix mailbox API compatibility by negotiating supported features
Summary
In the Linux kernel, the following vulnerability has been resolved:
ixgbevf: fix mailbox API compatibility by negotiating supported features
There was backward compatibility in the terms of mailbox API. Various
drivers from various OSes supporting 10G adapters from Intel portfolio
could easily negotiate mailbox API.
This convention has been broken since introducing API 1.4.
Commit 0062e7cc955e ("ixgbevf: add VF IPsec offload code") added support
for IPSec which is specific only for the kernel ixgbe driver. None of the
rest of the Intel 10G PF/VF drivers supports it. And actually lack of
support was not included in the IPSec implementation - there were no such
code paths. No possibility to negotiate support for the feature was
introduced along with introduction of the feature itself.
Commit 339f28964147 ("ixgbevf: Add support for new mailbox communication
between PF and VF") increasing API version to 1.5 did the same - it
introduced code supported specifically by the PF ESX driver. It altered API
version for the VF driver in the same time not touching the version
defined for the PF ixgbe driver. It led to additional discrepancies,
as the code provided within API 1.6 cannot be supported for Linux ixgbe
driver as it causes crashes.
The issue was noticed some time ago and mitigated by Jake within the commit
d0725312adf5 ("ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5").
As a result we have regression for IPsec support and after increasing API
to version 1.6 ixgbevf driver stopped to support ESX MBX.
To fix this mess add new mailbox op asking PF driver about supported
features. Basing on a response determine whether to set support for IPSec
and ESX-specific enhanced mailbox.
New mailbox op, for compatibility purposes, must be added within new API
revision, as API version of OOT PF & VF drivers is already increased to
1.6 and doesn't incorporate features negotiate op.
Features negotiation mechanism gives possibility to be extended with new
features when needed in the future.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0062e7cc955e0827a88570ed36ea511a7dcb391e , < 871ac1cd4ce4804defcb428cbb003fd84c415ff4
(git)
Affected: 0062e7cc955e0827a88570ed36ea511a7dcb391e , < 2e0aab9ddaf1428602c78f12064cd1e6ffcc4d18 (git) Affected: 0062e7cc955e0827a88570ed36ea511a7dcb391e , < bf580112ed61736c2645a893413a04732505d4b1 (git) Affected: 0062e7cc955e0827a88570ed36ea511a7dcb391e , < a376e29b1b196dc90b50df7e5e3947e3026300c4 (git) Affected: 0062e7cc955e0827a88570ed36ea511a7dcb391e , < a7075f501bd33c93570af759b6f4302ef0175168 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ixgbevf/ipsec.c",
"drivers/net/ethernet/intel/ixgbevf/ixgbevf.h",
"drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c",
"drivers/net/ethernet/intel/ixgbevf/mbx.h",
"drivers/net/ethernet/intel/ixgbevf/vf.c",
"drivers/net/ethernet/intel/ixgbevf/vf.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "871ac1cd4ce4804defcb428cbb003fd84c415ff4",
"status": "affected",
"version": "0062e7cc955e0827a88570ed36ea511a7dcb391e",
"versionType": "git"
},
{
"lessThan": "2e0aab9ddaf1428602c78f12064cd1e6ffcc4d18",
"status": "affected",
"version": "0062e7cc955e0827a88570ed36ea511a7dcb391e",
"versionType": "git"
},
{
"lessThan": "bf580112ed61736c2645a893413a04732505d4b1",
"status": "affected",
"version": "0062e7cc955e0827a88570ed36ea511a7dcb391e",
"versionType": "git"
},
{
"lessThan": "a376e29b1b196dc90b50df7e5e3947e3026300c4",
"status": "affected",
"version": "0062e7cc955e0827a88570ed36ea511a7dcb391e",
"versionType": "git"
},
{
"lessThan": "a7075f501bd33c93570af759b6f4302ef0175168",
"status": "affected",
"version": "0062e7cc955e0827a88570ed36ea511a7dcb391e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ixgbevf/ipsec.c",
"drivers/net/ethernet/intel/ixgbevf/ixgbevf.h",
"drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c",
"drivers/net/ethernet/intel/ixgbevf/mbx.h",
"drivers/net/ethernet/intel/ixgbevf/vf.c",
"drivers/net/ethernet/intel/ixgbevf/vf.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbevf: fix mailbox API compatibility by negotiating supported features\n\nThere was backward compatibility in the terms of mailbox API. Various\ndrivers from various OSes supporting 10G adapters from Intel portfolio\ncould easily negotiate mailbox API.\n\nThis convention has been broken since introducing API 1.4.\nCommit 0062e7cc955e (\"ixgbevf: add VF IPsec offload code\") added support\nfor IPSec which is specific only for the kernel ixgbe driver. None of the\nrest of the Intel 10G PF/VF drivers supports it. And actually lack of\nsupport was not included in the IPSec implementation - there were no such\ncode paths. No possibility to negotiate support for the feature was\nintroduced along with introduction of the feature itself.\n\nCommit 339f28964147 (\"ixgbevf: Add support for new mailbox communication\nbetween PF and VF\") increasing API version to 1.5 did the same - it\nintroduced code supported specifically by the PF ESX driver. It altered API\nversion for the VF driver in the same time not touching the version\ndefined for the PF ixgbe driver. It led to additional discrepancies,\nas the code provided within API 1.6 cannot be supported for Linux ixgbe\ndriver as it causes crashes.\n\nThe issue was noticed some time ago and mitigated by Jake within the commit\nd0725312adf5 (\"ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5\").\nAs a result we have regression for IPsec support and after increasing API\nto version 1.6 ixgbevf driver stopped to support ESX MBX.\n\nTo fix this mess add new mailbox op asking PF driver about supported\nfeatures. Basing on a response determine whether to set support for IPSec\nand ESX-specific enhanced mailbox.\n\nNew mailbox op, for compatibility purposes, must be added within new API\nrevision, as API version of OOT PF \u0026 VF drivers is already increased to\n1.6 and doesn\u0027t incorporate features negotiate op.\n\nFeatures negotiation mechanism gives possibility to be extended with new\nfeatures when needed in the future."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:07.279Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/871ac1cd4ce4804defcb428cbb003fd84c415ff4"
},
{
"url": "https://git.kernel.org/stable/c/2e0aab9ddaf1428602c78f12064cd1e6ffcc4d18"
},
{
"url": "https://git.kernel.org/stable/c/bf580112ed61736c2645a893413a04732505d4b1"
},
{
"url": "https://git.kernel.org/stable/c/a376e29b1b196dc90b50df7e5e3947e3026300c4"
},
{
"url": "https://git.kernel.org/stable/c/a7075f501bd33c93570af759b6f4302ef0175168"
}
],
"title": "ixgbevf: fix mailbox API compatibility by negotiating supported features",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40104",
"datePublished": "2025-10-30T09:48:09.051Z",
"dateReserved": "2025-04-16T07:20:57.165Z",
"dateUpdated": "2025-12-01T06:18:07.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71075 (GCVE-0-2025-71075)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
scsi: aic94xx: fix use-after-free in device removal path
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: aic94xx: fix use-after-free in device removal path
The asd_pci_remove() function fails to synchronize with pending tasklets
before freeing the asd_ha structure, leading to a potential
use-after-free vulnerability.
When a device removal is triggered (via hot-unplug or module unload),
race condition can occur.
The fix adds tasklet_kill() before freeing the asd_ha structure,
ensuring all scheduled tasklets complete before cleanup proceeds.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2908d778ab3e244900c310974e1fc1c69066e450 , < c8f6f88cd1df35155258285c4f43268b361819df
(git)
Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < 278455a82245a572aeb218a6212a416a98e418de (git) Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < b3e655e52b98a1d3df41c8e42035711e083099f8 (git) Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < e354793a7ab9bb0934ea699a9d57bcd1b48fc27b (git) Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < a41dc180b6e1229ae49ca290ae14d82101c148c3 (git) Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < 751c19635c2bfaaf2836a533caa3663633066dcf (git) Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < f6ab594672d4cba08540919a4e6be2e202b60007 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/aic94xx/aic94xx_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8f6f88cd1df35155258285c4f43268b361819df",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "278455a82245a572aeb218a6212a416a98e418de",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "b3e655e52b98a1d3df41c8e42035711e083099f8",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "e354793a7ab9bb0934ea699a9d57bcd1b48fc27b",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "a41dc180b6e1229ae49ca290ae14d82101c148c3",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "751c19635c2bfaaf2836a533caa3663633066dcf",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "f6ab594672d4cba08540919a4e6be2e202b60007",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/aic94xx/aic94xx_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: aic94xx: fix use-after-free in device removal path\n\nThe asd_pci_remove() function fails to synchronize with pending tasklets\nbefore freeing the asd_ha structure, leading to a potential\nuse-after-free vulnerability.\n\nWhen a device removal is triggered (via hot-unplug or module unload),\nrace condition can occur.\n\nThe fix adds tasklet_kill() before freeing the asd_ha structure,\nensuring all scheduled tasklets complete before cleanup proceeds."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:26.065Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8f6f88cd1df35155258285c4f43268b361819df"
},
{
"url": "https://git.kernel.org/stable/c/278455a82245a572aeb218a6212a416a98e418de"
},
{
"url": "https://git.kernel.org/stable/c/b3e655e52b98a1d3df41c8e42035711e083099f8"
},
{
"url": "https://git.kernel.org/stable/c/e354793a7ab9bb0934ea699a9d57bcd1b48fc27b"
},
{
"url": "https://git.kernel.org/stable/c/a41dc180b6e1229ae49ca290ae14d82101c148c3"
},
{
"url": "https://git.kernel.org/stable/c/751c19635c2bfaaf2836a533caa3663633066dcf"
},
{
"url": "https://git.kernel.org/stable/c/f6ab594672d4cba08540919a4e6be2e202b60007"
}
],
"title": "scsi: aic94xx: fix use-after-free in device removal path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71075",
"datePublished": "2026-01-13T15:31:28.075Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-02-09T08:34:26.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40264 (GCVE-0-2025-40264)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:39
VLAI?
EPSS
Title
be2net: pass wrb_params in case of OS2BMC
Summary
In the Linux kernel, the following vulnerability has been resolved:
be2net: pass wrb_params in case of OS2BMC
be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL
at be_send_pkt_to_bmc() call site. This may lead to dereferencing a NULL
pointer when processing a workaround for specific packet, as commit
bc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6
packet") states.
The correct way would be to pass the wrb_params from be_xmit().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
760c295e0e8d982917d004c9095cff61c0cbd803 , < 48d59b60dd5d7e4c48c077a2008c9dcd7b59bdfe
(git)
Affected: 760c295e0e8d982917d004c9095cff61c0cbd803 , < f499dfa5c98e92e72dd454eb95a1000a448f3405 (git) Affected: 760c295e0e8d982917d004c9095cff61c0cbd803 , < 630360c6724e27f1aa494ba3fffe1e38c4205284 (git) Affected: 760c295e0e8d982917d004c9095cff61c0cbd803 , < 012ee5882b1830db469194466a210768ed207388 (git) Affected: 760c295e0e8d982917d004c9095cff61c0cbd803 , < ce0a3699244aca3acb659f143c9cb1327b210f89 (git) Affected: 760c295e0e8d982917d004c9095cff61c0cbd803 , < 1ecd86ec6efddb59a10c927e8e679f183bb9113e (git) Affected: 760c295e0e8d982917d004c9095cff61c0cbd803 , < 4c4741f6e7f2fa4e1486cb61e1c15b9236ec134d (git) Affected: 760c295e0e8d982917d004c9095cff61c0cbd803 , < 7d277a7a58578dd62fd546ddaef459ec24ccae36 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/emulex/benet/be_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "48d59b60dd5d7e4c48c077a2008c9dcd7b59bdfe",
"status": "affected",
"version": "760c295e0e8d982917d004c9095cff61c0cbd803",
"versionType": "git"
},
{
"lessThan": "f499dfa5c98e92e72dd454eb95a1000a448f3405",
"status": "affected",
"version": "760c295e0e8d982917d004c9095cff61c0cbd803",
"versionType": "git"
},
{
"lessThan": "630360c6724e27f1aa494ba3fffe1e38c4205284",
"status": "affected",
"version": "760c295e0e8d982917d004c9095cff61c0cbd803",
"versionType": "git"
},
{
"lessThan": "012ee5882b1830db469194466a210768ed207388",
"status": "affected",
"version": "760c295e0e8d982917d004c9095cff61c0cbd803",
"versionType": "git"
},
{
"lessThan": "ce0a3699244aca3acb659f143c9cb1327b210f89",
"status": "affected",
"version": "760c295e0e8d982917d004c9095cff61c0cbd803",
"versionType": "git"
},
{
"lessThan": "1ecd86ec6efddb59a10c927e8e679f183bb9113e",
"status": "affected",
"version": "760c295e0e8d982917d004c9095cff61c0cbd803",
"versionType": "git"
},
{
"lessThan": "4c4741f6e7f2fa4e1486cb61e1c15b9236ec134d",
"status": "affected",
"version": "760c295e0e8d982917d004c9095cff61c0cbd803",
"versionType": "git"
},
{
"lessThan": "7d277a7a58578dd62fd546ddaef459ec24ccae36",
"status": "affected",
"version": "760c295e0e8d982917d004c9095cff61c0cbd803",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/emulex/benet/be_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbe2net: pass wrb_params in case of OS2BMC\n\nbe_insert_vlan_in_pkt() is called with the wrb_params argument being NULL\nat be_send_pkt_to_bmc() call site.\u00a0 This may lead to dereferencing a NULL\npointer when processing a workaround for specific packet, as commit\nbc0c3405abbb (\"be2net: fix a Tx stall bug caused by a specific ipv6\npacket\") states.\n\nThe correct way would be to pass the wrb_params from be_xmit()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:39:07.176Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/48d59b60dd5d7e4c48c077a2008c9dcd7b59bdfe"
},
{
"url": "https://git.kernel.org/stable/c/f499dfa5c98e92e72dd454eb95a1000a448f3405"
},
{
"url": "https://git.kernel.org/stable/c/630360c6724e27f1aa494ba3fffe1e38c4205284"
},
{
"url": "https://git.kernel.org/stable/c/012ee5882b1830db469194466a210768ed207388"
},
{
"url": "https://git.kernel.org/stable/c/ce0a3699244aca3acb659f143c9cb1327b210f89"
},
{
"url": "https://git.kernel.org/stable/c/1ecd86ec6efddb59a10c927e8e679f183bb9113e"
},
{
"url": "https://git.kernel.org/stable/c/4c4741f6e7f2fa4e1486cb61e1c15b9236ec134d"
},
{
"url": "https://git.kernel.org/stable/c/7d277a7a58578dd62fd546ddaef459ec24ccae36"
}
],
"title": "be2net: pass wrb_params in case of OS2BMC",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40264",
"datePublished": "2025-12-04T16:08:24.028Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2025-12-06T21:39:07.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39945 (GCVE-0-2025-39945)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:31 – Updated: 2025-10-04 07:37
VLAI?
EPSS
Title
cnic: Fix use-after-free bugs in cnic_delete_task
Summary
In the Linux kernel, the following vulnerability has been resolved:
cnic: Fix use-after-free bugs in cnic_delete_task
The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(),
which does not guarantee that the delayed work item 'delete_task' has
fully completed if it was already running. Additionally, the delayed work
item is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only
blocks and waits for work items that were already queued to the
workqueue prior to its invocation. Any work items submitted after
flush_workqueue() is called are not included in the set of tasks that the
flush operation awaits. This means that after the cyclic work items have
finished executing, a delayed work item may still exist in the workqueue.
This leads to use-after-free scenarios where the cnic_dev is deallocated
by cnic_free_dev(), while delete_task remains active and attempt to
dereference cnic_dev in cnic_delete_task().
A typical race condition is illustrated below:
CPU 0 (cleanup) | CPU 1 (delayed work callback)
cnic_netdev_event() |
cnic_stop_hw() | cnic_delete_task()
cnic_cm_stop_bnx2x_hw() | ...
cancel_delayed_work() | /* the queue_delayed_work()
flush_workqueue() | executes after flush_workqueue()*/
| queue_delayed_work()
cnic_free_dev(dev)//free | cnic_delete_task() //new instance
| dev = cp->dev; //use
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the cyclic delayed work item is properly canceled and that any
ongoing execution of the work item completes before the cnic_dev is
deallocated. Furthermore, since cancel_delayed_work_sync() uses
__flush_work(work, true) to synchronously wait for any currently
executing instance of the work item to finish, the flush_workqueue()
becomes redundant and should be removed.
This bug was identified through static analysis. To reproduce the issue
and validate the fix, I simulated the cnic PCI device in QEMU and
introduced intentional delays — such as inserting calls to ssleep()
within the cnic_delete_task() function — to increase the likelihood
of triggering the bug.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fdf24086f4752aee5dfb40143c736250df017820 , < fde6e73189f40ebcf0633aed2b68e731c25f3aa3
(git)
Affected: fdf24086f4752aee5dfb40143c736250df017820 , < 7b6a5b0a6b392263c3767fc945b311ea04b34bbd (git) Affected: fdf24086f4752aee5dfb40143c736250df017820 , < 0405055930264ea8fd26f4131466fa7652e5e47d (git) Affected: fdf24086f4752aee5dfb40143c736250df017820 , < e1fcd4a9c09feac0902a65615e866dbf22616125 (git) Affected: fdf24086f4752aee5dfb40143c736250df017820 , < 8eeb2091e72d75df8ceaa2172638d61b4cf8929a (git) Affected: fdf24086f4752aee5dfb40143c736250df017820 , < 6e33a7eed587062ca8161ad1f4584882a860d697 (git) Affected: fdf24086f4752aee5dfb40143c736250df017820 , < 0627e1481676669cae2df0d85b5ff13e7d24c390 (git) Affected: fdf24086f4752aee5dfb40143c736250df017820 , < cfa7d9b1e3a8604afc84e9e51d789c29574fb216 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/cnic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fde6e73189f40ebcf0633aed2b68e731c25f3aa3",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "7b6a5b0a6b392263c3767fc945b311ea04b34bbd",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "0405055930264ea8fd26f4131466fa7652e5e47d",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "e1fcd4a9c09feac0902a65615e866dbf22616125",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "8eeb2091e72d75df8ceaa2172638d61b4cf8929a",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "6e33a7eed587062ca8161ad1f4584882a860d697",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "0627e1481676669cae2df0d85b5ff13e7d24c390",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "cfa7d9b1e3a8604afc84e9e51d789c29574fb216",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/cnic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncnic: Fix use-after-free bugs in cnic_delete_task\n\nThe original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(),\nwhich does not guarantee that the delayed work item \u0027delete_task\u0027 has\nfully completed if it was already running. Additionally, the delayed work\nitem is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only\nblocks and waits for work items that were already queued to the\nworkqueue prior to its invocation. Any work items submitted after\nflush_workqueue() is called are not included in the set of tasks that the\nflush operation awaits. This means that after the cyclic work items have\nfinished executing, a delayed work item may still exist in the workqueue.\nThis leads to use-after-free scenarios where the cnic_dev is deallocated\nby cnic_free_dev(), while delete_task remains active and attempt to\ndereference cnic_dev in cnic_delete_task().\n\nA typical race condition is illustrated below:\n\nCPU 0 (cleanup) | CPU 1 (delayed work callback)\ncnic_netdev_event() |\n cnic_stop_hw() | cnic_delete_task()\n cnic_cm_stop_bnx2x_hw() | ...\n cancel_delayed_work() | /* the queue_delayed_work()\n flush_workqueue() | executes after flush_workqueue()*/\n | queue_delayed_work()\n cnic_free_dev(dev)//free | cnic_delete_task() //new instance\n | dev = cp-\u003edev; //use\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the cyclic delayed work item is properly canceled and that any\nongoing execution of the work item completes before the cnic_dev is\ndeallocated. Furthermore, since cancel_delayed_work_sync() uses\n__flush_work(work, true) to synchronously wait for any currently\nexecuting instance of the work item to finish, the flush_workqueue()\nbecomes redundant and should be removed.\n\nThis bug was identified through static analysis. To reproduce the issue\nand validate the fix, I simulated the cnic PCI device in QEMU and\nintroduced intentional delays \u2014 such as inserting calls to ssleep()\nwithin the cnic_delete_task() function \u2014 to increase the likelihood\nof triggering the bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:04.574Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fde6e73189f40ebcf0633aed2b68e731c25f3aa3"
},
{
"url": "https://git.kernel.org/stable/c/7b6a5b0a6b392263c3767fc945b311ea04b34bbd"
},
{
"url": "https://git.kernel.org/stable/c/0405055930264ea8fd26f4131466fa7652e5e47d"
},
{
"url": "https://git.kernel.org/stable/c/e1fcd4a9c09feac0902a65615e866dbf22616125"
},
{
"url": "https://git.kernel.org/stable/c/8eeb2091e72d75df8ceaa2172638d61b4cf8929a"
},
{
"url": "https://git.kernel.org/stable/c/6e33a7eed587062ca8161ad1f4584882a860d697"
},
{
"url": "https://git.kernel.org/stable/c/0627e1481676669cae2df0d85b5ff13e7d24c390"
},
{
"url": "https://git.kernel.org/stable/c/cfa7d9b1e3a8604afc84e9e51d789c29574fb216"
}
],
"title": "cnic: Fix use-after-free bugs in cnic_delete_task",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39945",
"datePublished": "2025-10-04T07:31:07.109Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:37:04.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68372 (GCVE-0-2025-68372)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
nbd: defer config put in recv_work
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: defer config put in recv_work
There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and
NBD_CMD_RECONFIGURE:
nbd_genl_connect // conf_ref=2 (connect and recv_work A)
nbd_open // conf_ref=3
recv_work A done // conf_ref=2
NBD_CLEAR_SOCK // conf_ref=1
nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)
close nbd // conf_ref=1
recv_work B
config_put // conf_ref=0
atomic_dec(&config->recv_threads); -> UAF
Or only running NBD_CLEAR_SOCK:
nbd_genl_connect // conf_ref=2
nbd_open // conf_ref=3
NBD_CLEAR_SOCK // conf_ref=2
close nbd
nbd_release
config_put // conf_ref=1
recv_work
config_put // conf_ref=0
atomic_dec(&config->recv_threads); -> UAF
Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the
waiter") moved nbd_config_put() to run before waking up the waiter in
recv_work, in order to ensure that nbd_start_device_ioctl() would not
be woken up while nbd->task_recv was still uncleared.
However, in nbd_start_device_ioctl(), after being woken up it explicitly
calls flush_workqueue() to make sure all current works are finished.
Therefore, there is no need to move the config put ahead of the wakeup.
Move nbd_config_put() to the end of recv_work, so that the reference is
held for the whole lifetime of the worker thread. This makes sure the
config cannot be freed while recv_work is still running, even if clear
+ reconfigure interleave.
In addition, we don't need to worry about recv_work dropping the last
nbd_put (which causes deadlock):
path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):
connect // nbd_refs=1 (trigger recv_work)
open nbd // nbd_refs=2
NBD_CLEAR_SOCK
close nbd
nbd_release
nbd_disconnect_and_put
flush_workqueue // recv_work done
nbd_config_put
nbd_put // nbd_refs=1
nbd_put // nbd_refs=0
queue_work
path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):
connect // nbd_refs=2 (trigger recv_work)
open nbd // nbd_refs=3
NBD_CLEAR_SOCK // conf_refs=2
close nbd
nbd_release
nbd_config_put // conf_refs=1
nbd_put // nbd_refs=2
recv_work done // conf_refs=0, nbd_refs=1
rmmod // nbd_refs=0
Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 198aa230a6f8c1f6af7ed26b29180749c3e79e4d
(git)
Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < d3ba312675911ff9e3fefefd551751e153a9f0a9 (git) Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 3692884bd6187d89d41eef81e5a9724519fd01c1 (git) Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509 (git) Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 6b69593f72e1bfba6ca47ca8d9b619341fded7d6 (git) Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 443a1721806b6ff6303b5229e9811d68172d622f (git) Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 742012f6bf29553fdc460bf646a58df3a7b43d01 (git) Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 9517b82d8d422d426a988b213fdd45c6b417b86d (git) Affected: 0a4e383fc3aa6540f804c4fd1184a96ae5de6ef8 (git) Affected: 2ef6f4bd60411934e3fc2715442c2afe70f84bf3 (git) Affected: 742fd49cf811ca164489e339b862e3fb8e240a73 (git) Affected: 14df8724aeeef338172e2a2d6efadc989921ca0f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "198aa230a6f8c1f6af7ed26b29180749c3e79e4d",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "d3ba312675911ff9e3fefefd551751e153a9f0a9",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "3692884bd6187d89d41eef81e5a9724519fd01c1",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "6b69593f72e1bfba6ca47ca8d9b619341fded7d6",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "443a1721806b6ff6303b5229e9811d68172d622f",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "742012f6bf29553fdc460bf646a58df3a7b43d01",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "9517b82d8d422d426a988b213fdd45c6b417b86d",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"status": "affected",
"version": "0a4e383fc3aa6540f804c4fd1184a96ae5de6ef8",
"versionType": "git"
},
{
"status": "affected",
"version": "2ef6f4bd60411934e3fc2715442c2afe70f84bf3",
"versionType": "git"
},
{
"status": "affected",
"version": "742fd49cf811ca164489e339b862e3fb8e240a73",
"versionType": "git"
},
{
"status": "affected",
"version": "14df8724aeeef338172e2a2d6efadc989921ca0f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.204",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.155",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: defer config put in recv_work\n\nThere is one uaf issue in recv_work when running NBD_CLEAR_SOCK and\nNBD_CMD_RECONFIGURE:\n nbd_genl_connect // conf_ref=2 (connect and recv_work A)\n nbd_open\t // conf_ref=3\n recv_work A done // conf_ref=2\n NBD_CLEAR_SOCK // conf_ref=1\n nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)\n close nbd\t // conf_ref=1\n recv_work B\n config_put // conf_ref=0\n atomic_dec(\u0026config-\u003erecv_threads); -\u003e UAF\n\nOr only running NBD_CLEAR_SOCK:\n nbd_genl_connect // conf_ref=2\n nbd_open \t // conf_ref=3\n NBD_CLEAR_SOCK // conf_ref=2\n close nbd\n nbd_release\n config_put // conf_ref=1\n recv_work\n config_put \t // conf_ref=0\n atomic_dec(\u0026config-\u003erecv_threads); -\u003e UAF\n\nCommit 87aac3a80af5 (\"nbd: call nbd_config_put() before notifying the\nwaiter\") moved nbd_config_put() to run before waking up the waiter in\nrecv_work, in order to ensure that nbd_start_device_ioctl() would not\nbe woken up while nbd-\u003etask_recv was still uncleared.\n\nHowever, in nbd_start_device_ioctl(), after being woken up it explicitly\ncalls flush_workqueue() to make sure all current works are finished.\nTherefore, there is no need to move the config put ahead of the wakeup.\n\nMove nbd_config_put() to the end of recv_work, so that the reference is\nheld for the whole lifetime of the worker thread. This makes sure the\nconfig cannot be freed while recv_work is still running, even if clear\n+ reconfigure interleave.\n\nIn addition, we don\u0027t need to worry about recv_work dropping the last\nnbd_put (which causes deadlock):\n\npath A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):\n connect // nbd_refs=1 (trigger recv_work)\n open nbd // nbd_refs=2\n NBD_CLEAR_SOCK\n close nbd\n nbd_release\n nbd_disconnect_and_put\n flush_workqueue // recv_work done\n nbd_config_put\n nbd_put // nbd_refs=1\n nbd_put // nbd_refs=0\n queue_work\n\npath B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):\n connect // nbd_refs=2 (trigger recv_work)\n open nbd // nbd_refs=3\n NBD_CLEAR_SOCK // conf_refs=2\n close nbd\n nbd_release\n nbd_config_put // conf_refs=1\n nbd_put // nbd_refs=2\n recv_work done // conf_refs=0, nbd_refs=1\n rmmod // nbd_refs=0\n\nDepends-on: e2daec488c57 (\"nbd: Fix hungtask when nbd_config_put\")"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:09.736Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/198aa230a6f8c1f6af7ed26b29180749c3e79e4d"
},
{
"url": "https://git.kernel.org/stable/c/d3ba312675911ff9e3fefefd551751e153a9f0a9"
},
{
"url": "https://git.kernel.org/stable/c/3692884bd6187d89d41eef81e5a9724519fd01c1"
},
{
"url": "https://git.kernel.org/stable/c/1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509"
},
{
"url": "https://git.kernel.org/stable/c/6b69593f72e1bfba6ca47ca8d9b619341fded7d6"
},
{
"url": "https://git.kernel.org/stable/c/443a1721806b6ff6303b5229e9811d68172d622f"
},
{
"url": "https://git.kernel.org/stable/c/742012f6bf29553fdc460bf646a58df3a7b43d01"
},
{
"url": "https://git.kernel.org/stable/c/9517b82d8d422d426a988b213fdd45c6b417b86d"
}
],
"title": "nbd: defer config put in recv_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68372",
"datePublished": "2025-12-24T10:33:02.679Z",
"dateReserved": "2025-12-16T14:48:05.310Z",
"dateUpdated": "2026-02-09T08:32:09.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40021 (GCVE-0-2025-40021)
Vulnerability from cvelistv5 – Published: 2025-10-24 12:24 – Updated: 2025-10-24 12:24
VLAI?
EPSS
Title
tracing: dynevent: Add a missing lockdown check on dynevent
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: dynevent: Add a missing lockdown check on dynevent
Since dynamic_events interface on tracefs is compatible with
kprobe_events and uprobe_events, it should also check the lockdown
status and reject if it is set.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 , < f3ac1f4eaba58e57943efa3e8b8d71fa7aab0abf
(git)
Affected: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 , < 0d41604d2d53c1abe27fefb54b37a8f6642a4d74 (git) Affected: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 , < 07b1f63b5f86765793fab44d3d4c2be681cddafb (git) Affected: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 , < 3887f3814c0e770e6b73567fe0f83a2c01a6470c (git) Affected: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 , < 573b1e39edfcb7b4eecde0f1664455a1f4462eee (git) Affected: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 , < b47c4e06687a5a7b6c6ef4bd303fcfe4430b26bb (git) Affected: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 , < 456c32e3c4316654f95f9d49c12cbecfb77d5660 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_dynevent.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f3ac1f4eaba58e57943efa3e8b8d71fa7aab0abf",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "0d41604d2d53c1abe27fefb54b37a8f6642a4d74",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "07b1f63b5f86765793fab44d3d4c2be681cddafb",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "3887f3814c0e770e6b73567fe0f83a2c01a6470c",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "573b1e39edfcb7b4eecde0f1664455a1f4462eee",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "b47c4e06687a5a7b6c6ef4bd303fcfe4430b26bb",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "456c32e3c4316654f95f9d49c12cbecfb77d5660",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_dynevent.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: dynevent: Add a missing lockdown check on dynevent\n\nSince dynamic_events interface on tracefs is compatible with\nkprobe_events and uprobe_events, it should also check the lockdown\nstatus and reject if it is set."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T12:24:57.107Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f3ac1f4eaba58e57943efa3e8b8d71fa7aab0abf"
},
{
"url": "https://git.kernel.org/stable/c/0d41604d2d53c1abe27fefb54b37a8f6642a4d74"
},
{
"url": "https://git.kernel.org/stable/c/07b1f63b5f86765793fab44d3d4c2be681cddafb"
},
{
"url": "https://git.kernel.org/stable/c/3887f3814c0e770e6b73567fe0f83a2c01a6470c"
},
{
"url": "https://git.kernel.org/stable/c/573b1e39edfcb7b4eecde0f1664455a1f4462eee"
},
{
"url": "https://git.kernel.org/stable/c/b47c4e06687a5a7b6c6ef4bd303fcfe4430b26bb"
},
{
"url": "https://git.kernel.org/stable/c/456c32e3c4316654f95f9d49c12cbecfb77d5660"
}
],
"title": "tracing: dynevent: Add a missing lockdown check on dynevent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40021",
"datePublished": "2025-10-24T12:24:57.107Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-10-24T12:24:57.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39870 (GCVE-0-2025-39870)
Vulnerability from cvelistv5 – Published: 2025-09-23 06:00 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
dmaengine: idxd: Fix double free in idxd_setup_wqs()
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Fix double free in idxd_setup_wqs()
The clean up in idxd_setup_wqs() has had a couple bugs because the error
handling is a bit subtle. It's simpler to just re-write it in a cleaner
way. The issues here are:
1) If "idxd->max_wqs" is <= 0 then we call put_device(conf_dev) when
"conf_dev" hasn't been initialized.
2) If kzalloc_node() fails then again "conf_dev" is invalid. It's
either uninitialized or it points to the "conf_dev" from the
previous iteration so it leads to a double free.
It's better to free partial loop iterations within the loop and then
the unwinding at the end can handle whole loop iterations. I also
renamed the labels to describe what the goto does and not where the goto
was located.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d584acdf54f409cb7eae1359ae6c12aaabedeed8 , < 25e6146c2812487a88f619d5ff6efbdcd5b2bc31
(git)
Affected: 47846211998a9ffb0fcc08092eb95ac783d2b11a , < df82c7901513fd0fc738052a8e6a330d92cc8ec9 (git) Affected: 5fcd392dae6d6aba7dc64ffdbb838ff191315da3 , < ec5430d090d0b6ace8fefa290fc37e88930017d2 (git) Affected: 3fd2f4bc010cdfbc07dd21018dc65bd9370eb7a4 , < 9f0e225635475b2285b966271d5e82cba74295b1 (git) Affected: 3fd2f4bc010cdfbc07dd21018dc65bd9370eb7a4 , < 39aaa337449e71a41d4813be0226a722827ba606 (git) Affected: ed2c66000aa64c0d2621864831f0d04c820a1441 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:19.166Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25e6146c2812487a88f619d5ff6efbdcd5b2bc31",
"status": "affected",
"version": "d584acdf54f409cb7eae1359ae6c12aaabedeed8",
"versionType": "git"
},
{
"lessThan": "df82c7901513fd0fc738052a8e6a330d92cc8ec9",
"status": "affected",
"version": "47846211998a9ffb0fcc08092eb95ac783d2b11a",
"versionType": "git"
},
{
"lessThan": "ec5430d090d0b6ace8fefa290fc37e88930017d2",
"status": "affected",
"version": "5fcd392dae6d6aba7dc64ffdbb838ff191315da3",
"versionType": "git"
},
{
"lessThan": "9f0e225635475b2285b966271d5e82cba74295b1",
"status": "affected",
"version": "3fd2f4bc010cdfbc07dd21018dc65bd9370eb7a4",
"versionType": "git"
},
{
"lessThan": "39aaa337449e71a41d4813be0226a722827ba606",
"status": "affected",
"version": "3fd2f4bc010cdfbc07dd21018dc65bd9370eb7a4",
"versionType": "git"
},
{
"status": "affected",
"version": "ed2c66000aa64c0d2621864831f0d04c820a1441",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "6.1.140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "6.6.92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.12.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix double free in idxd_setup_wqs()\n\nThe clean up in idxd_setup_wqs() has had a couple bugs because the error\nhandling is a bit subtle. It\u0027s simpler to just re-write it in a cleaner\nway. The issues here are:\n\n1) If \"idxd-\u003emax_wqs\" is \u003c= 0 then we call put_device(conf_dev) when\n \"conf_dev\" hasn\u0027t been initialized.\n2) If kzalloc_node() fails then again \"conf_dev\" is invalid. It\u0027s\n either uninitialized or it points to the \"conf_dev\" from the\n previous iteration so it leads to a double free.\n\nIt\u0027s better to free partial loop iterations within the loop and then\nthe unwinding at the end can handle whole loop iterations. I also\nrenamed the labels to describe what the goto does and not where the goto\nwas located."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:26.463Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25e6146c2812487a88f619d5ff6efbdcd5b2bc31"
},
{
"url": "https://git.kernel.org/stable/c/df82c7901513fd0fc738052a8e6a330d92cc8ec9"
},
{
"url": "https://git.kernel.org/stable/c/ec5430d090d0b6ace8fefa290fc37e88930017d2"
},
{
"url": "https://git.kernel.org/stable/c/9f0e225635475b2285b966271d5e82cba74295b1"
},
{
"url": "https://git.kernel.org/stable/c/39aaa337449e71a41d4813be0226a722827ba606"
}
],
"title": "dmaengine: idxd: Fix double free in idxd_setup_wqs()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39870",
"datePublished": "2025-09-23T06:00:44.369Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-11-03T17:44:19.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40124 (GCVE-0-2025-40124)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III
Summary
In the Linux kernel, the following vulnerability has been resolved:
sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III
Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios
enabled resulted from copy_from_user() returning impossibly large values
greater than the size to be copied. This lead to __copy_from_iter()
returning impossible values instead of the actual number of bytes it was
able to copy.
The BUG_ON has been reported in
https://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de
The referenced commit introduced exception handlers on user-space memory
references in copy_from_user and copy_to_user. These handlers return from
the respective function and calculate the remaining bytes left to copy
using the current register contents. The exception handlers expect that
%o2 has already been masked during the bulk copy loop, but the masking was
performed after that loop. This will fix the return value of copy_from_user
and copy_to_user in the faulting case. The behaviour of memcpy stays
unchanged.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ee841d0aff649164080e445e84885015958d8ff4 , < fdd43fe6d286f27b826572457a89c926f97e2d3a
(git)
Affected: ee841d0aff649164080e445e84885015958d8ff4 , < 1198077606aeffb102587c6ea079ce99641c99d4 (git) Affected: ee841d0aff649164080e445e84885015958d8ff4 , < 1857cdca12c4aff58bf26a7005a4d02850c29927 (git) Affected: ee841d0aff649164080e445e84885015958d8ff4 , < 91eda032eb16e5d2be27c95584665bc555bb5a90 (git) Affected: ee841d0aff649164080e445e84885015958d8ff4 , < dc766c4830a7e1e1ee9d7f77d4ab344f2eb23c8e (git) Affected: ee841d0aff649164080e445e84885015958d8ff4 , < 5ef9c94d7110e90260c06868cf1dcf899b9f25ee (git) Affected: ee841d0aff649164080e445e84885015958d8ff4 , < e50377c6b3f278c9f3ef017ffce17f5fcc9dace4 (git) Affected: ee841d0aff649164080e445e84885015958d8ff4 , < 47b49c06eb62504075f0f2e2227aee2e2c2a58b3 (git) Affected: 1c7e17b1c4d60cc5aa575460f7efb73686dd3b39 (git) Affected: ac663c54f40b2830b1ca32d1ae9d683fe248b14c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/sparc/lib/U3memcpy.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fdd43fe6d286f27b826572457a89c926f97e2d3a",
"status": "affected",
"version": "ee841d0aff649164080e445e84885015958d8ff4",
"versionType": "git"
},
{
"lessThan": "1198077606aeffb102587c6ea079ce99641c99d4",
"status": "affected",
"version": "ee841d0aff649164080e445e84885015958d8ff4",
"versionType": "git"
},
{
"lessThan": "1857cdca12c4aff58bf26a7005a4d02850c29927",
"status": "affected",
"version": "ee841d0aff649164080e445e84885015958d8ff4",
"versionType": "git"
},
{
"lessThan": "91eda032eb16e5d2be27c95584665bc555bb5a90",
"status": "affected",
"version": "ee841d0aff649164080e445e84885015958d8ff4",
"versionType": "git"
},
{
"lessThan": "dc766c4830a7e1e1ee9d7f77d4ab344f2eb23c8e",
"status": "affected",
"version": "ee841d0aff649164080e445e84885015958d8ff4",
"versionType": "git"
},
{
"lessThan": "5ef9c94d7110e90260c06868cf1dcf899b9f25ee",
"status": "affected",
"version": "ee841d0aff649164080e445e84885015958d8ff4",
"versionType": "git"
},
{
"lessThan": "e50377c6b3f278c9f3ef017ffce17f5fcc9dace4",
"status": "affected",
"version": "ee841d0aff649164080e445e84885015958d8ff4",
"versionType": "git"
},
{
"lessThan": "47b49c06eb62504075f0f2e2227aee2e2c2a58b3",
"status": "affected",
"version": "ee841d0aff649164080e445e84885015958d8ff4",
"versionType": "git"
},
{
"status": "affected",
"version": "1c7e17b1c4d60cc5aa575460f7efb73686dd3b39",
"versionType": "git"
},
{
"status": "affected",
"version": "ac663c54f40b2830b1ca32d1ae9d683fe248b14c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/sparc/lib/U3memcpy.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.8.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III\n\nAnthony Yznaga tracked down that a BUG_ON in ext4 code with large folios\nenabled resulted from copy_from_user() returning impossibly large values\ngreater than the size to be copied. This lead to __copy_from_iter()\nreturning impossible values instead of the actual number of bytes it was\nable to copy.\n\nThe BUG_ON has been reported in\nhttps://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de\n\nThe referenced commit introduced exception handlers on user-space memory\nreferences in copy_from_user and copy_to_user. These handlers return from\nthe respective function and calculate the remaining bytes left to copy\nusing the current register contents. The exception handlers expect that\n%o2 has already been masked during the bulk copy loop, but the masking was\nperformed after that loop. This will fix the return value of copy_from_user\nand copy_to_user in the faulting case. The behaviour of memcpy stays\nunchanged."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:29.671Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fdd43fe6d286f27b826572457a89c926f97e2d3a"
},
{
"url": "https://git.kernel.org/stable/c/1198077606aeffb102587c6ea079ce99641c99d4"
},
{
"url": "https://git.kernel.org/stable/c/1857cdca12c4aff58bf26a7005a4d02850c29927"
},
{
"url": "https://git.kernel.org/stable/c/91eda032eb16e5d2be27c95584665bc555bb5a90"
},
{
"url": "https://git.kernel.org/stable/c/dc766c4830a7e1e1ee9d7f77d4ab344f2eb23c8e"
},
{
"url": "https://git.kernel.org/stable/c/5ef9c94d7110e90260c06868cf1dcf899b9f25ee"
},
{
"url": "https://git.kernel.org/stable/c/e50377c6b3f278c9f3ef017ffce17f5fcc9dace4"
},
{
"url": "https://git.kernel.org/stable/c/47b49c06eb62504075f0f2e2227aee2e2c2a58b3"
}
],
"title": "sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40124",
"datePublished": "2025-11-12T10:23:19.861Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:29.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39881 (GCVE-0-2025-39881)
Vulnerability from cvelistv5 – Published: 2025-09-23 06:00 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
kernfs: Fix UAF in polling when open file is released
Summary
In the Linux kernel, the following vulnerability has been resolved:
kernfs: Fix UAF in polling when open file is released
A use-after-free (UAF) vulnerability was identified in the PSI (Pressure
Stall Information) monitoring mechanism:
BUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140
Read of size 8 at addr ffff3de3d50bd308 by task systemd/1
psi_trigger_poll+0x3c/0x140
cgroup_pressure_poll+0x70/0xa0
cgroup_file_poll+0x8c/0x100
kernfs_fop_poll+0x11c/0x1c0
ep_item_poll.isra.0+0x188/0x2c0
Allocated by task 1:
cgroup_file_open+0x88/0x388
kernfs_fop_open+0x73c/0xaf0
do_dentry_open+0x5fc/0x1200
vfs_open+0xa0/0x3f0
do_open+0x7e8/0xd08
path_openat+0x2fc/0x6b0
do_filp_open+0x174/0x368
Freed by task 8462:
cgroup_file_release+0x130/0x1f8
kernfs_drain_open_files+0x17c/0x440
kernfs_drain+0x2dc/0x360
kernfs_show+0x1b8/0x288
cgroup_file_show+0x150/0x268
cgroup_pressure_write+0x1dc/0x340
cgroup_file_write+0x274/0x548
Reproduction Steps:
1. Open test/cpu.pressure and establish epoll monitoring
2. Disable monitoring: echo 0 > test/cgroup.pressure
3. Re-enable monitoring: echo 1 > test/cgroup.pressure
The race condition occurs because:
1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it:
- Releases PSI triggers via cgroup_file_release()
- Frees of->priv through kernfs_drain_open_files()
2. While epoll still holds reference to the file and continues polling
3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->priv
epolling disable/enable cgroup.pressure
fd=open(cpu.pressure)
while(1)
...
epoll_wait
kernfs_fop_poll
kernfs_get_active = true echo 0 > cgroup.pressure
... cgroup_file_show
kernfs_show
// inactive kn
kernfs_drain_open_files
cft->release(of);
kfree(ctx);
...
kernfs_get_active = false
echo 1 > cgroup.pressure
kernfs_show
kernfs_activate_one(kn);
kernfs_fop_poll
kernfs_get_active = true
cgroup_file_poll
psi_trigger_poll
// UAF
...
end: close(fd)
To address this issue, introduce kernfs_get_active_of() for kernfs open
files to obtain active references. This function will fail if the open file
has been released. Replace kernfs_get_active() with kernfs_get_active_of()
to prevent further operations on released file descriptors.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
34f26a15611afb03c33df6819359d36f5b382589 , < 34d9cafd469c69ad85e6a36b4303c78382cf5c79
(git)
Affected: 34f26a15611afb03c33df6819359d36f5b382589 , < 854baafc00c433cccbe0ab4231b77aeb9b637b77 (git) Affected: 34f26a15611afb03c33df6819359d36f5b382589 , < 7e64474aba78d240f7804f48f2d454dcca78b15f (git) Affected: 34f26a15611afb03c33df6819359d36f5b382589 , < ac5cda4fae8818cf1963317bb699f7f2f85b60af (git) Affected: 34f26a15611afb03c33df6819359d36f5b382589 , < 3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:23.968Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/kernfs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "34d9cafd469c69ad85e6a36b4303c78382cf5c79",
"status": "affected",
"version": "34f26a15611afb03c33df6819359d36f5b382589",
"versionType": "git"
},
{
"lessThan": "854baafc00c433cccbe0ab4231b77aeb9b637b77",
"status": "affected",
"version": "34f26a15611afb03c33df6819359d36f5b382589",
"versionType": "git"
},
{
"lessThan": "7e64474aba78d240f7804f48f2d454dcca78b15f",
"status": "affected",
"version": "34f26a15611afb03c33df6819359d36f5b382589",
"versionType": "git"
},
{
"lessThan": "ac5cda4fae8818cf1963317bb699f7f2f85b60af",
"status": "affected",
"version": "34f26a15611afb03c33df6819359d36f5b382589",
"versionType": "git"
},
{
"lessThan": "3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f",
"status": "affected",
"version": "34f26a15611afb03c33df6819359d36f5b382589",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/kernfs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: Fix UAF in polling when open file is released\n\nA use-after-free (UAF) vulnerability was identified in the PSI (Pressure\nStall Information) monitoring mechanism:\n\nBUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140\nRead of size 8 at addr ffff3de3d50bd308 by task systemd/1\n\npsi_trigger_poll+0x3c/0x140\ncgroup_pressure_poll+0x70/0xa0\ncgroup_file_poll+0x8c/0x100\nkernfs_fop_poll+0x11c/0x1c0\nep_item_poll.isra.0+0x188/0x2c0\n\nAllocated by task 1:\ncgroup_file_open+0x88/0x388\nkernfs_fop_open+0x73c/0xaf0\ndo_dentry_open+0x5fc/0x1200\nvfs_open+0xa0/0x3f0\ndo_open+0x7e8/0xd08\npath_openat+0x2fc/0x6b0\ndo_filp_open+0x174/0x368\n\nFreed by task 8462:\ncgroup_file_release+0x130/0x1f8\nkernfs_drain_open_files+0x17c/0x440\nkernfs_drain+0x2dc/0x360\nkernfs_show+0x1b8/0x288\ncgroup_file_show+0x150/0x268\ncgroup_pressure_write+0x1dc/0x340\ncgroup_file_write+0x274/0x548\n\nReproduction Steps:\n1. Open test/cpu.pressure and establish epoll monitoring\n2. Disable monitoring: echo 0 \u003e test/cgroup.pressure\n3. Re-enable monitoring: echo 1 \u003e test/cgroup.pressure\n\nThe race condition occurs because:\n1. When cgroup.pressure is disabled (echo 0 \u003e cgroup.pressure), it:\n - Releases PSI triggers via cgroup_file_release()\n - Frees of-\u003epriv through kernfs_drain_open_files()\n2. While epoll still holds reference to the file and continues polling\n3. Re-enabling (echo 1 \u003e cgroup.pressure) accesses freed of-\u003epriv\n\nepolling\t\t\tdisable/enable cgroup.pressure\nfd=open(cpu.pressure)\nwhile(1)\n...\nepoll_wait\nkernfs_fop_poll\nkernfs_get_active = true\techo 0 \u003e cgroup.pressure\n...\t\t\t\tcgroup_file_show\n\t\t\t\tkernfs_show\n\t\t\t\t// inactive kn\n\t\t\t\tkernfs_drain_open_files\n\t\t\t\tcft-\u003erelease(of);\n\t\t\t\tkfree(ctx);\n\t\t\t\t...\nkernfs_get_active = false\n\t\t\t\techo 1 \u003e cgroup.pressure\n\t\t\t\tkernfs_show\n\t\t\t\tkernfs_activate_one(kn);\nkernfs_fop_poll\nkernfs_get_active = true\ncgroup_file_poll\npsi_trigger_poll\n// UAF\n...\nend: close(fd)\n\nTo address this issue, introduce kernfs_get_active_of() for kernfs open\nfiles to obtain active references. This function will fail if the open file\nhas been released. Replace kernfs_get_active() with kernfs_get_active_of()\nto prevent further operations on released file descriptors."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:40.892Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/34d9cafd469c69ad85e6a36b4303c78382cf5c79"
},
{
"url": "https://git.kernel.org/stable/c/854baafc00c433cccbe0ab4231b77aeb9b637b77"
},
{
"url": "https://git.kernel.org/stable/c/7e64474aba78d240f7804f48f2d454dcca78b15f"
},
{
"url": "https://git.kernel.org/stable/c/ac5cda4fae8818cf1963317bb699f7f2f85b60af"
},
{
"url": "https://git.kernel.org/stable/c/3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f"
}
],
"title": "kernfs: Fix UAF in polling when open file is released",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39881",
"datePublished": "2025-09-23T06:00:50.496Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-11-03T17:44:23.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22121 (GCVE-0-2025-22121)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2026-01-19 12:17
VLAI?
EPSS
Title
ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
There's issue as follows:
BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790
Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172
CPU: 3 PID: 15172 Comm: syz-executor.0
Call Trace:
__dump_stack lib/dump_stack.c:82 [inline]
dump_stack+0xbe/0xfd lib/dump_stack.c:123
print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400
__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
kasan_report+0x3a/0x50 mm/kasan/report.c:585
ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137
ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896
ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323
evict+0x39f/0x880 fs/inode.c:622
iput_final fs/inode.c:1746 [inline]
iput fs/inode.c:1772 [inline]
iput+0x525/0x6c0 fs/inode.c:1758
ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]
ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300
mount_bdev+0x355/0x410 fs/super.c:1446
legacy_get_tree+0xfe/0x220 fs/fs_context.c:611
vfs_get_tree+0x8d/0x2f0 fs/super.c:1576
do_new_mount fs/namespace.c:2983 [inline]
path_mount+0x119a/0x1ad0 fs/namespace.c:3316
do_mount+0xfc/0x110 fs/namespace.c:3329
__do_sys_mount fs/namespace.c:3540 [inline]
__se_sys_mount+0x219/0x2e0 fs/namespace.c:3514
do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x67/0xd1
Memory state around the buggy address:
ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Above issue happens as ext4_xattr_delete_inode() isn't check xattr
is valid if xattr is in inode.
To solve above issue call xattr_check_inode() check if xattr if valid
in inode. In fact, we can directly verify in ext4_iget_extra_inode(),
so that there is no divergent verification.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e50e5129f384ae282adebfb561189cdb19b81cee , < 27202452b0bc942fdc3db72a44c4dcdab96d5b56
(git)
Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < b374e9ecc92aaa7fb2ab221ee3ff5451118ab566 (git) Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < c000a8a9b5343a5ef867df173c6349672dacbd0f (git) Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 3c591353956ffcace2cc74d09930774afed60619 (git) Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 098927a13fd918bd7c64c2de905350a1ad7b4a3a (git) Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8 (git) Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 5701875f9609b000d91351eaa6bfd97fe2f157f4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c",
"fs/ext4/xattr.c",
"fs/ext4/xattr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27202452b0bc942fdc3db72a44c4dcdab96d5b56",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "b374e9ecc92aaa7fb2ab221ee3ff5451118ab566",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "c000a8a9b5343a5ef867df173c6349672dacbd0f",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "3c591353956ffcace2cc74d09930774afed60619",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "098927a13fd918bd7c64c2de905350a1ad7b4a3a",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "5701875f9609b000d91351eaa6bfd97fe2f157f4",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c",
"fs/ext4/xattr.c",
"fs/ext4/xattr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()\n\nThere\u0027s issue as follows:\nBUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790\nRead of size 4 at addr ffff88807b003000 by task syz-executor.0/15172\n\nCPU: 3 PID: 15172 Comm: syz-executor.0\nCall Trace:\n __dump_stack lib/dump_stack.c:82 [inline]\n dump_stack+0xbe/0xfd lib/dump_stack.c:123\n print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400\n __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560\n kasan_report+0x3a/0x50 mm/kasan/report.c:585\n ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137\n ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896\n ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323\n evict+0x39f/0x880 fs/inode.c:622\n iput_final fs/inode.c:1746 [inline]\n iput fs/inode.c:1772 [inline]\n iput+0x525/0x6c0 fs/inode.c:1758\n ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]\n ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300\n mount_bdev+0x355/0x410 fs/super.c:1446\n legacy_get_tree+0xfe/0x220 fs/fs_context.c:611\n vfs_get_tree+0x8d/0x2f0 fs/super.c:1576\n do_new_mount fs/namespace.c:2983 [inline]\n path_mount+0x119a/0x1ad0 fs/namespace.c:3316\n do_mount+0xfc/0x110 fs/namespace.c:3329\n __do_sys_mount fs/namespace.c:3540 [inline]\n __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514\n do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nMemory state around the buggy address:\n ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n\u003effff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ^\n ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\nAbove issue happens as ext4_xattr_delete_inode() isn\u0027t check xattr\nis valid if xattr is in inode.\nTo solve above issue call xattr_check_inode() check if xattr if valid\nin inode. In fact, we can directly verify in ext4_iget_extra_inode(),\nso that there is no divergent verification."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:55.783Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27202452b0bc942fdc3db72a44c4dcdab96d5b56"
},
{
"url": "https://git.kernel.org/stable/c/b374e9ecc92aaa7fb2ab221ee3ff5451118ab566"
},
{
"url": "https://git.kernel.org/stable/c/c000a8a9b5343a5ef867df173c6349672dacbd0f"
},
{
"url": "https://git.kernel.org/stable/c/3c591353956ffcace2cc74d09930774afed60619"
},
{
"url": "https://git.kernel.org/stable/c/098927a13fd918bd7c64c2de905350a1ad7b4a3a"
},
{
"url": "https://git.kernel.org/stable/c/0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8"
},
{
"url": "https://git.kernel.org/stable/c/5701875f9609b000d91351eaa6bfd97fe2f157f4"
}
],
"title": "ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22121",
"datePublished": "2025-04-16T14:13:05.894Z",
"dateReserved": "2024-12-29T08:45:45.823Z",
"dateUpdated": "2026-01-19T12:17:55.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68191 (GCVE-0-2025-68191)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
udp_tunnel: use netdev_warn() instead of netdev_WARN()
Summary
In the Linux kernel, the following vulnerability has been resolved:
udp_tunnel: use netdev_warn() instead of netdev_WARN()
netdev_WARN() uses WARN/WARN_ON to print a backtrace along with
file and line information. In this case, udp_tunnel_nic_register()
returning an error is just a failed operation, not a kernel bug.
udp_tunnel_nic_register() can fail due to a memory allocation
failure (kzalloc() or udp_tunnel_nic_alloc()).
This is a normal runtime error and not a kernel bug.
Replace netdev_WARN() with netdev_warn() accordingly.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cc4e3835eff474aa274d6e1d18f69d9d296d3b76 , < 087f1ed450dc6e7e49ffbbbe5b78be1218c6d5e0
(git)
Affected: cc4e3835eff474aa274d6e1d18f69d9d296d3b76 , < 45e4e4a8772fa1c5f6f38e82b732b3a9d8137af4 (git) Affected: cc4e3835eff474aa274d6e1d18f69d9d296d3b76 , < 7758ec35ff3e9a31558eda4f0f9eb0ddfa78a8ba (git) Affected: cc4e3835eff474aa274d6e1d18f69d9d296d3b76 , < c018a87942bf1607aeebf8dba5a210ca9a09a0fd (git) Affected: cc4e3835eff474aa274d6e1d18f69d9d296d3b76 , < 51b3033088f0420b19027e3d54cd989b6ebd987e (git) Affected: cc4e3835eff474aa274d6e1d18f69d9d296d3b76 , < 3c3b148bf8384c8a787753cf20abde1c5731f97f (git) Affected: cc4e3835eff474aa274d6e1d18f69d9d296d3b76 , < dc2f650f7e6857bf384069c1a56b2937a1ee370d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp_tunnel_nic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "087f1ed450dc6e7e49ffbbbe5b78be1218c6d5e0",
"status": "affected",
"version": "cc4e3835eff474aa274d6e1d18f69d9d296d3b76",
"versionType": "git"
},
{
"lessThan": "45e4e4a8772fa1c5f6f38e82b732b3a9d8137af4",
"status": "affected",
"version": "cc4e3835eff474aa274d6e1d18f69d9d296d3b76",
"versionType": "git"
},
{
"lessThan": "7758ec35ff3e9a31558eda4f0f9eb0ddfa78a8ba",
"status": "affected",
"version": "cc4e3835eff474aa274d6e1d18f69d9d296d3b76",
"versionType": "git"
},
{
"lessThan": "c018a87942bf1607aeebf8dba5a210ca9a09a0fd",
"status": "affected",
"version": "cc4e3835eff474aa274d6e1d18f69d9d296d3b76",
"versionType": "git"
},
{
"lessThan": "51b3033088f0420b19027e3d54cd989b6ebd987e",
"status": "affected",
"version": "cc4e3835eff474aa274d6e1d18f69d9d296d3b76",
"versionType": "git"
},
{
"lessThan": "3c3b148bf8384c8a787753cf20abde1c5731f97f",
"status": "affected",
"version": "cc4e3835eff474aa274d6e1d18f69d9d296d3b76",
"versionType": "git"
},
{
"lessThan": "dc2f650f7e6857bf384069c1a56b2937a1ee370d",
"status": "affected",
"version": "cc4e3835eff474aa274d6e1d18f69d9d296d3b76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp_tunnel_nic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp_tunnel: use netdev_warn() instead of netdev_WARN()\n\nnetdev_WARN() uses WARN/WARN_ON to print a backtrace along with\nfile and line information. In this case, udp_tunnel_nic_register()\nreturning an error is just a failed operation, not a kernel bug.\n\nudp_tunnel_nic_register() can fail due to a memory allocation\nfailure (kzalloc() or udp_tunnel_nic_alloc()).\nThis is a normal runtime error and not a kernel bug.\n\nReplace netdev_WARN() with netdev_warn() accordingly."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:20.100Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/087f1ed450dc6e7e49ffbbbe5b78be1218c6d5e0"
},
{
"url": "https://git.kernel.org/stable/c/45e4e4a8772fa1c5f6f38e82b732b3a9d8137af4"
},
{
"url": "https://git.kernel.org/stable/c/7758ec35ff3e9a31558eda4f0f9eb0ddfa78a8ba"
},
{
"url": "https://git.kernel.org/stable/c/c018a87942bf1607aeebf8dba5a210ca9a09a0fd"
},
{
"url": "https://git.kernel.org/stable/c/51b3033088f0420b19027e3d54cd989b6ebd987e"
},
{
"url": "https://git.kernel.org/stable/c/3c3b148bf8384c8a787753cf20abde1c5731f97f"
},
{
"url": "https://git.kernel.org/stable/c/dc2f650f7e6857bf384069c1a56b2937a1ee370d"
}
],
"title": "udp_tunnel: use netdev_warn() instead of netdev_WARN()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68191",
"datePublished": "2025-12-16T13:43:13.146Z",
"dateReserved": "2025-12-16T13:41:40.253Z",
"dateUpdated": "2026-01-02T15:34:20.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68726 (GCVE-0-2025-68726)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
crypto: aead - Fix reqsize handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: aead - Fix reqsize handling
Commit afddce13ce81d ("crypto: api - Add reqsize to crypto_alg")
introduced cra_reqsize field in crypto_alg struct to replace type
specific reqsize fields. It looks like this was introduced specifically
for ahash and acomp from the commit description as subsequent commits
add necessary changes in these alg frameworks.
However, this is being recommended for use in all crypto algs
instead of setting reqsize using crypto_*_set_reqsize(). Using
cra_reqsize in aead algorithms, hence, causes memory corruptions and
crashes as the underlying functions in the algorithm framework have not
been updated to set the reqsize properly from cra_reqsize. [1]
Add proper set_reqsize calls in the aead init function to properly
initialize reqsize for these algorithms in the framework.
[1]: https://gist.github.com/Pratham-T/24247446f1faf4b7843e4014d5089f6b
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
afddce13ce81d52a13898fa0700917835c71acd6 , < 64377e66e187164bd6737112d07257f5f0feb681
(git)
Affected: afddce13ce81d52a13898fa0700917835c71acd6 , < 12b413f5460c393d1151a37f591140693eca0f84 (git) Affected: afddce13ce81d52a13898fa0700917835c71acd6 , < 9b04d8f00569573796dd05397f5779135593eb24 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/aead.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64377e66e187164bd6737112d07257f5f0feb681",
"status": "affected",
"version": "afddce13ce81d52a13898fa0700917835c71acd6",
"versionType": "git"
},
{
"lessThan": "12b413f5460c393d1151a37f591140693eca0f84",
"status": "affected",
"version": "afddce13ce81d52a13898fa0700917835c71acd6",
"versionType": "git"
},
{
"lessThan": "9b04d8f00569573796dd05397f5779135593eb24",
"status": "affected",
"version": "afddce13ce81d52a13898fa0700917835c71acd6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/aead.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: aead - Fix reqsize handling\n\nCommit afddce13ce81d (\"crypto: api - Add reqsize to crypto_alg\")\nintroduced cra_reqsize field in crypto_alg struct to replace type\nspecific reqsize fields. It looks like this was introduced specifically\nfor ahash and acomp from the commit description as subsequent commits\nadd necessary changes in these alg frameworks.\n\nHowever, this is being recommended for use in all crypto algs\ninstead of setting reqsize using crypto_*_set_reqsize(). Using\ncra_reqsize in aead algorithms, hence, causes memory corruptions and\ncrashes as the underlying functions in the algorithm framework have not\nbeen updated to set the reqsize properly from cra_reqsize. [1]\n\nAdd proper set_reqsize calls in the aead init function to properly\ninitialize reqsize for these algorithms in the framework.\n\n[1]: https://gist.github.com/Pratham-T/24247446f1faf4b7843e4014d5089f6b"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:22.354Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64377e66e187164bd6737112d07257f5f0feb681"
},
{
"url": "https://git.kernel.org/stable/c/12b413f5460c393d1151a37f591140693eca0f84"
},
{
"url": "https://git.kernel.org/stable/c/9b04d8f00569573796dd05397f5779135593eb24"
}
],
"title": "crypto: aead - Fix reqsize handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68726",
"datePublished": "2025-12-24T10:33:10.364Z",
"dateReserved": "2025-12-24T10:30:51.027Z",
"dateUpdated": "2026-02-09T08:32:22.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68814 (GCVE-0-2025-68814)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
io_uring: fix filename leak in __io_openat_prep()
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix filename leak in __io_openat_prep()
__io_openat_prep() allocates a struct filename using getname(). However,
for the condition of the file being installed in the fixed file table as
well as having O_CLOEXEC flag set, the function returns early. At that
point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this,
the memory for the newly allocated struct filename is not cleaned up,
causing a memory leak.
Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the
successful getname() call, so that when the request is torn down, the
filename will be cleaned up, along with other resources needing cleanup.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b9445598d8c60a1379887b957024b71343965f74 , < 2420ef01b2e836fbc05a0a8c73a1016504eb0458
(git)
Affected: b9445598d8c60a1379887b957024b71343965f74 , < 8f44c4a550570cd5903625133f938c6b51310c9b (git) Affected: b9445598d8c60a1379887b957024b71343965f74 , < 18b99fa603d0df5e1c898699c17d3b92ddc80746 (git) Affected: b9445598d8c60a1379887b957024b71343965f74 , < e232269d511566b1f80872256a48593acc1becf4 (git) Affected: b9445598d8c60a1379887b957024b71343965f74 , < 7fbfb85b05bc960cc50e09d03e5e562131e48d45 (git) Affected: b9445598d8c60a1379887b957024b71343965f74 , < b14fad555302a2104948feaff70503b64c80ac01 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/openclose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2420ef01b2e836fbc05a0a8c73a1016504eb0458",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "8f44c4a550570cd5903625133f938c6b51310c9b",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "18b99fa603d0df5e1c898699c17d3b92ddc80746",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "e232269d511566b1f80872256a48593acc1becf4",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "7fbfb85b05bc960cc50e09d03e5e562131e48d45",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "b14fad555302a2104948feaff70503b64c80ac01",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/openclose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix filename leak in __io_openat_prep()\n\n __io_openat_prep() allocates a struct filename using getname(). However,\nfor the condition of the file being installed in the fixed file table as\nwell as having O_CLOEXEC flag set, the function returns early. At that\npoint, the request doesn\u0027t have REQ_F_NEED_CLEANUP flag set. Due to this,\nthe memory for the newly allocated struct filename is not cleaned up,\ncausing a memory leak.\n\nFix this by setting the REQ_F_NEED_CLEANUP for the request just after the\nsuccessful getname() call, so that when the request is torn down, the\nfilename will be cleaned up, along with other resources needing cleanup."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:04.016Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2420ef01b2e836fbc05a0a8c73a1016504eb0458"
},
{
"url": "https://git.kernel.org/stable/c/8f44c4a550570cd5903625133f938c6b51310c9b"
},
{
"url": "https://git.kernel.org/stable/c/18b99fa603d0df5e1c898699c17d3b92ddc80746"
},
{
"url": "https://git.kernel.org/stable/c/e232269d511566b1f80872256a48593acc1becf4"
},
{
"url": "https://git.kernel.org/stable/c/7fbfb85b05bc960cc50e09d03e5e562131e48d45"
},
{
"url": "https://git.kernel.org/stable/c/b14fad555302a2104948feaff70503b64c80ac01"
}
],
"title": "io_uring: fix filename leak in __io_openat_prep()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68814",
"datePublished": "2026-01-13T15:29:19.129Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-02-09T08:34:04.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40275 (GCVE-0-2025-40275)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2025-12-06 21:50
VLAI?
EPSS
Title
ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd
In snd_usb_create_streams(), for UAC version 3 devices, the Interface
Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this
call fails, a fallback routine attempts to obtain the IAD from the next
interface and sets a BADD profile. However, snd_usb_mixer_controls_badd()
assumes that the IAD retrieved from usb_ifnum_to_if() is always valid,
without performing a NULL check. This can lead to a NULL pointer
dereference when usb_ifnum_to_if() fails to find the interface descriptor.
This patch adds a NULL pointer check after calling usb_ifnum_to_if() in
snd_usb_mixer_controls_badd() to prevent the dereference.
This issue was discovered by syzkaller, which triggered the bug by sending
a crafted USB device descriptor.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
17156f23e93c0f59e06dd2aaffd06221341caaee , < 23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4
(git)
Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6 (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 9f282104627be5fbded3102ff9004f753c55a063 (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 2762d3ea9c929ca4094541ca517c317ffa94625b (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 57f607c112966c21240c424b33e2cb71e121dcf0 (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < cbdbfc756f2990942138ed0138da9303b4dbf9ff (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 85568535893600024d7d8794f4f8b6428b521e0c (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 632108ec072ad64c8c83db6e16a7efee29ebfb74 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "9f282104627be5fbded3102ff9004f753c55a063",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "2762d3ea9c929ca4094541ca517c317ffa94625b",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "57f607c112966c21240c424b33e2cb71e121dcf0",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "cbdbfc756f2990942138ed0138da9303b4dbf9ff",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "85568535893600024d7d8794f4f8b6428b521e0c",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "632108ec072ad64c8c83db6e16a7efee29ebfb74",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd\n\nIn snd_usb_create_streams(), for UAC version 3 devices, the Interface\nAssociation Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this\ncall fails, a fallback routine attempts to obtain the IAD from the next\ninterface and sets a BADD profile. However, snd_usb_mixer_controls_badd()\nassumes that the IAD retrieved from usb_ifnum_to_if() is always valid,\nwithout performing a NULL check. This can lead to a NULL pointer\ndereference when usb_ifnum_to_if() fails to find the interface descriptor.\n\nThis patch adds a NULL pointer check after calling usb_ifnum_to_if() in\nsnd_usb_mixer_controls_badd() to prevent the dereference.\n\nThis issue was discovered by syzkaller, which triggered the bug by sending\na crafted USB device descriptor."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:50:57.914Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4"
},
{
"url": "https://git.kernel.org/stable/c/c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6"
},
{
"url": "https://git.kernel.org/stable/c/9f282104627be5fbded3102ff9004f753c55a063"
},
{
"url": "https://git.kernel.org/stable/c/2762d3ea9c929ca4094541ca517c317ffa94625b"
},
{
"url": "https://git.kernel.org/stable/c/57f607c112966c21240c424b33e2cb71e121dcf0"
},
{
"url": "https://git.kernel.org/stable/c/cbdbfc756f2990942138ed0138da9303b4dbf9ff"
},
{
"url": "https://git.kernel.org/stable/c/85568535893600024d7d8794f4f8b6428b521e0c"
},
{
"url": "https://git.kernel.org/stable/c/632108ec072ad64c8c83db6e16a7efee29ebfb74"
}
],
"title": "ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40275",
"datePublished": "2025-12-06T21:50:57.914Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:50:57.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68753 (GCVE-0-2025-68753)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
ALSA: firewire-motu: add bounds check in put_user loop for DSP events
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: firewire-motu: add bounds check in put_user loop for DSP events
In the DSP event handling code, a put_user() loop copies event data.
When the user buffer size is not aligned to 4 bytes, it could overwrite
beyond the buffer boundary.
Fix by adding a bounds check before put_user().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
634ec0b2906efd46f6f57977e172aa3470aca432 , < ea2c921d9de6e32ca50cb817b9d57bb881be70de
(git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 6d4f17782ce4facf3197e79707df411ee3d7b30a (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < df692cf2b601a54b34edfdb9e683d67483aa8ce1 (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187 (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 298e753880b6ea99ac30df34959a7a03b0878eed (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea2c921d9de6e32ca50cb817b9d57bb881be70de",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "6d4f17782ce4facf3197e79707df411ee3d7b30a",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "df692cf2b601a54b34edfdb9e683d67483aa8ce1",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "298e753880b6ea99ac30df34959a7a03b0878eed",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-motu: add bounds check in put_user loop for DSP events\n\nIn the DSP event handling code, a put_user() loop copies event data.\nWhen the user buffer size is not aligned to 4 bytes, it could overwrite\nbeyond the buffer boundary.\n\nFix by adding a bounds check before put_user()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:57.399Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea2c921d9de6e32ca50cb817b9d57bb881be70de"
},
{
"url": "https://git.kernel.org/stable/c/6d4f17782ce4facf3197e79707df411ee3d7b30a"
},
{
"url": "https://git.kernel.org/stable/c/0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f"
},
{
"url": "https://git.kernel.org/stable/c/df692cf2b601a54b34edfdb9e683d67483aa8ce1"
},
{
"url": "https://git.kernel.org/stable/c/8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187"
},
{
"url": "https://git.kernel.org/stable/c/298e753880b6ea99ac30df34959a7a03b0878eed"
}
],
"title": "ALSA: firewire-motu: add bounds check in put_user loop for DSP events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68753",
"datePublished": "2026-01-05T09:32:27.029Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-02-09T08:32:57.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71118 (GCVE-0-2025-71118)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
ACPICA: Avoid walking the Namespace if start_node is NULL
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Avoid walking the Namespace if start_node is NULL
Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace
if it is not there") fixed the situation when both start_node and
acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed
on Honor Magicbook 14 Pro [1].
That happens due to the access to the member of parent_node in
acpi_ns_get_next_node(). The NULL pointer dereference will always
happen, no matter whether or not the start_node is equal to
ACPI_ROOT_OBJECT, so move the check of start_node being NULL
out of the if block.
Unfortunately, all the attempts to contact Honor have failed, they
refused to provide any technical support for Linux.
The bad DSDT table's dump could be found on GitHub [2].
DMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025
[ rjw: Subject adjustment, changelog edits ]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b84edef48cc8afb41150949a87dcfa81bc95b53e
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ecb296286c8787895625bd4c53e9478db4ae139c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7f9b951ed11842373851dd3c91860778356d62d3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1bc34293dfbd266c29875206849b4f8e8177e6df (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0d8bb08126920fd4b12dbf32d9250757c9064b36 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f91dad0a3b381244183ffbea4cec5a7a69d6f41e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9d6c58dae8f6590c746ac5d0012ffe14a77539f0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/nswalk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b84edef48cc8afb41150949a87dcfa81bc95b53e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ecb296286c8787895625bd4c53e9478db4ae139c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7f9b951ed11842373851dd3c91860778356d62d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1bc34293dfbd266c29875206849b4f8e8177e6df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0d8bb08126920fd4b12dbf32d9250757c9064b36",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f91dad0a3b381244183ffbea4cec5a7a69d6f41e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d6c58dae8f6590c746ac5d0012ffe14a77539f0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/nswalk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Avoid walking the Namespace if start_node is NULL\n\nAlthough commit 0c9992315e73 (\"ACPICA: Avoid walking the ACPI Namespace\nif it is not there\") fixed the situation when both start_node and\nacpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed\non Honor Magicbook 14 Pro [1].\n\nThat happens due to the access to the member of parent_node in\nacpi_ns_get_next_node(). The NULL pointer dereference will always\nhappen, no matter whether or not the start_node is equal to\nACPI_ROOT_OBJECT, so move the check of start_node being NULL\nout of the if block.\n\nUnfortunately, all the attempts to contact Honor have failed, they\nrefused to provide any technical support for Linux.\n\nThe bad DSDT table\u0027s dump could be found on GitHub [2].\n\nDMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025\n\n[ rjw: Subject adjustment, changelog edits ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:13.020Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b84edef48cc8afb41150949a87dcfa81bc95b53e"
},
{
"url": "https://git.kernel.org/stable/c/ecb296286c8787895625bd4c53e9478db4ae139c"
},
{
"url": "https://git.kernel.org/stable/c/7f9b951ed11842373851dd3c91860778356d62d3"
},
{
"url": "https://git.kernel.org/stable/c/1bc34293dfbd266c29875206849b4f8e8177e6df"
},
{
"url": "https://git.kernel.org/stable/c/0d8bb08126920fd4b12dbf32d9250757c9064b36"
},
{
"url": "https://git.kernel.org/stable/c/f91dad0a3b381244183ffbea4cec5a7a69d6f41e"
},
{
"url": "https://git.kernel.org/stable/c/9d6c58dae8f6590c746ac5d0012ffe14a77539f0"
}
],
"title": "ACPICA: Avoid walking the Namespace if start_node is NULL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71118",
"datePublished": "2026-01-14T15:06:05.861Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-02-09T08:35:13.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68178 (GCVE-0-2025-68178)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
blk-cgroup: fix possible deadlock while configuring policy
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: fix possible deadlock while configuring policy
Following deadlock can be triggered easily by lockdep:
WARNING: possible circular locking dependency detected
6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted
------------------------------------------------------
check/1334 is trying to acquire lock:
ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180
but task is already holding lock:
ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}:
blk_queue_enter+0x40b/0x470
blkg_conf_prep+0x7b/0x3c0
tg_set_limit+0x10a/0x3e0
cgroup_file_write+0xc6/0x420
kernfs_fop_write_iter+0x189/0x280
vfs_write+0x256/0x490
ksys_write+0x83/0x190
__x64_sys_write+0x21/0x30
x64_sys_call+0x4608/0x4630
do_syscall_64+0xdb/0x6b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
-> #1 (&q->rq_qos_mutex){+.+.}-{4:4}:
__mutex_lock+0xd8/0xf50
mutex_lock_nested+0x2b/0x40
wbt_init+0x17e/0x280
wbt_enable_default+0xe9/0x140
blk_register_queue+0x1da/0x2e0
__add_disk+0x38c/0x5d0
add_disk_fwnode+0x89/0x250
device_add_disk+0x18/0x30
virtblk_probe+0x13a3/0x1800
virtio_dev_probe+0x389/0x610
really_probe+0x136/0x620
__driver_probe_device+0xb3/0x230
driver_probe_device+0x2f/0xe0
__driver_attach+0x158/0x250
bus_for_each_dev+0xa9/0x130
driver_attach+0x26/0x40
bus_add_driver+0x178/0x3d0
driver_register+0x7d/0x1c0
__register_virtio_driver+0x2c/0x60
virtio_blk_init+0x6f/0xe0
do_one_initcall+0x94/0x540
kernel_init_freeable+0x56a/0x7b0
kernel_init+0x2b/0x270
ret_from_fork+0x268/0x4c0
ret_from_fork_asm+0x1a/0x30
-> #0 (&q->sysfs_lock){+.+.}-{4:4}:
__lock_acquire+0x1835/0x2940
lock_acquire+0xf9/0x450
__mutex_lock+0xd8/0xf50
mutex_lock_nested+0x2b/0x40
blk_unregister_queue+0x53/0x180
__del_gendisk+0x226/0x690
del_gendisk+0xba/0x110
sd_remove+0x49/0xb0 [sd_mod]
device_remove+0x87/0xb0
device_release_driver_internal+0x11e/0x230
device_release_driver+0x1a/0x30
bus_remove_device+0x14d/0x220
device_del+0x1e1/0x5a0
__scsi_remove_device+0x1ff/0x2f0
scsi_remove_device+0x37/0x60
sdev_store_delete+0x77/0x100
dev_attr_store+0x1f/0x40
sysfs_kf_write+0x65/0x90
kernfs_fop_write_iter+0x189/0x280
vfs_write+0x256/0x490
ksys_write+0x83/0x190
__x64_sys_write+0x21/0x30
x64_sys_call+0x4608/0x4630
do_syscall_64+0xdb/0x6b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
other info that might help us debug this:
Chain exists of:
&q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&q->q_usage_counter(queue)#3);
lock(&q->rq_qos_mutex);
lock(&q->q_usage_counter(queue)#3);
lock(&q->sysfs_lock);
Root cause is that queue_usage_counter is grabbed with rq_qos_mutex
held in blkg_conf_prep(), while queue should be freezed before
rq_qos_mutex from other context.
The blk_queue_enter() from blkg_conf_prep() is used to protect against
policy deactivation, which is already protected with blkcg_mutex, hence
convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile,
consider that blkcg_mutex is held after queue is freezed from policy
deactivation, also convert blkg_alloc() to use GFP_NOIO.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a13bd91be22318768d55470cbc0b0f4488ef9edf , < e1729523759cda2c0afb76b1c88e0d2f2ef5b7cb
(git)
Affected: a13bd91be22318768d55470cbc0b0f4488ef9edf , < 56ac639d6fa6fbb99caee74ee1c7276fc9bb47ed (git) Affected: a13bd91be22318768d55470cbc0b0f4488ef9edf , < 0585b24d71197dd9ee8cf79c168a31628c631960 (git) Affected: a13bd91be22318768d55470cbc0b0f4488ef9edf , < 5d726c4dbeeddef612e6bed27edd29733f4d13af (git) Affected: 16398b4638b5cd8c1dc95fc940a1591a801d53ce (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1729523759cda2c0afb76b1c88e0d2f2ef5b7cb",
"status": "affected",
"version": "a13bd91be22318768d55470cbc0b0f4488ef9edf",
"versionType": "git"
},
{
"lessThan": "56ac639d6fa6fbb99caee74ee1c7276fc9bb47ed",
"status": "affected",
"version": "a13bd91be22318768d55470cbc0b0f4488ef9edf",
"versionType": "git"
},
{
"lessThan": "0585b24d71197dd9ee8cf79c168a31628c631960",
"status": "affected",
"version": "a13bd91be22318768d55470cbc0b0f4488ef9edf",
"versionType": "git"
},
{
"lessThan": "5d726c4dbeeddef612e6bed27edd29733f4d13af",
"status": "affected",
"version": "a13bd91be22318768d55470cbc0b0f4488ef9edf",
"versionType": "git"
},
{
"status": "affected",
"version": "16398b4638b5cd8c1dc95fc940a1591a801d53ce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: fix possible deadlock while configuring policy\n\nFollowing deadlock can be triggered easily by lockdep:\n\nWARNING: possible circular locking dependency detected\n6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted\n------------------------------------------------------\ncheck/1334 is trying to acquire lock:\nff1100011d9d0678 (\u0026q-\u003esysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180\n\nbut task is already holding lock:\nff1100011d9d00e0 (\u0026q-\u003eq_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-\u003e #2 (\u0026q-\u003eq_usage_counter(queue)#3){++++}-{0:0}:\n blk_queue_enter+0x40b/0x470\n blkg_conf_prep+0x7b/0x3c0\n tg_set_limit+0x10a/0x3e0\n cgroup_file_write+0xc6/0x420\n kernfs_fop_write_iter+0x189/0x280\n vfs_write+0x256/0x490\n ksys_write+0x83/0x190\n __x64_sys_write+0x21/0x30\n x64_sys_call+0x4608/0x4630\n do_syscall_64+0xdb/0x6b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n-\u003e #1 (\u0026q-\u003erq_qos_mutex){+.+.}-{4:4}:\n __mutex_lock+0xd8/0xf50\n mutex_lock_nested+0x2b/0x40\n wbt_init+0x17e/0x280\n wbt_enable_default+0xe9/0x140\n blk_register_queue+0x1da/0x2e0\n __add_disk+0x38c/0x5d0\n add_disk_fwnode+0x89/0x250\n device_add_disk+0x18/0x30\n virtblk_probe+0x13a3/0x1800\n virtio_dev_probe+0x389/0x610\n really_probe+0x136/0x620\n __driver_probe_device+0xb3/0x230\n driver_probe_device+0x2f/0xe0\n __driver_attach+0x158/0x250\n bus_for_each_dev+0xa9/0x130\n driver_attach+0x26/0x40\n bus_add_driver+0x178/0x3d0\n driver_register+0x7d/0x1c0\n __register_virtio_driver+0x2c/0x60\n virtio_blk_init+0x6f/0xe0\n do_one_initcall+0x94/0x540\n kernel_init_freeable+0x56a/0x7b0\n kernel_init+0x2b/0x270\n ret_from_fork+0x268/0x4c0\n ret_from_fork_asm+0x1a/0x30\n\n-\u003e #0 (\u0026q-\u003esysfs_lock){+.+.}-{4:4}:\n __lock_acquire+0x1835/0x2940\n lock_acquire+0xf9/0x450\n __mutex_lock+0xd8/0xf50\n mutex_lock_nested+0x2b/0x40\n blk_unregister_queue+0x53/0x180\n __del_gendisk+0x226/0x690\n del_gendisk+0xba/0x110\n sd_remove+0x49/0xb0 [sd_mod]\n device_remove+0x87/0xb0\n device_release_driver_internal+0x11e/0x230\n device_release_driver+0x1a/0x30\n bus_remove_device+0x14d/0x220\n device_del+0x1e1/0x5a0\n __scsi_remove_device+0x1ff/0x2f0\n scsi_remove_device+0x37/0x60\n sdev_store_delete+0x77/0x100\n dev_attr_store+0x1f/0x40\n sysfs_kf_write+0x65/0x90\n kernfs_fop_write_iter+0x189/0x280\n vfs_write+0x256/0x490\n ksys_write+0x83/0x190\n __x64_sys_write+0x21/0x30\n x64_sys_call+0x4608/0x4630\n do_syscall_64+0xdb/0x6b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nother info that might help us debug this:\n\nChain exists of:\n \u0026q-\u003esysfs_lock --\u003e \u0026q-\u003erq_qos_mutex --\u003e \u0026q-\u003eq_usage_counter(queue)#3\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(\u0026q-\u003eq_usage_counter(queue)#3);\n lock(\u0026q-\u003erq_qos_mutex);\n lock(\u0026q-\u003eq_usage_counter(queue)#3);\n lock(\u0026q-\u003esysfs_lock);\n\nRoot cause is that queue_usage_counter is grabbed with rq_qos_mutex\nheld in blkg_conf_prep(), while queue should be freezed before\nrq_qos_mutex from other context.\n\nThe blk_queue_enter() from blkg_conf_prep() is used to protect against\npolicy deactivation, which is already protected with blkcg_mutex, hence\nconvert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile,\nconsider that blkcg_mutex is held after queue is freezed from policy\ndeactivation, also convert blkg_alloc() to use GFP_NOIO."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:12.732Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1729523759cda2c0afb76b1c88e0d2f2ef5b7cb"
},
{
"url": "https://git.kernel.org/stable/c/56ac639d6fa6fbb99caee74ee1c7276fc9bb47ed"
},
{
"url": "https://git.kernel.org/stable/c/0585b24d71197dd9ee8cf79c168a31628c631960"
},
{
"url": "https://git.kernel.org/stable/c/5d726c4dbeeddef612e6bed27edd29733f4d13af"
}
],
"title": "blk-cgroup: fix possible deadlock while configuring policy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68178",
"datePublished": "2025-12-16T13:42:57.148Z",
"dateReserved": "2025-12-16T13:41:40.251Z",
"dateUpdated": "2026-01-02T15:34:12.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68797 (GCVE-0-2025-68797)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
char: applicom: fix NULL pointer dereference in ac_ioctl
Summary
In the Linux kernel, the following vulnerability has been resolved:
char: applicom: fix NULL pointer dereference in ac_ioctl
Discovered by Atuin - Automated Vulnerability Discovery Engine.
In ac_ioctl, the validation of IndexCard and the check for a valid
RamIO pointer are skipped when cmd is 6. However, the function
unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the
end.
If cmd is 6, IndexCard may reference a board that does not exist
(where RamIO is NULL), leading to a NULL pointer dereference.
Fix this by skipping the readb access when cmd is 6, as this
command is a global information query and does not target a specific
board context.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5a6240804fb7bbd4f5f6e706955248a6f4c1abbc
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d1b0452280029d05a98c75631131ee61c0b0d084 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0b8b353e09888bccee405e0dd6feafb60360f478 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d285517429a75423789e6408653e57b6fdfc8e54 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 74883565c621eec6cd2e35fe6d27454cf2810c23 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f83e3e9f89181b42f6076a115d767a7552c4a39e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 82d12088c297fa1cef670e1718b3d24f414c23f7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/applicom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a6240804fb7bbd4f5f6e706955248a6f4c1abbc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d1b0452280029d05a98c75631131ee61c0b0d084",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0b8b353e09888bccee405e0dd6feafb60360f478",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d285517429a75423789e6408653e57b6fdfc8e54",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "74883565c621eec6cd2e35fe6d27454cf2810c23",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f83e3e9f89181b42f6076a115d767a7552c4a39e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82d12088c297fa1cef670e1718b3d24f414c23f7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/applicom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nchar: applicom: fix NULL pointer dereference in ac_ioctl\n\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\n\nIn ac_ioctl, the validation of IndexCard and the check for a valid\nRamIO pointer are skipped when cmd is 6. However, the function\nunconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the\nend.\n\nIf cmd is 6, IndexCard may reference a board that does not exist\n(where RamIO is NULL), leading to a NULL pointer dereference.\n\nFix this by skipping the readb access when cmd is 6, as this\ncommand is a global information query and does not target a specific\nboard context."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:45.207Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a6240804fb7bbd4f5f6e706955248a6f4c1abbc"
},
{
"url": "https://git.kernel.org/stable/c/d1b0452280029d05a98c75631131ee61c0b0d084"
},
{
"url": "https://git.kernel.org/stable/c/0b8b353e09888bccee405e0dd6feafb60360f478"
},
{
"url": "https://git.kernel.org/stable/c/d285517429a75423789e6408653e57b6fdfc8e54"
},
{
"url": "https://git.kernel.org/stable/c/74883565c621eec6cd2e35fe6d27454cf2810c23"
},
{
"url": "https://git.kernel.org/stable/c/f83e3e9f89181b42f6076a115d767a7552c4a39e"
},
{
"url": "https://git.kernel.org/stable/c/82d12088c297fa1cef670e1718b3d24f414c23f7"
}
],
"title": "char: applicom: fix NULL pointer dereference in ac_ioctl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68797",
"datePublished": "2026-01-13T15:29:07.575Z",
"dateReserved": "2025-12-24T10:30:51.042Z",
"dateUpdated": "2026-02-09T08:33:45.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39909 (GCVE-0-2025-39909)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:44 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters()
Patch series "mm/damon: avoid divide-by-zero in DAMON module's parameters
application".
DAMON's RECLAIM and LRU_SORT modules perform no validation on
user-configured parameters during application, which may lead to
division-by-zero errors.
Avoid the divide-by-zero by adding validation checks when DAMON modules
attempt to apply the parameters.
This patch (of 2):
During the calculation of 'hot_thres' and 'cold_thres', either
'sample_interval' or 'aggr_interval' is used as the divisor, which may
lead to division-by-zero errors. Fix it by directly returning -EINVAL
when such a case occurs. Additionally, since 'aggr_interval' is already
required to be set no smaller than 'sample_interval' in damon_set_attrs(),
only the case where 'sample_interval' is zero needs to be checked.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
40e983cca9274e177bd5b9379299b44d9536ac68 , < 74e391f7da7d9d5235a3cca88ee9fc18f720c75b
(git)
Affected: 40e983cca9274e177bd5b9379299b44d9536ac68 , < 7bb675c9f0257840d33e5d1337d7e3afdd74a6bf (git) Affected: 40e983cca9274e177bd5b9379299b44d9536ac68 , < af0ae62b935317bed1a1361c8c9579db9d300e70 (git) Affected: 40e983cca9274e177bd5b9379299b44d9536ac68 , < 326a4b3750c71af3f3c52399ec4dbe33b6da4c26 (git) Affected: 40e983cca9274e177bd5b9379299b44d9536ac68 , < 711f19dfd783ffb37ca4324388b9c4cb87e71363 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:35.076Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/lru_sort.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "74e391f7da7d9d5235a3cca88ee9fc18f720c75b",
"status": "affected",
"version": "40e983cca9274e177bd5b9379299b44d9536ac68",
"versionType": "git"
},
{
"lessThan": "7bb675c9f0257840d33e5d1337d7e3afdd74a6bf",
"status": "affected",
"version": "40e983cca9274e177bd5b9379299b44d9536ac68",
"versionType": "git"
},
{
"lessThan": "af0ae62b935317bed1a1361c8c9579db9d300e70",
"status": "affected",
"version": "40e983cca9274e177bd5b9379299b44d9536ac68",
"versionType": "git"
},
{
"lessThan": "326a4b3750c71af3f3c52399ec4dbe33b6da4c26",
"status": "affected",
"version": "40e983cca9274e177bd5b9379299b44d9536ac68",
"versionType": "git"
},
{
"lessThan": "711f19dfd783ffb37ca4324388b9c4cb87e71363",
"status": "affected",
"version": "40e983cca9274e177bd5b9379299b44d9536ac68",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/lru_sort.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters()\n\nPatch series \"mm/damon: avoid divide-by-zero in DAMON module\u0027s parameters\napplication\".\n\nDAMON\u0027s RECLAIM and LRU_SORT modules perform no validation on\nuser-configured parameters during application, which may lead to\ndivision-by-zero errors.\n\nAvoid the divide-by-zero by adding validation checks when DAMON modules\nattempt to apply the parameters.\n\n\nThis patch (of 2):\n\nDuring the calculation of \u0027hot_thres\u0027 and \u0027cold_thres\u0027, either\n\u0027sample_interval\u0027 or \u0027aggr_interval\u0027 is used as the divisor, which may\nlead to division-by-zero errors. Fix it by directly returning -EINVAL\nwhen such a case occurs. Additionally, since \u0027aggr_interval\u0027 is already\nrequired to be set no smaller than \u0027sample_interval\u0027 in damon_set_attrs(),\nonly the case where \u0027sample_interval\u0027 is zero needs to be checked."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:44:32.936Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/74e391f7da7d9d5235a3cca88ee9fc18f720c75b"
},
{
"url": "https://git.kernel.org/stable/c/7bb675c9f0257840d33e5d1337d7e3afdd74a6bf"
},
{
"url": "https://git.kernel.org/stable/c/af0ae62b935317bed1a1361c8c9579db9d300e70"
},
{
"url": "https://git.kernel.org/stable/c/326a4b3750c71af3f3c52399ec4dbe33b6da4c26"
},
{
"url": "https://git.kernel.org/stable/c/711f19dfd783ffb37ca4324388b9c4cb87e71363"
}
],
"title": "mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39909",
"datePublished": "2025-10-01T07:44:32.936Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-11-03T17:44:35.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68341 (GCVE-0-2025-68341)
Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58
VLAI?
EPSS
Title
veth: reduce XDP no_direct return section to fix race
Summary
In the Linux kernel, the following vulnerability has been resolved:
veth: reduce XDP no_direct return section to fix race
As explain in commit fa349e396e48 ("veth: Fix race with AF_XDP exposing
old or uninitialized descriptors") for veth there is a chance after
napi_complete_done() that another CPU can manage start another NAPI
instance running veth_pool(). For NAPI this is correctly handled as the
napi_schedule_prep() check will prevent multiple instances from getting
scheduled, but for the remaining code in veth_pool() this can run
concurrent with the newly started NAPI instance.
The problem/race is that xdp_clear_return_frame_no_direct() isn't
designed to be nested.
Prior to commit 401cb7dae813 ("net: Reference bpf_redirect_info via
task_struct on PREEMPT_RT.") the temporary BPF net context
bpf_redirect_info was stored per CPU, where this wasn't an issue. Since
this commit the BPF context is stored in 'current' task_struct. When
running veth in threaded-NAPI mode, then the kthread becomes the storage
area. Now a race exists between two concurrent veth_pool() function calls
one exiting NAPI and one running new NAPI, both using the same BPF net
context.
Race is when another CPU gets within the xdp_set_return_frame_no_direct()
section before exiting veth_pool() calls the clear-function
xdp_clear_return_frame_no_direct().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
401cb7dae8130fd34eb84648e02ab4c506df7d5e , < c1ceabcb347d1b0f7e70a7384ec7eff3847b7628
(git)
Affected: 401cb7dae8130fd34eb84648e02ab4c506df7d5e , < d0bd018ad72a8a598ae709588934135017f8af52 (git) Affected: 401cb7dae8130fd34eb84648e02ab4c506df7d5e , < a14602fcae17a3f1cb8a8521bedf31728f9e7e39 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/veth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c1ceabcb347d1b0f7e70a7384ec7eff3847b7628",
"status": "affected",
"version": "401cb7dae8130fd34eb84648e02ab4c506df7d5e",
"versionType": "git"
},
{
"lessThan": "d0bd018ad72a8a598ae709588934135017f8af52",
"status": "affected",
"version": "401cb7dae8130fd34eb84648e02ab4c506df7d5e",
"versionType": "git"
},
{
"lessThan": "a14602fcae17a3f1cb8a8521bedf31728f9e7e39",
"status": "affected",
"version": "401cb7dae8130fd34eb84648e02ab4c506df7d5e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/veth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nveth: reduce XDP no_direct return section to fix race\n\nAs explain in commit fa349e396e48 (\"veth: Fix race with AF_XDP exposing\nold or uninitialized descriptors\") for veth there is a chance after\nnapi_complete_done() that another CPU can manage start another NAPI\ninstance running veth_pool(). For NAPI this is correctly handled as the\nnapi_schedule_prep() check will prevent multiple instances from getting\nscheduled, but for the remaining code in veth_pool() this can run\nconcurrent with the newly started NAPI instance.\n\nThe problem/race is that xdp_clear_return_frame_no_direct() isn\u0027t\ndesigned to be nested.\n\nPrior to commit 401cb7dae813 (\"net: Reference bpf_redirect_info via\ntask_struct on PREEMPT_RT.\") the temporary BPF net context\nbpf_redirect_info was stored per CPU, where this wasn\u0027t an issue. Since\nthis commit the BPF context is stored in \u0027current\u0027 task_struct. When\nrunning veth in threaded-NAPI mode, then the kthread becomes the storage\narea. Now a race exists between two concurrent veth_pool() function calls\none exiting NAPI and one running new NAPI, both using the same BPF net\ncontext.\n\nRace is when another CPU gets within the xdp_set_return_frame_no_direct()\nsection before exiting veth_pool() calls the clear-function\nxdp_clear_return_frame_no_direct()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:58:26.749Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c1ceabcb347d1b0f7e70a7384ec7eff3847b7628"
},
{
"url": "https://git.kernel.org/stable/c/d0bd018ad72a8a598ae709588934135017f8af52"
},
{
"url": "https://git.kernel.org/stable/c/a14602fcae17a3f1cb8a8521bedf31728f9e7e39"
}
],
"title": "veth: reduce XDP no_direct return section to fix race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68341",
"datePublished": "2025-12-23T13:58:26.749Z",
"dateReserved": "2025-12-16T14:48:05.298Z",
"dateUpdated": "2025-12-23T13:58:26.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39843 (GCVE-0-2025-39843)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
mm: slub: avoid wake up kswapd in set_track_prepare
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: slub: avoid wake up kswapd in set_track_prepare
set_track_prepare() can incur lock recursion.
The issue is that it is called from hrtimer_start_range_ns
holding the per_cpu(hrtimer_bases)[n].lock, but when enabled
CONFIG_DEBUG_OBJECTS_TIMERS, may wake up kswapd in set_track_prepare,
and try to hold the per_cpu(hrtimer_bases)[n].lock.
Avoid deadlock caused by implicitly waking up kswapd by passing in
allocation flags, which do not contain __GFP_KSWAPD_RECLAIM in the
debug_objects_fill_pool() case. Inside stack depot they are processed by
gfp_nested_mask().
Since ___slab_alloc() has preemption disabled, we mask out
__GFP_DIRECT_RECLAIM from the flags there.
The oops looks something like:
BUG: spinlock recursion on CPU#3, swapper/3/0
lock: 0xffffff8a4bf29c80, .magic: dead4ead, .owner: swapper/3/0, .owner_cpu: 3
Hardware name: Qualcomm Technologies, Inc. Popsicle based on SM8850 (DT)
Call trace:
spin_bug+0x0
_raw_spin_lock_irqsave+0x80
hrtimer_try_to_cancel+0x94
task_contending+0x10c
enqueue_dl_entity+0x2a4
dl_server_start+0x74
enqueue_task_fair+0x568
enqueue_task+0xac
do_activate_task+0x14c
ttwu_do_activate+0xcc
try_to_wake_up+0x6c8
default_wake_function+0x20
autoremove_wake_function+0x1c
__wake_up+0xac
wakeup_kswapd+0x19c
wake_all_kswapds+0x78
__alloc_pages_slowpath+0x1ac
__alloc_pages_noprof+0x298
stack_depot_save_flags+0x6b0
stack_depot_save+0x14
set_track_prepare+0x5c
___slab_alloc+0xccc
__kmalloc_cache_noprof+0x470
__set_page_owner+0x2bc
post_alloc_hook[jt]+0x1b8
prep_new_page+0x28
get_page_from_freelist+0x1edc
__alloc_pages_noprof+0x13c
alloc_slab_page+0x244
allocate_slab+0x7c
___slab_alloc+0x8e8
kmem_cache_alloc_noprof+0x450
debug_objects_fill_pool+0x22c
debug_object_activate+0x40
enqueue_hrtimer[jt]+0xdc
hrtimer_start_range_ns+0x5f8
...
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5cf909c553e9efed573811de4b3f5172898d5515 , < 994b03b9605d36d814c611385fbf90ca6db20aa8
(git)
Affected: 5cf909c553e9efed573811de4b3f5172898d5515 , < 522ffe298627cfe72539d72167c2e20e72b5e856 (git) Affected: 5cf909c553e9efed573811de4b3f5172898d5515 , < 243b705a90ed8449f561a271cf251fd2e939f3db (git) Affected: 5cf909c553e9efed573811de4b3f5172898d5515 , < eb3240ffd243bfb8b1e9dc568d484ecf9fd660ab (git) Affected: 5cf909c553e9efed573811de4b3f5172898d5515 , < 850470a8413a8a78e772c4f6bd9fe81ec6bd5b0f (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:58.958Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/slub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "994b03b9605d36d814c611385fbf90ca6db20aa8",
"status": "affected",
"version": "5cf909c553e9efed573811de4b3f5172898d5515",
"versionType": "git"
},
{
"lessThan": "522ffe298627cfe72539d72167c2e20e72b5e856",
"status": "affected",
"version": "5cf909c553e9efed573811de4b3f5172898d5515",
"versionType": "git"
},
{
"lessThan": "243b705a90ed8449f561a271cf251fd2e939f3db",
"status": "affected",
"version": "5cf909c553e9efed573811de4b3f5172898d5515",
"versionType": "git"
},
{
"lessThan": "eb3240ffd243bfb8b1e9dc568d484ecf9fd660ab",
"status": "affected",
"version": "5cf909c553e9efed573811de4b3f5172898d5515",
"versionType": "git"
},
{
"lessThan": "850470a8413a8a78e772c4f6bd9fe81ec6bd5b0f",
"status": "affected",
"version": "5cf909c553e9efed573811de4b3f5172898d5515",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/slub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: slub: avoid wake up kswapd in set_track_prepare\n\nset_track_prepare() can incur lock recursion.\nThe issue is that it is called from hrtimer_start_range_ns\nholding the per_cpu(hrtimer_bases)[n].lock, but when enabled\nCONFIG_DEBUG_OBJECTS_TIMERS, may wake up kswapd in set_track_prepare,\nand try to hold the per_cpu(hrtimer_bases)[n].lock.\n\nAvoid deadlock caused by implicitly waking up kswapd by passing in\nallocation flags, which do not contain __GFP_KSWAPD_RECLAIM in the\ndebug_objects_fill_pool() case. Inside stack depot they are processed by\ngfp_nested_mask().\nSince ___slab_alloc() has preemption disabled, we mask out\n__GFP_DIRECT_RECLAIM from the flags there.\n\nThe oops looks something like:\n\nBUG: spinlock recursion on CPU#3, swapper/3/0\n lock: 0xffffff8a4bf29c80, .magic: dead4ead, .owner: swapper/3/0, .owner_cpu: 3\nHardware name: Qualcomm Technologies, Inc. Popsicle based on SM8850 (DT)\nCall trace:\nspin_bug+0x0\n_raw_spin_lock_irqsave+0x80\nhrtimer_try_to_cancel+0x94\ntask_contending+0x10c\nenqueue_dl_entity+0x2a4\ndl_server_start+0x74\nenqueue_task_fair+0x568\nenqueue_task+0xac\ndo_activate_task+0x14c\nttwu_do_activate+0xcc\ntry_to_wake_up+0x6c8\ndefault_wake_function+0x20\nautoremove_wake_function+0x1c\n__wake_up+0xac\nwakeup_kswapd+0x19c\nwake_all_kswapds+0x78\n__alloc_pages_slowpath+0x1ac\n__alloc_pages_noprof+0x298\nstack_depot_save_flags+0x6b0\nstack_depot_save+0x14\nset_track_prepare+0x5c\n___slab_alloc+0xccc\n__kmalloc_cache_noprof+0x470\n__set_page_owner+0x2bc\npost_alloc_hook[jt]+0x1b8\nprep_new_page+0x28\nget_page_from_freelist+0x1edc\n__alloc_pages_noprof+0x13c\nalloc_slab_page+0x244\nallocate_slab+0x7c\n___slab_alloc+0x8e8\nkmem_cache_alloc_noprof+0x450\ndebug_objects_fill_pool+0x22c\ndebug_object_activate+0x40\nenqueue_hrtimer[jt]+0xdc\nhrtimer_start_range_ns+0x5f8\n..."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:52.386Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/994b03b9605d36d814c611385fbf90ca6db20aa8"
},
{
"url": "https://git.kernel.org/stable/c/522ffe298627cfe72539d72167c2e20e72b5e856"
},
{
"url": "https://git.kernel.org/stable/c/243b705a90ed8449f561a271cf251fd2e939f3db"
},
{
"url": "https://git.kernel.org/stable/c/eb3240ffd243bfb8b1e9dc568d484ecf9fd660ab"
},
{
"url": "https://git.kernel.org/stable/c/850470a8413a8a78e772c4f6bd9fe81ec6bd5b0f"
}
],
"title": "mm: slub: avoid wake up kswapd in set_track_prepare",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39843",
"datePublished": "2025-09-19T15:26:17.758Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:43:58.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40289 (GCVE-0-2025-40289)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM
Otherwise accessing them can cause a crash.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 39a1c8c860e32d775f29917939e87b6a7c08ebb1
(git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < a67a9f99ce1306898d7129a199d42876bc06a0f0 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 33cc891b56b93cad1a83263eaf2e417436f70c82 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "39a1c8c860e32d775f29917939e87b6a7c08ebb1",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "a67a9f99ce1306898d7129a199d42876bc06a0f0",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "33cc891b56b93cad1a83263eaf2e417436f70c82",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM\n\nOtherwise accessing them can cause a crash."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:56.224Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/39a1c8c860e32d775f29917939e87b6a7c08ebb1"
},
{
"url": "https://git.kernel.org/stable/c/a67a9f99ce1306898d7129a199d42876bc06a0f0"
},
{
"url": "https://git.kernel.org/stable/c/33cc891b56b93cad1a83263eaf2e417436f70c82"
}
],
"title": "drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40289",
"datePublished": "2025-12-06T21:51:15.555Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-20T08:51:56.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40178 (GCVE-0-2025-40178)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
pid: Add a judgment for ns null in pid_nr_ns
Summary
In the Linux kernel, the following vulnerability has been resolved:
pid: Add a judgment for ns null in pid_nr_ns
__task_pid_nr_ns
ns = task_active_pid_ns(current);
pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);
if (pid && ns->level <= pid->level) {
Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.
For example:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
Mem abort info:
ESR = 0x0000000096000007
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x07: level 3 translation fault
Data abort info:
ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000
[0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000
pstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : __task_pid_nr_ns+0x74/0xd0
lr : __task_pid_nr_ns+0x24/0xd0
sp : ffffffc08001bd10
x29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001
x26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31
x23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0
x20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000
x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc
x14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800
x11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001
x8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449
x5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc
x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0
Call trace:
__task_pid_nr_ns+0x74/0xd0
...
__handle_irq_event_percpu+0xd4/0x284
handle_irq_event+0x48/0xb0
handle_fasteoi_irq+0x160/0x2d8
generic_handle_domain_irq+0x44/0x60
gic_handle_irq+0x4c/0x114
call_on_irq_stack+0x3c/0x74
do_interrupt_handler+0x4c/0x84
el1_interrupt+0x34/0x58
el1h_64_irq_handler+0x18/0x24
el1h_64_irq+0x68/0x6c
account_kernel_stack+0x60/0x144
exit_task_stack_account+0x1c/0x80
do_exit+0x7e4/0xaf8
...
get_signal+0x7bc/0x8d8
do_notify_resume+0x128/0x828
el0_svc+0x6c/0x70
el0t_64_sync_handler+0x68/0xbc
el0t_64_sync+0x1a8/0x1ac
Code: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Oops: Fatal exception in interrupt
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
17cf22c33e1f1b5e435469c84e43872579497653 , < 75dbc029c5359438be4a6f908bfbfdab969af776
(git)
Affected: 17cf22c33e1f1b5e435469c84e43872579497653 , < c2d09d724856b6f82ab688f65fc1ce833bb56333 (git) Affected: 17cf22c33e1f1b5e435469c84e43872579497653 , < c3b654021931dc806ba086c549e8756c3f204a67 (git) Affected: 17cf22c33e1f1b5e435469c84e43872579497653 , < e10c36a771c5cc910abd9fe4aa9033ee32a47c38 (git) Affected: 17cf22c33e1f1b5e435469c84e43872579497653 , < 09d227c59d97efda7d5cc878a4335a6b2bb224c2 (git) Affected: 17cf22c33e1f1b5e435469c84e43872579497653 , < 2076b916bf41be48799d1443df0f8fc75d12ccd0 (git) Affected: 17cf22c33e1f1b5e435469c84e43872579497653 , < a0212978af1825b37da0b453b94d9b0e5af11478 (git) Affected: 17cf22c33e1f1b5e435469c84e43872579497653 , < 006568ab4c5ca2309ceb36fa553e390b4aa9c0c7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/pid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "75dbc029c5359438be4a6f908bfbfdab969af776",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "c2d09d724856b6f82ab688f65fc1ce833bb56333",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "c3b654021931dc806ba086c549e8756c3f204a67",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "e10c36a771c5cc910abd9fe4aa9033ee32a47c38",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "09d227c59d97efda7d5cc878a4335a6b2bb224c2",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "2076b916bf41be48799d1443df0f8fc75d12ccd0",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "a0212978af1825b37da0b453b94d9b0e5af11478",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "006568ab4c5ca2309ceb36fa553e390b4aa9c0c7",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/pid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npid: Add a judgment for ns null in pid_nr_ns\n\n__task_pid_nr_ns\n ns = task_active_pid_ns(current);\n pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);\n if (pid \u0026\u0026 ns-\u003elevel \u003c= pid-\u003elevel) {\n\nSometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.\n\nFor example:\n\tUnable to handle kernel NULL pointer dereference at virtual address 0000000000000058\n\tMem abort info:\n\tESR = 0x0000000096000007\n\tEC = 0x25: DABT (current EL), IL = 32 bits\n\tSET = 0, FnV = 0\n\tEA = 0, S1PTW = 0\n\tFSC = 0x07: level 3 translation fault\n\tData abort info:\n\tISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n\tCM = 0, WnR = 0, TnD = 0, TagAccess = 0\n\tGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n\tuser pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000\n\t[0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000\n\tpstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n\tpc : __task_pid_nr_ns+0x74/0xd0\n\tlr : __task_pid_nr_ns+0x24/0xd0\n\tsp : ffffffc08001bd10\n\tx29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001\n\tx26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31\n\tx23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0\n\tx20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000\n\tx17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc\n\tx14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800\n\tx11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001\n\tx8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449\n\tx5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc\n\tx2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0\n\tCall trace:\n\t__task_pid_nr_ns+0x74/0xd0\n\t...\n\t__handle_irq_event_percpu+0xd4/0x284\n\thandle_irq_event+0x48/0xb0\n\thandle_fasteoi_irq+0x160/0x2d8\n\tgeneric_handle_domain_irq+0x44/0x60\n\tgic_handle_irq+0x4c/0x114\n\tcall_on_irq_stack+0x3c/0x74\n\tdo_interrupt_handler+0x4c/0x84\n\tel1_interrupt+0x34/0x58\n\tel1h_64_irq_handler+0x18/0x24\n\tel1h_64_irq+0x68/0x6c\n\taccount_kernel_stack+0x60/0x144\n\texit_task_stack_account+0x1c/0x80\n\tdo_exit+0x7e4/0xaf8\n\t...\n\tget_signal+0x7bc/0x8d8\n\tdo_notify_resume+0x128/0x828\n\tel0_svc+0x6c/0x70\n\tel0t_64_sync_handler+0x68/0xbc\n\tel0t_64_sync+0x1a8/0x1ac\n\tCode: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69)\n\t---[ end trace 0000000000000000 ]---\n\tKernel panic - not syncing: Oops: Fatal exception in interrupt"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:08.316Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/75dbc029c5359438be4a6f908bfbfdab969af776"
},
{
"url": "https://git.kernel.org/stable/c/c2d09d724856b6f82ab688f65fc1ce833bb56333"
},
{
"url": "https://git.kernel.org/stable/c/c3b654021931dc806ba086c549e8756c3f204a67"
},
{
"url": "https://git.kernel.org/stable/c/e10c36a771c5cc910abd9fe4aa9033ee32a47c38"
},
{
"url": "https://git.kernel.org/stable/c/09d227c59d97efda7d5cc878a4335a6b2bb224c2"
},
{
"url": "https://git.kernel.org/stable/c/2076b916bf41be48799d1443df0f8fc75d12ccd0"
},
{
"url": "https://git.kernel.org/stable/c/a0212978af1825b37da0b453b94d9b0e5af11478"
},
{
"url": "https://git.kernel.org/stable/c/006568ab4c5ca2309ceb36fa553e390b4aa9c0c7"
}
],
"title": "pid: Add a judgment for ns null in pid_nr_ns",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40178",
"datePublished": "2025-11-12T21:56:24.051Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2026-01-02T15:33:08.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39944 (GCVE-0-2025-39944)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:31 – Updated: 2025-10-04 07:31
VLAI?
EPSS
Title
octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp()
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp()
The original code relies on cancel_delayed_work() in otx2_ptp_destroy(),
which does not ensure that the delayed work item synctstamp_work has fully
completed if it was already running. This leads to use-after-free scenarios
where otx2_ptp is deallocated by otx2_ptp_destroy(), while synctstamp_work
remains active and attempts to dereference otx2_ptp in otx2_sync_tstamp().
Furthermore, the synctstamp_work is cyclic, the likelihood of triggering
the bug is nonnegligible.
A typical race condition is illustrated below:
CPU 0 (cleanup) | CPU 1 (delayed work callback)
otx2_remove() |
otx2_ptp_destroy() | otx2_sync_tstamp()
cancel_delayed_work() |
kfree(ptp) |
| ptp = container_of(...); //UAF
| ptp-> //UAF
This is confirmed by a KASAN report:
BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
Write of size 8 at addr ffff88800aa09a18 by task bash/136
...
Call Trace:
<IRQ>
dump_stack_lvl+0x55/0x70
print_report+0xcf/0x610
? __run_timer_base.part.0+0x7d7/0x8c0
kasan_report+0xb8/0xf0
? __run_timer_base.part.0+0x7d7/0x8c0
__run_timer_base.part.0+0x7d7/0x8c0
? __pfx___run_timer_base.part.0+0x10/0x10
? __pfx_read_tsc+0x10/0x10
? ktime_get+0x60/0x140
? lapic_next_event+0x11/0x20
? clockevents_program_event+0x1d4/0x2a0
run_timer_softirq+0xd1/0x190
handle_softirqs+0x16a/0x550
irq_exit_rcu+0xaf/0xe0
sysvec_apic_timer_interrupt+0x70/0x80
</IRQ>
...
Allocated by task 1:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
otx2_ptp_init+0xb1/0x860
otx2_probe+0x4eb/0xc30
local_pci_probe+0xdc/0x190
pci_device_probe+0x2fe/0x470
really_probe+0x1ca/0x5c0
__driver_probe_device+0x248/0x310
driver_probe_device+0x44/0x120
__driver_attach+0xd2/0x310
bus_for_each_dev+0xed/0x170
bus_add_driver+0x208/0x500
driver_register+0x132/0x460
do_one_initcall+0x89/0x300
kernel_init_freeable+0x40d/0x720
kernel_init+0x1a/0x150
ret_from_fork+0x10c/0x1a0
ret_from_fork_asm+0x1a/0x30
Freed by task 136:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3a/0x60
__kasan_slab_free+0x3f/0x50
kfree+0x137/0x370
otx2_ptp_destroy+0x38/0x80
otx2_remove+0x10d/0x4c0
pci_device_remove+0xa6/0x1d0
device_release_driver_internal+0xf8/0x210
pci_stop_bus_device+0x105/0x150
pci_stop_and_remove_bus_device_locked+0x15/0x30
remove_store+0xcc/0xe0
kernfs_fop_write_iter+0x2c3/0x440
vfs_write+0x871/0xd70
ksys_write+0xee/0x1c0
do_syscall_64+0xac/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the delayed work item is properly canceled before the otx2_ptp is
deallocated.
This bug was initially identified through static analysis. To reproduce
and test it, I simulated the OcteonTX2 PCI device in QEMU and introduced
artificial delays within the otx2_sync_tstamp() function to increase the
likelihood of triggering the bug.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2958d17a898416c6193431676f6130b68a2cb9fc , < 2786879aebf363806a13d41e8d5f99202ddd23d9
(git)
Affected: 2958d17a898416c6193431676f6130b68a2cb9fc , < d2cfefa14ce8137b17f99683f968bebf134b6a48 (git) Affected: 2958d17a898416c6193431676f6130b68a2cb9fc , < ff27e23b311fed4d25e3852e27ba693416d4c7b3 (git) Affected: 2958d17a898416c6193431676f6130b68a2cb9fc , < 5ca20bb7b4bde72110c3ae78423cbfdd0157aa36 (git) Affected: 2958d17a898416c6193431676f6130b68a2cb9fc , < f8b4687151021db61841af983f1cb7be6915d4ef (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2786879aebf363806a13d41e8d5f99202ddd23d9",
"status": "affected",
"version": "2958d17a898416c6193431676f6130b68a2cb9fc",
"versionType": "git"
},
{
"lessThan": "d2cfefa14ce8137b17f99683f968bebf134b6a48",
"status": "affected",
"version": "2958d17a898416c6193431676f6130b68a2cb9fc",
"versionType": "git"
},
{
"lessThan": "ff27e23b311fed4d25e3852e27ba693416d4c7b3",
"status": "affected",
"version": "2958d17a898416c6193431676f6130b68a2cb9fc",
"versionType": "git"
},
{
"lessThan": "5ca20bb7b4bde72110c3ae78423cbfdd0157aa36",
"status": "affected",
"version": "2958d17a898416c6193431676f6130b68a2cb9fc",
"versionType": "git"
},
{
"lessThan": "f8b4687151021db61841af983f1cb7be6915d4ef",
"status": "affected",
"version": "2958d17a898416c6193431676f6130b68a2cb9fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp()\n\nThe original code relies on cancel_delayed_work() in otx2_ptp_destroy(),\nwhich does not ensure that the delayed work item synctstamp_work has fully\ncompleted if it was already running. This leads to use-after-free scenarios\nwhere otx2_ptp is deallocated by otx2_ptp_destroy(), while synctstamp_work\nremains active and attempts to dereference otx2_ptp in otx2_sync_tstamp().\nFurthermore, the synctstamp_work is cyclic, the likelihood of triggering\nthe bug is nonnegligible.\n\nA typical race condition is illustrated below:\n\nCPU 0 (cleanup) | CPU 1 (delayed work callback)\notx2_remove() |\n otx2_ptp_destroy() | otx2_sync_tstamp()\n cancel_delayed_work() |\n kfree(ptp) |\n | ptp = container_of(...); //UAF\n | ptp-\u003e //UAF\n\nThis is confirmed by a KASAN report:\n\nBUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0\nWrite of size 8 at addr ffff88800aa09a18 by task bash/136\n...\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x55/0x70\n print_report+0xcf/0x610\n ? __run_timer_base.part.0+0x7d7/0x8c0\n kasan_report+0xb8/0xf0\n ? __run_timer_base.part.0+0x7d7/0x8c0\n __run_timer_base.part.0+0x7d7/0x8c0\n ? __pfx___run_timer_base.part.0+0x10/0x10\n ? __pfx_read_tsc+0x10/0x10\n ? ktime_get+0x60/0x140\n ? lapic_next_event+0x11/0x20\n ? clockevents_program_event+0x1d4/0x2a0\n run_timer_softirq+0xd1/0x190\n handle_softirqs+0x16a/0x550\n irq_exit_rcu+0xaf/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n \u003c/IRQ\u003e\n...\nAllocated by task 1:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n otx2_ptp_init+0xb1/0x860\n otx2_probe+0x4eb/0xc30\n local_pci_probe+0xdc/0x190\n pci_device_probe+0x2fe/0x470\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __driver_attach+0xd2/0x310\n bus_for_each_dev+0xed/0x170\n bus_add_driver+0x208/0x500\n driver_register+0x132/0x460\n do_one_initcall+0x89/0x300\n kernel_init_freeable+0x40d/0x720\n kernel_init+0x1a/0x150\n ret_from_fork+0x10c/0x1a0\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 136:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x3f/0x50\n kfree+0x137/0x370\n otx2_ptp_destroy+0x38/0x80\n otx2_remove+0x10d/0x4c0\n pci_device_remove+0xa6/0x1d0\n device_release_driver_internal+0xf8/0x210\n pci_stop_bus_device+0x105/0x150\n pci_stop_and_remove_bus_device_locked+0x15/0x30\n remove_store+0xcc/0xe0\n kernfs_fop_write_iter+0x2c3/0x440\n vfs_write+0x871/0xd70\n ksys_write+0xee/0x1c0\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the delayed work item is properly canceled before the otx2_ptp is\ndeallocated.\n\nThis bug was initially identified through static analysis. To reproduce\nand test it, I simulated the OcteonTX2 PCI device in QEMU and introduced\nartificial delays within the otx2_sync_tstamp() function to increase the\nlikelihood of triggering the bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:31:06.339Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2786879aebf363806a13d41e8d5f99202ddd23d9"
},
{
"url": "https://git.kernel.org/stable/c/d2cfefa14ce8137b17f99683f968bebf134b6a48"
},
{
"url": "https://git.kernel.org/stable/c/ff27e23b311fed4d25e3852e27ba693416d4c7b3"
},
{
"url": "https://git.kernel.org/stable/c/5ca20bb7b4bde72110c3ae78423cbfdd0157aa36"
},
{
"url": "https://git.kernel.org/stable/c/f8b4687151021db61841af983f1cb7be6915d4ef"
}
],
"title": "octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39944",
"datePublished": "2025-10-04T07:31:06.339Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:31:06.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40337 (GCVE-0-2025-40337)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
net: stmmac: Correctly handle Rx checksum offload errors
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: Correctly handle Rx checksum offload errors
The stmmac_rx function would previously set skb->ip_summed to
CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled
and the packet was of a known IP ethertype.
However, this logic failed to check if the hardware had actually
reported a checksum error. The hardware status, indicating a header or
payload checksum failure, was being ignored at this stage. This could
cause corrupt packets to be passed up the network stack as valid.
This patch corrects the logic by checking the `csum_none` status flag,
which is set when the hardware reports a checksum error. If this flag
is set, skb->ip_summed is now correctly set to CHECKSUM_NONE,
ensuring the kernel's network stack will perform its own validation and
properly handle the corrupt packet.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3c20f72f9108b2fcf30ec63d8a4203736c01ccd0 , < 63fbe0e6413279d5ea5842e2423e351ded547683
(git)
Affected: 3c20f72f9108b2fcf30ec63d8a4203736c01ccd0 , < 719fcdf29051f7471d5d433475af76219019d33d (git) Affected: 3c20f72f9108b2fcf30ec63d8a4203736c01ccd0 , < 1aa319e0f12d2d761a31556b82a5852c98eb0bea (git) Affected: 3c20f72f9108b2fcf30ec63d8a4203736c01ccd0 , < ee0aace5f844ef59335148875d05bec8764e71e8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "63fbe0e6413279d5ea5842e2423e351ded547683",
"status": "affected",
"version": "3c20f72f9108b2fcf30ec63d8a4203736c01ccd0",
"versionType": "git"
},
{
"lessThan": "719fcdf29051f7471d5d433475af76219019d33d",
"status": "affected",
"version": "3c20f72f9108b2fcf30ec63d8a4203736c01ccd0",
"versionType": "git"
},
{
"lessThan": "1aa319e0f12d2d761a31556b82a5852c98eb0bea",
"status": "affected",
"version": "3c20f72f9108b2fcf30ec63d8a4203736c01ccd0",
"versionType": "git"
},
{
"lessThan": "ee0aace5f844ef59335148875d05bec8764e71e8",
"status": "affected",
"version": "3c20f72f9108b2fcf30ec63d8a4203736c01ccd0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: Correctly handle Rx checksum offload errors\n\nThe stmmac_rx function would previously set skb-\u003eip_summed to\nCHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled\nand the packet was of a known IP ethertype.\n\nHowever, this logic failed to check if the hardware had actually\nreported a checksum error. The hardware status, indicating a header or\npayload checksum failure, was being ignored at this stage. This could\ncause corrupt packets to be passed up the network stack as valid.\n\nThis patch corrects the logic by checking the `csum_none` status flag,\nwhich is set when the hardware reports a checksum error. If this flag\nis set, skb-\u003eip_summed is now correctly set to CHECKSUM_NONE,\nensuring the kernel\u0027s network stack will perform its own validation and\nproperly handle the corrupt packet."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:39.035Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/63fbe0e6413279d5ea5842e2423e351ded547683"
},
{
"url": "https://git.kernel.org/stable/c/719fcdf29051f7471d5d433475af76219019d33d"
},
{
"url": "https://git.kernel.org/stable/c/1aa319e0f12d2d761a31556b82a5852c98eb0bea"
},
{
"url": "https://git.kernel.org/stable/c/ee0aace5f844ef59335148875d05bec8764e71e8"
}
],
"title": "net: stmmac: Correctly handle Rx checksum offload errors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40337",
"datePublished": "2025-12-09T04:09:53.808Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-01-02T15:33:39.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39932 (GCVE-0-2025-39932)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:30 – Updated: 2025-10-04 07:30
VLAI?
EPSS
Title
smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work)
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work)
In smbd_destroy() we may destroy the memory so we better
wait until post_send_credits_work is no longer pending
and will never be started again.
I actually just hit the case using rxe:
WARNING: CPU: 0 PID: 138 at drivers/infiniband/sw/rxe/rxe_verbs.c:1032 rxe_post_recv+0x1ee/0x480 [rdma_rxe]
...
[ 5305.686979] [ T138] smbd_post_recv+0x445/0xc10 [cifs]
[ 5305.687135] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687149] [ T138] ? __kasan_check_write+0x14/0x30
[ 5305.687185] [ T138] ? __pfx_smbd_post_recv+0x10/0x10 [cifs]
[ 5305.687329] [ T138] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 5305.687356] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687368] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687378] [ T138] ? _raw_spin_unlock_irqrestore+0x11/0x60
[ 5305.687389] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687399] [ T138] ? get_receive_buffer+0x168/0x210 [cifs]
[ 5305.687555] [ T138] smbd_post_send_credits+0x382/0x4b0 [cifs]
[ 5305.687701] [ T138] ? __pfx_smbd_post_send_credits+0x10/0x10 [cifs]
[ 5305.687855] [ T138] ? __pfx___schedule+0x10/0x10
[ 5305.687865] [ T138] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 5305.687875] [ T138] ? queue_delayed_work_on+0x8e/0xa0
[ 5305.687889] [ T138] process_one_work+0x629/0xf80
[ 5305.687908] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687917] [ T138] ? __kasan_check_write+0x14/0x30
[ 5305.687933] [ T138] worker_thread+0x87f/0x1570
...
It means rxe_post_recv was called after rdma_destroy_qp().
This happened because put_receive_buffer() was triggered
by ib_drain_qp() and called:
queue_work(info->workqueue, &info->post_send_credits_work);
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f198186aa9bbd60fae7a2061f4feec614d880299 , < 6ae90a2baf923e85eb037b636aa641250bf4220f
(git)
Affected: f198186aa9bbd60fae7a2061f4feec614d880299 , < 3fabb1236f2e3ad78d531be0a4ad9f4a4ccdda87 (git) Affected: f198186aa9bbd60fae7a2061f4feec614d880299 , < d9dcbbcf9145b68aa85c40947311a6907277e097 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smbdirect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6ae90a2baf923e85eb037b636aa641250bf4220f",
"status": "affected",
"version": "f198186aa9bbd60fae7a2061f4feec614d880299",
"versionType": "git"
},
{
"lessThan": "3fabb1236f2e3ad78d531be0a4ad9f4a4ccdda87",
"status": "affected",
"version": "f198186aa9bbd60fae7a2061f4feec614d880299",
"versionType": "git"
},
{
"lessThan": "d9dcbbcf9145b68aa85c40947311a6907277e097",
"status": "affected",
"version": "f198186aa9bbd60fae7a2061f4feec614d880299",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smbdirect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: let smbd_destroy() call disable_work_sync(\u0026info-\u003epost_send_credits_work)\n\nIn smbd_destroy() we may destroy the memory so we better\nwait until post_send_credits_work is no longer pending\nand will never be started again.\n\nI actually just hit the case using rxe:\n\nWARNING: CPU: 0 PID: 138 at drivers/infiniband/sw/rxe/rxe_verbs.c:1032 rxe_post_recv+0x1ee/0x480 [rdma_rxe]\n...\n[ 5305.686979] [ T138] smbd_post_recv+0x445/0xc10 [cifs]\n[ 5305.687135] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5305.687149] [ T138] ? __kasan_check_write+0x14/0x30\n[ 5305.687185] [ T138] ? __pfx_smbd_post_recv+0x10/0x10 [cifs]\n[ 5305.687329] [ T138] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 5305.687356] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5305.687368] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5305.687378] [ T138] ? _raw_spin_unlock_irqrestore+0x11/0x60\n[ 5305.687389] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5305.687399] [ T138] ? get_receive_buffer+0x168/0x210 [cifs]\n[ 5305.687555] [ T138] smbd_post_send_credits+0x382/0x4b0 [cifs]\n[ 5305.687701] [ T138] ? __pfx_smbd_post_send_credits+0x10/0x10 [cifs]\n[ 5305.687855] [ T138] ? __pfx___schedule+0x10/0x10\n[ 5305.687865] [ T138] ? __pfx__raw_spin_lock_irq+0x10/0x10\n[ 5305.687875] [ T138] ? queue_delayed_work_on+0x8e/0xa0\n[ 5305.687889] [ T138] process_one_work+0x629/0xf80\n[ 5305.687908] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5305.687917] [ T138] ? __kasan_check_write+0x14/0x30\n[ 5305.687933] [ T138] worker_thread+0x87f/0x1570\n...\n\nIt means rxe_post_recv was called after rdma_destroy_qp().\nThis happened because put_receive_buffer() was triggered\nby ib_drain_qp() and called:\nqueue_work(info-\u003eworkqueue, \u0026info-\u003epost_send_credits_work);"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:30:56.726Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6ae90a2baf923e85eb037b636aa641250bf4220f"
},
{
"url": "https://git.kernel.org/stable/c/3fabb1236f2e3ad78d531be0a4ad9f4a4ccdda87"
},
{
"url": "https://git.kernel.org/stable/c/d9dcbbcf9145b68aa85c40947311a6907277e097"
}
],
"title": "smb: client: let smbd_destroy() call disable_work_sync(\u0026info-\u003epost_send_credits_work)",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39932",
"datePublished": "2025-10-04T07:30:56.726Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:30:56.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40206 (GCVE-0-2025-40206)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:20
VLAI?
EPSS
Title
netfilter: nft_objref: validate objref and objrefmap expressions
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_objref: validate objref and objrefmap expressions
Referencing a synproxy stateful object from OUTPUT hook causes kernel
crash due to infinite recursive calls:
BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12)
[...]
Call Trace:
__find_rr_leaf+0x99/0x230
fib6_table_lookup+0x13b/0x2d0
ip6_pol_route+0xa4/0x400
fib6_rule_lookup+0x156/0x240
ip6_route_output_flags+0xc6/0x150
__nf_ip6_route+0x23/0x50
synproxy_send_tcp_ipv6+0x106/0x200
synproxy_send_client_synack_ipv6+0x1aa/0x1f0
nft_synproxy_do_eval+0x263/0x310
nft_do_chain+0x5a8/0x5f0 [nf_tables
nft_do_chain_inet+0x98/0x110
nf_hook_slow+0x43/0xc0
__ip6_local_out+0xf0/0x170
ip6_local_out+0x17/0x70
synproxy_send_tcp_ipv6+0x1a2/0x200
synproxy_send_client_synack_ipv6+0x1aa/0x1f0
[...]
Implement objref and objrefmap expression validate functions.
Currently, only NFT_OBJECT_SYNPROXY object type requires validation.
This will also handle a jump to a chain using a synproxy object from the
OUTPUT hook.
Now when trying to reference a synproxy object in the OUTPUT hook, nft
will produce the following error:
synproxy_crash.nft: Error: Could not process rule: Operation not supported
synproxy name mysynproxy
^^^^^^^^^^^^^^^^^^^^^^^^
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ee394f96ad7517fbc0de9106dcc7ce9efb14f264 , < 0028e0134c64d9ed21728341a74fcfc59cd0f944
(git)
Affected: ee394f96ad7517fbc0de9106dcc7ce9efb14f264 , < 7ea55a44493a5a36c3b3293b88bbe4841f9dbaf0 (git) Affected: ee394f96ad7517fbc0de9106dcc7ce9efb14f264 , < 4c1cf72ec10be5a9ad264650cadffa1fbce6fabd (git) Affected: ee394f96ad7517fbc0de9106dcc7ce9efb14f264 , < f359b809d54c6e3dd1d039b97e0b68390b0e53e4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_objref.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0028e0134c64d9ed21728341a74fcfc59cd0f944",
"status": "affected",
"version": "ee394f96ad7517fbc0de9106dcc7ce9efb14f264",
"versionType": "git"
},
{
"lessThan": "7ea55a44493a5a36c3b3293b88bbe4841f9dbaf0",
"status": "affected",
"version": "ee394f96ad7517fbc0de9106dcc7ce9efb14f264",
"versionType": "git"
},
{
"lessThan": "4c1cf72ec10be5a9ad264650cadffa1fbce6fabd",
"status": "affected",
"version": "ee394f96ad7517fbc0de9106dcc7ce9efb14f264",
"versionType": "git"
},
{
"lessThan": "f359b809d54c6e3dd1d039b97e0b68390b0e53e4",
"status": "affected",
"version": "ee394f96ad7517fbc0de9106dcc7ce9efb14f264",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_objref.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_objref: validate objref and objrefmap expressions\n\nReferencing a synproxy stateful object from OUTPUT hook causes kernel\ncrash due to infinite recursive calls:\n\nBUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12)\n[...]\nCall Trace:\n __find_rr_leaf+0x99/0x230\n fib6_table_lookup+0x13b/0x2d0\n ip6_pol_route+0xa4/0x400\n fib6_rule_lookup+0x156/0x240\n ip6_route_output_flags+0xc6/0x150\n __nf_ip6_route+0x23/0x50\n synproxy_send_tcp_ipv6+0x106/0x200\n synproxy_send_client_synack_ipv6+0x1aa/0x1f0\n nft_synproxy_do_eval+0x263/0x310\n nft_do_chain+0x5a8/0x5f0 [nf_tables\n nft_do_chain_inet+0x98/0x110\n nf_hook_slow+0x43/0xc0\n __ip6_local_out+0xf0/0x170\n ip6_local_out+0x17/0x70\n synproxy_send_tcp_ipv6+0x1a2/0x200\n synproxy_send_client_synack_ipv6+0x1aa/0x1f0\n[...]\n\nImplement objref and objrefmap expression validate functions.\n\nCurrently, only NFT_OBJECT_SYNPROXY object type requires validation.\nThis will also handle a jump to a chain using a synproxy object from the\nOUTPUT hook.\n\nNow when trying to reference a synproxy object in the OUTPUT hook, nft\nwill produce the following error:\n\nsynproxy_crash.nft: Error: Could not process rule: Operation not supported\n synproxy name mysynproxy\n ^^^^^^^^^^^^^^^^^^^^^^^^"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:10.143Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0028e0134c64d9ed21728341a74fcfc59cd0f944"
},
{
"url": "https://git.kernel.org/stable/c/7ea55a44493a5a36c3b3293b88bbe4841f9dbaf0"
},
{
"url": "https://git.kernel.org/stable/c/4c1cf72ec10be5a9ad264650cadffa1fbce6fabd"
},
{
"url": "https://git.kernel.org/stable/c/f359b809d54c6e3dd1d039b97e0b68390b0e53e4"
}
],
"title": "netfilter: nft_objref: validate objref and objrefmap expressions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40206",
"datePublished": "2025-11-12T21:56:35.675Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-01T06:20:10.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-36927 (GCVE-0-2024-36927)
Vulnerability from cvelistv5 – Published: 2024-05-30 15:29 – Updated: 2026-01-19 12:17
VLAI?
EPSS
Title
ipv4: Fix uninit-value access in __ip_make_skb()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: Fix uninit-value access in __ip_make_skb()
KMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()
tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a
race condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL
while __ip_make_skb() is running, the function will access icmphdr in the
skb even if it is not included. This causes the issue reported by KMSAN.
Check FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL
on the socket.
Also, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These
are union in struct flowi4 and are implicitly initialized by
flowi4_init_output(), but we should not rely on specific union layout.
Initialize these explicitly in raw_sendmsg().
[1]
BUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
__ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
ip_finish_skb include/net/ip.h:243 [inline]
ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508
raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654
inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x274/0x3c0 net/socket.c:745
__sys_sendto+0x62c/0x7b0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x130/0x200 net/socket.c:2199
do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3804 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888
kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577
__alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1318 [inline]
__ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128
ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365
raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648
inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x274/0x3c0 net/socket.c:745
__sys_sendto+0x62c/0x7b0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x130/0x200 net/socket.c:2199
do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
CPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
566785731c6dd41ef815196ddc36d1ae30a63763 , < 88c66f1879f322f11de34d37b2d3d87497afdcb6
(git)
Affected: a54ec573d9b81b05d368f8e6edc1b3e49f688658 , < 20d3eb00ab81462d554ac6d09691b8d9aa5a5741 (git) Affected: fc60067260c20da8cddcf968bec47416f3e2cde2 , < 55bf541e018b76b3750cb6c6ea18c46e1ac5562e (git) Affected: 99e5acae193e369b71217efe6f1dad42f3f18815 , < 5db08343ddb1b239320612036c398e4e1bb52818 (git) Affected: 99e5acae193e369b71217efe6f1dad42f3f18815 , < f5c603ad4e6fcf42f84053e882ebe20184bb309e (git) Affected: 99e5acae193e369b71217efe6f1dad42f3f18815 , < fc1092f51567277509563800a3c56732070b6aa4 (git) Affected: dc4e3bb0710178c8d03fc43064e0a71fe7440cdd (git) Affected: 022ea4374c319690c804706bda9dc42946d1556d (git) Affected: 27c468ec1af113f6ae94fb5378f65e6038bd16e7 (git) Affected: 32a5a13d556e4f804e5a447a08c70b172d600707 (git) Affected: 9e3c96aed8fe32907e0a4bca05aad457629a820c (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36927",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-30T18:44:15.154993Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:47:46.460Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:30:11.988Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5db08343ddb1b239320612036c398e4e1bb52818"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f5c603ad4e6fcf42f84053e882ebe20184bb309e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fc1092f51567277509563800a3c56732070b6aa4"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_output.c",
"net/ipv4/raw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88c66f1879f322f11de34d37b2d3d87497afdcb6",
"status": "affected",
"version": "566785731c6dd41ef815196ddc36d1ae30a63763",
"versionType": "git"
},
{
"lessThan": "20d3eb00ab81462d554ac6d09691b8d9aa5a5741",
"status": "affected",
"version": "a54ec573d9b81b05d368f8e6edc1b3e49f688658",
"versionType": "git"
},
{
"lessThan": "55bf541e018b76b3750cb6c6ea18c46e1ac5562e",
"status": "affected",
"version": "fc60067260c20da8cddcf968bec47416f3e2cde2",
"versionType": "git"
},
{
"lessThan": "5db08343ddb1b239320612036c398e4e1bb52818",
"status": "affected",
"version": "99e5acae193e369b71217efe6f1dad42f3f18815",
"versionType": "git"
},
{
"lessThan": "f5c603ad4e6fcf42f84053e882ebe20184bb309e",
"status": "affected",
"version": "99e5acae193e369b71217efe6f1dad42f3f18815",
"versionType": "git"
},
{
"lessThan": "fc1092f51567277509563800a3c56732070b6aa4",
"status": "affected",
"version": "99e5acae193e369b71217efe6f1dad42f3f18815",
"versionType": "git"
},
{
"status": "affected",
"version": "dc4e3bb0710178c8d03fc43064e0a71fe7440cdd",
"versionType": "git"
},
{
"status": "affected",
"version": "022ea4374c319690c804706bda9dc42946d1556d",
"versionType": "git"
},
{
"status": "affected",
"version": "27c468ec1af113f6ae94fb5378f65e6038bd16e7",
"versionType": "git"
},
{
"status": "affected",
"version": "32a5a13d556e4f804e5a447a08c70b172d600707",
"versionType": "git"
},
{
"status": "affected",
"version": "9e3c96aed8fe32907e0a4bca05aad457629a820c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_output.c",
"net/ipv4/raw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.140",
"versionStartIncluding": "6.1.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.31",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.315",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.243",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix uninit-value access in __ip_make_skb()\n\nKMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()\ntests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a\nrace condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL\nwhile __ip_make_skb() is running, the function will access icmphdr in the\nskb even if it is not included. This causes the issue reported by KMSAN.\n\nCheck FLOWI_FLAG_KNOWN_NH on fl4-\u003eflowi4_flags instead of testing HDRINCL\non the socket.\n\nAlso, fl4-\u003efl4_icmp_type and fl4-\u003efl4_icmp_code are not initialized. These\nare union in struct flowi4 and are implicitly initialized by\nflowi4_init_output(), but we should not rely on specific union layout.\n\nInitialize these explicitly in raw_sendmsg().\n\n[1]\nBUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\n __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\n ip_finish_skb include/net/ip.h:243 [inline]\n ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508\n raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128\n ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365\n raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:47.098Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88c66f1879f322f11de34d37b2d3d87497afdcb6"
},
{
"url": "https://git.kernel.org/stable/c/20d3eb00ab81462d554ac6d09691b8d9aa5a5741"
},
{
"url": "https://git.kernel.org/stable/c/55bf541e018b76b3750cb6c6ea18c46e1ac5562e"
},
{
"url": "https://git.kernel.org/stable/c/5db08343ddb1b239320612036c398e4e1bb52818"
},
{
"url": "https://git.kernel.org/stable/c/f5c603ad4e6fcf42f84053e882ebe20184bb309e"
},
{
"url": "https://git.kernel.org/stable/c/fc1092f51567277509563800a3c56732070b6aa4"
}
],
"title": "ipv4: Fix uninit-value access in __ip_make_skb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-36927",
"datePublished": "2024-05-30T15:29:20.275Z",
"dateReserved": "2024-05-30T15:25:07.069Z",
"dateUpdated": "2026-01-19T12:17:47.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68816 (GCVE-0-2025-68816)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
net/mlx5: fw_tracer, Validate format string parameters
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: fw_tracer, Validate format string parameters
Add validation for format string parameters in the firmware tracer to
prevent potential security vulnerabilities and crashes from malformed
format strings received from firmware.
The firmware tracer receives format strings from the device firmware and
uses them to format trace messages. Without proper validation, bad
firmware could provide format strings with invalid format specifiers
(e.g., %s, %p, %n) that could lead to crashes, or other undefined
behavior.
Add mlx5_tracer_validate_params() to validate that all format specifiers
in trace strings are limited to safe integer/hex formats (%x, %d, %i,
%u, %llx, %lx, etc.). Reject strings containing other format types that
could be used to access arbitrary memory or cause crashes.
Invalid format strings are added to the trace output for visibility with
"BAD_FORMAT: " prefix.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
70dd6fdb8987b14f7b6105f6be0617299e459398 , < 95624b731c490a4b849844269193a233d6d556a0
(git)
Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < 768d559f466cdd72849110a7ecd76a21d52dcfe3 (git) Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < 38ac688b52ef26a88f8bc4fe26d24fdd0ff91e5d (git) Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < 8ac688c0e430dab19f6a9b70df94b1f635612c1a (git) Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < 45bd283b1d69e2c97cddcb9956f0e0261fc4efd7 (git) Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < 8c35c2448086870509ede43947845be0833251f0 (git) Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < b35966042d20b14e2d83330049f77deec5229749 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c",
"drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95624b731c490a4b849844269193a233d6d556a0",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "768d559f466cdd72849110a7ecd76a21d52dcfe3",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "38ac688b52ef26a88f8bc4fe26d24fdd0ff91e5d",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "8ac688c0e430dab19f6a9b70df94b1f635612c1a",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "45bd283b1d69e2c97cddcb9956f0e0261fc4efd7",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "8c35c2448086870509ede43947845be0833251f0",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "b35966042d20b14e2d83330049f77deec5229749",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c",
"drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: fw_tracer, Validate format string parameters\n\nAdd validation for format string parameters in the firmware tracer to\nprevent potential security vulnerabilities and crashes from malformed\nformat strings received from firmware.\n\nThe firmware tracer receives format strings from the device firmware and\nuses them to format trace messages. Without proper validation, bad\nfirmware could provide format strings with invalid format specifiers\n(e.g., %s, %p, %n) that could lead to crashes, or other undefined\nbehavior.\n\nAdd mlx5_tracer_validate_params() to validate that all format specifiers\nin trace strings are limited to safe integer/hex formats (%x, %d, %i,\n%u, %llx, %lx, etc.). Reject strings containing other format types that\ncould be used to access arbitrary memory or cause crashes.\nInvalid format strings are added to the trace output for visibility with\n\"BAD_FORMAT: \" prefix."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:06.146Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95624b731c490a4b849844269193a233d6d556a0"
},
{
"url": "https://git.kernel.org/stable/c/768d559f466cdd72849110a7ecd76a21d52dcfe3"
},
{
"url": "https://git.kernel.org/stable/c/38ac688b52ef26a88f8bc4fe26d24fdd0ff91e5d"
},
{
"url": "https://git.kernel.org/stable/c/8ac688c0e430dab19f6a9b70df94b1f635612c1a"
},
{
"url": "https://git.kernel.org/stable/c/45bd283b1d69e2c97cddcb9956f0e0261fc4efd7"
},
{
"url": "https://git.kernel.org/stable/c/8c35c2448086870509ede43947845be0833251f0"
},
{
"url": "https://git.kernel.org/stable/c/b35966042d20b14e2d83330049f77deec5229749"
}
],
"title": "net/mlx5: fw_tracer, Validate format string parameters",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68816",
"datePublished": "2026-01-13T15:29:20.464Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-02-09T08:34:06.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40172 (GCVE-0-2025-40172)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:53 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()
Currently, if find_and_map_user_pages() takes a DMA xfer request from the
user with a length field set to 0, or in a rare case, the host receives
QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size
is equal to the requested transaction size, the function will return 0
before allocating an sgt or setting the fields of the dma_xfer struct.
In that case, encode_addr_size_pairs() will try to access the sgt which
will lead to a general protection fault.
Return an EINVAL in case the user provides a zero-sized ALP, or the device
requests continuation after all of the bytes have been transferred.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
96d3c1cadedb6ae2e8965e19cd12caa244afbd9c , < 48b1d42286bfef7628b1d6c8c28d4e456c90f725
(git)
Affected: 96d3c1cadedb6ae2e8965e19cd12caa244afbd9c , < 551f1dfbcb7f3e6ed07f9d6c8c1c64337fcd0ede (git) Affected: 96d3c1cadedb6ae2e8965e19cd12caa244afbd9c , < 1ab9733d14cc9987cc5dcd1f0ad1f416e302e2e6 (git) Affected: 96d3c1cadedb6ae2e8965e19cd12caa244afbd9c , < 11f08c30a3e4157305ba692f1d44cca5fc9a8fca (git) Affected: d410a96e5cb8c1ec7049c83f2edcd8bbfaf5d9b3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_control.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "48b1d42286bfef7628b1d6c8c28d4e456c90f725",
"status": "affected",
"version": "96d3c1cadedb6ae2e8965e19cd12caa244afbd9c",
"versionType": "git"
},
{
"lessThan": "551f1dfbcb7f3e6ed07f9d6c8c1c64337fcd0ede",
"status": "affected",
"version": "96d3c1cadedb6ae2e8965e19cd12caa244afbd9c",
"versionType": "git"
},
{
"lessThan": "1ab9733d14cc9987cc5dcd1f0ad1f416e302e2e6",
"status": "affected",
"version": "96d3c1cadedb6ae2e8965e19cd12caa244afbd9c",
"versionType": "git"
},
{
"lessThan": "11f08c30a3e4157305ba692f1d44cca5fc9a8fca",
"status": "affected",
"version": "96d3c1cadedb6ae2e8965e19cd12caa244afbd9c",
"versionType": "git"
},
{
"status": "affected",
"version": "d410a96e5cb8c1ec7049c83f2edcd8bbfaf5d9b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_control.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()\n\nCurrently, if find_and_map_user_pages() takes a DMA xfer request from the\nuser with a length field set to 0, or in a rare case, the host receives\nQAIC_TRANS_DMA_XFER_CONT from the device where resources-\u003exferred_dma_size\nis equal to the requested transaction size, the function will return 0\nbefore allocating an sgt or setting the fields of the dma_xfer struct.\nIn that case, encode_addr_size_pairs() will try to access the sgt which\nwill lead to a general protection fault.\n\nReturn an EINVAL in case the user provides a zero-sized ALP, or the device\nrequests continuation after all of the bytes have been transferred."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:27.120Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/48b1d42286bfef7628b1d6c8c28d4e456c90f725"
},
{
"url": "https://git.kernel.org/stable/c/551f1dfbcb7f3e6ed07f9d6c8c1c64337fcd0ede"
},
{
"url": "https://git.kernel.org/stable/c/1ab9733d14cc9987cc5dcd1f0ad1f416e302e2e6"
},
{
"url": "https://git.kernel.org/stable/c/11f08c30a3e4157305ba692f1d44cca5fc9a8fca"
}
],
"title": "accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40172",
"datePublished": "2025-11-12T10:53:49.245Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:27.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39969 (GCVE-0-2025-39969)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:55 – Updated: 2025-10-15 07:55
VLAI?
EPSS
Title
i40e: fix validation of VF state in get resources
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix validation of VF state in get resources
VF state I40E_VF_STATE_ACTIVE is not the only state in which
VF is actually active so it should not be used to determine
if a VF is allowed to obtain resources.
Use I40E_VF_STATE_RESOURCES_LOADED that is set only in
i40e_vc_get_vf_resources_msg() and cleared during reset.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
171527da84149c2c7aa6a60a64b09d24f3546298 , < 185745d56ec958bf8aa773828213237dfcc32f5a
(git)
Affected: eb87117c27e729b0aeef4d72ed40d6a1761b0f68 , < f47876788a23de296c42ef9d505b5c1630f0b4b8 (git) Affected: 2132643b956f553f5abddc9bae20dae267b082e0 , < 8e35c80f8570426fe0f0cc92b151ebd835975f22 (git) Affected: 61125b8be85dfbc7e9c7fe1cc6c6d631ab603516 , < 6c3981fd59ef11a75005ac9978f034da5a168b6a (git) Affected: 61125b8be85dfbc7e9c7fe1cc6c6d631ab603516 , < e748f1ee493f88e38b77363a60499f979d42c58a (git) Affected: 61125b8be85dfbc7e9c7fe1cc6c6d631ab603516 , < 6128bbc7adc25c87c2f64b5eb66a280b78ef7ab7 (git) Affected: 61125b8be85dfbc7e9c7fe1cc6c6d631ab603516 , < a991dc56d3e9a2c3db87d0c3f03c24f6595400f1 (git) Affected: 61125b8be85dfbc7e9c7fe1cc6c6d631ab603516 , < 877b7e6ffc23766448236e8732254534c518ba42 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c",
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "185745d56ec958bf8aa773828213237dfcc32f5a",
"status": "affected",
"version": "171527da84149c2c7aa6a60a64b09d24f3546298",
"versionType": "git"
},
{
"lessThan": "f47876788a23de296c42ef9d505b5c1630f0b4b8",
"status": "affected",
"version": "eb87117c27e729b0aeef4d72ed40d6a1761b0f68",
"versionType": "git"
},
{
"lessThan": "8e35c80f8570426fe0f0cc92b151ebd835975f22",
"status": "affected",
"version": "2132643b956f553f5abddc9bae20dae267b082e0",
"versionType": "git"
},
{
"lessThan": "6c3981fd59ef11a75005ac9978f034da5a168b6a",
"status": "affected",
"version": "61125b8be85dfbc7e9c7fe1cc6c6d631ab603516",
"versionType": "git"
},
{
"lessThan": "e748f1ee493f88e38b77363a60499f979d42c58a",
"status": "affected",
"version": "61125b8be85dfbc7e9c7fe1cc6c6d631ab603516",
"versionType": "git"
},
{
"lessThan": "6128bbc7adc25c87c2f64b5eb66a280b78ef7ab7",
"status": "affected",
"version": "61125b8be85dfbc7e9c7fe1cc6c6d631ab603516",
"versionType": "git"
},
{
"lessThan": "a991dc56d3e9a2c3db87d0c3f03c24f6595400f1",
"status": "affected",
"version": "61125b8be85dfbc7e9c7fe1cc6c6d631ab603516",
"versionType": "git"
},
{
"lessThan": "877b7e6ffc23766448236e8732254534c518ba42",
"status": "affected",
"version": "61125b8be85dfbc7e9c7fe1cc6c6d631ab603516",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c",
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "5.4.165",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.10.85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.15.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix validation of VF state in get resources\n\nVF state I40E_VF_STATE_ACTIVE is not the only state in which\nVF is actually active so it should not be used to determine\nif a VF is allowed to obtain resources.\n\nUse I40E_VF_STATE_RESOURCES_LOADED that is set only in\ni40e_vc_get_vf_resources_msg() and cleared during reset."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:52.948Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/185745d56ec958bf8aa773828213237dfcc32f5a"
},
{
"url": "https://git.kernel.org/stable/c/f47876788a23de296c42ef9d505b5c1630f0b4b8"
},
{
"url": "https://git.kernel.org/stable/c/8e35c80f8570426fe0f0cc92b151ebd835975f22"
},
{
"url": "https://git.kernel.org/stable/c/6c3981fd59ef11a75005ac9978f034da5a168b6a"
},
{
"url": "https://git.kernel.org/stable/c/e748f1ee493f88e38b77363a60499f979d42c58a"
},
{
"url": "https://git.kernel.org/stable/c/6128bbc7adc25c87c2f64b5eb66a280b78ef7ab7"
},
{
"url": "https://git.kernel.org/stable/c/a991dc56d3e9a2c3db87d0c3f03c24f6595400f1"
},
{
"url": "https://git.kernel.org/stable/c/877b7e6ffc23766448236e8732254534c518ba42"
}
],
"title": "i40e: fix validation of VF state in get resources",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39969",
"datePublished": "2025-10-15T07:55:52.948Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:52.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-22978 (GCVE-0-2026-22978)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
wifi: avoid kernel-infoleak from struct iw_point
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: avoid kernel-infoleak from struct iw_point
struct iw_point has a 32bit hole on 64bit arches.
struct iw_point {
void __user *pointer; /* Pointer to the data (in user space) */
__u16 length; /* number of fields or size in bytes */
__u16 flags; /* Optional params */
};
Make sure to zero the structure to avoid disclosing 32bits of kernel data
to user space.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < d943b5f592767b107ba8c12a902f17431350378c
(git)
Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < a3827e310b5a73535646ef4a552d53b3c8bf74f6 (git) Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < 442ceac0393185e9982323f6682a52a53e8462b1 (git) Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8 (git) Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < 024f71a57d563fbe162e528c8bf2d27e9cac7c7b (git) Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < e3c35177103ead4658b8a62f41e3080d45885464 (git) Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < 21cbf883d073abbfe09e3924466aa5e0449e7261 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/wext-core.c",
"net/wireless/wext-priv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d943b5f592767b107ba8c12a902f17431350378c",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "a3827e310b5a73535646ef4a552d53b3c8bf74f6",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "442ceac0393185e9982323f6682a52a53e8462b1",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "024f71a57d563fbe162e528c8bf2d27e9cac7c7b",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "e3c35177103ead4658b8a62f41e3080d45885464",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "21cbf883d073abbfe09e3924466aa5e0449e7261",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/wext-core.c",
"net/wireless/wext-priv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: avoid kernel-infoleak from struct iw_point\n\nstruct iw_point has a 32bit hole on 64bit arches.\n\nstruct iw_point {\n void __user *pointer; /* Pointer to the data (in user space) */\n __u16 length; /* number of fields or size in bytes */\n __u16 flags; /* Optional params */\n};\n\nMake sure to zero the structure to avoid disclosing 32bits of kernel data\nto user space."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:28.236Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d943b5f592767b107ba8c12a902f17431350378c"
},
{
"url": "https://git.kernel.org/stable/c/a3827e310b5a73535646ef4a552d53b3c8bf74f6"
},
{
"url": "https://git.kernel.org/stable/c/442ceac0393185e9982323f6682a52a53e8462b1"
},
{
"url": "https://git.kernel.org/stable/c/d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8"
},
{
"url": "https://git.kernel.org/stable/c/024f71a57d563fbe162e528c8bf2d27e9cac7c7b"
},
{
"url": "https://git.kernel.org/stable/c/e3c35177103ead4658b8a62f41e3080d45885464"
},
{
"url": "https://git.kernel.org/stable/c/21cbf883d073abbfe09e3924466aa5e0449e7261"
}
],
"title": "wifi: avoid kernel-infoleak from struct iw_point",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22978",
"datePublished": "2026-01-23T15:24:00.482Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-02-09T08:36:28.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40257 (GCVE-0-2025-40257)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
mptcp: fix a race in mptcp_pm_del_add_timer()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix a race in mptcp_pm_del_add_timer()
mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer)
while another might have free entry already, as reported by syzbot.
Add RCU protection to fix this issue.
Also change confusing add_timer variable with stop_timer boolean.
syzbot report:
BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616
Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44
CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: events mptcp_worker
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
__timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616
sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631
mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362
mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174
tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361
tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441
tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931
tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374
ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239
NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
__netif_receive_skb_one_core net/core/dev.c:6079 [inline]
__netif_receive_skb+0x143/0x380 net/core/dev.c:6192
process_backlog+0x31e/0x900 net/core/dev.c:6544
__napi_poll+0xb6/0x540 net/core/dev.c:7594
napi_poll net/core/dev.c:7657 [inline]
net_rx_action+0x5f7/0xda0 net/core/dev.c:7784
handle_softirqs+0x22f/0x710 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
__local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302
mptcp_pm_send_ack net/mptcp/pm.c:210 [inline]
mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1
mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002
mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 44:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417
kasan_kmalloc include/linux/kasan.h:262 [inline]
__kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748
kmalloc_noprof include/linux/slab.h:957 [inline]
mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385
mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355
mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline]
__mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529
mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008
mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 6630:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
__kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
kasan_save_free_info mm/kasan/kasan.h:406 [inline]
poison_slab_object m
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < 9be29f8e7ce4e147e56caac2c3a0ce3573cf9c17
(git)
Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < e2d1ad207174a7cd7903dd27a00db4b2dfa6c64b (git) Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < 385ddc0f008f24d1e7d03be998b3a98a37bd29ff (git) Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < c602cc344b4b8d41515fec3ffa98457ac963ee12 (git) Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < 6d3275d4ca62e2c02e1b7e8cd32db59df91c14b7 (git) Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < bbbd75346c8e6490b19c2ba90f38ea66ccf352b2 (git) Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < 426358d9be7ce3518966422f87b96f1bad27295f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9be29f8e7ce4e147e56caac2c3a0ce3573cf9c17",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "e2d1ad207174a7cd7903dd27a00db4b2dfa6c64b",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "385ddc0f008f24d1e7d03be998b3a98a37bd29ff",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "c602cc344b4b8d41515fec3ffa98457ac963ee12",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "6d3275d4ca62e2c02e1b7e8cd32db59df91c14b7",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "bbbd75346c8e6490b19c2ba90f38ea66ccf352b2",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "426358d9be7ce3518966422f87b96f1bad27295f",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix a race in mptcp_pm_del_add_timer()\n\nmptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, \u0026entry-\u003eadd_timer)\nwhile another might have free entry already, as reported by syzbot.\n\nAdd RCU protection to fix this issue.\n\nAlso change confusing add_timer variable with stop_timer boolean.\n\nsyzbot report:\n\nBUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616\nRead of size 4 at addr ffff8880311e4150 by task kworker/1:1/44\n\nCPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nWorkqueue: events mptcp_worker\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616\n sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631\n mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362\n mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174\n tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361\n tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441\n tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931\n tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374\n ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239\n NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\n NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\n __netif_receive_skb_one_core net/core/dev.c:6079 [inline]\n __netif_receive_skb+0x143/0x380 net/core/dev.c:6192\n process_backlog+0x31e/0x900 net/core/dev.c:6544\n __napi_poll+0xb6/0x540 net/core/dev.c:7594\n napi_poll net/core/dev.c:7657 [inline]\n net_rx_action+0x5f7/0xda0 net/core/dev.c:7784\n handle_softirqs+0x22f/0x710 kernel/softirq.c:622\n __do_softirq kernel/softirq.c:656 [inline]\n __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302\n mptcp_pm_send_ack net/mptcp/pm.c:210 [inline]\n mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1\n mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002\n mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762\n process_one_work kernel/workqueue.c:3263 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427\n kthread+0x711/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 44:\n kasan_save_stack mm/kasan/common.c:56 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\n poison_kmalloc_redzone mm/kasan/common.c:400 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417\n kasan_kmalloc include/linux/kasan.h:262 [inline]\n __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748\n kmalloc_noprof include/linux/slab.h:957 [inline]\n mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385\n mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355\n mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline]\n __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529\n mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008\n mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762\n process_one_work kernel/workqueue.c:3263 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427\n kthread+0x711/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n\nFreed by task 6630:\n kasan_save_stack mm/kasan/common.c:56 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\n __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587\n kasan_save_free_info mm/kasan/kasan.h:406 [inline]\n poison_slab_object m\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:54.361Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9be29f8e7ce4e147e56caac2c3a0ce3573cf9c17"
},
{
"url": "https://git.kernel.org/stable/c/e2d1ad207174a7cd7903dd27a00db4b2dfa6c64b"
},
{
"url": "https://git.kernel.org/stable/c/385ddc0f008f24d1e7d03be998b3a98a37bd29ff"
},
{
"url": "https://git.kernel.org/stable/c/c602cc344b4b8d41515fec3ffa98457ac963ee12"
},
{
"url": "https://git.kernel.org/stable/c/6d3275d4ca62e2c02e1b7e8cd32db59df91c14b7"
},
{
"url": "https://git.kernel.org/stable/c/bbbd75346c8e6490b19c2ba90f38ea66ccf352b2"
},
{
"url": "https://git.kernel.org/stable/c/426358d9be7ce3518966422f87b96f1bad27295f"
}
],
"title": "mptcp: fix a race in mptcp_pm_del_add_timer()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40257",
"datePublished": "2025-12-04T16:08:18.433Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2025-12-06T21:38:54.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68370 (GCVE-0-2025-68370)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
coresight: tmc: add the handle of the event to the path
Summary
In the Linux kernel, the following vulnerability has been resolved:
coresight: tmc: add the handle of the event to the path
The handle is essential for retrieving the AUX_EVENT of each CPU and is
required in perf mode. It has been added to the coresight_path so that
dependent devices can access it from the path when needed.
The existing bug can be reproduced with:
perf record -e cs_etm//k -C 0-9 dd if=/dev/zero of=/dev/null
Showing an oops as follows:
Unable to handle kernel paging request at virtual address 000f6e84934ed19e
Call trace:
tmc_etr_get_buffer+0x30/0x80 [coresight_tmc] (P)
catu_enable_hw+0xbc/0x3d0 [coresight_catu]
catu_enable+0x70/0xe0 [coresight_catu]
coresight_enable_path+0xb0/0x258 [coresight]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
080ee83cc361451a7de7b5486c7f96ce454f7203 , < faa8f38f7ccb344ace2c1f364efc70e3a12d32f3
(git)
Affected: 080ee83cc361451a7de7b5486c7f96ce454f7203 , < d0c9effd82f2c19b92acd07d357fac5f392d549a (git) Affected: 080ee83cc361451a7de7b5486c7f96ce454f7203 , < aaa5abcc9d44d2c8484f779ab46d242d774cabcb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-etm-perf.c",
"drivers/hwtracing/coresight/coresight-tmc-etr.c",
"include/linux/coresight.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "faa8f38f7ccb344ace2c1f364efc70e3a12d32f3",
"status": "affected",
"version": "080ee83cc361451a7de7b5486c7f96ce454f7203",
"versionType": "git"
},
{
"lessThan": "d0c9effd82f2c19b92acd07d357fac5f392d549a",
"status": "affected",
"version": "080ee83cc361451a7de7b5486c7f96ce454f7203",
"versionType": "git"
},
{
"lessThan": "aaa5abcc9d44d2c8484f779ab46d242d774cabcb",
"status": "affected",
"version": "080ee83cc361451a7de7b5486c7f96ce454f7203",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-etm-perf.c",
"drivers/hwtracing/coresight/coresight-tmc-etr.c",
"include/linux/coresight.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: tmc: add the handle of the event to the path\n\nThe handle is essential for retrieving the AUX_EVENT of each CPU and is\nrequired in perf mode. It has been added to the coresight_path so that\ndependent devices can access it from the path when needed.\n\nThe existing bug can be reproduced with:\nperf record -e cs_etm//k -C 0-9 dd if=/dev/zero of=/dev/null\n\nShowing an oops as follows:\nUnable to handle kernel paging request at virtual address 000f6e84934ed19e\n\nCall trace:\n tmc_etr_get_buffer+0x30/0x80 [coresight_tmc] (P)\n catu_enable_hw+0xbc/0x3d0 [coresight_catu]\n catu_enable+0x70/0xe0 [coresight_catu]\n coresight_enable_path+0xb0/0x258 [coresight]"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:07.285Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/faa8f38f7ccb344ace2c1f364efc70e3a12d32f3"
},
{
"url": "https://git.kernel.org/stable/c/d0c9effd82f2c19b92acd07d357fac5f392d549a"
},
{
"url": "https://git.kernel.org/stable/c/aaa5abcc9d44d2c8484f779ab46d242d774cabcb"
}
],
"title": "coresight: tmc: add the handle of the event to the path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68370",
"datePublished": "2025-12-24T10:32:56.149Z",
"dateReserved": "2025-12-16T14:48:05.309Z",
"dateUpdated": "2026-02-09T08:32:07.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68299 (GCVE-0-2025-68299)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
afs: Fix delayed allocation of a cell's anonymous key
Summary
In the Linux kernel, the following vulnerability has been resolved:
afs: Fix delayed allocation of a cell's anonymous key
The allocation of a cell's anonymous key is done in a background thread
along with other cell setup such as doing a DNS upcall. In the reported
bug, this is triggered by afs_parse_source() parsing the device name given
to mount() and calling afs_lookup_cell() with the name of the cell.
The normal key lookup then tries to use the key description on the
anonymous authentication key as the reference for request_key() - but it
may not yet be set and so an oops can happen.
This has been made more likely to happen by the fix for dynamic lookup
failure.
Fix this by firstly allocating a reference name and attaching it to the
afs_cell record when the record is created. It can share the memory
allocation with the cell name (unfortunately it can't just overlap the cell
name by prepending it with "afs@" as the cell name already has a '.'
prepended for other purposes). This reference name is then passed to
request_key().
Secondly, the anon key is now allocated on demand at the point a key is
requested in afs_request_key() if it is not already allocated. A mutex is
used to prevent multiple allocation for a cell.
Thirdly, make afs_request_key_rcu() return NULL if the anonymous key isn't
yet allocated (if we need it) and then the caller can return -ECHILD to
drop out of RCU-mode and afs_request_key() can be called.
Note that the anonymous key is kind of necessary to make the key lookup
cache work as that doesn't currently cache a negative lookup, but it's
probably worth some investigation to see if NULL can be used instead.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/afs/cell.c",
"fs/afs/internal.h",
"fs/afs/security.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5613bde937dfac6725e9c3fc766b9d6b8481e55b",
"status": "affected",
"version": "7e33b15d5a6578a99ebf189cea34983270ae92dd",
"versionType": "git"
},
{
"lessThan": "d27c71257825dced46104eefe42e4d9964bd032e",
"status": "affected",
"version": "330e2c514823008b22e6afd2055715bc46dd8d55",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/afs/cell.c",
"fs/afs/internal.h",
"fs/afs/security.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.17.11",
"status": "affected",
"version": "6.17.9",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.17.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix delayed allocation of a cell\u0027s anonymous key\n\nThe allocation of a cell\u0027s anonymous key is done in a background thread\nalong with other cell setup such as doing a DNS upcall. In the reported\nbug, this is triggered by afs_parse_source() parsing the device name given\nto mount() and calling afs_lookup_cell() with the name of the cell.\n\nThe normal key lookup then tries to use the key description on the\nanonymous authentication key as the reference for request_key() - but it\nmay not yet be set and so an oops can happen.\n\nThis has been made more likely to happen by the fix for dynamic lookup\nfailure.\n\nFix this by firstly allocating a reference name and attaching it to the\nafs_cell record when the record is created. It can share the memory\nallocation with the cell name (unfortunately it can\u0027t just overlap the cell\nname by prepending it with \"afs@\" as the cell name already has a \u0027.\u0027\nprepended for other purposes). This reference name is then passed to\nrequest_key().\n\nSecondly, the anon key is now allocated on demand at the point a key is\nrequested in afs_request_key() if it is not already allocated. A mutex is\nused to prevent multiple allocation for a cell.\n\nThirdly, make afs_request_key_rcu() return NULL if the anonymous key isn\u0027t\nyet allocated (if we need it) and then the caller can return -ECHILD to\ndrop out of RCU-mode and afs_request_key() can be called.\n\nNote that the anonymous key is kind of necessary to make the key lookup\ncache work as that doesn\u0027t currently cache a negative lookup, but it\u0027s\nprobably worth some investigation to see if NULL can be used instead."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:18.246Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5613bde937dfac6725e9c3fc766b9d6b8481e55b"
},
{
"url": "https://git.kernel.org/stable/c/d27c71257825dced46104eefe42e4d9964bd032e"
}
],
"title": "afs: Fix delayed allocation of a cell\u0027s anonymous key",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68299",
"datePublished": "2025-12-16T15:06:18.246Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:18.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40240 (GCVE-0-2025-40240)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31
VLAI?
EPSS
Title
sctp: avoid NULL dereference when chunk data buffer is missing
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: avoid NULL dereference when chunk data buffer is missing
chunk->skb pointer is dereferenced in the if-block where it's supposed
to be NULL only.
chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list
instead and do it just before replacing chunk->skb. We're sure that
otherwise chunk->skb is non-NULL because of outer if() condition.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
90017accff61ae89283ad9a51f9ac46ca01633fb , < 61cda2777b07d27459f5cac5a047c3edf9c8a1a9
(git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 08165c296597075763130919f2aae59b5822f016 (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71 (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < cb9055ba30306ede4ad920002233d0659982f1cb (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 7a832b0f99be19df608cb75c023f8027b1789bd1 (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 89b465b54227c245ddc7cc9ed822231af21123ef (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 441f0647f7673e0e64d4910ef61a5fb8f16bfb82 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/inqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61cda2777b07d27459f5cac5a047c3edf9c8a1a9",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "08165c296597075763130919f2aae59b5822f016",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "cb9055ba30306ede4ad920002233d0659982f1cb",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "7a832b0f99be19df608cb75c023f8027b1789bd1",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "89b465b54227c245ddc7cc9ed822231af21123ef",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "441f0647f7673e0e64d4910ef61a5fb8f16bfb82",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/inqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: avoid NULL dereference when chunk data buffer is missing\n\nchunk-\u003eskb pointer is dereferenced in the if-block where it\u0027s supposed\nto be NULL only.\n\nchunk-\u003eskb can only be NULL if chunk-\u003ehead_skb is not. Check for frag_list\ninstead and do it just before replacing chunk-\u003eskb. We\u0027re sure that\notherwise chunk-\u003eskb is non-NULL because of outer if() condition."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:29.715Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61cda2777b07d27459f5cac5a047c3edf9c8a1a9"
},
{
"url": "https://git.kernel.org/stable/c/08165c296597075763130919f2aae59b5822f016"
},
{
"url": "https://git.kernel.org/stable/c/03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f"
},
{
"url": "https://git.kernel.org/stable/c/4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71"
},
{
"url": "https://git.kernel.org/stable/c/cb9055ba30306ede4ad920002233d0659982f1cb"
},
{
"url": "https://git.kernel.org/stable/c/7a832b0f99be19df608cb75c023f8027b1789bd1"
},
{
"url": "https://git.kernel.org/stable/c/89b465b54227c245ddc7cc9ed822231af21123ef"
},
{
"url": "https://git.kernel.org/stable/c/441f0647f7673e0e64d4910ef61a5fb8f16bfb82"
}
],
"title": "sctp: avoid NULL dereference when chunk data buffer is missing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40240",
"datePublished": "2025-12-04T15:31:29.715Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-04T15:31:29.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68232 (GCVE-0-2025-68232)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:04 – Updated: 2025-12-16 14:04
VLAI?
EPSS
Title
veth: more robust handing of race to avoid txq getting stuck
Summary
In the Linux kernel, the following vulnerability has been resolved:
veth: more robust handing of race to avoid txq getting stuck
Commit dc82a33297fc ("veth: apply qdisc backpressure on full ptr_ring to
reduce TX drops") introduced a race condition that can lead to a permanently
stalled TXQ. This was observed in production on ARM64 systems (Ampere Altra
Max).
The race occurs in veth_xmit(). The producer observes a full ptr_ring and
stops the queue (netif_tx_stop_queue()). The subsequent conditional logic,
intended to re-wake the queue if the consumer had just emptied it (if
(__ptr_ring_empty(...)) netif_tx_wake_queue()), can fail. This leads to a
"lost wakeup" where the TXQ remains stopped (QUEUE_STATE_DRV_XOFF) and
traffic halts.
This failure is caused by an incorrect use of the __ptr_ring_empty() API
from the producer side. As noted in kernel comments, this check is not
guaranteed to be correct if a consumer is operating on another CPU. The
empty test is based on ptr_ring->consumer_head, making it reliable only for
the consumer. Using this check from the producer side is fundamentally racy.
This patch fixes the race by adopting the more robust logic from an earlier
version V4 of the patchset, which always flushed the peer:
(1) In veth_xmit(), the racy conditional wake-up logic and its memory barrier
are removed. Instead, after stopping the queue, we unconditionally call
__veth_xdp_flush(rq). This guarantees that the NAPI consumer is scheduled,
making it solely responsible for re-waking the TXQ.
This handles the race where veth_poll() consumes all packets and completes
NAPI *before* veth_xmit() on the producer side has called netif_tx_stop_queue.
The __veth_xdp_flush(rq) will observe rx_notify_masked is false and schedule
NAPI.
(2) On the consumer side, the logic for waking the peer TXQ is moved out of
veth_xdp_rcv() and placed at the end of the veth_poll() function. This
placement is part of fixing the race, as the netif_tx_queue_stopped() check
must occur after rx_notify_masked is potentially set to false during NAPI
completion.
This handles the race where veth_poll() consumes all packets, but haven't
finished (rx_notify_masked is still true). The producer veth_xmit() stops the
TXQ and __veth_xdp_flush(rq) will observe rx_notify_masked is true, meaning
not starting NAPI. Then veth_poll() change rx_notify_masked to false and
stops NAPI. Before exiting veth_poll() will observe TXQ is stopped and wake
it up.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9fe31b3f314534e238aa6d0b6fb492134cbcf8be , < dd419a3f2ebc18cc00bc32c57fd052d7a188b78b
(git)
Affected: dc82a33297fc2c58cb0b2b008d728668d45c0f6a , < 6c8a8b9257a660e622689e23c8fbad4ba2b561b9 (git) Affected: dc82a33297fc2c58cb0b2b008d728668d45c0f6a , < 5442a9da69789741bfda39f34ee7f69552bf0c56 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/veth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dd419a3f2ebc18cc00bc32c57fd052d7a188b78b",
"status": "affected",
"version": "9fe31b3f314534e238aa6d0b6fb492134cbcf8be",
"versionType": "git"
},
{
"lessThan": "6c8a8b9257a660e622689e23c8fbad4ba2b561b9",
"status": "affected",
"version": "dc82a33297fc2c58cb0b2b008d728668d45c0f6a",
"versionType": "git"
},
{
"lessThan": "5442a9da69789741bfda39f34ee7f69552bf0c56",
"status": "affected",
"version": "dc82a33297fc2c58cb0b2b008d728668d45c0f6a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/veth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nveth: more robust handing of race to avoid txq getting stuck\n\nCommit dc82a33297fc (\"veth: apply qdisc backpressure on full ptr_ring to\nreduce TX drops\") introduced a race condition that can lead to a permanently\nstalled TXQ. This was observed in production on ARM64 systems (Ampere Altra\nMax).\n\nThe race occurs in veth_xmit(). The producer observes a full ptr_ring and\nstops the queue (netif_tx_stop_queue()). The subsequent conditional logic,\nintended to re-wake the queue if the consumer had just emptied it (if\n(__ptr_ring_empty(...)) netif_tx_wake_queue()), can fail. This leads to a\n\"lost wakeup\" where the TXQ remains stopped (QUEUE_STATE_DRV_XOFF) and\ntraffic halts.\n\nThis failure is caused by an incorrect use of the __ptr_ring_empty() API\nfrom the producer side. As noted in kernel comments, this check is not\nguaranteed to be correct if a consumer is operating on another CPU. The\nempty test is based on ptr_ring-\u003econsumer_head, making it reliable only for\nthe consumer. Using this check from the producer side is fundamentally racy.\n\nThis patch fixes the race by adopting the more robust logic from an earlier\nversion V4 of the patchset, which always flushed the peer:\n\n(1) In veth_xmit(), the racy conditional wake-up logic and its memory barrier\nare removed. Instead, after stopping the queue, we unconditionally call\n__veth_xdp_flush(rq). This guarantees that the NAPI consumer is scheduled,\nmaking it solely responsible for re-waking the TXQ.\n This handles the race where veth_poll() consumes all packets and completes\nNAPI *before* veth_xmit() on the producer side has called netif_tx_stop_queue.\nThe __veth_xdp_flush(rq) will observe rx_notify_masked is false and schedule\nNAPI.\n\n(2) On the consumer side, the logic for waking the peer TXQ is moved out of\nveth_xdp_rcv() and placed at the end of the veth_poll() function. This\nplacement is part of fixing the race, as the netif_tx_queue_stopped() check\nmust occur after rx_notify_masked is potentially set to false during NAPI\ncompletion.\n This handles the race where veth_poll() consumes all packets, but haven\u0027t\nfinished (rx_notify_masked is still true). The producer veth_xmit() stops the\nTXQ and __veth_xdp_flush(rq) will observe rx_notify_masked is true, meaning\nnot starting NAPI. Then veth_poll() change rx_notify_masked to false and\nstops NAPI. Before exiting veth_poll() will observe TXQ is stopped and wake\nit up."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:04:12.624Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dd419a3f2ebc18cc00bc32c57fd052d7a188b78b"
},
{
"url": "https://git.kernel.org/stable/c/6c8a8b9257a660e622689e23c8fbad4ba2b561b9"
},
{
"url": "https://git.kernel.org/stable/c/5442a9da69789741bfda39f34ee7f69552bf0c56"
}
],
"title": "veth: more robust handing of race to avoid txq getting stuck",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68232",
"datePublished": "2025-12-16T14:04:12.624Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2025-12-16T14:04:12.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71133 (GCVE-0-2025-71133)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
RDMA/irdma: avoid invalid read in irdma_net_event
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: avoid invalid read in irdma_net_event
irdma_net_event() should not dereference anything from "neigh" (alias
"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE.
Other events come with different structures pointed to by "ptr" and they
may be smaller than struct neighbour.
Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.
The bug is mostly harmless, but it triggers KASAN on debug kernels:
BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]
Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554
CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1
Hardware name: [...]
Workqueue: events rt6_probe_deferred
Call Trace:
<IRQ>
dump_stack_lvl+0x60/0xb0
print_address_description.constprop.0+0x2c/0x3f0
print_report+0xb4/0x270
kasan_report+0x92/0xc0
irdma_net_event+0x32e/0x3b0 [irdma]
notifier_call_chain+0x9e/0x180
atomic_notifier_call_chain+0x5c/0x110
rt6_do_redirect+0xb91/0x1080
tcp_v6_err+0xe9b/0x13e0
icmpv6_notify+0x2b2/0x630
ndisc_redirect_rcv+0x328/0x530
icmpv6_rcv+0xc16/0x1360
ip6_protocol_deliver_rcu+0xb84/0x12e0
ip6_input_finish+0x117/0x240
ip6_input+0xc4/0x370
ipv6_rcv+0x420/0x7d0
__netif_receive_skb_one_core+0x118/0x1b0
process_backlog+0xd1/0x5d0
__napi_poll.constprop.0+0xa3/0x440
net_rx_action+0x78a/0xba0
handle_softirqs+0x2d4/0x9c0
do_softirq+0xad/0xe0
</IRQ>
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < db93ae6fa66f1c61ae63400191195e3ee58021da
(git)
Affected: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < 305c02e541befe4a44ffde30ed374970f41aeb6c (git) Affected: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < fc23d05f0b3fb4d80657e7afebae2cae686b31c8 (git) Affected: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < bf197c7c79ef6458d1ee84dd7db251b51784885f (git) Affected: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < d9b9affd103f51b42322da4ed5ac025b560bc354 (git) Affected: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < 6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/utils.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db93ae6fa66f1c61ae63400191195e3ee58021da",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "305c02e541befe4a44ffde30ed374970f41aeb6c",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "fc23d05f0b3fb4d80657e7afebae2cae686b31c8",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "bf197c7c79ef6458d1ee84dd7db251b51784885f",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "d9b9affd103f51b42322da4ed5ac025b560bc354",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "6f05611728e9d0ab024832a4f1abb74a5f5d0bb0",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/utils.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: avoid invalid read in irdma_net_event\n\nirdma_net_event() should not dereference anything from \"neigh\" (alias\n\"ptr\") until it has checked that the event is NETEVENT_NEIGH_UPDATE.\nOther events come with different structures pointed to by \"ptr\" and they\nmay be smaller than struct neighbour.\n\nMove the read of neigh-\u003edev under the NETEVENT_NEIGH_UPDATE case.\n\nThe bug is mostly harmless, but it triggers KASAN on debug kernels:\n\n BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]\n Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554\n\n CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1\n Hardware name: [...]\n Workqueue: events rt6_probe_deferred\n Call Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x60/0xb0\n print_address_description.constprop.0+0x2c/0x3f0\n print_report+0xb4/0x270\n kasan_report+0x92/0xc0\n irdma_net_event+0x32e/0x3b0 [irdma]\n notifier_call_chain+0x9e/0x180\n atomic_notifier_call_chain+0x5c/0x110\n rt6_do_redirect+0xb91/0x1080\n tcp_v6_err+0xe9b/0x13e0\n icmpv6_notify+0x2b2/0x630\n ndisc_redirect_rcv+0x328/0x530\n icmpv6_rcv+0xc16/0x1360\n ip6_protocol_deliver_rcu+0xb84/0x12e0\n ip6_input_finish+0x117/0x240\n ip6_input+0xc4/0x370\n ipv6_rcv+0x420/0x7d0\n __netif_receive_skb_one_core+0x118/0x1b0\n process_backlog+0xd1/0x5d0\n __napi_poll.constprop.0+0xa3/0x440\n net_rx_action+0x78a/0xba0\n handle_softirqs+0x2d4/0x9c0\n do_softirq+0xad/0xe0\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:29.446Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db93ae6fa66f1c61ae63400191195e3ee58021da"
},
{
"url": "https://git.kernel.org/stable/c/305c02e541befe4a44ffde30ed374970f41aeb6c"
},
{
"url": "https://git.kernel.org/stable/c/fc23d05f0b3fb4d80657e7afebae2cae686b31c8"
},
{
"url": "https://git.kernel.org/stable/c/bf197c7c79ef6458d1ee84dd7db251b51784885f"
},
{
"url": "https://git.kernel.org/stable/c/d9b9affd103f51b42322da4ed5ac025b560bc354"
},
{
"url": "https://git.kernel.org/stable/c/6f05611728e9d0ab024832a4f1abb74a5f5d0bb0"
}
],
"title": "RDMA/irdma: avoid invalid read in irdma_net_event",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71133",
"datePublished": "2026-01-14T15:07:48.524Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-02-09T08:35:29.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40233 (GCVE-0-2025-40233)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31
VLAI?
EPSS
Title
ocfs2: clear extent cache after moving/defragmenting extents
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: clear extent cache after moving/defragmenting extents
The extent map cache can become stale when extents are moved or
defragmented, causing subsequent operations to see outdated extent flags.
This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().
The problem occurs when:
1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED
2. ioctl(FITRIM) triggers ocfs2_move_extents()
3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2)
4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()
which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0)
5. The extent map cache is not invalidated after the move
6. Later write() operations read stale cached flags (0x2) but disk has
updated flags (0x0), causing a mismatch
7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers
Fix by clearing the extent map cache after each extent move/defrag
operation in __ocfs2_move_extents_range(). This ensures subsequent
operations read fresh extent data from disk.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
53069d4e76954e2e63c1b3c501051c6fbcf7298c , < 93166bc53c0e3587058327a4121daea34b4fecd5
(git)
Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < a7ee72286efba1d407c6f15a0528e43593fb7007 (git) Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < 93b1ab422f1966b71561158e1aedce4ec100f357 (git) Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < e92af7737a94a729225d2a5d180eaaa77fe0bbc1 (git) Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < aa6a21409dd6221bb268b56bb410e031c632ff9a (git) Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < bb69928ed578f881e68d26aaf1a8f6e7faab3b44 (git) Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < a21750df2f6169af6e039a3bb4893d6c9564e48d (git) Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < 78a63493f8e352296dbc7cb7b3f4973105e8679e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/move_extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93166bc53c0e3587058327a4121daea34b4fecd5",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "a7ee72286efba1d407c6f15a0528e43593fb7007",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "93b1ab422f1966b71561158e1aedce4ec100f357",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "e92af7737a94a729225d2a5d180eaaa77fe0bbc1",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "aa6a21409dd6221bb268b56bb410e031c632ff9a",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "bb69928ed578f881e68d26aaf1a8f6e7faab3b44",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "a21750df2f6169af6e039a3bb4893d6c9564e48d",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "78a63493f8e352296dbc7cb7b3f4973105e8679e",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/move_extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: clear extent cache after moving/defragmenting extents\n\nThe extent map cache can become stale when extents are moved or\ndefragmented, causing subsequent operations to see outdated extent flags. \nThis triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().\n\nThe problem occurs when:\n1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED\n2. ioctl(FITRIM) triggers ocfs2_move_extents()\n3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2)\n4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()\n which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0)\n5. The extent map cache is not invalidated after the move\n6. Later write() operations read stale cached flags (0x2) but disk has\n updated flags (0x0), causing a mismatch\n7. BUG_ON(!(rec-\u003ee_flags \u0026 OCFS2_EXT_REFCOUNTED)) triggers\n\nFix by clearing the extent map cache after each extent move/defrag\noperation in __ocfs2_move_extents_range(). This ensures subsequent\noperations read fresh extent data from disk."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:23.891Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93166bc53c0e3587058327a4121daea34b4fecd5"
},
{
"url": "https://git.kernel.org/stable/c/a7ee72286efba1d407c6f15a0528e43593fb7007"
},
{
"url": "https://git.kernel.org/stable/c/93b1ab422f1966b71561158e1aedce4ec100f357"
},
{
"url": "https://git.kernel.org/stable/c/e92af7737a94a729225d2a5d180eaaa77fe0bbc1"
},
{
"url": "https://git.kernel.org/stable/c/aa6a21409dd6221bb268b56bb410e031c632ff9a"
},
{
"url": "https://git.kernel.org/stable/c/bb69928ed578f881e68d26aaf1a8f6e7faab3b44"
},
{
"url": "https://git.kernel.org/stable/c/a21750df2f6169af6e039a3bb4893d6c9564e48d"
},
{
"url": "https://git.kernel.org/stable/c/78a63493f8e352296dbc7cb7b3f4973105e8679e"
}
],
"title": "ocfs2: clear extent cache after moving/defragmenting extents",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40233",
"datePublished": "2025-12-04T15:31:23.891Z",
"dateReserved": "2025-04-16T07:20:57.180Z",
"dateUpdated": "2025-12-04T15:31:23.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68183 (GCVE-0-2025-68183)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr
Summary
In the Linux kernel, the following vulnerability has been resolved:
ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr
Currently when both IMA and EVM are in fix mode, the IMA signature will
be reset to IMA hash if a program first stores IMA signature in
security.ima and then writes/removes some other security xattr for the
file.
For example, on Fedora, after booting the kernel with "ima_appraise=fix
evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima,
installing/reinstalling a package will not make good reference IMA
signature generated. Instead IMA hash is generated,
# getfattr -m - -d -e hex /usr/bin/bash
# file: usr/bin/bash
security.ima=0x0404...
This happens because when setting security.selinux, the IMA_DIGSIG flag
that had been set early was cleared. As a result, IMA hash is generated
when the file is closed.
Similarly, IMA signature can be cleared on file close after removing
security xattr like security.evm or setting/removing ACL.
Prevent replacing the IMA file signature with a file hash, by preventing
the IMA_DIGSIG flag from being reset.
Here's a minimal C reproducer which sets security.selinux as the last
step which can also replaced by removing security.evm or setting ACL,
#include <stdio.h>
#include <sys/xattr.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
int main() {
const char* file_path = "/usr/sbin/test_binary";
const char* hex_string = "030204d33204490066306402304";
int length = strlen(hex_string);
char* ima_attr_value;
int fd;
fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);
if (fd == -1) {
perror("Error opening file");
return 1;
}
ima_attr_value = (char*)malloc(length / 2 );
for (int i = 0, j = 0; i < length; i += 2, j++) {
sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]);
}
if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) {
perror("Error setting extended attribute");
close(fd);
return 1;
}
const char* selinux_value= "system_u:object_r:bin_t:s0";
if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) {
perror("Error setting extended attribute");
close(fd);
return 1;
}
close(fd);
return 0;
}
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e3ccfe1ad7d895487977ef64eda3441d16c9851a , < d2993a7e98eb70c737c6f5365a190e79c72b8407
(git)
Affected: e3ccfe1ad7d895487977ef64eda3441d16c9851a , < edd824eb45e4f7e05ad3ab090dab6dbdb79cd292 (git) Affected: e3ccfe1ad7d895487977ef64eda3441d16c9851a , < 02aa671c08a4834bef5166743a7b88686fbfa023 (git) Affected: e3ccfe1ad7d895487977ef64eda3441d16c9851a , < 88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_appraise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2993a7e98eb70c737c6f5365a190e79c72b8407",
"status": "affected",
"version": "e3ccfe1ad7d895487977ef64eda3441d16c9851a",
"versionType": "git"
},
{
"lessThan": "edd824eb45e4f7e05ad3ab090dab6dbdb79cd292",
"status": "affected",
"version": "e3ccfe1ad7d895487977ef64eda3441d16c9851a",
"versionType": "git"
},
{
"lessThan": "02aa671c08a4834bef5166743a7b88686fbfa023",
"status": "affected",
"version": "e3ccfe1ad7d895487977ef64eda3441d16c9851a",
"versionType": "git"
},
{
"lessThan": "88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd",
"status": "affected",
"version": "e3ccfe1ad7d895487977ef64eda3441d16c9851a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_appraise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: don\u0027t clear IMA_DIGSIG flag when setting or removing non-IMA xattr\n\nCurrently when both IMA and EVM are in fix mode, the IMA signature will\nbe reset to IMA hash if a program first stores IMA signature in\nsecurity.ima and then writes/removes some other security xattr for the\nfile.\n\nFor example, on Fedora, after booting the kernel with \"ima_appraise=fix\nevm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima,\ninstalling/reinstalling a package will not make good reference IMA\nsignature generated. Instead IMA hash is generated,\n\n # getfattr -m - -d -e hex /usr/bin/bash\n # file: usr/bin/bash\n security.ima=0x0404...\n\nThis happens because when setting security.selinux, the IMA_DIGSIG flag\nthat had been set early was cleared. As a result, IMA hash is generated\nwhen the file is closed.\n\nSimilarly, IMA signature can be cleared on file close after removing\nsecurity xattr like security.evm or setting/removing ACL.\n\nPrevent replacing the IMA file signature with a file hash, by preventing\nthe IMA_DIGSIG flag from being reset.\n\nHere\u0027s a minimal C reproducer which sets security.selinux as the last\nstep which can also replaced by removing security.evm or setting ACL,\n\n #include \u003cstdio.h\u003e\n #include \u003csys/xattr.h\u003e\n #include \u003cfcntl.h\u003e\n #include \u003cunistd.h\u003e\n #include \u003cstring.h\u003e\n #include \u003cstdlib.h\u003e\n\n int main() {\n const char* file_path = \"/usr/sbin/test_binary\";\n const char* hex_string = \"030204d33204490066306402304\";\n int length = strlen(hex_string);\n char* ima_attr_value;\n int fd;\n\n fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);\n if (fd == -1) {\n perror(\"Error opening file\");\n return 1;\n }\n\n ima_attr_value = (char*)malloc(length / 2 );\n for (int i = 0, j = 0; i \u003c length; i += 2, j++) {\n sscanf(hex_string + i, \"%2hhx\", \u0026ima_attr_value[j]);\n }\n\n if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {\n perror(\"Error setting extended attribute\");\n close(fd);\n return 1;\n }\n\n const char* selinux_value= \"system_u:object_r:bin_t:s0\";\n if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {\n perror(\"Error setting extended attribute\");\n close(fd);\n return 1;\n }\n\n close(fd);\n\n return 0;\n }"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:14.370Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2993a7e98eb70c737c6f5365a190e79c72b8407"
},
{
"url": "https://git.kernel.org/stable/c/edd824eb45e4f7e05ad3ab090dab6dbdb79cd292"
},
{
"url": "https://git.kernel.org/stable/c/02aa671c08a4834bef5166743a7b88686fbfa023"
},
{
"url": "https://git.kernel.org/stable/c/88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd"
}
],
"title": "ima: don\u0027t clear IMA_DIGSIG flag when setting or removing non-IMA xattr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68183",
"datePublished": "2025-12-16T13:43:01.178Z",
"dateReserved": "2025-12-16T13:41:40.252Z",
"dateUpdated": "2026-01-02T15:34:14.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39992 (GCVE-0-2025-39992)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:58 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
mm: swap: check for stable address space before operating on the VMA
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: swap: check for stable address space before operating on the VMA
It is possible to hit a zero entry while traversing the vmas in unuse_mm()
called from swapoff path and accessing it causes the OOPS:
Unable to handle kernel NULL pointer dereference at virtual address
0000000000000446--> Loading the memory from offset 0x40 on the
XA_ZERO_ENTRY as address.
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
The issue is manifested from the below race between the fork() on a
process and swapoff:
fork(dup_mmap()) swapoff(unuse_mm)
--------------- -----------------
1) Identical mtree is built using
__mt_dup().
2) copy_pte_range()-->
copy_nonpresent_pte():
The dst mm is added into the
mmlist to be visible to the
swapoff operation.
3) Fatal signal is sent to the parent
process(which is the current during the
fork) thus skip the duplication of the
vmas and mark the vma range with
XA_ZERO_ENTRY as a marker for this process
that helps during exit_mmap().
4) swapoff is tried on the
'mm' added to the 'mmlist' as
part of the 2.
5) unuse_mm(), that iterates
through the vma's of this 'mm'
will hit the non-NULL zero entry
and operating on this zero entry
as a vma is resulting into the
oops.
The proper fix would be around not exposing this partially-valid tree to
others when droping the mmap lock, which is being solved with [1]. A
simpler solution would be checking for MMF_UNSTABLE, as it is set if
mm_struct is not fully initialized in dup_mmap().
Thanks to Liam/Lorenzo/David for all the suggestions in fixing this
issue.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d2406291483775ecddaee929231a39c70c08fda2 , < 4e5f060d7347466f77aaff1c0d5a6c4f1fb217ac
(git)
Affected: d2406291483775ecddaee929231a39c70c08fda2 , < 9cddad3b26dac830407d2d3c0de5205ff6d6dda0 (git) Affected: d2406291483775ecddaee929231a39c70c08fda2 , < e4e99d69b8b8295c501b2eef89e13306b738b667 (git) Affected: d2406291483775ecddaee929231a39c70c08fda2 , < 1367da7eb875d01102d2ed18654b24d261ff5393 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/swapfile.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e5f060d7347466f77aaff1c0d5a6c4f1fb217ac",
"status": "affected",
"version": "d2406291483775ecddaee929231a39c70c08fda2",
"versionType": "git"
},
{
"lessThan": "9cddad3b26dac830407d2d3c0de5205ff6d6dda0",
"status": "affected",
"version": "d2406291483775ecddaee929231a39c70c08fda2",
"versionType": "git"
},
{
"lessThan": "e4e99d69b8b8295c501b2eef89e13306b738b667",
"status": "affected",
"version": "d2406291483775ecddaee929231a39c70c08fda2",
"versionType": "git"
},
{
"lessThan": "1367da7eb875d01102d2ed18654b24d261ff5393",
"status": "affected",
"version": "d2406291483775ecddaee929231a39c70c08fda2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/swapfile.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: check for stable address space before operating on the VMA\n\nIt is possible to hit a zero entry while traversing the vmas in unuse_mm()\ncalled from swapoff path and accessing it causes the OOPS:\n\nUnable to handle kernel NULL pointer dereference at virtual address\n0000000000000446--\u003e Loading the memory from offset 0x40 on the\nXA_ZERO_ENTRY as address.\nMem abort info:\n ESR = 0x0000000096000005\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x05: level 1 translation fault\n\nThe issue is manifested from the below race between the fork() on a\nprocess and swapoff:\nfork(dup_mmap())\t\t\tswapoff(unuse_mm)\n--------------- -----------------\n1) Identical mtree is built using\n __mt_dup().\n\n2) copy_pte_range()--\u003e\n\tcopy_nonpresent_pte():\n The dst mm is added into the\n mmlist to be visible to the\n swapoff operation.\n\n3) Fatal signal is sent to the parent\nprocess(which is the current during the\nfork) thus skip the duplication of the\nvmas and mark the vma range with\nXA_ZERO_ENTRY as a marker for this process\nthat helps during exit_mmap().\n\n\t\t\t\t 4) swapoff is tried on the\n\t\t\t\t\t\u0027mm\u0027 added to the \u0027mmlist\u0027 as\n\t\t\t\t\tpart of the 2.\n\n\t\t\t\t 5) unuse_mm(), that iterates\n\t\t\t\t\tthrough the vma\u0027s of this \u0027mm\u0027\n\t\t\t\t\twill hit the non-NULL zero entry\n\t\t\t\t\tand operating on this zero entry\n\t\t\t\t\tas a vma is resulting into the\n\t\t\t\t\toops.\n\nThe proper fix would be around not exposing this partially-valid tree to\nothers when droping the mmap lock, which is being solved with [1]. A\nsimpler solution would be checking for MMF_UNSTABLE, as it is set if\nmm_struct is not fully initialized in dup_mmap().\n\nThanks to Liam/Lorenzo/David for all the suggestions in fixing this\nissue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:02.393Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e5f060d7347466f77aaff1c0d5a6c4f1fb217ac"
},
{
"url": "https://git.kernel.org/stable/c/9cddad3b26dac830407d2d3c0de5205ff6d6dda0"
},
{
"url": "https://git.kernel.org/stable/c/e4e99d69b8b8295c501b2eef89e13306b738b667"
},
{
"url": "https://git.kernel.org/stable/c/1367da7eb875d01102d2ed18654b24d261ff5393"
}
],
"title": "mm: swap: check for stable address space before operating on the VMA",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39992",
"datePublished": "2025-10-15T07:58:17.927Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-12-01T06:16:02.393Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71082 (GCVE-0-2025-71082)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
Bluetooth: btusb: revert use of devm_kzalloc in btusb
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: revert use of devm_kzalloc in btusb
This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in
btusb.c file").
In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This
ties the lifetime of all the btusb data to the binding of a driver to
one interface, INTF. In a driver that binds to other interfaces, ISOC
and DIAG, this is an accident waiting to happen.
The issue is revealed in btusb_disconnect(), where calling
usb_driver_release_interface(&btusb_driver, data->intf) will have devm
free the data that is also being used by the other interfaces of the
driver that may not be released yet.
To fix this, revert the use of devm and go back to freeing memory
explicitly.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 , < fff9206b0907252a41eb12b7c1407b9347df18b1
(git)
Affected: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 , < cca0e9206e3bcc63cd3e72193e60149165d493cc (git) Affected: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 , < c0ecb3e4451fe94f4315e6d09c4046dfbc42090b (git) Affected: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 , < 1e54c19eaf84ba652c4e376571093e58e144b339 (git) Affected: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 , < fdf7c640fb8a44a59b0671143d8c2f738bc48003 (git) Affected: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 , < 252714f1e8bdd542025b16321c790458014d6880 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fff9206b0907252a41eb12b7c1407b9347df18b1",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "cca0e9206e3bcc63cd3e72193e60149165d493cc",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "c0ecb3e4451fe94f4315e6d09c4046dfbc42090b",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "1e54c19eaf84ba652c4e376571093e58e144b339",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "fdf7c640fb8a44a59b0671143d8c2f738bc48003",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "252714f1e8bdd542025b16321c790458014d6880",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: revert use of devm_kzalloc in btusb\n\nThis reverts commit 98921dbd00c4e (\"Bluetooth: Use devm_kzalloc in\nbtusb.c file\").\n\nIn btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This\nties the lifetime of all the btusb data to the binding of a driver to\none interface, INTF. In a driver that binds to other interfaces, ISOC\nand DIAG, this is an accident waiting to happen.\n\nThe issue is revealed in btusb_disconnect(), where calling\nusb_driver_release_interface(\u0026btusb_driver, data-\u003eintf) will have devm\nfree the data that is also being used by the other interfaces of the\ndriver that may not be released yet.\n\nTo fix this, revert the use of devm and go back to freeing memory\nexplicitly."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:33.532Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fff9206b0907252a41eb12b7c1407b9347df18b1"
},
{
"url": "https://git.kernel.org/stable/c/cca0e9206e3bcc63cd3e72193e60149165d493cc"
},
{
"url": "https://git.kernel.org/stable/c/c0ecb3e4451fe94f4315e6d09c4046dfbc42090b"
},
{
"url": "https://git.kernel.org/stable/c/1e54c19eaf84ba652c4e376571093e58e144b339"
},
{
"url": "https://git.kernel.org/stable/c/fdf7c640fb8a44a59b0671143d8c2f738bc48003"
},
{
"url": "https://git.kernel.org/stable/c/252714f1e8bdd542025b16321c790458014d6880"
}
],
"title": "Bluetooth: btusb: revert use of devm_kzalloc in btusb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71082",
"datePublished": "2026-01-13T15:34:46.301Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-02-09T08:34:33.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68371 (GCVE-0-2025-68371)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
scsi: smartpqi: Fix device resources accessed after device removal
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: smartpqi: Fix device resources accessed after device removal
Correct possible race conditions during device removal.
Previously, a scheduled work item to reset a LUN could still execute
after the device was removed, leading to use-after-free and other
resource access issues.
This race condition occurs because the abort handler may schedule a LUN
reset concurrently with device removal via sdev_destroy(), leading to
use-after-free and improper access to freed resources.
- Check in the device reset handler if the device is still present in
the controller's SCSI device list before running; if not, the reset
is skipped.
- Cancel any pending TMF work that has not started in sdev_destroy().
- Ensure device freeing in sdev_destroy() is done while holding the
LUN reset mutex to avoid races with ongoing resets.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2d80f4054f7f901b8ad97358a9069616ac8524c7 , < 7dfa5a5516ec3c6b9b6c22ee18f0eb2df3f38ef2
(git)
Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < 6d2390653d82cad0e1ba2676e536dd99678f6ef1 (git) Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < eccc02ba1747501d92bb2049e3ce378ba372f641 (git) Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < 4e1acf1b6dd6dd0495bda139daafd7a403ae2dc1 (git) Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < 1a5c5a2f88e839af5320216a02ffb075b668596a (git) Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < b518e86d1a70a88f6592a7c396cf1b93493d1aab (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/smartpqi/smartpqi_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7dfa5a5516ec3c6b9b6c22ee18f0eb2df3f38ef2",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "6d2390653d82cad0e1ba2676e536dd99678f6ef1",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "eccc02ba1747501d92bb2049e3ce378ba372f641",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "4e1acf1b6dd6dd0495bda139daafd7a403ae2dc1",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "1a5c5a2f88e839af5320216a02ffb075b668596a",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "b518e86d1a70a88f6592a7c396cf1b93493d1aab",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/smartpqi/smartpqi_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix device resources accessed after device removal\n\nCorrect possible race conditions during device removal.\n\nPreviously, a scheduled work item to reset a LUN could still execute\nafter the device was removed, leading to use-after-free and other\nresource access issues.\n\nThis race condition occurs because the abort handler may schedule a LUN\nreset concurrently with device removal via sdev_destroy(), leading to\nuse-after-free and improper access to freed resources.\n\n - Check in the device reset handler if the device is still present in\n the controller\u0027s SCSI device list before running; if not, the reset\n is skipped.\n\n - Cancel any pending TMF work that has not started in sdev_destroy().\n\n - Ensure device freeing in sdev_destroy() is done while holding the\n LUN reset mutex to avoid races with ongoing resets."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:08.360Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7dfa5a5516ec3c6b9b6c22ee18f0eb2df3f38ef2"
},
{
"url": "https://git.kernel.org/stable/c/6d2390653d82cad0e1ba2676e536dd99678f6ef1"
},
{
"url": "https://git.kernel.org/stable/c/eccc02ba1747501d92bb2049e3ce378ba372f641"
},
{
"url": "https://git.kernel.org/stable/c/4e1acf1b6dd6dd0495bda139daafd7a403ae2dc1"
},
{
"url": "https://git.kernel.org/stable/c/1a5c5a2f88e839af5320216a02ffb075b668596a"
},
{
"url": "https://git.kernel.org/stable/c/b518e86d1a70a88f6592a7c396cf1b93493d1aab"
}
],
"title": "scsi: smartpqi: Fix device resources accessed after device removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68371",
"datePublished": "2025-12-24T10:33:01.896Z",
"dateReserved": "2025-12-16T14:48:05.309Z",
"dateUpdated": "2026-02-09T08:32:08.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68176 (GCVE-0-2025-68176)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
PCI: cadence: Check for the existence of cdns_pcie::ops before using it
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: cadence: Check for the existence of cdns_pcie::ops before using it
cdns_pcie::ops might not be populated by all the Cadence glue drivers. This
is going to be true for the upcoming Sophgo platform which doesn't set the
ops.
Hence, add a check to prevent NULL pointer dereference.
[mani: reworded subject and description]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
40d957e6f9eb3a8a585007b8b730340c829afbdb , < d5dbe92ac8a4ca6226093241f95f9cb1b0d2e0e1
(git)
Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < eb3d29ca0820fa3d7cccad47d2da56c9ab5469ed (git) Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < 0d0bb756f002810d249caee51f3f1c309f3cdab5 (git) Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < 1810b2fd7375de88a74976dcd402b29088e479ed (git) Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < 953eb3796ef06b8ea3bf6bdde14156255bc75866 (git) Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < 363448d069e29685ca37a118065121e486387af3 (git) Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < 49a6c160ad4812476f8ae1a8f4ed6d15adfa6c09 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/controller/cadence/pcie-cadence-host.c",
"drivers/pci/controller/cadence/pcie-cadence.c",
"drivers/pci/controller/cadence/pcie-cadence.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5dbe92ac8a4ca6226093241f95f9cb1b0d2e0e1",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "eb3d29ca0820fa3d7cccad47d2da56c9ab5469ed",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "0d0bb756f002810d249caee51f3f1c309f3cdab5",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "1810b2fd7375de88a74976dcd402b29088e479ed",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "953eb3796ef06b8ea3bf6bdde14156255bc75866",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "363448d069e29685ca37a118065121e486387af3",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "49a6c160ad4812476f8ae1a8f4ed6d15adfa6c09",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/controller/cadence/pcie-cadence-host.c",
"drivers/pci/controller/cadence/pcie-cadence.c",
"drivers/pci/controller/cadence/pcie-cadence.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: cadence: Check for the existence of cdns_pcie::ops before using it\n\ncdns_pcie::ops might not be populated by all the Cadence glue drivers. This\nis going to be true for the upcoming Sophgo platform which doesn\u0027t set the\nops.\n\nHence, add a check to prevent NULL pointer dereference.\n\n[mani: reworded subject and description]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:04.730Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5dbe92ac8a4ca6226093241f95f9cb1b0d2e0e1"
},
{
"url": "https://git.kernel.org/stable/c/eb3d29ca0820fa3d7cccad47d2da56c9ab5469ed"
},
{
"url": "https://git.kernel.org/stable/c/0d0bb756f002810d249caee51f3f1c309f3cdab5"
},
{
"url": "https://git.kernel.org/stable/c/1810b2fd7375de88a74976dcd402b29088e479ed"
},
{
"url": "https://git.kernel.org/stable/c/953eb3796ef06b8ea3bf6bdde14156255bc75866"
},
{
"url": "https://git.kernel.org/stable/c/363448d069e29685ca37a118065121e486387af3"
},
{
"url": "https://git.kernel.org/stable/c/49a6c160ad4812476f8ae1a8f4ed6d15adfa6c09"
}
],
"title": "PCI: cadence: Check for the existence of cdns_pcie::ops before using it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68176",
"datePublished": "2025-12-16T13:42:55.616Z",
"dateReserved": "2025-12-16T13:41:40.251Z",
"dateUpdated": "2026-01-02T15:34:04.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39957 (GCVE-0-2025-39957)
Vulnerability from cvelistv5 – Published: 2025-10-09 09:47 – Updated: 2026-01-02 15:32
VLAI?
EPSS
Title
wifi: mac80211: increase scan_ies_len for S1G
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: increase scan_ies_len for S1G
Currently the S1G capability element is not taken into account
for the scan_ies_len, which leads to a buffer length validation
failure in ieee80211_prep_hw_scan() and subsequent WARN in
__ieee80211_start_scan(). This prevents hw scanning from functioning.
To fix ensure we accommodate for the S1G capability length.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0333a81bc83431d7f90391d38aa09e856c5e5b25 , < 93e063f15e17acb8cd6ac90c8f0802c2624e1a74
(git)
Affected: 0333a81bc83431d7f90391d38aa09e856c5e5b25 , < 32adb020b0c32939da1322dcc87fc0ae2bc935d1 (git) Affected: 0333a81bc83431d7f90391d38aa09e856c5e5b25 , < 0dbad5f5549e54ac269cc04ce89f212892a98cab (git) Affected: 0333a81bc83431d7f90391d38aa09e856c5e5b25 , < 7e2f3213e85eba00acb4cfe6d71647892d63c3a1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93e063f15e17acb8cd6ac90c8f0802c2624e1a74",
"status": "affected",
"version": "0333a81bc83431d7f90391d38aa09e856c5e5b25",
"versionType": "git"
},
{
"lessThan": "32adb020b0c32939da1322dcc87fc0ae2bc935d1",
"status": "affected",
"version": "0333a81bc83431d7f90391d38aa09e856c5e5b25",
"versionType": "git"
},
{
"lessThan": "0dbad5f5549e54ac269cc04ce89f212892a98cab",
"status": "affected",
"version": "0333a81bc83431d7f90391d38aa09e856c5e5b25",
"versionType": "git"
},
{
"lessThan": "7e2f3213e85eba00acb4cfe6d71647892d63c3a1",
"status": "affected",
"version": "0333a81bc83431d7f90391d38aa09e856c5e5b25",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: increase scan_ies_len for S1G\n\nCurrently the S1G capability element is not taken into account\nfor the scan_ies_len, which leads to a buffer length validation\nfailure in ieee80211_prep_hw_scan() and subsequent WARN in\n__ieee80211_start_scan(). This prevents hw scanning from functioning.\nTo fix ensure we accommodate for the S1G capability length."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:44.450Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93e063f15e17acb8cd6ac90c8f0802c2624e1a74"
},
{
"url": "https://git.kernel.org/stable/c/32adb020b0c32939da1322dcc87fc0ae2bc935d1"
},
{
"url": "https://git.kernel.org/stable/c/0dbad5f5549e54ac269cc04ce89f212892a98cab"
},
{
"url": "https://git.kernel.org/stable/c/7e2f3213e85eba00acb4cfe6d71647892d63c3a1"
}
],
"title": "wifi: mac80211: increase scan_ies_len for S1G",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39957",
"datePublished": "2025-10-09T09:47:34.933Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2026-01-02T15:32:44.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68363 (GCVE-0-2025-68363)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
bpf: Check skb->transport_header is set in bpf_skb_check_mtu
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Check skb->transport_header is set in bpf_skb_check_mtu
The bpf_skb_check_mtu helper needs to use skb->transport_header when
the BPF_MTU_CHK_SEGS flag is used:
bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS)
The transport_header is not always set. There is a WARN_ON_ONCE
report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set +
bpf_prog_test_run is used:
WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071
skb_gso_validate_network_len
bpf_skb_check_mtu
bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch
bpf_test_run
bpf_prog_test_run_skb
For a normal ingress skb (not test_run), skb_reset_transport_header
is performed but there is plan to avoid setting it as described in
commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()").
This patch fixes the bpf helper by checking
skb_transport_header_was_set(). The check is done just before
skb->transport_header is used, to avoid breaking the existing bpf prog.
The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
34b2021cc61642d61c3cf943d9e71925b827941b , < b3171a5e4622e915e94599a55f4964078bdec27e
(git)
Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < 97b876fa88322625228792cf7a5fd77531815a80 (git) Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < 30ce906557a21adef4cba5901c8e995dc18263a9 (git) Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < 1c30e4afc5507f0069cc09bd561e510e4d97fbf7 (git) Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < 942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5 (git) Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < d946f3c98328171fa50ddb908593cf833587f725 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3171a5e4622e915e94599a55f4964078bdec27e",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "97b876fa88322625228792cf7a5fd77531815a80",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "30ce906557a21adef4cba5901c8e995dc18263a9",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "1c30e4afc5507f0069cc09bd561e510e4d97fbf7",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "d946f3c98328171fa50ddb908593cf833587f725",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check skb-\u003etransport_header is set in bpf_skb_check_mtu\n\nThe bpf_skb_check_mtu helper needs to use skb-\u003etransport_header when\nthe BPF_MTU_CHK_SEGS flag is used:\n\n\tbpf_skb_check_mtu(skb, ifindex, \u0026mtu_len, 0, BPF_MTU_CHK_SEGS)\n\nThe transport_header is not always set. There is a WARN_ON_ONCE\nreport when CONFIG_DEBUG_NET is enabled + skb-\u003egso_size is set +\nbpf_prog_test_run is used:\n\nWARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071\n skb_gso_validate_network_len\n bpf_skb_check_mtu\n bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch\n bpf_test_run\n bpf_prog_test_run_skb\n\nFor a normal ingress skb (not test_run), skb_reset_transport_header\nis performed but there is plan to avoid setting it as described in\ncommit 2170a1f09148 (\"net: no longer reset transport_header in __netif_receive_skb_core()\").\n\nThis patch fixes the bpf helper by checking\nskb_transport_header_was_set(). The check is done just before\nskb-\u003etransport_header is used, to avoid breaking the existing bpf prog.\nThe WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:58.953Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3171a5e4622e915e94599a55f4964078bdec27e"
},
{
"url": "https://git.kernel.org/stable/c/97b876fa88322625228792cf7a5fd77531815a80"
},
{
"url": "https://git.kernel.org/stable/c/30ce906557a21adef4cba5901c8e995dc18263a9"
},
{
"url": "https://git.kernel.org/stable/c/1c30e4afc5507f0069cc09bd561e510e4d97fbf7"
},
{
"url": "https://git.kernel.org/stable/c/942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5"
},
{
"url": "https://git.kernel.org/stable/c/d946f3c98328171fa50ddb908593cf833587f725"
}
],
"title": "bpf: Check skb-\u003etransport_header is set in bpf_skb_check_mtu",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68363",
"datePublished": "2025-12-24T10:32:51.236Z",
"dateReserved": "2025-12-16T14:48:05.308Z",
"dateUpdated": "2026-02-09T08:31:58.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68739 (GCVE-0-2025-68739)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
PM / devfreq: hisi: Fix potential UAF in OPP handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
PM / devfreq: hisi: Fix potential UAF in OPP handling
Ensure all required data is acquired before calling dev_pm_opp_put(opp)
to maintain correct resource acquisition and release order.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7da2fdaaa1e6062686ac96a9f096c2d7847533e4 , < efb028b07f7b2d141b91c2fab5276b601f0d0dbe
(git)
Affected: 7da2fdaaa1e6062686ac96a9f096c2d7847533e4 , < 469b0b8ce08818f3e4f01d2fa8d0dadeab501e1f (git) Affected: 7da2fdaaa1e6062686ac96a9f096c2d7847533e4 , < 26dd44a40096468396b6438985d8e44e0743f64c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/devfreq/hisi_uncore_freq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "efb028b07f7b2d141b91c2fab5276b601f0d0dbe",
"status": "affected",
"version": "7da2fdaaa1e6062686ac96a9f096c2d7847533e4",
"versionType": "git"
},
{
"lessThan": "469b0b8ce08818f3e4f01d2fa8d0dadeab501e1f",
"status": "affected",
"version": "7da2fdaaa1e6062686ac96a9f096c2d7847533e4",
"versionType": "git"
},
{
"lessThan": "26dd44a40096468396b6438985d8e44e0743f64c",
"status": "affected",
"version": "7da2fdaaa1e6062686ac96a9f096c2d7847533e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/devfreq/hisi_uncore_freq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: hisi: Fix potential UAF in OPP handling\n\nEnsure all required data is acquired before calling dev_pm_opp_put(opp)\nto maintain correct resource acquisition and release order."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:35.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/efb028b07f7b2d141b91c2fab5276b601f0d0dbe"
},
{
"url": "https://git.kernel.org/stable/c/469b0b8ce08818f3e4f01d2fa8d0dadeab501e1f"
},
{
"url": "https://git.kernel.org/stable/c/26dd44a40096468396b6438985d8e44e0743f64c"
}
],
"title": "PM / devfreq: hisi: Fix potential UAF in OPP handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68739",
"datePublished": "2025-12-24T12:09:37.270Z",
"dateReserved": "2025-12-24T10:30:51.029Z",
"dateUpdated": "2026-02-09T08:32:35.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40218 (GCVE-0-2025-40218)
Vulnerability from cvelistv5 – Published: 2025-12-04 14:50 – Updated: 2025-12-04 14:50
VLAI?
EPSS
Title
mm/damon/vaddr: do not repeat pte_offset_map_lock() until success
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/vaddr: do not repeat pte_offset_map_lock() until success
DAMON's virtual address space operation set implementation (vaddr) calls
pte_offset_map_lock() inside the page table walk callback function. This
is for reading and writing page table accessed bits. If
pte_offset_map_lock() fails, it retries by returning the page table walk
callback function with ACTION_AGAIN.
pte_offset_map_lock() can continuously fail if the target is a pmd
migration entry, though. Hence it could cause an infinite page table walk
if the migration cannot be done until the page table walk is finished.
This indeed caused a soft lockup when CPU hotplugging and DAMON were
running in parallel.
Avoid the infinite loop by simply not retrying the page table walk. DAMON
is promising only a best-effort accuracy, so missing access to such pages
is no problem.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7780d04046a2288ab85d88bedacc60fa4fad9971 , < 677ebfe5d00f94adec0c0204f6e6e2a82d3f77bf
(git)
Affected: 7780d04046a2288ab85d88bedacc60fa4fad9971 , < ac42320ec873bfe726141069cfdd90ee5bc4e885 (git) Affected: 7780d04046a2288ab85d88bedacc60fa4fad9971 , < 0ccd91cf749536d41307a07e60ec14ab0dbf21f5 (git) Affected: 7780d04046a2288ab85d88bedacc60fa4fad9971 , < b93af2cc8e036754c0d9970d9ddc47f43cc94b9f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/vaddr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "677ebfe5d00f94adec0c0204f6e6e2a82d3f77bf",
"status": "affected",
"version": "7780d04046a2288ab85d88bedacc60fa4fad9971",
"versionType": "git"
},
{
"lessThan": "ac42320ec873bfe726141069cfdd90ee5bc4e885",
"status": "affected",
"version": "7780d04046a2288ab85d88bedacc60fa4fad9971",
"versionType": "git"
},
{
"lessThan": "0ccd91cf749536d41307a07e60ec14ab0dbf21f5",
"status": "affected",
"version": "7780d04046a2288ab85d88bedacc60fa4fad9971",
"versionType": "git"
},
{
"lessThan": "b93af2cc8e036754c0d9970d9ddc47f43cc94b9f",
"status": "affected",
"version": "7780d04046a2288ab85d88bedacc60fa4fad9971",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/vaddr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/vaddr: do not repeat pte_offset_map_lock() until success\n\nDAMON\u0027s virtual address space operation set implementation (vaddr) calls\npte_offset_map_lock() inside the page table walk callback function. This\nis for reading and writing page table accessed bits. If\npte_offset_map_lock() fails, it retries by returning the page table walk\ncallback function with ACTION_AGAIN.\n\npte_offset_map_lock() can continuously fail if the target is a pmd\nmigration entry, though. Hence it could cause an infinite page table walk\nif the migration cannot be done until the page table walk is finished. \nThis indeed caused a soft lockup when CPU hotplugging and DAMON were\nrunning in parallel.\n\nAvoid the infinite loop by simply not retrying the page table walk. DAMON\nis promising only a best-effort accuracy, so missing access to such pages\nis no problem."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T14:50:41.873Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/677ebfe5d00f94adec0c0204f6e6e2a82d3f77bf"
},
{
"url": "https://git.kernel.org/stable/c/ac42320ec873bfe726141069cfdd90ee5bc4e885"
},
{
"url": "https://git.kernel.org/stable/c/0ccd91cf749536d41307a07e60ec14ab0dbf21f5"
},
{
"url": "https://git.kernel.org/stable/c/b93af2cc8e036754c0d9970d9ddc47f43cc94b9f"
}
],
"title": "mm/damon/vaddr: do not repeat pte_offset_map_lock() until success",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40218",
"datePublished": "2025-12-04T14:50:41.873Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-04T14:50:41.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68225 (GCVE-0-2025-68225)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57
VLAI?
EPSS
Title
lib/test_kho: check if KHO is enabled
Summary
In the Linux kernel, the following vulnerability has been resolved:
lib/test_kho: check if KHO is enabled
We must check whether KHO is enabled prior to issuing KHO commands,
otherwise KHO internal data structures are not initialized.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/test_kho.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb3267bedd902ec457643b1326cccddafb82e901",
"status": "affected",
"version": "b753522bed0b7e388a643f58d91bd81d8849ba43",
"versionType": "git"
},
{
"lessThan": "a26ec8f3d4e56d4a7ffa301e8032dca9df0bbc05",
"status": "affected",
"version": "b753522bed0b7e388a643f58d91bd81d8849ba43",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/test_kho.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/test_kho: check if KHO is enabled\n\nWe must check whether KHO is enabled prior to issuing KHO commands,\notherwise KHO internal data structures are not initialized."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:18.346Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb3267bedd902ec457643b1326cccddafb82e901"
},
{
"url": "https://git.kernel.org/stable/c/a26ec8f3d4e56d4a7ffa301e8032dca9df0bbc05"
}
],
"title": "lib/test_kho: check if KHO is enabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68225",
"datePublished": "2025-12-16T13:57:18.346Z",
"dateReserved": "2025-12-16T13:41:40.257Z",
"dateUpdated": "2025-12-16T13:57:18.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40347 (GCVE-0-2025-40347)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2025-12-16 13:30
VLAI?
EPSS
Title
net: enetc: fix the deadlock of enetc_mdio_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: enetc: fix the deadlock of enetc_mdio_lock
After applying the workaround for err050089, the LS1028A platform
experiences RCU stalls on RT kernel. This issue is caused by the
recursive acquisition of the read lock enetc_mdio_lock. Here list some
of the call stacks identified under the enetc_poll path that may lead to
a deadlock:
enetc_poll
-> enetc_lock_mdio
-> enetc_clean_rx_ring OR napi_complete_done
-> napi_gro_receive
-> enetc_start_xmit
-> enetc_lock_mdio
-> enetc_map_tx_buffs
-> enetc_unlock_mdio
-> enetc_unlock_mdio
After enetc_poll acquires the read lock, a higher-priority writer attempts
to acquire the lock, causing preemption. The writer detects that a
read lock is already held and is scheduled out. However, readers under
enetc_poll cannot acquire the read lock again because a writer is already
waiting, leading to a thread hang.
Currently, the deadlock is avoided by adjusting enetc_lock_mdio to prevent
recursive lock acquisition.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3 , < 2781ca82ce8cad263d80b617addb727e6a84c9e5
(git)
Affected: 6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3 , < 1f92f5bd057a4fad9dab6af17963cdd21e5da6ed (git) Affected: 6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3 , < 2e55a49dc3b2a6b23329e4fbbd8a5feb20e220aa (git) Affected: 6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3 , < 50bd33f6b3922a6b760aa30d409cae891cec8fb5 (git) Affected: bf9c564716a13dde6a990d3b02c27cd6e39608bf (git) Affected: ff966263f5f9fdf9740f03fed0762ce73c230a6a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/enetc/enetc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2781ca82ce8cad263d80b617addb727e6a84c9e5",
"status": "affected",
"version": "6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3",
"versionType": "git"
},
{
"lessThan": "1f92f5bd057a4fad9dab6af17963cdd21e5da6ed",
"status": "affected",
"version": "6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3",
"versionType": "git"
},
{
"lessThan": "2e55a49dc3b2a6b23329e4fbbd8a5feb20e220aa",
"status": "affected",
"version": "6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3",
"versionType": "git"
},
{
"lessThan": "50bd33f6b3922a6b760aa30d409cae891cec8fb5",
"status": "affected",
"version": "6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3",
"versionType": "git"
},
{
"status": "affected",
"version": "bf9c564716a13dde6a990d3b02c27cd6e39608bf",
"versionType": "git"
},
{
"status": "affected",
"version": "ff966263f5f9fdf9740f03fed0762ce73c230a6a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/enetc/enetc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: fix the deadlock of enetc_mdio_lock\n\nAfter applying the workaround for err050089, the LS1028A platform\nexperiences RCU stalls on RT kernel. This issue is caused by the\nrecursive acquisition of the read lock enetc_mdio_lock. Here list some\nof the call stacks identified under the enetc_poll path that may lead to\na deadlock:\n\nenetc_poll\n -\u003e enetc_lock_mdio\n -\u003e enetc_clean_rx_ring OR napi_complete_done\n -\u003e napi_gro_receive\n -\u003e enetc_start_xmit\n -\u003e enetc_lock_mdio\n -\u003e enetc_map_tx_buffs\n -\u003e enetc_unlock_mdio\n -\u003e enetc_unlock_mdio\n\nAfter enetc_poll acquires the read lock, a higher-priority writer attempts\nto acquire the lock, causing preemption. The writer detects that a\nread lock is already held and is scheduled out. However, readers under\nenetc_poll cannot acquire the read lock again because a writer is already\nwaiting, leading to a thread hang.\n\nCurrently, the deadlock is avoided by adjusting enetc_lock_mdio to prevent\nrecursive lock acquisition."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:30:21.539Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2781ca82ce8cad263d80b617addb727e6a84c9e5"
},
{
"url": "https://git.kernel.org/stable/c/1f92f5bd057a4fad9dab6af17963cdd21e5da6ed"
},
{
"url": "https://git.kernel.org/stable/c/2e55a49dc3b2a6b23329e4fbbd8a5feb20e220aa"
},
{
"url": "https://git.kernel.org/stable/c/50bd33f6b3922a6b760aa30d409cae891cec8fb5"
}
],
"title": "net: enetc: fix the deadlock of enetc_mdio_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40347",
"datePublished": "2025-12-16T13:30:21.539Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-16T13:30:21.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68787 (GCVE-0-2025-68787)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
netrom: Fix memory leak in nr_sendmsg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netrom: Fix memory leak in nr_sendmsg()
syzbot reported a memory leak [1].
When function sock_alloc_send_skb() return NULL in nr_output(), the
original skb is not freed, which was allocated in nr_sendmsg(). Fix this
by freeing it before return.
[1]
BUG: memory leak
unreferenced object 0xffff888129f35500 (size 240):
comm "syz.0.17", pid 6119, jiffies 4294944652
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(....
backtrace (crc 1456a3e4):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4983 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
__alloc_skb+0x203/0x240 net/core/skbuff.c:660
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671
sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965
sock_alloc_send_skb include/net/sock.h:1859 [inline]
nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
sock_write_iter+0x293/0x2a0 net/socket.c:1195
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x45d/0x710 fs/read_write.c:686
ksys_write+0x143/0x170 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f77e538ac4e3adb1882d5bccb7bfdc111b5963d3
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 09efbf54eeaecebe882af603c9939a4b1bb9567e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 73839497bbde5cd4fd02bbd9c8bc2640780ae65d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 156a0f6341dce634a825db49ca20b48b1ae9bcc1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8d1ccba4b171cd504ecfa47349cb9864fc9d687c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 51f5fbc1681bdcffcc7d18bf3dfdb2b1278d3977 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 613d12dd794e078be8ff3cf6b62a6b9acf7f4619 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netrom/nr_out.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f77e538ac4e3adb1882d5bccb7bfdc111b5963d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "09efbf54eeaecebe882af603c9939a4b1bb9567e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "73839497bbde5cd4fd02bbd9c8bc2640780ae65d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "156a0f6341dce634a825db49ca20b48b1ae9bcc1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8d1ccba4b171cd504ecfa47349cb9864fc9d687c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "51f5fbc1681bdcffcc7d18bf3dfdb2b1278d3977",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "613d12dd794e078be8ff3cf6b62a6b9acf7f4619",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netrom/nr_out.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix memory leak in nr_sendmsg()\n\nsyzbot reported a memory leak [1].\n\nWhen function sock_alloc_send_skb() return NULL in nr_output(), the\noriginal skb is not freed, which was allocated in nr_sendmsg(). Fix this\nby freeing it before return.\n\n[1]\nBUG: memory leak\nunreferenced object 0xffff888129f35500 (size 240):\n comm \"syz.0.17\", pid 6119, jiffies 4294944652\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(....\n backtrace (crc 1456a3e4):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4983 [inline]\n slab_alloc_node mm/slub.c:5288 [inline]\n kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340\n __alloc_skb+0x203/0x240 net/core/skbuff.c:660\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671\n sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965\n sock_alloc_send_skb include/net/sock.h:1859 [inline]\n nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n sock_write_iter+0x293/0x2a0 net/socket.c:1195\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x45d/0x710 fs/read_write.c:686\n ksys_write+0x143/0x170 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:34.092Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f77e538ac4e3adb1882d5bccb7bfdc111b5963d3"
},
{
"url": "https://git.kernel.org/stable/c/09efbf54eeaecebe882af603c9939a4b1bb9567e"
},
{
"url": "https://git.kernel.org/stable/c/73839497bbde5cd4fd02bbd9c8bc2640780ae65d"
},
{
"url": "https://git.kernel.org/stable/c/156a0f6341dce634a825db49ca20b48b1ae9bcc1"
},
{
"url": "https://git.kernel.org/stable/c/8d1ccba4b171cd504ecfa47349cb9864fc9d687c"
},
{
"url": "https://git.kernel.org/stable/c/51f5fbc1681bdcffcc7d18bf3dfdb2b1278d3977"
},
{
"url": "https://git.kernel.org/stable/c/613d12dd794e078be8ff3cf6b62a6b9acf7f4619"
}
],
"title": "netrom: Fix memory leak in nr_sendmsg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68787",
"datePublished": "2026-01-13T15:29:00.344Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-02-09T08:33:34.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68281 (GCVE-0-2025-68281)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:48 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
ASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list
"struct sdca_control" declares "values" field as integer array.
But the memory allocated to it is of char array. This causes
crash for sdca_parse_function API. This patch addresses the
issue by allocating correct data size.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/sdca/sdca_functions.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fcd5786b506c51cbabc2560c68e040d8dba22a0d",
"status": "affected",
"version": "50a479527ef01f9b36dde1803a7e81741a222509",
"versionType": "git"
},
{
"lessThan": "eb2d6774cc0d9d6ab8f924825695a85c14b2e0c2",
"status": "affected",
"version": "50a479527ef01f9b36dde1803a7e81741a222509",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/sdca/sdca_functions.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list\n\n\"struct sdca_control\" declares \"values\" field as integer array.\nBut the memory allocated to it is of char array. This causes\ncrash for sdca_parse_function API. This patch addresses the\nissue by allocating correct data size."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:45.792Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fcd5786b506c51cbabc2560c68e040d8dba22a0d"
},
{
"url": "https://git.kernel.org/stable/c/eb2d6774cc0d9d6ab8f924825695a85c14b2e0c2"
}
],
"title": "ASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68281",
"datePublished": "2025-12-16T14:48:37.765Z",
"dateReserved": "2025-12-16T14:48:05.291Z",
"dateUpdated": "2026-01-02T15:34:45.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39825 (GCVE-0-2025-39825)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2026-01-02 15:32
VLAI?
EPSS
Title
smb: client: fix race with concurrent opens in rename(2)
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix race with concurrent opens in rename(2)
Besides sending the rename request to the server, the rename process
also involves closing any deferred close, waiting for outstanding I/O
to complete as well as marking all existing open handles as deleted to
prevent them from deferring closes, which increases the race window
for potential concurrent opens on the target file.
Fix this by unhashing the dentry in advance to prevent any concurrent
opens on the target.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
78c09634f7dc061a3bd09704cdbebb3762a45cdf , < c9e7de284da0be5b44dbe79d71573f9f7f9b144c
(git)
Affected: 78c09634f7dc061a3bd09704cdbebb3762a45cdf , < 24b9ed739c8c5b464d983e12cf308982f3ae93c2 (git) Affected: 78c09634f7dc061a3bd09704cdbebb3762a45cdf , < c9991af5e09924f6f3b3e6996a5e09f9504b4358 (git) Affected: 78c09634f7dc061a3bd09704cdbebb3762a45cdf , < 289f945acb20b9b54fe4d13895e44aa58965ddb2 (git) Affected: 78c09634f7dc061a3bd09704cdbebb3762a45cdf , < d84291fc7453df7881a970716f8256273aca5747 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:46.244Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c9e7de284da0be5b44dbe79d71573f9f7f9b144c",
"status": "affected",
"version": "78c09634f7dc061a3bd09704cdbebb3762a45cdf",
"versionType": "git"
},
{
"lessThan": "24b9ed739c8c5b464d983e12cf308982f3ae93c2",
"status": "affected",
"version": "78c09634f7dc061a3bd09704cdbebb3762a45cdf",
"versionType": "git"
},
{
"lessThan": "c9991af5e09924f6f3b3e6996a5e09f9504b4358",
"status": "affected",
"version": "78c09634f7dc061a3bd09704cdbebb3762a45cdf",
"versionType": "git"
},
{
"lessThan": "289f945acb20b9b54fe4d13895e44aa58965ddb2",
"status": "affected",
"version": "78c09634f7dc061a3bd09704cdbebb3762a45cdf",
"versionType": "git"
},
{
"lessThan": "d84291fc7453df7881a970716f8256273aca5747",
"status": "affected",
"version": "78c09634f7dc061a3bd09704cdbebb3762a45cdf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix race with concurrent opens in rename(2)\n\nBesides sending the rename request to the server, the rename process\nalso involves closing any deferred close, waiting for outstanding I/O\nto complete as well as marking all existing open handles as deleted to\nprevent them from deferring closes, which increases the race window\nfor potential concurrent opens on the target file.\n\nFix this by unhashing the dentry in advance to prevent any concurrent\nopens on the target."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:35.968Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c9e7de284da0be5b44dbe79d71573f9f7f9b144c"
},
{
"url": "https://git.kernel.org/stable/c/24b9ed739c8c5b464d983e12cf308982f3ae93c2"
},
{
"url": "https://git.kernel.org/stable/c/c9991af5e09924f6f3b3e6996a5e09f9504b4358"
},
{
"url": "https://git.kernel.org/stable/c/289f945acb20b9b54fe4d13895e44aa58965ddb2"
},
{
"url": "https://git.kernel.org/stable/c/d84291fc7453df7881a970716f8256273aca5747"
}
],
"title": "smb: client: fix race with concurrent opens in rename(2)",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39825",
"datePublished": "2025-09-16T13:00:23.897Z",
"dateReserved": "2025-04-16T07:20:57.140Z",
"dateUpdated": "2026-01-02T15:32:35.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68288 (GCVE-0-2025-68288)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
usb: storage: Fix memory leak in USB bulk transport
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: storage: Fix memory leak in USB bulk transport
A kernel memory leak was identified by the 'ioctl_sg01' test from Linux
Test Project (LTP). The following bytes were mainly observed: 0x53425355.
When USB storage devices incorrectly skip the data phase with status data,
the code extracts/validates the CSW from the sg buffer, but fails to clear
it afterwards. This leaves status protocol data in srb's transfer buffer,
such as the US_BULK_CS_SIGN 'USBS' signature observed here. Thus, this can
lead to USB protocols leaks to user space through SCSI generic (/dev/sg*)
interfaces, such as the one seen here when the LTP test requested 512 KiB.
Fix the leak by zeroing the CSW data in srb's transfer buffer immediately
after the validation of devices that skip data phase.
Note: Differently from CVE-2018-1000204, which fixed a big leak by zero-
ing pages at allocation time, this leak occurs after allocation, when USB
protocol data is written to already-allocated sg pages.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a45b599ad808c3c982fdcdc12b0b8611c2f92824 , < 83f0241959831586d9b6d47f6bd5d3dec8f43bf0
(git)
Affected: a45b599ad808c3c982fdcdc12b0b8611c2f92824 , < 4ba515dfff7eeca369ab85cdbb3f3b231c71720c (git) Affected: a45b599ad808c3c982fdcdc12b0b8611c2f92824 , < 467fec3cefbeb9e3ea80f457da9a5666a71ca0d0 (git) Affected: a45b599ad808c3c982fdcdc12b0b8611c2f92824 , < cb1401b5bcc2feb5b038fc4b512e5968b016e05e (git) Affected: a45b599ad808c3c982fdcdc12b0b8611c2f92824 , < 0f18eac44c5668204bf6eebb01ddb369ac56932b (git) Affected: a45b599ad808c3c982fdcdc12b0b8611c2f92824 , < 5b815ddb3f5560fac35b16de3a2a22d5f81c5993 (git) Affected: a45b599ad808c3c982fdcdc12b0b8611c2f92824 , < 41e99fe2005182139b1058db71f0d241f8f0078c (git) Affected: 582802e7c617cfb07cc15f280c128e6decbc57b8 (git) Affected: 58b7ce6f9ef2367f86384b20458642945993b816 (git) Affected: 93314640426ddb6af618d0802e622f6fa771792c (git) Affected: ad2518320bc440ed3db072e2444a1bb226a9cf7a (git) Affected: d827bea2d18c07ba514f7d48cde49f90da9a1384 (git) Affected: 39169410574503c6e901de1aa6eac5108475e017 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83f0241959831586d9b6d47f6bd5d3dec8f43bf0",
"status": "affected",
"version": "a45b599ad808c3c982fdcdc12b0b8611c2f92824",
"versionType": "git"
},
{
"lessThan": "4ba515dfff7eeca369ab85cdbb3f3b231c71720c",
"status": "affected",
"version": "a45b599ad808c3c982fdcdc12b0b8611c2f92824",
"versionType": "git"
},
{
"lessThan": "467fec3cefbeb9e3ea80f457da9a5666a71ca0d0",
"status": "affected",
"version": "a45b599ad808c3c982fdcdc12b0b8611c2f92824",
"versionType": "git"
},
{
"lessThan": "cb1401b5bcc2feb5b038fc4b512e5968b016e05e",
"status": "affected",
"version": "a45b599ad808c3c982fdcdc12b0b8611c2f92824",
"versionType": "git"
},
{
"lessThan": "0f18eac44c5668204bf6eebb01ddb369ac56932b",
"status": "affected",
"version": "a45b599ad808c3c982fdcdc12b0b8611c2f92824",
"versionType": "git"
},
{
"lessThan": "5b815ddb3f5560fac35b16de3a2a22d5f81c5993",
"status": "affected",
"version": "a45b599ad808c3c982fdcdc12b0b8611c2f92824",
"versionType": "git"
},
{
"lessThan": "41e99fe2005182139b1058db71f0d241f8f0078c",
"status": "affected",
"version": "a45b599ad808c3c982fdcdc12b0b8611c2f92824",
"versionType": "git"
},
{
"status": "affected",
"version": "582802e7c617cfb07cc15f280c128e6decbc57b8",
"versionType": "git"
},
{
"status": "affected",
"version": "58b7ce6f9ef2367f86384b20458642945993b816",
"versionType": "git"
},
{
"status": "affected",
"version": "93314640426ddb6af618d0802e622f6fa771792c",
"versionType": "git"
},
{
"status": "affected",
"version": "ad2518320bc440ed3db072e2444a1bb226a9cf7a",
"versionType": "git"
},
{
"status": "affected",
"version": "d827bea2d18c07ba514f7d48cde49f90da9a1384",
"versionType": "git"
},
{
"status": "affected",
"version": "39169410574503c6e901de1aa6eac5108475e017",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.16.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: storage: Fix memory leak in USB bulk transport\n\nA kernel memory leak was identified by the \u0027ioctl_sg01\u0027 test from Linux\nTest Project (LTP). The following bytes were mainly observed: 0x53425355.\n\nWhen USB storage devices incorrectly skip the data phase with status data,\nthe code extracts/validates the CSW from the sg buffer, but fails to clear\nit afterwards. This leaves status protocol data in srb\u0027s transfer buffer,\nsuch as the US_BULK_CS_SIGN \u0027USBS\u0027 signature observed here. Thus, this can\nlead to USB protocols leaks to user space through SCSI generic (/dev/sg*)\ninterfaces, such as the one seen here when the LTP test requested 512 KiB.\n\nFix the leak by zeroing the CSW data in srb\u0027s transfer buffer immediately\nafter the validation of devices that skip data phase.\n\nNote: Differently from CVE-2018-1000204, which fixed a big leak by zero-\ning pages at allocation time, this leak occurs after allocation, when USB\nprotocol data is written to already-allocated sg pages."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:09.654Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83f0241959831586d9b6d47f6bd5d3dec8f43bf0"
},
{
"url": "https://git.kernel.org/stable/c/4ba515dfff7eeca369ab85cdbb3f3b231c71720c"
},
{
"url": "https://git.kernel.org/stable/c/467fec3cefbeb9e3ea80f457da9a5666a71ca0d0"
},
{
"url": "https://git.kernel.org/stable/c/cb1401b5bcc2feb5b038fc4b512e5968b016e05e"
},
{
"url": "https://git.kernel.org/stable/c/0f18eac44c5668204bf6eebb01ddb369ac56932b"
},
{
"url": "https://git.kernel.org/stable/c/5b815ddb3f5560fac35b16de3a2a22d5f81c5993"
},
{
"url": "https://git.kernel.org/stable/c/41e99fe2005182139b1058db71f0d241f8f0078c"
}
],
"title": "usb: storage: Fix memory leak in USB bulk transport",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68288",
"datePublished": "2025-12-16T15:06:09.654Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-16T15:06:09.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40118 (GCVE-0-2025-40118)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod
Since commit f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero when
device is gone") UBSAN reports:
UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17
index 28 is out of range for type 'pm8001_phy [16]'
on rmmod when using an expander.
For a direct attached device, attached_phy contains the local phy id.
For a device behind an expander, attached_phy contains the remote phy
id, not the local phy id.
I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a
device behind an expander, attached_phy can be much larger than
pm8001_ha->chip->n_phy (depending on the amount of phys of the
expander).
E.g. on my system pm8001_ha has 8 phys with phy ids 0-7. One of the
ports has an expander connected. The expander has 31 phys with phy ids
0-30.
The pm8001_ha->phy array only contains the phys of the HBA. It does not
contain the phys of the expander. Thus, it is wrong to use attached_phy
to index the pm8001_ha->phy array for a device behind an expander.
Thus, we can only clear phy_attached for devices that are directly
attached.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
05b512879eab41faa515b67fa3896d0005e97909 , < d94be0a6ae9ade706d4270e740bdb4f79953a7fc
(git)
Affected: bc2140c8136200b4437e1abc0fb659968cb9baab , < 45acbf154befedd9bc135f5e031fe7855d1e6493 (git) Affected: 1d8f9378cb4800c18e20d80ecd605b2b93e87a03 , < eef5ef400893f8e3dbb09342583be0cdc716d566 (git) Affected: 30e482dfb8f27d22f518695d4bcb5e7f4c6cb08a , < 9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582 (git) Affected: a862d24e1fc3ab1b5e5f20878d2898cea346d0ec , < e62251954a128a2d0fcbc19e5fa39e08935bb628 (git) Affected: 0f9802f174227f553959422f844eeb9ba72467fe , < 9326a1541e1b7ed3efdbab72061b82cf01c6477a (git) Affected: f7b705c238d1483f0a766e2b20010f176e5c0fb7 , < 83ced3c206c292458e47c7fac54223abc7141585 (git) Affected: f7b705c238d1483f0a766e2b20010f176e5c0fb7 , < 251be2f6037fb7ab399f68cd7428ff274133d693 (git) Affected: 722026c010fa75bcf9e2373aff1d7930a3d7e3cf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_sas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d94be0a6ae9ade706d4270e740bdb4f79953a7fc",
"status": "affected",
"version": "05b512879eab41faa515b67fa3896d0005e97909",
"versionType": "git"
},
{
"lessThan": "45acbf154befedd9bc135f5e031fe7855d1e6493",
"status": "affected",
"version": "bc2140c8136200b4437e1abc0fb659968cb9baab",
"versionType": "git"
},
{
"lessThan": "eef5ef400893f8e3dbb09342583be0cdc716d566",
"status": "affected",
"version": "1d8f9378cb4800c18e20d80ecd605b2b93e87a03",
"versionType": "git"
},
{
"lessThan": "9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582",
"status": "affected",
"version": "30e482dfb8f27d22f518695d4bcb5e7f4c6cb08a",
"versionType": "git"
},
{
"lessThan": "e62251954a128a2d0fcbc19e5fa39e08935bb628",
"status": "affected",
"version": "a862d24e1fc3ab1b5e5f20878d2898cea346d0ec",
"versionType": "git"
},
{
"lessThan": "9326a1541e1b7ed3efdbab72061b82cf01c6477a",
"status": "affected",
"version": "0f9802f174227f553959422f844eeb9ba72467fe",
"versionType": "git"
},
{
"lessThan": "83ced3c206c292458e47c7fac54223abc7141585",
"status": "affected",
"version": "f7b705c238d1483f0a766e2b20010f176e5c0fb7",
"versionType": "git"
},
{
"lessThan": "251be2f6037fb7ab399f68cd7428ff274133d693",
"status": "affected",
"version": "f7b705c238d1483f0a766e2b20010f176e5c0fb7",
"versionType": "git"
},
{
"status": "affected",
"version": "722026c010fa75bcf9e2373aff1d7930a3d7e3cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_sas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.1.136",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.6.89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.12.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod\n\nSince commit f7b705c238d1 (\"scsi: pm80xx: Set phy_attached to zero when\ndevice is gone\") UBSAN reports:\n\n UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17\n index 28 is out of range for type \u0027pm8001_phy [16]\u0027\n\non rmmod when using an expander.\n\nFor a direct attached device, attached_phy contains the local phy id.\nFor a device behind an expander, attached_phy contains the remote phy\nid, not the local phy id.\n\nI.e. while pm8001_ha will have pm8001_ha-\u003echip-\u003en_phy local phys, for a\ndevice behind an expander, attached_phy can be much larger than\npm8001_ha-\u003echip-\u003en_phy (depending on the amount of phys of the\nexpander).\n\nE.g. on my system pm8001_ha has 8 phys with phy ids 0-7. One of the\nports has an expander connected. The expander has 31 phys with phy ids\n0-30.\n\nThe pm8001_ha-\u003ephy array only contains the phys of the HBA. It does not\ncontain the phys of the expander. Thus, it is wrong to use attached_phy\nto index the pm8001_ha-\u003ephy array for a device behind an expander.\n\nThus, we can only clear phy_attached for devices that are directly\nattached."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:22.177Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d94be0a6ae9ade706d4270e740bdb4f79953a7fc"
},
{
"url": "https://git.kernel.org/stable/c/45acbf154befedd9bc135f5e031fe7855d1e6493"
},
{
"url": "https://git.kernel.org/stable/c/eef5ef400893f8e3dbb09342583be0cdc716d566"
},
{
"url": "https://git.kernel.org/stable/c/9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582"
},
{
"url": "https://git.kernel.org/stable/c/e62251954a128a2d0fcbc19e5fa39e08935bb628"
},
{
"url": "https://git.kernel.org/stable/c/9326a1541e1b7ed3efdbab72061b82cf01c6477a"
},
{
"url": "https://git.kernel.org/stable/c/83ced3c206c292458e47c7fac54223abc7141585"
},
{
"url": "https://git.kernel.org/stable/c/251be2f6037fb7ab399f68cd7428ff274133d693"
}
],
"title": "scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40118",
"datePublished": "2025-11-12T10:23:18.179Z",
"dateReserved": "2025-04-16T07:20:57.168Z",
"dateUpdated": "2025-12-01T06:18:22.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68758 (GCVE-0-2025-68758)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
backlight: led-bl: Add devlink to supplier LEDs
Summary
In the Linux kernel, the following vulnerability has been resolved:
backlight: led-bl: Add devlink to supplier LEDs
LED Backlight is a consumer of one or multiple LED class devices, but
devlink is currently unable to create correct supplier-producer links when
the supplier is a class device. It creates instead a link where the
supplier is the parent of the expected device.
One consequence is that removal order is not correctly enforced.
Issues happen for example with the following sections in a device tree
overlay:
// An LED driver chip
pca9632@62 {
compatible = "nxp,pca9632";
reg = <0x62>;
// ...
addon_led_pwm: led-pwm@3 {
reg = <3>;
label = "addon:led:pwm";
};
};
backlight-addon {
compatible = "led-backlight";
leds = <&addon_led_pwm>;
brightness-levels = <255>;
default-brightness-level = <255>;
};
In this example, the devlink should be created between the backlight-addon
(consumer) and the pca9632@62 (supplier). Instead it is created between the
backlight-addon (consumer) and the parent of the pca9632@62, which is
typically the I2C bus adapter.
On removal of the above overlay, the LED driver can be removed before the
backlight device, resulting in:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
...
Call trace:
led_put+0xe0/0x140
devm_led_release+0x6c/0x98
Another way to reproduce the bug without any device tree overlays is
unbinding the LED class device (pca9632@62) before unbinding the consumer
(backlight-addon):
echo 11-0062 >/sys/bus/i2c/drivers/leds-pca963x/unbind
echo ...backlight-dock >/sys/bus/platform/drivers/led-backlight/unbind
Fix by adding a devlink between the consuming led-backlight device and the
supplying LED device, as other drivers and subsystems do as well.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 64739adf3eef063b8e2c72b7e919eac8c6480bf0
(git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < cd01a24b3e52d6777b49c917d841f125fe9eebd0 (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < e06df738a9ad8417f1c4c7cd6992cda320e9e7ca (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 30cbe4b642745a9488a0f0d78be43afe69d7555c (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 0e63ea4378489e09eb5e920c8a50c10caacf563a (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9 (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 08c9dc6b0f2c68e5e7c374ac4499e321e435d46c (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 9341d6698f4cfdfc374fb6944158d111ebe16a9d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/backlight/led_bl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64739adf3eef063b8e2c72b7e919eac8c6480bf0",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "cd01a24b3e52d6777b49c917d841f125fe9eebd0",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "e06df738a9ad8417f1c4c7cd6992cda320e9e7ca",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "30cbe4b642745a9488a0f0d78be43afe69d7555c",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "0e63ea4378489e09eb5e920c8a50c10caacf563a",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "08c9dc6b0f2c68e5e7c374ac4499e321e435d46c",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "9341d6698f4cfdfc374fb6944158d111ebe16a9d",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/backlight/led_bl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: led-bl: Add devlink to supplier LEDs\n\nLED Backlight is a consumer of one or multiple LED class devices, but\ndevlink is currently unable to create correct supplier-producer links when\nthe supplier is a class device. It creates instead a link where the\nsupplier is the parent of the expected device.\n\nOne consequence is that removal order is not correctly enforced.\n\nIssues happen for example with the following sections in a device tree\noverlay:\n\n // An LED driver chip\n pca9632@62 {\n compatible = \"nxp,pca9632\";\n reg = \u003c0x62\u003e;\n\n\t// ...\n\n addon_led_pwm: led-pwm@3 {\n reg = \u003c3\u003e;\n label = \"addon:led:pwm\";\n };\n };\n\n backlight-addon {\n compatible = \"led-backlight\";\n leds = \u003c\u0026addon_led_pwm\u003e;\n brightness-levels = \u003c255\u003e;\n default-brightness-level = \u003c255\u003e;\n };\n\nIn this example, the devlink should be created between the backlight-addon\n(consumer) and the pca9632@62 (supplier). Instead it is created between the\nbacklight-addon (consumer) and the parent of the pca9632@62, which is\ntypically the I2C bus adapter.\n\nOn removal of the above overlay, the LED driver can be removed before the\nbacklight device, resulting in:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n ...\n Call trace:\n led_put+0xe0/0x140\n devm_led_release+0x6c/0x98\n\nAnother way to reproduce the bug without any device tree overlays is\nunbinding the LED class device (pca9632@62) before unbinding the consumer\n(backlight-addon):\n\n echo 11-0062 \u003e/sys/bus/i2c/drivers/leds-pca963x/unbind\n echo ...backlight-dock \u003e/sys/bus/platform/drivers/led-backlight/unbind\n\nFix by adding a devlink between the consuming led-backlight device and the\nsupplying LED device, as other drivers and subsystems do as well."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:02.847Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64739adf3eef063b8e2c72b7e919eac8c6480bf0"
},
{
"url": "https://git.kernel.org/stable/c/cd01a24b3e52d6777b49c917d841f125fe9eebd0"
},
{
"url": "https://git.kernel.org/stable/c/e06df738a9ad8417f1c4c7cd6992cda320e9e7ca"
},
{
"url": "https://git.kernel.org/stable/c/30cbe4b642745a9488a0f0d78be43afe69d7555c"
},
{
"url": "https://git.kernel.org/stable/c/0e63ea4378489e09eb5e920c8a50c10caacf563a"
},
{
"url": "https://git.kernel.org/stable/c/60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9"
},
{
"url": "https://git.kernel.org/stable/c/08c9dc6b0f2c68e5e7c374ac4499e321e435d46c"
},
{
"url": "https://git.kernel.org/stable/c/9341d6698f4cfdfc374fb6944158d111ebe16a9d"
}
],
"title": "backlight: led-bl: Add devlink to supplier LEDs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68758",
"datePublished": "2026-01-05T09:32:31.399Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-02-09T08:33:02.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71087 (GCVE-0-2025-71087)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
iavf: fix off-by-one issues in iavf_config_rss_reg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
iavf: fix off-by-one issues in iavf_config_rss_reg()
There are off-by-one bugs when configuring RSS hash key and lookup
table, causing out-of-bounds reads to memory [1] and out-of-bounds
writes to device registers.
Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"),
the loop upper bounds were:
i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX
which is safe since the value is the last valid index.
That commit changed the bounds to:
i <= adapter->rss_{key,lut}_size / 4
where `rss_{key,lut}_size / 4` is the number of dwords, so the last
valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`
accesses one element past the end.
Fix the issues by using `<` instead of `<=`, ensuring we do not exceed
the bounds.
[1] KASAN splat about rss_key_size off-by-one
BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800
Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63
CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: iavf iavf_watchdog_task
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xb0
print_report+0x170/0x4f3
kasan_report+0xe1/0x1a0
iavf_config_rss+0x619/0x800
iavf_watchdog_task+0x2be7/0x3230
process_one_work+0x7fd/0x1420
worker_thread+0x4d1/0xd40
kthread+0x344/0x660
ret_from_fork+0x249/0x320
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 63:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
__kmalloc_noprof+0x246/0x6f0
iavf_watchdog_task+0x28fc/0x3230
process_one_work+0x7fd/0x1420
worker_thread+0x4d1/0xd40
kthread+0x344/0x660
ret_from_fork+0x249/0x320
ret_from_fork_asm+0x1a/0x30
The buggy address belongs to the object at ffff888102c50100
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of
allocated 52-byte region [ffff888102c50100, ffff888102c50134)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50
flags: 0x200000000000000(node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
^
ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
43a3d9ba34c9ca313573201d3f45de5ab3494cec , < ceb8459df28d22c225a82d74c0f725f2a935d194
(git)
Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < 5bb18bfd505ca1affbca921462c350095a6c798c (git) Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < d7369dc8dd7cbf5cee3a22610028d847b6f02982 (git) Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < 18de0e41d69d97fab10b91fecf10ae78a5e43232 (git) Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < f36de3045d006e6d9be1be495f2ed88d1721e752 (git) Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < 3095228e1320371e143835d0cebeef1a8a754c66 (git) Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < 6daa2893f323981c7894c68440823326e93a7d61 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ceb8459df28d22c225a82d74c0f725f2a935d194",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "5bb18bfd505ca1affbca921462c350095a6c798c",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "d7369dc8dd7cbf5cee3a22610028d847b6f02982",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "18de0e41d69d97fab10b91fecf10ae78a5e43232",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "f36de3045d006e6d9be1be495f2ed88d1721e752",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "3095228e1320371e143835d0cebeef1a8a754c66",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "6daa2893f323981c7894c68440823326e93a7d61",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: fix off-by-one issues in iavf_config_rss_reg()\n\nThere are off-by-one bugs when configuring RSS hash key and lookup\ntable, causing out-of-bounds reads to memory [1] and out-of-bounds\nwrites to device registers.\n\nBefore commit 43a3d9ba34c9 (\"i40evf: Allow PF driver to configure RSS\"),\nthe loop upper bounds were:\n i \u003c= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX\nwhich is safe since the value is the last valid index.\n\nThat commit changed the bounds to:\n i \u003c= adapter-\u003erss_{key,lut}_size / 4\nwhere `rss_{key,lut}_size / 4` is the number of dwords, so the last\nvalid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `\u003c=`\naccesses one element past the end.\n\nFix the issues by using `\u003c` instead of `\u003c=`, ensuring we do not exceed\nthe bounds.\n\n[1] KASAN splat about rss_key_size off-by-one\n BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800\n Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63\n\n CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n Workqueue: iavf iavf_watchdog_task\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6f/0xb0\n print_report+0x170/0x4f3\n kasan_report+0xe1/0x1a0\n iavf_config_rss+0x619/0x800\n iavf_watchdog_task+0x2be7/0x3230\n process_one_work+0x7fd/0x1420\n worker_thread+0x4d1/0xd40\n kthread+0x344/0x660\n ret_from_fork+0x249/0x320\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\n Allocated by task 63:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n __kmalloc_noprof+0x246/0x6f0\n iavf_watchdog_task+0x28fc/0x3230\n process_one_work+0x7fd/0x1420\n worker_thread+0x4d1/0xd40\n kthread+0x344/0x660\n ret_from_fork+0x249/0x320\n ret_from_fork_asm+0x1a/0x30\n\n The buggy address belongs to the object at ffff888102c50100\n which belongs to the cache kmalloc-64 of size 64\n The buggy address is located 0 bytes to the right of\n allocated 52-byte region [ffff888102c50100, ffff888102c50134)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50\n flags: 0x200000000000000(node=0|zone=2)\n page_type: f5(slab)\n raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000\n raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc\n ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc\n \u003effff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc\n ^\n ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc\n ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:38.872Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ceb8459df28d22c225a82d74c0f725f2a935d194"
},
{
"url": "https://git.kernel.org/stable/c/5bb18bfd505ca1affbca921462c350095a6c798c"
},
{
"url": "https://git.kernel.org/stable/c/d7369dc8dd7cbf5cee3a22610028d847b6f02982"
},
{
"url": "https://git.kernel.org/stable/c/18de0e41d69d97fab10b91fecf10ae78a5e43232"
},
{
"url": "https://git.kernel.org/stable/c/f36de3045d006e6d9be1be495f2ed88d1721e752"
},
{
"url": "https://git.kernel.org/stable/c/3095228e1320371e143835d0cebeef1a8a754c66"
},
{
"url": "https://git.kernel.org/stable/c/6daa2893f323981c7894c68440823326e93a7d61"
}
],
"title": "iavf: fix off-by-one issues in iavf_config_rss_reg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71087",
"datePublished": "2026-01-13T15:34:49.691Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-02-09T08:34:38.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68724 (GCVE-0-2025-68724)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
Use check_add_overflow() to guard against potential integer overflows
when adding the binary blob lengths and the size of an asymmetric_key_id
structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a
possible buffer overflow when copying data from potentially malicious
X.509 certificate fields that can be arbitrarily large, such as ASN.1
INTEGER serial numbers, issuer names, etc.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 60a7be5ee74408147e439164ac067e418ca74bb4
(git)
Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < c13c6e9de91d7f1dd7df756b1fa5a1f968839d76 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < dfc1613961828745165aec6552c3818fa14ab725 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < c73be4f51eed98fa0c7c189db8f279e1c86bfbf7 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 6af753ac5205115e6c310c8c4236c01b59a1c44f (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < b7090a5c153105b9fd221a5a81459ee8cd5babd6 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < df0845cf447ae1556c3440b8b155de0926cbaa56 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/asymmetric_keys/asymmetric_type.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60a7be5ee74408147e439164ac067e418ca74bb4",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "c13c6e9de91d7f1dd7df756b1fa5a1f968839d76",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "dfc1613961828745165aec6552c3818fa14ab725",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "c73be4f51eed98fa0c7c189db8f279e1c86bfbf7",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "6af753ac5205115e6c310c8c4236c01b59a1c44f",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "b7090a5c153105b9fd221a5a81459ee8cd5babd6",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "df0845cf447ae1556c3440b8b155de0926cbaa56",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/asymmetric_keys/asymmetric_type.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id\n\nUse check_add_overflow() to guard against potential integer overflows\nwhen adding the binary blob lengths and the size of an asymmetric_key_id\nstructure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a\npossible buffer overflow when copying data from potentially malicious\nX.509 certificate fields that can be arbitrarily large, such as ASN.1\nINTEGER serial numbers, issuer names, etc."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:19.959Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60a7be5ee74408147e439164ac067e418ca74bb4"
},
{
"url": "https://git.kernel.org/stable/c/c13c6e9de91d7f1dd7df756b1fa5a1f968839d76"
},
{
"url": "https://git.kernel.org/stable/c/dfc1613961828745165aec6552c3818fa14ab725"
},
{
"url": "https://git.kernel.org/stable/c/5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c"
},
{
"url": "https://git.kernel.org/stable/c/c73be4f51eed98fa0c7c189db8f279e1c86bfbf7"
},
{
"url": "https://git.kernel.org/stable/c/6af753ac5205115e6c310c8c4236c01b59a1c44f"
},
{
"url": "https://git.kernel.org/stable/c/b7090a5c153105b9fd221a5a81459ee8cd5babd6"
},
{
"url": "https://git.kernel.org/stable/c/df0845cf447ae1556c3440b8b155de0926cbaa56"
}
],
"title": "crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68724",
"datePublished": "2025-12-24T10:33:08.932Z",
"dateReserved": "2025-12-24T10:30:51.027Z",
"dateUpdated": "2026-02-09T08:32:19.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68776 (GCVE-0-2025-68776)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std
but doesn't check if the allocation failed. If __pskb_copy() returns
NULL, skb_clone() is called with a NULL pointer, causing a crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041
Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c
RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207
RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480
RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000
RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee
R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000
R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00
FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0
Call Trace:
<TASK>
hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]
hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741
hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84
__netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966
__netif_receive_skb_one_core net/core/dev.c:6077 [inline]
__netif_receive_skb+0x72/0x380 net/core/dev.c:6192
netif_receive_skb_internal net/core/dev.c:6278 [inline]
netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337
tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485
tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953
tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0449f8e1ff
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff
RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8
RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001
R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003
</TASK>
Add a NULL check immediately after __pskb_copy() to handle allocation
failures gracefully.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f266a683a4804dc499efc6c2206ef68efed029d0 , < 3ce95a57d8a1f0e20b637cdeddaaed81831ca819
(git)
Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < c851e43b88b40bb7c20176c51cbf4f8c8d960dd9 (git) Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < 7be6d25f4d974e44918ba3a5d58ebb9d36879087 (git) Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < 8f289fa12926aae44347ca7d490e216555d8f255 (git) Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < 1742974c24a9c1f1fd2e5edca0cbaccb720b397a (git) Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < 6220d38a08f8837575cd8f830928b49a3a5a5095 (git) Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < 188e0fa5a679570ea35474575e724d8211423d17 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/hsr/hsr_forward.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ce95a57d8a1f0e20b637cdeddaaed81831ca819",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "c851e43b88b40bb7c20176c51cbf4f8c8d960dd9",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "7be6d25f4d974e44918ba3a5d58ebb9d36879087",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "8f289fa12926aae44347ca7d490e216555d8f255",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "1742974c24a9c1f1fd2e5edca0cbaccb720b397a",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "6220d38a08f8837575cd8f830928b49a3a5a5095",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "188e0fa5a679570ea35474575e724d8211423d17",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/hsr/hsr_forward.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/hsr: fix NULL pointer dereference in prp_get_untagged_frame()\n\nprp_get_untagged_frame() calls __pskb_copy() to create frame-\u003eskb_std\nbut doesn\u0027t check if the allocation failed. If __pskb_copy() returns\nNULL, skb_clone() is called with a NULL pointer, causing a crash:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]\nCPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041\nCode: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 \u003c43\u003e 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c\nRSP: 0018:ffffc9000d00f200 EFLAGS: 00010207\nRAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480\nRDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000\nRBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee\nR10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000\nR13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00\nFS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]\n hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741\n hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84\n __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966\n __netif_receive_skb_one_core net/core/dev.c:6077 [inline]\n __netif_receive_skb+0x72/0x380 net/core/dev.c:6192\n netif_receive_skb_internal net/core/dev.c:6278 [inline]\n netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337\n tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485\n tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953\n tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x5c9/0xb30 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f0449f8e1ff\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48\nRSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff\nRDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8\nRBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000\nR10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001\nR13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003\n \u003c/TASK\u003e\n\nAdd a NULL check immediately after __pskb_copy() to handle allocation\nfailures gracefully."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:21.994Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ce95a57d8a1f0e20b637cdeddaaed81831ca819"
},
{
"url": "https://git.kernel.org/stable/c/c851e43b88b40bb7c20176c51cbf4f8c8d960dd9"
},
{
"url": "https://git.kernel.org/stable/c/7be6d25f4d974e44918ba3a5d58ebb9d36879087"
},
{
"url": "https://git.kernel.org/stable/c/8f289fa12926aae44347ca7d490e216555d8f255"
},
{
"url": "https://git.kernel.org/stable/c/1742974c24a9c1f1fd2e5edca0cbaccb720b397a"
},
{
"url": "https://git.kernel.org/stable/c/6220d38a08f8837575cd8f830928b49a3a5a5095"
},
{
"url": "https://git.kernel.org/stable/c/188e0fa5a679570ea35474575e724d8211423d17"
}
],
"title": "net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68776",
"datePublished": "2026-01-13T15:28:52.766Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-02-09T08:33:21.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71102 (GCVE-0-2025-71102)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
scs: fix a wrong parameter in __scs_magic
Summary
In the Linux kernel, the following vulnerability has been resolved:
scs: fix a wrong parameter in __scs_magic
__scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is
given. 'task_scs(tsk)' is the starting address of the task's shadow call
stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's
shadow call stack. Here should be '__scs_magic(task_scs(tsk))'.
The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE
is enabled, the shadow call stack usage checking function
(scs_check_usage) would scan an incorrect memory range. This could lead
1. **Inaccurate stack usage reporting**: The function would calculate
wrong usage statistics for the shadow call stack, potentially showing
incorrect value in kmsg.
2. **Potential kernel crash**: If the value of __scs_magic(tsk)is
greater than that of __scs_magic(task_scs(tsk)), the for loop may
access unmapped memory, potentially causing a kernel panic. However,
this scenario is unlikely because task_struct is allocated via the slab
allocator (which typically returns lower addresses), while the shadow
call stack returned by task_scs(tsk) is allocated via vmalloc(which
typically returns higher addresses).
However, since this is purely a debugging feature
(CONFIG_DEBUG_STACK_USAGE), normal production systems should be not
unaffected. The bug only impacts developers and testers who are actively
debugging stack usage with this configuration enabled.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 , < 1727e8bd69103a68963a5613a0ddb6d8d37df5d3
(git)
Affected: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 , < cfdf6250b63b953b1d8e60814c8ca96c6f9d1c8c (git) Affected: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 , < 57ba40b001be27786d0570dd292289df748b306b (git) Affected: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 , < 062774439d442882b44f5eab8c256ad3423ef284 (git) Affected: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 , < 9ef28943471a16e4f9646bc3e8e2de148e7d8d7b (git) Affected: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 , < a19fb3611e4c06624fc0f83ef19f4fb8d57d4751 (git) Affected: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 , < 08bd4c46d5e63b78e77f2605283874bbe868ab19 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/scs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1727e8bd69103a68963a5613a0ddb6d8d37df5d3",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "cfdf6250b63b953b1d8e60814c8ca96c6f9d1c8c",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "57ba40b001be27786d0570dd292289df748b306b",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "062774439d442882b44f5eab8c256ad3423ef284",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "9ef28943471a16e4f9646bc3e8e2de148e7d8d7b",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "a19fb3611e4c06624fc0f83ef19f4fb8d57d4751",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "08bd4c46d5e63b78e77f2605283874bbe868ab19",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/scs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscs: fix a wrong parameter in __scs_magic\n\n__scs_magic() needs a \u0027void *\u0027 variable, but a \u0027struct task_struct *\u0027 is\ngiven. \u0027task_scs(tsk)\u0027 is the starting address of the task\u0027s shadow call\nstack, and \u0027__scs_magic(task_scs(tsk))\u0027 is the end address of the task\u0027s\nshadow call stack. Here should be \u0027__scs_magic(task_scs(tsk))\u0027.\n\nThe user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE\nis enabled, the shadow call stack usage checking function\n(scs_check_usage) would scan an incorrect memory range. This could lead\n\n1. **Inaccurate stack usage reporting**: The function would calculate\n wrong usage statistics for the shadow call stack, potentially showing\n incorrect value in kmsg.\n\n2. **Potential kernel crash**: If the value of __scs_magic(tsk)is\n greater than that of __scs_magic(task_scs(tsk)), the for loop may\n access unmapped memory, potentially causing a kernel panic. However,\n this scenario is unlikely because task_struct is allocated via the slab\n allocator (which typically returns lower addresses), while the shadow\n call stack returned by task_scs(tsk) is allocated via vmalloc(which\n typically returns higher addresses).\n\nHowever, since this is purely a debugging feature\n(CONFIG_DEBUG_STACK_USAGE), normal production systems should be not\nunaffected. The bug only impacts developers and testers who are actively\ndebugging stack usage with this configuration enabled."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:55.111Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1727e8bd69103a68963a5613a0ddb6d8d37df5d3"
},
{
"url": "https://git.kernel.org/stable/c/cfdf6250b63b953b1d8e60814c8ca96c6f9d1c8c"
},
{
"url": "https://git.kernel.org/stable/c/57ba40b001be27786d0570dd292289df748b306b"
},
{
"url": "https://git.kernel.org/stable/c/062774439d442882b44f5eab8c256ad3423ef284"
},
{
"url": "https://git.kernel.org/stable/c/9ef28943471a16e4f9646bc3e8e2de148e7d8d7b"
},
{
"url": "https://git.kernel.org/stable/c/a19fb3611e4c06624fc0f83ef19f4fb8d57d4751"
},
{
"url": "https://git.kernel.org/stable/c/08bd4c46d5e63b78e77f2605283874bbe868ab19"
}
],
"title": "scs: fix a wrong parameter in __scs_magic",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71102",
"datePublished": "2026-01-14T15:05:52.389Z",
"dateReserved": "2026-01-13T15:30:19.651Z",
"dateUpdated": "2026-02-09T08:34:55.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23207 (GCVE-0-2026-23207)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
spi: tegra210-quad: Protect curr_xfer check in IRQ handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: tegra210-quad: Protect curr_xfer check in IRQ handler
Now that all other accesses to curr_xfer are done under the lock,
protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the
spinlock. Without this protection, the following race can occur:
CPU0 (ISR thread) CPU1 (timeout path)
---------------- -------------------
if (!tqspi->curr_xfer)
// sees non-NULL
spin_lock()
tqspi->curr_xfer = NULL
spin_unlock()
handle_*_xfer()
spin_lock()
t = tqspi->curr_xfer // NULL!
... t->len ... // NULL dereference!
With this patch, all curr_xfer accesses are now properly synchronized.
Although all accesses to curr_xfer are done under the lock, in
tegra_qspi_isr_thread() it checks for NULL, releases the lock and
reacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer().
There is a potential for an update in between, which could cause a NULL
pointer dereference.
To handle this, add a NULL check inside the handlers after acquiring
the lock. This ensures that if the timeout path has already cleared
curr_xfer, the handler will safely return without dereferencing the
NULL pointer.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
01bbf25c767219b14c3235bfa85906b8d2cb8fbc , < 2ac3a105e51496147c0e44e49466eecfcc532d57
(git)
Affected: b4e002d8a7cee3b1d70efad0e222567f92a73000 , < edf9088b6e1d6d88982db7eb5e736a0e4fbcc09e (git) Affected: 88db8bb7ed1bb474618acdf05ebd4f0758d244e2 (git) Affected: 83309dd551cfd60a5a1a98d9cab19f435b44d46d (git) Affected: c934e40246da2c5726d14e94719c514e30840df8 (git) Affected: 551060efb156c50fe33799038ba8145418cfdeef (git) Affected: bb0c58be84f907285af45657c1d4847b960a12bf (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2ac3a105e51496147c0e44e49466eecfcc532d57",
"status": "affected",
"version": "01bbf25c767219b14c3235bfa85906b8d2cb8fbc",
"versionType": "git"
},
{
"lessThan": "edf9088b6e1d6d88982db7eb5e736a0e4fbcc09e",
"status": "affected",
"version": "b4e002d8a7cee3b1d70efad0e222567f92a73000",
"versionType": "git"
},
{
"status": "affected",
"version": "88db8bb7ed1bb474618acdf05ebd4f0758d244e2",
"versionType": "git"
},
{
"status": "affected",
"version": "83309dd551cfd60a5a1a98d9cab19f435b44d46d",
"versionType": "git"
},
{
"status": "affected",
"version": "c934e40246da2c5726d14e94719c514e30840df8",
"versionType": "git"
},
{
"status": "affected",
"version": "551060efb156c50fe33799038ba8145418cfdeef",
"versionType": "git"
},
{
"status": "affected",
"version": "bb0c58be84f907285af45657c1d4847b960a12bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.18.10",
"status": "affected",
"version": "6.18.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.18.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.12.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Protect curr_xfer check in IRQ handler\n\nNow that all other accesses to curr_xfer are done under the lock,\nprotect the curr_xfer NULL check in tegra_qspi_isr_thread() with the\nspinlock. Without this protection, the following race can occur:\n\n CPU0 (ISR thread) CPU1 (timeout path)\n ---------------- -------------------\n if (!tqspi-\u003ecurr_xfer)\n // sees non-NULL\n spin_lock()\n tqspi-\u003ecurr_xfer = NULL\n spin_unlock()\n handle_*_xfer()\n spin_lock()\n t = tqspi-\u003ecurr_xfer // NULL!\n ... t-\u003elen ... // NULL dereference!\n\nWith this patch, all curr_xfer accesses are now properly synchronized.\n\nAlthough all accesses to curr_xfer are done under the lock, in\ntegra_qspi_isr_thread() it checks for NULL, releases the lock and\nreacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer().\nThere is a potential for an update in between, which could cause a NULL\npointer dereference.\n\nTo handle this, add a NULL check inside the handlers after acquiring\nthe lock. This ensures that if the timeout path has already cleared\ncurr_xfer, the handler will safely return without dereferencing the\nNULL pointer."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:29.762Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2ac3a105e51496147c0e44e49466eecfcc532d57"
},
{
"url": "https://git.kernel.org/stable/c/edf9088b6e1d6d88982db7eb5e736a0e4fbcc09e"
}
],
"title": "spi: tegra210-quad: Protect curr_xfer check in IRQ handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23207",
"datePublished": "2026-02-14T16:27:29.762Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-02-14T16:27:29.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40159 (GCVE-0-2025-40159)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:24 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
xsk: Harden userspace-supplied xdp_desc validation
Summary
In the Linux kernel, the following vulnerability has been resolved:
xsk: Harden userspace-supplied xdp_desc validation
Turned out certain clearly invalid values passed in xdp_desc from
userspace can pass xp_{,un}aligned_validate_desc() and then lead
to UBs or just invalid frames to be queued for xmit.
desc->len close to ``U32_MAX`` with a non-zero pool->tx_metadata_len
can cause positive integer overflow and wraparound, the same way low
enough desc->addr with a non-zero pool->tx_metadata_len can cause
negative integer overflow. Both scenarios can then pass the
validation successfully.
This doesn't happen with valid XSk applications, but can be used
to perform attacks.
Always promote desc->len to ``u64`` first to exclude positive
overflows of it. Use explicit check_{add,sub}_overflow() when
validating desc->addr (which is ``u64`` already).
bloat-o-meter reports a little growth of the code size:
add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)
Function old new delta
xskq_cons_peek_desc 299 330 +31
xsk_tx_peek_release_desc_batch 973 1002 +29
xsk_generic_xmit 3148 3132 -16
but hopefully this doesn't hurt the performance much.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
341ac980eab90ac1f6c22ee9f9da83ed9604d899 , < 1463cd066f32efd56ddfd3ac4e3524200f362980
(git)
Affected: 341ac980eab90ac1f6c22ee9f9da83ed9604d899 , < 5b5fffa7c81e55d8c8edf05ad40d811ec7047e21 (git) Affected: 341ac980eab90ac1f6c22ee9f9da83ed9604d899 , < 07ca98f906a403637fc5e513a872a50ef1247f3b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xdp/xsk_queue.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1463cd066f32efd56ddfd3ac4e3524200f362980",
"status": "affected",
"version": "341ac980eab90ac1f6c22ee9f9da83ed9604d899",
"versionType": "git"
},
{
"lessThan": "5b5fffa7c81e55d8c8edf05ad40d811ec7047e21",
"status": "affected",
"version": "341ac980eab90ac1f6c22ee9f9da83ed9604d899",
"versionType": "git"
},
{
"lessThan": "07ca98f906a403637fc5e513a872a50ef1247f3b",
"status": "affected",
"version": "341ac980eab90ac1f6c22ee9f9da83ed9604d899",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xdp/xsk_queue.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Harden userspace-supplied xdp_desc validation\n\nTurned out certain clearly invalid values passed in xdp_desc from\nuserspace can pass xp_{,un}aligned_validate_desc() and then lead\nto UBs or just invalid frames to be queued for xmit.\n\ndesc-\u003elen close to ``U32_MAX`` with a non-zero pool-\u003etx_metadata_len\ncan cause positive integer overflow and wraparound, the same way low\nenough desc-\u003eaddr with a non-zero pool-\u003etx_metadata_len can cause\nnegative integer overflow. Both scenarios can then pass the\nvalidation successfully.\nThis doesn\u0027t happen with valid XSk applications, but can be used\nto perform attacks.\n\nAlways promote desc-\u003elen to ``u64`` first to exclude positive\noverflows of it. Use explicit check_{add,sub}_overflow() when\nvalidating desc-\u003eaddr (which is ``u64`` already).\n\nbloat-o-meter reports a little growth of the code size:\n\nadd/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)\nFunction old new delta\nxskq_cons_peek_desc 299 330 +31\nxsk_tx_peek_release_desc_batch 973 1002 +29\nxsk_generic_xmit 3148 3132 -16\n\nbut hopefully this doesn\u0027t hurt the performance much."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:10.673Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1463cd066f32efd56ddfd3ac4e3524200f362980"
},
{
"url": "https://git.kernel.org/stable/c/5b5fffa7c81e55d8c8edf05ad40d811ec7047e21"
},
{
"url": "https://git.kernel.org/stable/c/07ca98f906a403637fc5e513a872a50ef1247f3b"
}
],
"title": "xsk: Harden userspace-supplied xdp_desc validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40159",
"datePublished": "2025-11-12T10:24:36.104Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:10.673Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40249 (GCVE-0-2025-40249)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-04 16:08
VLAI?
EPSS
Title
gpio: cdev: make sure the cdev fd is still active before emitting events
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpio: cdev: make sure the cdev fd is still active before emitting events
With the final call to fput() on a file descriptor, the release action
may be deferred and scheduled on a work queue. The reference count of
that descriptor is still zero and it must not be used. It's possible
that a GPIO change, we want to notify the user-space about, happens
AFTER the reference count on the file descriptor associated with the
character device went down to zero but BEFORE the .release() callback
was called from the workqueue and so BEFORE we unregistered from the
notifier.
Using the regular get_file() routine in this situation triggers the
following warning:
struct file::f_count incremented from zero; use-after-free condition present!
So use the get_file_active() variant that will return NULL on file
descriptors that have been or are being released.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpiolib-cdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dccc6daa8afa0f64c432e4c867f275747e3415e1",
"status": "affected",
"version": "40b7c49950bd56c984b1f6722f865b922879260e",
"versionType": "git"
},
{
"lessThan": "d4cd0902c156b2ca60fdda8cd8b5bcb4b0e9ed64",
"status": "affected",
"version": "40b7c49950bd56c984b1f6722f865b922879260e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpiolib-cdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: cdev: make sure the cdev fd is still active before emitting events\n\nWith the final call to fput() on a file descriptor, the release action\nmay be deferred and scheduled on a work queue. The reference count of\nthat descriptor is still zero and it must not be used. It\u0027s possible\nthat a GPIO change, we want to notify the user-space about, happens\nAFTER the reference count on the file descriptor associated with the\ncharacter device went down to zero but BEFORE the .release() callback\nwas called from the workqueue and so BEFORE we unregistered from the\nnotifier.\n\nUsing the regular get_file() routine in this situation triggers the\nfollowing warning:\n\n struct file::f_count incremented from zero; use-after-free condition present!\n\nSo use the get_file_active() variant that will return NULL on file\ndescriptors that have been or are being released."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T16:08:12.206Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dccc6daa8afa0f64c432e4c867f275747e3415e1"
},
{
"url": "https://git.kernel.org/stable/c/d4cd0902c156b2ca60fdda8cd8b5bcb4b0e9ed64"
}
],
"title": "gpio: cdev: make sure the cdev fd is still active before emitting events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40249",
"datePublished": "2025-12-04T16:08:12.206Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-04T16:08:12.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40282 (GCVE-0-2025-40282)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51
VLAI?
EPSS
Title
Bluetooth: 6lowpan: reset link-local header on ipv6 recv path
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: 6lowpan: reset link-local header on ipv6 recv path
Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local
header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW
Add missing skb_reset_mac_header() for uncompressed ipv6 RX path.
For the compressed one, it is done in lowpan_header_decompress().
Log: (BlueZ 6lowpan-tester Client Recv Raw - Success)
------
kernel BUG at net/core/skbuff.c:212!
Call Trace:
<IRQ>
...
packet_rcv (net/packet/af_packet.c:2152)
...
<TASK>
__local_bh_enable_ip (kernel/softirq.c:407)
netif_rx (net/core/dev.c:5648)
chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359)
------
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
18722c247023035b9e2e2a08a887adec2a9a6e49 , < ea46a1d217bc82e01cf3d0424e50ebfe251e34bf
(git)
Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < 973e0271754c77db3e1b6b69adf2de85a79a4c8b (git) Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < d566e9a2bfc848941b091ffd5f4e12c4e889d818 (git) Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < 4ebb90c3c309e6375dc3e841af92e2a039843e62 (git) Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < c24ac6cfe4f9a47180a65592c47e7a310d2f9d93 (git) Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < 11cd7e068381666f842ad41d1cc58eecd0c75237 (git) Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < 70d84e7c3a44b81020a3c3d650a64c63593405bd (git) Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < 3b78f50918276ab28fb22eac9aa49401ac436a3b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/6lowpan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea46a1d217bc82e01cf3d0424e50ebfe251e34bf",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "973e0271754c77db3e1b6b69adf2de85a79a4c8b",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "d566e9a2bfc848941b091ffd5f4e12c4e889d818",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "4ebb90c3c309e6375dc3e841af92e2a039843e62",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "c24ac6cfe4f9a47180a65592c47e7a310d2f9d93",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "11cd7e068381666f842ad41d1cc58eecd0c75237",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "70d84e7c3a44b81020a3c3d650a64c63593405bd",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "3b78f50918276ab28fb22eac9aa49401ac436a3b",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/6lowpan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: 6lowpan: reset link-local header on ipv6 recv path\n\nBluetooth 6lowpan.c netdev has header_ops, so it must set link-local\nheader for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW\n\nAdd missing skb_reset_mac_header() for uncompressed ipv6 RX path.\n\nFor the compressed one, it is done in lowpan_header_decompress().\n\nLog: (BlueZ 6lowpan-tester Client Recv Raw - Success)\n------\nkernel BUG at net/core/skbuff.c:212!\nCall Trace:\n\u003cIRQ\u003e\n...\npacket_rcv (net/packet/af_packet.c:2152)\n...\n\u003cTASK\u003e\n__local_bh_enable_ip (kernel/softirq.c:407)\nnetif_rx (net/core/dev.c:5648)\nchan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359)\n------"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:06.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea46a1d217bc82e01cf3d0424e50ebfe251e34bf"
},
{
"url": "https://git.kernel.org/stable/c/973e0271754c77db3e1b6b69adf2de85a79a4c8b"
},
{
"url": "https://git.kernel.org/stable/c/d566e9a2bfc848941b091ffd5f4e12c4e889d818"
},
{
"url": "https://git.kernel.org/stable/c/4ebb90c3c309e6375dc3e841af92e2a039843e62"
},
{
"url": "https://git.kernel.org/stable/c/c24ac6cfe4f9a47180a65592c47e7a310d2f9d93"
},
{
"url": "https://git.kernel.org/stable/c/11cd7e068381666f842ad41d1cc58eecd0c75237"
},
{
"url": "https://git.kernel.org/stable/c/70d84e7c3a44b81020a3c3d650a64c63593405bd"
},
{
"url": "https://git.kernel.org/stable/c/3b78f50918276ab28fb22eac9aa49401ac436a3b"
}
],
"title": "Bluetooth: 6lowpan: reset link-local header on ipv6 recv path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40282",
"datePublished": "2025-12-06T21:51:06.287Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:06.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68774 (GCVE-0-2025-68774)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create
When sync() and link() are called concurrently, both threads may
enter hfs_bnode_find() without finding the node in the hash table
and proceed to create it.
Thread A:
hfsplus_write_inode()
-> hfsplus_write_system_inode()
-> hfs_btree_write()
-> hfs_bnode_find(tree, 0)
-> __hfs_bnode_create(tree, 0)
Thread B:
hfsplus_create_cat()
-> hfs_brec_insert()
-> hfs_bnode_split()
-> hfs_bmap_alloc()
-> hfs_bnode_find(tree, 0)
-> __hfs_bnode_create(tree, 0)
In this case, thread A creates the bnode, sets refcnt=1, and hashes it.
Thread B also tries to create the same bnode, notices it has already
been inserted, drops its own instance, and uses the hashed one without
getting the node.
```
node2 = hfs_bnode_findhash(tree, cnid);
if (!node2) { <- Thread A
hash = hfs_bnode_hash(cnid);
node->next_hash = tree->node_hash[hash];
tree->node_hash[hash] = node;
tree->node_hash_cnt++;
} else { <- Thread B
spin_unlock(&tree->hash_lock);
kfree(node);
wait_event(node2->lock_wq,
!test_bit(HFS_BNODE_NEW, &node2->flags));
return node2;
}
```
However, hfs_bnode_find() requires each call to take a reference.
Here both threads end up setting refcnt=1. When they later put the node,
this triggers:
BUG_ON(!atomic_read(&node->refcnt))
In this scenario, Thread B in fact finds the node in the hash table
rather than creating a new one, and thus must take a reference.
Fix this by calling hfs_bnode_get() when reusing a bnode newly created by
another thread to ensure the refcount is updated correctly.
A similar bug was fixed in HFS long ago in commit
a9dc087fd3c4 ("fix missing hfs_bnode_get() in __hfs_bnode_create")
but the same issue remained in HFS+ until now.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3b0fc7af50b896d0f3d104e70787ba1973bc0b56
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 39e149d58ef4d7883cbf87448d39d51292fd342d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b68dc4134b18a3922cd33439ec614aad4172bc86 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b9d1c6bb5f19460074ce9862cb80be86b5fb0a50 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 457f795e7abd7770de10216d7f9994a3f12a56d6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5882e7c8cdbb5e254a69628b780acff89c78071e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 152af114287851583cf7e0abc10129941f19466a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b0fc7af50b896d0f3d104e70787ba1973bc0b56",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "39e149d58ef4d7883cbf87448d39d51292fd342d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b68dc4134b18a3922cd33439ec614aad4172bc86",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b9d1c6bb5f19460074ce9862cb80be86b5fb0a50",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "457f795e7abd7770de10216d7f9994a3f12a56d6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5882e7c8cdbb5e254a69628b780acff89c78071e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "152af114287851583cf7e0abc10129941f19466a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create\n\nWhen sync() and link() are called concurrently, both threads may\nenter hfs_bnode_find() without finding the node in the hash table\nand proceed to create it.\n\nThread A:\n hfsplus_write_inode()\n -\u003e hfsplus_write_system_inode()\n -\u003e hfs_btree_write()\n -\u003e hfs_bnode_find(tree, 0)\n -\u003e __hfs_bnode_create(tree, 0)\n\nThread B:\n hfsplus_create_cat()\n -\u003e hfs_brec_insert()\n -\u003e hfs_bnode_split()\n -\u003e hfs_bmap_alloc()\n -\u003e hfs_bnode_find(tree, 0)\n -\u003e __hfs_bnode_create(tree, 0)\n\nIn this case, thread A creates the bnode, sets refcnt=1, and hashes it.\nThread B also tries to create the same bnode, notices it has already\nbeen inserted, drops its own instance, and uses the hashed one without\ngetting the node.\n\n```\n\n\tnode2 = hfs_bnode_findhash(tree, cnid);\n\tif (!node2) { \u003c- Thread A\n\t\thash = hfs_bnode_hash(cnid);\n\t\tnode-\u003enext_hash = tree-\u003enode_hash[hash];\n\t\ttree-\u003enode_hash[hash] = node;\n\t\ttree-\u003enode_hash_cnt++;\n\t} else { \u003c- Thread B\n\t\tspin_unlock(\u0026tree-\u003ehash_lock);\n\t\tkfree(node);\n\t\twait_event(node2-\u003elock_wq,\n\t\t\t!test_bit(HFS_BNODE_NEW, \u0026node2-\u003eflags));\n\t\treturn node2;\n\t}\n```\n\nHowever, hfs_bnode_find() requires each call to take a reference.\nHere both threads end up setting refcnt=1. When they later put the node,\nthis triggers:\n\nBUG_ON(!atomic_read(\u0026node-\u003erefcnt))\n\nIn this scenario, Thread B in fact finds the node in the hash table\nrather than creating a new one, and thus must take a reference.\n\nFix this by calling hfs_bnode_get() when reusing a bnode newly created by\nanother thread to ensure the refcount is updated correctly.\n\nA similar bug was fixed in HFS long ago in commit\na9dc087fd3c4 (\"fix missing hfs_bnode_get() in __hfs_bnode_create\")\nbut the same issue remained in HFS+ until now."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:19.540Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b0fc7af50b896d0f3d104e70787ba1973bc0b56"
},
{
"url": "https://git.kernel.org/stable/c/39e149d58ef4d7883cbf87448d39d51292fd342d"
},
{
"url": "https://git.kernel.org/stable/c/b68dc4134b18a3922cd33439ec614aad4172bc86"
},
{
"url": "https://git.kernel.org/stable/c/b9d1c6bb5f19460074ce9862cb80be86b5fb0a50"
},
{
"url": "https://git.kernel.org/stable/c/457f795e7abd7770de10216d7f9994a3f12a56d6"
},
{
"url": "https://git.kernel.org/stable/c/5882e7c8cdbb5e254a69628b780acff89c78071e"
},
{
"url": "https://git.kernel.org/stable/c/152af114287851583cf7e0abc10129941f19466a"
}
],
"title": "hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68774",
"datePublished": "2026-01-13T15:28:51.379Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-02-09T08:33:19.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68361 (GCVE-0-2025-68361)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
erofs: limit the level of fs stacking for file-backed mounts
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: limit the level of fs stacking for file-backed mounts
Otherwise, it could cause potential kernel stack overflow (e.g., EROFS
mounting itself).
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
fb176750266a3d7f42ebdcf28e8ba40350b27847 , < 34447aeedbaea8f9aad3da5b07030a1c0e124639
(git)
Affected: fb176750266a3d7f42ebdcf28e8ba40350b27847 , < b4911825348a494e894e6ccfcf88d99e9425f129 (git) Affected: fb176750266a3d7f42ebdcf28e8ba40350b27847 , < 620472e6b303c4dbcc7ecf1aba1cda4f3523e4a4 (git) Affected: fb176750266a3d7f42ebdcf28e8ba40350b27847 , < d53cd891f0e4311889349fff3a784dc552f814b9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "34447aeedbaea8f9aad3da5b07030a1c0e124639",
"status": "affected",
"version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
"versionType": "git"
},
{
"lessThan": "b4911825348a494e894e6ccfcf88d99e9425f129",
"status": "affected",
"version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
"versionType": "git"
},
{
"lessThan": "620472e6b303c4dbcc7ecf1aba1cda4f3523e4a4",
"status": "affected",
"version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
"versionType": "git"
},
{
"lessThan": "d53cd891f0e4311889349fff3a784dc552f814b9",
"status": "affected",
"version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: limit the level of fs stacking for file-backed mounts\n\nOtherwise, it could cause potential kernel stack overflow (e.g., EROFS\nmounting itself)."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:56.804Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/34447aeedbaea8f9aad3da5b07030a1c0e124639"
},
{
"url": "https://git.kernel.org/stable/c/b4911825348a494e894e6ccfcf88d99e9425f129"
},
{
"url": "https://git.kernel.org/stable/c/620472e6b303c4dbcc7ecf1aba1cda4f3523e4a4"
},
{
"url": "https://git.kernel.org/stable/c/d53cd891f0e4311889349fff3a784dc552f814b9"
}
],
"title": "erofs: limit the level of fs stacking for file-backed mounts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68361",
"datePublished": "2025-12-24T10:32:49.792Z",
"dateReserved": "2025-12-16T14:48:05.305Z",
"dateUpdated": "2026-02-09T08:31:56.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40306 (GCVE-0-2025-40306)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
orangefs: fix xattr related buffer overflow...
Summary
In the Linux kernel, the following vulnerability has been resolved:
orangefs: fix xattr related buffer overflow...
Willy Tarreau <w@1wt.eu> forwarded me a message from
Disclosure <disclosure@aisle.com> with the following
warning:
> The helper `xattr_key()` uses the pointer variable in the loop condition
> rather than dereferencing it. As `key` is incremented, it remains non-NULL
> (until it runs into unmapped memory), so the loop does not terminate on
> valid C strings and will walk memory indefinitely, consuming CPU or hanging
> the thread.
I easily reproduced this with setfattr and getfattr, causing a kernel
oops, hung user processes and corrupted orangefs files. Disclosure
sent along a diff (not a patch) with a suggested fix, which I based
this patch on.
After xattr_key started working right, xfstest generic/069 exposed an
xattr related memory leak that lead to OOM. xattr_key returns
a hashed key. When adding xattrs to the orangefs xattr cache, orangefs
used hash_add, a kernel hashing macro. hash_add also hashes the key using
hash_log which resulted in additions to the xattr cache going to the wrong
hash bucket. generic/069 tortures a single file and orangefs does a
getattr for the xattr "security.capability" every time. Orangefs
negative caches on xattrs which includes a kmalloc. Since adds to the
xattr cache were going to the wrong bucket, every getattr for
"security.capability" resulted in another kmalloc, none of which were
ever freed.
I changed the two uses of hash_add to hlist_add_head instead
and the memory leak ceased and generic/069 quit throwing furniture.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < c6564ff6b53c9a8dc786b6f1c51ae7688273f931
(git)
Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < ef892d2bf4f3fa2c8de1677dd307e678bdd3d865 (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < 15afebb9597449c444801d1ff0b8d8b311f950ab (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < bc812574de633cf9a9ad6974490e45f6a4bb5126 (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < e09a096104fc65859422817fb2211f35855983fe (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < 9127d1e90c90e5960c8bc72a4ce2c209691a7021 (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < c2ca015ac109fd743fdde27933d59dc5ad46658e (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < 025e880759c279ec64d0f754fe65bf45961da864 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/orangefs/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6564ff6b53c9a8dc786b6f1c51ae7688273f931",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "ef892d2bf4f3fa2c8de1677dd307e678bdd3d865",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "15afebb9597449c444801d1ff0b8d8b311f950ab",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "bc812574de633cf9a9ad6974490e45f6a4bb5126",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "e09a096104fc65859422817fb2211f35855983fe",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "9127d1e90c90e5960c8bc72a4ce2c209691a7021",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "c2ca015ac109fd743fdde27933d59dc5ad46658e",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "025e880759c279ec64d0f754fe65bf45961da864",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/orangefs/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\norangefs: fix xattr related buffer overflow...\n\nWilly Tarreau \u003cw@1wt.eu\u003e forwarded me a message from\nDisclosure \u003cdisclosure@aisle.com\u003e with the following\nwarning:\n\n\u003e The helper `xattr_key()` uses the pointer variable in the loop condition\n\u003e rather than dereferencing it. As `key` is incremented, it remains non-NULL\n\u003e (until it runs into unmapped memory), so the loop does not terminate on\n\u003e valid C strings and will walk memory indefinitely, consuming CPU or hanging\n\u003e the thread.\n\nI easily reproduced this with setfattr and getfattr, causing a kernel\noops, hung user processes and corrupted orangefs files. Disclosure\nsent along a diff (not a patch) with a suggested fix, which I based\nthis patch on.\n\nAfter xattr_key started working right, xfstest generic/069 exposed an\nxattr related memory leak that lead to OOM. xattr_key returns\na hashed key. When adding xattrs to the orangefs xattr cache, orangefs\nused hash_add, a kernel hashing macro. hash_add also hashes the key using\nhash_log which resulted in additions to the xattr cache going to the wrong\nhash bucket. generic/069 tortures a single file and orangefs does a\ngetattr for the xattr \"security.capability\" every time. Orangefs\nnegative caches on xattrs which includes a kmalloc. Since adds to the\nxattr cache were going to the wrong bucket, every getattr for\n\"security.capability\" resulted in another kmalloc, none of which were\never freed.\n\nI changed the two uses of hash_add to hlist_add_head instead\nand the memory leak ceased and generic/069 quit throwing furniture."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:57.401Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6564ff6b53c9a8dc786b6f1c51ae7688273f931"
},
{
"url": "https://git.kernel.org/stable/c/ef892d2bf4f3fa2c8de1677dd307e678bdd3d865"
},
{
"url": "https://git.kernel.org/stable/c/15afebb9597449c444801d1ff0b8d8b311f950ab"
},
{
"url": "https://git.kernel.org/stable/c/bc812574de633cf9a9ad6974490e45f6a4bb5126"
},
{
"url": "https://git.kernel.org/stable/c/e09a096104fc65859422817fb2211f35855983fe"
},
{
"url": "https://git.kernel.org/stable/c/9127d1e90c90e5960c8bc72a4ce2c209691a7021"
},
{
"url": "https://git.kernel.org/stable/c/c2ca015ac109fd743fdde27933d59dc5ad46658e"
},
{
"url": "https://git.kernel.org/stable/c/025e880759c279ec64d0f754fe65bf45961da864"
}
],
"title": "orangefs: fix xattr related buffer overflow...",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40306",
"datePublished": "2025-12-08T00:46:31.514Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-20T08:51:57.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68346 (GCVE-0-2025-68346)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
ALSA: dice: fix buffer overflow in detect_stream_formats()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: dice: fix buffer overflow in detect_stream_formats()
The function detect_stream_formats() reads the stream_count value directly
from a FireWire device without validating it. This can lead to
out-of-bounds writes when a malicious device provides a stream_count value
greater than MAX_STREAMS.
Fix by applying the same validation to both TX and RX stream counts in
detect_stream_formats().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < d6280a5b00cad37d9a9a875849e5bf7ed2fe4950
(git)
Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 3cf854cec0eb371da47ff5fe56eab189d7fa623a (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4 (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0 (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6 (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 932aa1e80b022419cf9710e970739b7a8794f27c (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9 (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 324f3e03e8a85931ce0880654e3c3eb38b0f0bba (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/dice/dice-extension.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6280a5b00cad37d9a9a875849e5bf7ed2fe4950",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "3cf854cec0eb371da47ff5fe56eab189d7fa623a",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "932aa1e80b022419cf9710e970739b7a8794f27c",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "324f3e03e8a85931ce0880654e3c3eb38b0f0bba",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/dice/dice-extension.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: dice: fix buffer overflow in detect_stream_formats()\n\nThe function detect_stream_formats() reads the stream_count value directly\nfrom a FireWire device without validating it. This can lead to\nout-of-bounds writes when a malicious device provides a stream_count value\ngreater than MAX_STREAMS.\n\nFix by applying the same validation to both TX and RX stream counts in\ndetect_stream_formats()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:35.157Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6280a5b00cad37d9a9a875849e5bf7ed2fe4950"
},
{
"url": "https://git.kernel.org/stable/c/3cf854cec0eb371da47ff5fe56eab189d7fa623a"
},
{
"url": "https://git.kernel.org/stable/c/4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4"
},
{
"url": "https://git.kernel.org/stable/c/dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0"
},
{
"url": "https://git.kernel.org/stable/c/c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6"
},
{
"url": "https://git.kernel.org/stable/c/932aa1e80b022419cf9710e970739b7a8794f27c"
},
{
"url": "https://git.kernel.org/stable/c/1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9"
},
{
"url": "https://git.kernel.org/stable/c/324f3e03e8a85931ce0880654e3c3eb38b0f0bba"
}
],
"title": "ALSA: dice: fix buffer overflow in detect_stream_formats()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68346",
"datePublished": "2025-12-24T10:32:39.101Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-02-09T08:31:35.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68198 (GCVE-0-2025-68198)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2025-12-16 13:48
VLAI?
EPSS
Title
crash: fix crashkernel resource shrink
Summary
In the Linux kernel, the following vulnerability has been resolved:
crash: fix crashkernel resource shrink
When crashkernel is configured with a high reservation, shrinking its
value below the low crashkernel reservation causes two issues:
1. Invalid crashkernel resource objects
2. Kernel crash if crashkernel shrinking is done twice
For example, with crashkernel=200M,high, the kernel reserves 200MB of high
memory and some default low memory (say 256MB). The reservation appears
as:
cat /proc/iomem | grep -i crash
af000000-beffffff : Crash kernel
433000000-43f7fffff : Crash kernel
If crashkernel is then shrunk to 50MB (echo 52428800 >
/sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved:
af000000-beffffff : Crash kernel
Instead, it should show 50MB:
af000000-b21fffff : Crash kernel
Further shrinking crashkernel to 40MB causes a kernel crash with the
following trace (x86):
BUG: kernel NULL pointer dereference, address: 0000000000000038
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
<snip...>
Call Trace: <TASK>
? __die_body.cold+0x19/0x27
? page_fault_oops+0x15a/0x2f0
? search_module_extables+0x19/0x60
? search_bpf_extables+0x5f/0x80
? exc_page_fault+0x7e/0x180
? asm_exc_page_fault+0x26/0x30
? __release_resource+0xd/0xb0
release_resource+0x26/0x40
__crash_shrink_memory+0xe5/0x110
crash_shrink_memory+0x12a/0x190
kexec_crash_size_store+0x41/0x80
kernfs_fop_write_iter+0x141/0x1f0
vfs_write+0x294/0x460
ksys_write+0x6d/0xf0
<snip...>
This happens because __crash_shrink_memory()/kernel/crash_core.c
incorrectly updates the crashk_res resource object even when
crashk_low_res should be updated.
Fix this by ensuring the correct crashkernel resource object is updated
when shrinking crashkernel memory.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
16c6006af4d4e70ecef93977a5314409d931020b , < f01f9c348d76d40bf104a94449e3ce4057fdefee
(git)
Affected: 16c6006af4d4e70ecef93977a5314409d931020b , < f89c5e7077f63e45e8ba5a77b7cf0803130367e6 (git) Affected: 16c6006af4d4e70ecef93977a5314409d931020b , < a2bd247f8c6c5ac3f0ba823a2fffd77bb9cdf618 (git) Affected: 16c6006af4d4e70ecef93977a5314409d931020b , < 00fbff75c5acb4755f06f08bd1071879c63940c5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/crash_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f01f9c348d76d40bf104a94449e3ce4057fdefee",
"status": "affected",
"version": "16c6006af4d4e70ecef93977a5314409d931020b",
"versionType": "git"
},
{
"lessThan": "f89c5e7077f63e45e8ba5a77b7cf0803130367e6",
"status": "affected",
"version": "16c6006af4d4e70ecef93977a5314409d931020b",
"versionType": "git"
},
{
"lessThan": "a2bd247f8c6c5ac3f0ba823a2fffd77bb9cdf618",
"status": "affected",
"version": "16c6006af4d4e70ecef93977a5314409d931020b",
"versionType": "git"
},
{
"lessThan": "00fbff75c5acb4755f06f08bd1071879c63940c5",
"status": "affected",
"version": "16c6006af4d4e70ecef93977a5314409d931020b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/crash_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrash: fix crashkernel resource shrink\n\nWhen crashkernel is configured with a high reservation, shrinking its\nvalue below the low crashkernel reservation causes two issues:\n\n1. Invalid crashkernel resource objects\n2. Kernel crash if crashkernel shrinking is done twice\n\nFor example, with crashkernel=200M,high, the kernel reserves 200MB of high\nmemory and some default low memory (say 256MB). The reservation appears\nas:\n\ncat /proc/iomem | grep -i crash\naf000000-beffffff : Crash kernel\n433000000-43f7fffff : Crash kernel\n\nIf crashkernel is then shrunk to 50MB (echo 52428800 \u003e\n/sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved:\naf000000-beffffff : Crash kernel\n\nInstead, it should show 50MB:\naf000000-b21fffff : Crash kernel\n\nFurther shrinking crashkernel to 40MB causes a kernel crash with the\nfollowing trace (x86):\n\nBUG: kernel NULL pointer dereference, address: 0000000000000038\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\n\u003csnip...\u003e\nCall Trace: \u003cTASK\u003e\n? __die_body.cold+0x19/0x27\n? page_fault_oops+0x15a/0x2f0\n? search_module_extables+0x19/0x60\n? search_bpf_extables+0x5f/0x80\n? exc_page_fault+0x7e/0x180\n? asm_exc_page_fault+0x26/0x30\n? __release_resource+0xd/0xb0\nrelease_resource+0x26/0x40\n__crash_shrink_memory+0xe5/0x110\ncrash_shrink_memory+0x12a/0x190\nkexec_crash_size_store+0x41/0x80\nkernfs_fop_write_iter+0x141/0x1f0\nvfs_write+0x294/0x460\nksys_write+0x6d/0xf0\n\u003csnip...\u003e\n\nThis happens because __crash_shrink_memory()/kernel/crash_core.c\nincorrectly updates the crashk_res resource object even when\ncrashk_low_res should be updated.\n\nFix this by ensuring the correct crashkernel resource object is updated\nwhen shrinking crashkernel memory."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:48:26.998Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f01f9c348d76d40bf104a94449e3ce4057fdefee"
},
{
"url": "https://git.kernel.org/stable/c/f89c5e7077f63e45e8ba5a77b7cf0803130367e6"
},
{
"url": "https://git.kernel.org/stable/c/a2bd247f8c6c5ac3f0ba823a2fffd77bb9cdf618"
},
{
"url": "https://git.kernel.org/stable/c/00fbff75c5acb4755f06f08bd1071879c63940c5"
}
],
"title": "crash: fix crashkernel resource shrink",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68198",
"datePublished": "2025-12-16T13:48:26.998Z",
"dateReserved": "2025-12-16T13:41:40.254Z",
"dateUpdated": "2025-12-16T13:48:26.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68356 (GCVE-0-2025-68356)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
gfs2: Prevent recursive memory reclaim
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Prevent recursive memory reclaim
Function new_inode() returns a new inode with inode->i_mapping->gfp_mask
set to GFP_HIGHUSER_MOVABLE. This value includes the __GFP_FS flag, so
allocations in that address space can recurse into filesystem memory
reclaim. We don't want that to happen because it can consume a
significant amount of stack memory.
Worse than that is that it can also deadlock: for example, in several
places, gfs2_unstuff_dinode() is called inside filesystem transactions.
This calls filemap_grab_folio(), which can allocate a new folio, which
can trigger memory reclaim. If memory reclaim recurses into the
filesystem and starts another transaction, a deadlock will ensue.
To fix these kinds of problems, prevent memory reclaim from recursing
into filesystem code by making sure that the gfp_mask of inode address
spaces doesn't include __GFP_FS.
The "meta" and resource group address spaces were already using GFP_NOFS
as their gfp_mask (which doesn't include __GFP_FS). The default value
of GFP_HIGHUSER_MOVABLE is less restrictive than GFP_NOFS, though. To
avoid being overly limiting, use the default value and only knock off
the __GFP_FS flag. I'm not sure if this will actually make a
difference, but it also shouldn't hurt.
This patch is loosely based on commit ad22c7a043c2 ("xfs: prevent stack
overflows from page cache allocation").
Fixes xfstest generic/273.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
dc0b9435238c1a68150c798c9c7a1b5d7414cbb9 , < edb2b255618621dc83d0ec23150e16b2c697077f
(git)
Affected: dc0b9435238c1a68150c798c9c7a1b5d7414cbb9 , < 9c0960ed112398bdb6c60ccf6e6b583bc59acede (git) Affected: dc0b9435238c1a68150c798c9c7a1b5d7414cbb9 , < 49e7347f4644d031306d56cb4d51e467cbdcbc69 (git) Affected: dc0b9435238c1a68150c798c9c7a1b5d7414cbb9 , < 2c5f4a53476e3cab70adc77b38942c066bd2c17c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/gfs2/glock.c",
"fs/gfs2/inode.c",
"fs/gfs2/inode.h",
"fs/gfs2/ops_fstype.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "edb2b255618621dc83d0ec23150e16b2c697077f",
"status": "affected",
"version": "dc0b9435238c1a68150c798c9c7a1b5d7414cbb9",
"versionType": "git"
},
{
"lessThan": "9c0960ed112398bdb6c60ccf6e6b583bc59acede",
"status": "affected",
"version": "dc0b9435238c1a68150c798c9c7a1b5d7414cbb9",
"versionType": "git"
},
{
"lessThan": "49e7347f4644d031306d56cb4d51e467cbdcbc69",
"status": "affected",
"version": "dc0b9435238c1a68150c798c9c7a1b5d7414cbb9",
"versionType": "git"
},
{
"lessThan": "2c5f4a53476e3cab70adc77b38942c066bd2c17c",
"status": "affected",
"version": "dc0b9435238c1a68150c798c9c7a1b5d7414cbb9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/gfs2/glock.c",
"fs/gfs2/inode.c",
"fs/gfs2/inode.h",
"fs/gfs2/ops_fstype.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Prevent recursive memory reclaim\n\nFunction new_inode() returns a new inode with inode-\u003ei_mapping-\u003egfp_mask\nset to GFP_HIGHUSER_MOVABLE. This value includes the __GFP_FS flag, so\nallocations in that address space can recurse into filesystem memory\nreclaim. We don\u0027t want that to happen because it can consume a\nsignificant amount of stack memory.\n\nWorse than that is that it can also deadlock: for example, in several\nplaces, gfs2_unstuff_dinode() is called inside filesystem transactions.\nThis calls filemap_grab_folio(), which can allocate a new folio, which\ncan trigger memory reclaim. If memory reclaim recurses into the\nfilesystem and starts another transaction, a deadlock will ensue.\n\nTo fix these kinds of problems, prevent memory reclaim from recursing\ninto filesystem code by making sure that the gfp_mask of inode address\nspaces doesn\u0027t include __GFP_FS.\n\nThe \"meta\" and resource group address spaces were already using GFP_NOFS\nas their gfp_mask (which doesn\u0027t include __GFP_FS). The default value\nof GFP_HIGHUSER_MOVABLE is less restrictive than GFP_NOFS, though. To\navoid being overly limiting, use the default value and only knock off\nthe __GFP_FS flag. I\u0027m not sure if this will actually make a\ndifference, but it also shouldn\u0027t hurt.\n\nThis patch is loosely based on commit ad22c7a043c2 (\"xfs: prevent stack\noverflows from page cache allocation\").\n\nFixes xfstest generic/273."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:52.303Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/edb2b255618621dc83d0ec23150e16b2c697077f"
},
{
"url": "https://git.kernel.org/stable/c/9c0960ed112398bdb6c60ccf6e6b583bc59acede"
},
{
"url": "https://git.kernel.org/stable/c/49e7347f4644d031306d56cb4d51e467cbdcbc69"
},
{
"url": "https://git.kernel.org/stable/c/2c5f4a53476e3cab70adc77b38942c066bd2c17c"
}
],
"title": "gfs2: Prevent recursive memory reclaim",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68356",
"datePublished": "2025-12-24T10:32:46.275Z",
"dateReserved": "2025-12-16T14:48:05.301Z",
"dateUpdated": "2026-02-09T08:31:52.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40013 (GCVE-0-2025-40013)
Vulnerability from cvelistv5 – Published: 2025-10-20 15:29 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
ASoC: qcom: audioreach: fix potential null pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: qcom: audioreach: fix potential null pointer dereference
It is possible that the topology parsing function
audioreach_widget_load_module_common() could return NULL or an error
pointer. Add missing NULL check so that we do not dereference it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
36ad9bf1d93d66b901342eab9f8ed6c1537655a6 , < 9c1ad4192f3d2fc85339718a6252cb3337848f7b
(git)
Affected: 36ad9bf1d93d66b901342eab9f8ed6c1537655a6 , < 70e1e5fe9f7e05ff831b56ebc02543e7811b8e18 (git) Affected: 36ad9bf1d93d66b901342eab9f8ed6c1537655a6 , < 4dda55d04caac3b4102c26e29b1c27fa35636be3 (git) Affected: 36ad9bf1d93d66b901342eab9f8ed6c1537655a6 , < 8f9c9fafc0e7a73bbff58954d171c016ddee1734 (git) Affected: 36ad9bf1d93d66b901342eab9f8ed6c1537655a6 , < ef08ce6304d30b5778035d07b04514cb70839983 (git) Affected: 36ad9bf1d93d66b901342eab9f8ed6c1537655a6 , < 8318e04ab2526b155773313b66a1542476ce1106 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/qcom/qdsp6/topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9c1ad4192f3d2fc85339718a6252cb3337848f7b",
"status": "affected",
"version": "36ad9bf1d93d66b901342eab9f8ed6c1537655a6",
"versionType": "git"
},
{
"lessThan": "70e1e5fe9f7e05ff831b56ebc02543e7811b8e18",
"status": "affected",
"version": "36ad9bf1d93d66b901342eab9f8ed6c1537655a6",
"versionType": "git"
},
{
"lessThan": "4dda55d04caac3b4102c26e29b1c27fa35636be3",
"status": "affected",
"version": "36ad9bf1d93d66b901342eab9f8ed6c1537655a6",
"versionType": "git"
},
{
"lessThan": "8f9c9fafc0e7a73bbff58954d171c016ddee1734",
"status": "affected",
"version": "36ad9bf1d93d66b901342eab9f8ed6c1537655a6",
"versionType": "git"
},
{
"lessThan": "ef08ce6304d30b5778035d07b04514cb70839983",
"status": "affected",
"version": "36ad9bf1d93d66b901342eab9f8ed6c1537655a6",
"versionType": "git"
},
{
"lessThan": "8318e04ab2526b155773313b66a1542476ce1106",
"status": "affected",
"version": "36ad9bf1d93d66b901342eab9f8ed6c1537655a6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/qcom/qdsp6/topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.110",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: audioreach: fix potential null pointer dereference\n\nIt is possible that the topology parsing function\naudioreach_widget_load_module_common() could return NULL or an error\npointer. Add missing NULL check so that we do not dereference it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:18.888Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9c1ad4192f3d2fc85339718a6252cb3337848f7b"
},
{
"url": "https://git.kernel.org/stable/c/70e1e5fe9f7e05ff831b56ebc02543e7811b8e18"
},
{
"url": "https://git.kernel.org/stable/c/4dda55d04caac3b4102c26e29b1c27fa35636be3"
},
{
"url": "https://git.kernel.org/stable/c/8f9c9fafc0e7a73bbff58954d171c016ddee1734"
},
{
"url": "https://git.kernel.org/stable/c/ef08ce6304d30b5778035d07b04514cb70839983"
},
{
"url": "https://git.kernel.org/stable/c/8318e04ab2526b155773313b66a1542476ce1106"
}
],
"title": "ASoC: qcom: audioreach: fix potential null pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40013",
"datePublished": "2025-10-20T15:29:09.076Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-12-01T06:16:18.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40026 (GCVE-0-2025-40026)
Vulnerability from cvelistv5 – Published: 2025-10-28 09:32 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O
When completing emulation of instruction that generated a userspace exit
for I/O, don't recheck L1 intercepts as KVM has already finished that
phase of instruction execution, i.e. has already committed to allowing L2
to perform I/O. If L1 (or host userspace) modifies the I/O permission
bitmaps during the exit to userspace, KVM will treat the access as being
intercepted despite already having emulated the I/O access.
Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation.
Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the
intended "recipient") can reach the code in question. gp_interception()'s
use is mutually exclusive with is_guest_mode(), and
complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with
EMULTYPE_SKIP.
The bad behavior was detected by a syzkaller program that toggles port I/O
interception during the userspace I/O exit, ultimately resulting in a WARN
on vcpu->arch.pio.count being non-zero due to KVM no completing emulation
of the I/O instruction.
WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]
Modules linked in: kvm_intel kvm irqbypass
CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]
PKRU: 55555554
Call Trace:
<TASK>
kvm_fast_pio+0xd6/0x1d0 [kvm]
vmx_handle_exit+0x149/0x610 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]
kvm_vcpu_ioctl+0x244/0x8c0 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0x5d/0xc60
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < a908eca437789589dd4624da428614c1275064dc
(git)
Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < 00338255bb1f422642fb2798ebe92e93b6e4209b (git) Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < e0ce3ed1048a47986d15aef1a98ebda25560d257 (git) Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < ba35a5d775799ce5ad60230be97336f2fefd518e (git) Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < 3d3abf3f7e8b1abb082070a343de82d7efc80523 (git) Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < e7177c7e32cb806f348387b7f4faafd4a5b32054 (git) Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < 3a062a5c55adc5507600b9ae6d911e247e2f1d6e (git) Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < 7366830642505683bbe905a2ba5d18d6e4b512b8 (git) Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < e750f85391286a4c8100275516973324b621a269 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/emulate.c",
"arch/x86/kvm/kvm_emulate.h",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a908eca437789589dd4624da428614c1275064dc",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "00338255bb1f422642fb2798ebe92e93b6e4209b",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "e0ce3ed1048a47986d15aef1a98ebda25560d257",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "ba35a5d775799ce5ad60230be97336f2fefd518e",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "3d3abf3f7e8b1abb082070a343de82d7efc80523",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "e7177c7e32cb806f348387b7f4faafd4a5b32054",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "3a062a5c55adc5507600b9ae6d911e247e2f1d6e",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "7366830642505683bbe905a2ba5d18d6e4b512b8",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "e750f85391286a4c8100275516973324b621a269",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/emulate.c",
"arch/x86/kvm/kvm_emulate.h",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.12",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.2",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Don\u0027t (re)check L1 intercepts when completing userspace I/O\n\nWhen completing emulation of instruction that generated a userspace exit\nfor I/O, don\u0027t recheck L1 intercepts as KVM has already finished that\nphase of instruction execution, i.e. has already committed to allowing L2\nto perform I/O. If L1 (or host userspace) modifies the I/O permission\nbitmaps during the exit to userspace, KVM will treat the access as being\nintercepted despite already having emulated the I/O access.\n\nPivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation.\nOf the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the\nintended \"recipient\") can reach the code in question. gp_interception()\u0027s\nuse is mutually exclusive with is_guest_mode(), and\ncomplete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with\nEMULTYPE_SKIP.\n\nThe bad behavior was detected by a syzkaller program that toggles port I/O\ninterception during the userspace I/O exit, ultimately resulting in a WARN\non vcpu-\u003earch.pio.count being non-zero due to KVM no completing emulation\nof the I/O instruction.\n\n WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n kvm_fast_pio+0xd6/0x1d0 [kvm]\n vmx_handle_exit+0x149/0x610 [kvm_intel]\n kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]\n kvm_vcpu_ioctl+0x244/0x8c0 [kvm]\n __x64_sys_ioctl+0x8a/0xd0\n do_syscall_64+0x5d/0xc60\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:28.000Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a908eca437789589dd4624da428614c1275064dc"
},
{
"url": "https://git.kernel.org/stable/c/00338255bb1f422642fb2798ebe92e93b6e4209b"
},
{
"url": "https://git.kernel.org/stable/c/e0ce3ed1048a47986d15aef1a98ebda25560d257"
},
{
"url": "https://git.kernel.org/stable/c/ba35a5d775799ce5ad60230be97336f2fefd518e"
},
{
"url": "https://git.kernel.org/stable/c/3d3abf3f7e8b1abb082070a343de82d7efc80523"
},
{
"url": "https://git.kernel.org/stable/c/e7177c7e32cb806f348387b7f4faafd4a5b32054"
},
{
"url": "https://git.kernel.org/stable/c/3a062a5c55adc5507600b9ae6d911e247e2f1d6e"
},
{
"url": "https://git.kernel.org/stable/c/7366830642505683bbe905a2ba5d18d6e4b512b8"
},
{
"url": "https://git.kernel.org/stable/c/e750f85391286a4c8100275516973324b621a269"
}
],
"title": "KVM: x86: Don\u0027t (re)check L1 intercepts when completing userspace I/O",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40026",
"datePublished": "2025-10-28T09:32:33.075Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-12-01T06:16:28.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40071 (GCVE-0-2025-40071)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
tty: n_gsm: Don't block input queue by waiting MSC
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: n_gsm: Don't block input queue by waiting MSC
Currently gsm_queue() processes incoming frames and when opening
a DLC channel it calls gsm_dlci_open() which calls gsm_modem_update().
If basic mode is used it calls gsm_modem_upd_via_msc() and it
cannot block the input queue by waiting the response to come
into the same input queue.
Instead allow sending Modem Status Command without waiting for remote
end to respond. Define a new function gsm_modem_send_initial_msc()
for this purpose. As MSC is only valid for basic encoding, it does
not do anything for advanced or when convergence layer type 2 is used.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
48473802506d2d6151f59e0e764932b33b53cb3b , < c36785f9de03df56ff9b8eca30fa681a12b2310d
(git)
Affected: 48473802506d2d6151f59e0e764932b33b53cb3b , < 5416e89b81b00443cb03c88df8da097ae091a141 (git) Affected: 48473802506d2d6151f59e0e764932b33b53cb3b , < c5a2791a7f11939f05f95c01f0aec0c55bbf28d5 (git) Affected: 48473802506d2d6151f59e0e764932b33b53cb3b , < 3cf0b3c243e56bc43be560617416c1d9f301f44c (git) Affected: 920e849b7d23ced84c9d11e11e2449e34973cfb8 (git) Affected: e83b4e1540469babeffcfd44a605cf8a61542598 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/n_gsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c36785f9de03df56ff9b8eca30fa681a12b2310d",
"status": "affected",
"version": "48473802506d2d6151f59e0e764932b33b53cb3b",
"versionType": "git"
},
{
"lessThan": "5416e89b81b00443cb03c88df8da097ae091a141",
"status": "affected",
"version": "48473802506d2d6151f59e0e764932b33b53cb3b",
"versionType": "git"
},
{
"lessThan": "c5a2791a7f11939f05f95c01f0aec0c55bbf28d5",
"status": "affected",
"version": "48473802506d2d6151f59e0e764932b33b53cb3b",
"versionType": "git"
},
{
"lessThan": "3cf0b3c243e56bc43be560617416c1d9f301f44c",
"status": "affected",
"version": "48473802506d2d6151f59e0e764932b33b53cb3b",
"versionType": "git"
},
{
"status": "affected",
"version": "920e849b7d23ced84c9d11e11e2449e34973cfb8",
"versionType": "git"
},
{
"status": "affected",
"version": "e83b4e1540469babeffcfd44a605cf8a61542598",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/n_gsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: Don\u0027t block input queue by waiting MSC\n\nCurrently gsm_queue() processes incoming frames and when opening\na DLC channel it calls gsm_dlci_open() which calls gsm_modem_update().\nIf basic mode is used it calls gsm_modem_upd_via_msc() and it\ncannot block the input queue by waiting the response to come\ninto the same input queue.\n\nInstead allow sending Modem Status Command without waiting for remote\nend to respond. Define a new function gsm_modem_send_initial_msc()\nfor this purpose. As MSC is only valid for basic encoding, it does\nnot do anything for advanced or when convergence layer type 2 is used."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:26.350Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c36785f9de03df56ff9b8eca30fa681a12b2310d"
},
{
"url": "https://git.kernel.org/stable/c/5416e89b81b00443cb03c88df8da097ae091a141"
},
{
"url": "https://git.kernel.org/stable/c/c5a2791a7f11939f05f95c01f0aec0c55bbf28d5"
},
{
"url": "https://git.kernel.org/stable/c/3cf0b3c243e56bc43be560617416c1d9f301f44c"
}
],
"title": "tty: n_gsm: Don\u0027t block input queue by waiting MSC",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40071",
"datePublished": "2025-10-28T11:48:39.417Z",
"dateReserved": "2025-04-16T07:20:57.159Z",
"dateUpdated": "2025-12-01T06:17:26.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40331 (GCVE-0-2025-40331)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-09 04:09
VLAI?
EPSS
Title
sctp: Prevent TOCTOU out-of-bounds write
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: Prevent TOCTOU out-of-bounds write
For the following path not holding the sock lock,
sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()
make sure not to exceed bounds in case the address list has grown
between buffer allocation (time-of-check) and write (time-of-use).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8f840e47f190cbe61a96945c13e9551048d42cef , < b106a68df0650b694b254427cd9250c04500edd3
(git)
Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 3006959371007fc2eae4a078f823c680fa52de1a (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 72e3fea68eac8d088e44c3dd954e843478e9240e (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 584307275b2048991b2e8984962189b6cc0a9b85 (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < c9119f243d9c0da3c3b5f577a328de3e7ffd1b42 (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 2fe08fcaacb7eb019fa9c81db39b2214de216677 (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 89eac1e150dbd42963e13d23828cb8c4e0763196 (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 95aef86ab231f047bb8085c70666059b58f53c09 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b106a68df0650b694b254427cd9250c04500edd3",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "3006959371007fc2eae4a078f823c680fa52de1a",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "72e3fea68eac8d088e44c3dd954e843478e9240e",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "584307275b2048991b2e8984962189b6cc0a9b85",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "c9119f243d9c0da3c3b5f577a328de3e7ffd1b42",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "2fe08fcaacb7eb019fa9c81db39b2214de216677",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "89eac1e150dbd42963e13d23828cb8c4e0763196",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "95aef86ab231f047bb8085c70666059b58f53c09",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Prevent TOCTOU out-of-bounds write\n\nFor the following path not holding the sock lock,\n\n sctp_diag_dump() -\u003e sctp_for_each_endpoint() -\u003e sctp_ep_dump()\n\nmake sure not to exceed bounds in case the address list has grown\nbetween buffer allocation (time-of-check) and write (time-of-use)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T04:09:48.196Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b106a68df0650b694b254427cd9250c04500edd3"
},
{
"url": "https://git.kernel.org/stable/c/3006959371007fc2eae4a078f823c680fa52de1a"
},
{
"url": "https://git.kernel.org/stable/c/72e3fea68eac8d088e44c3dd954e843478e9240e"
},
{
"url": "https://git.kernel.org/stable/c/584307275b2048991b2e8984962189b6cc0a9b85"
},
{
"url": "https://git.kernel.org/stable/c/c9119f243d9c0da3c3b5f577a328de3e7ffd1b42"
},
{
"url": "https://git.kernel.org/stable/c/2fe08fcaacb7eb019fa9c81db39b2214de216677"
},
{
"url": "https://git.kernel.org/stable/c/89eac1e150dbd42963e13d23828cb8c4e0763196"
},
{
"url": "https://git.kernel.org/stable/c/95aef86ab231f047bb8085c70666059b58f53c09"
}
],
"title": "sctp: Prevent TOCTOU out-of-bounds write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40331",
"datePublished": "2025-12-09T04:09:48.196Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-09T04:09:48.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40038 (GCVE-0-2025-40038)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid
Skip the WRMSR and HLT fastpaths in SVM's VM-Exit handler if the next RIP
isn't valid, e.g. because KVM is running with nrips=false. SVM must
decode and emulate to skip the instruction if the CPU doesn't provide the
next RIP, and getting the instruction bytes to decode requires reading
guest memory. Reading guest memory through the emulator can fault, i.e.
can sleep, which is disallowed since the fastpath handlers run with IRQs
disabled.
BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:106
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 32611, name: qemu
preempt_count: 1, expected: 0
INFO: lockdep is turned off.
irq event stamp: 30580
hardirqs last enabled at (30579): [<ffffffffc08b2527>] vcpu_run+0x1787/0x1db0 [kvm]
hardirqs last disabled at (30580): [<ffffffffb4f62e32>] __schedule+0x1e2/0xed0
softirqs last enabled at (30570): [<ffffffffb4247a64>] fpu_swap_kvm_fpstate+0x44/0x210
softirqs last disabled at (30568): [<ffffffffb4247a64>] fpu_swap_kvm_fpstate+0x44/0x210
CPU: 298 UID: 0 PID: 32611 Comm: qemu Tainted: G U 6.16.0-smp--e6c618b51cfe-sleep #782 NONE
Tainted: [U]=USER
Hardware name: Google Astoria-Turin/astoria, BIOS 0.20241223.2-0 01/17/2025
Call Trace:
<TASK>
dump_stack_lvl+0x7d/0xb0
__might_resched+0x271/0x290
__might_fault+0x28/0x80
kvm_vcpu_read_guest_page+0x8d/0xc0 [kvm]
kvm_fetch_guest_virt+0x92/0xc0 [kvm]
__do_insn_fetch_bytes+0xf3/0x1e0 [kvm]
x86_decode_insn+0xd1/0x1010 [kvm]
x86_emulate_instruction+0x105/0x810 [kvm]
__svm_skip_emulated_instruction+0xc4/0x140 [kvm_amd]
handle_fastpath_invd+0xc4/0x1a0 [kvm]
vcpu_run+0x11a1/0x1db0 [kvm]
kvm_arch_vcpu_ioctl_run+0x5cc/0x730 [kvm]
kvm_vcpu_ioctl+0x578/0x6a0 [kvm]
__se_sys_ioctl+0x6d/0xb0
do_syscall_64+0x8a/0x2c0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f479d57a94b
</TASK>
Note, this is essentially a reapply of commit 5c30e8101e8d ("KVM: SVM:
Skip WRMSR fastpath on VM-Exit if next RIP isn't valid"), but with
different justification (KVM now grabs SRCU when skipping the instruction
for other reasons).
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b439eb8ab578557263815ba8581d02c1b730e348 , < cd3efb93677c4b0cf76348882fb429165fee33fd
(git)
Affected: b439eb8ab578557263815ba8581d02c1b730e348 , < f994e9c790ce97d3cf01af4d0a1b9add0c955aee (git) Affected: b439eb8ab578557263815ba8581d02c1b730e348 , < da2a3c231f7f2a5ac146d972b8c1d7d84aff6d70 (git) Affected: b439eb8ab578557263815ba8581d02c1b730e348 , < 0910dd7c9ad45a2605c45fd2bf3d1bcac087687c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd3efb93677c4b0cf76348882fb429165fee33fd",
"status": "affected",
"version": "b439eb8ab578557263815ba8581d02c1b730e348",
"versionType": "git"
},
{
"lessThan": "f994e9c790ce97d3cf01af4d0a1b9add0c955aee",
"status": "affected",
"version": "b439eb8ab578557263815ba8581d02c1b730e348",
"versionType": "git"
},
{
"lessThan": "da2a3c231f7f2a5ac146d972b8c1d7d84aff6d70",
"status": "affected",
"version": "b439eb8ab578557263815ba8581d02c1b730e348",
"versionType": "git"
},
{
"lessThan": "0910dd7c9ad45a2605c45fd2bf3d1bcac087687c",
"status": "affected",
"version": "b439eb8ab578557263815ba8581d02c1b730e348",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn\u0027t valid\n\nSkip the WRMSR and HLT fastpaths in SVM\u0027s VM-Exit handler if the next RIP\nisn\u0027t valid, e.g. because KVM is running with nrips=false. SVM must\ndecode and emulate to skip the instruction if the CPU doesn\u0027t provide the\nnext RIP, and getting the instruction bytes to decode requires reading\nguest memory. Reading guest memory through the emulator can fault, i.e.\ncan sleep, which is disallowed since the fastpath handlers run with IRQs\ndisabled.\n\n BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:106\n in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 32611, name: qemu\n preempt_count: 1, expected: 0\n INFO: lockdep is turned off.\n irq event stamp: 30580\n hardirqs last enabled at (30579): [\u003cffffffffc08b2527\u003e] vcpu_run+0x1787/0x1db0 [kvm]\n hardirqs last disabled at (30580): [\u003cffffffffb4f62e32\u003e] __schedule+0x1e2/0xed0\n softirqs last enabled at (30570): [\u003cffffffffb4247a64\u003e] fpu_swap_kvm_fpstate+0x44/0x210\n softirqs last disabled at (30568): [\u003cffffffffb4247a64\u003e] fpu_swap_kvm_fpstate+0x44/0x210\n CPU: 298 UID: 0 PID: 32611 Comm: qemu Tainted: G U 6.16.0-smp--e6c618b51cfe-sleep #782 NONE\n Tainted: [U]=USER\n Hardware name: Google Astoria-Turin/astoria, BIOS 0.20241223.2-0 01/17/2025\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x7d/0xb0\n __might_resched+0x271/0x290\n __might_fault+0x28/0x80\n kvm_vcpu_read_guest_page+0x8d/0xc0 [kvm]\n kvm_fetch_guest_virt+0x92/0xc0 [kvm]\n __do_insn_fetch_bytes+0xf3/0x1e0 [kvm]\n x86_decode_insn+0xd1/0x1010 [kvm]\n x86_emulate_instruction+0x105/0x810 [kvm]\n __svm_skip_emulated_instruction+0xc4/0x140 [kvm_amd]\n handle_fastpath_invd+0xc4/0x1a0 [kvm]\n vcpu_run+0x11a1/0x1db0 [kvm]\n kvm_arch_vcpu_ioctl_run+0x5cc/0x730 [kvm]\n kvm_vcpu_ioctl+0x578/0x6a0 [kvm]\n __se_sys_ioctl+0x6d/0xb0\n do_syscall_64+0x8a/0x2c0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7f479d57a94b\n \u003c/TASK\u003e\n\nNote, this is essentially a reapply of commit 5c30e8101e8d (\"KVM: SVM:\nSkip WRMSR fastpath on VM-Exit if next RIP isn\u0027t valid\"), but with\ndifferent justification (KVM now grabs SRCU when skipping the instruction\nfor other reasons)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:42.244Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd3efb93677c4b0cf76348882fb429165fee33fd"
},
{
"url": "https://git.kernel.org/stable/c/f994e9c790ce97d3cf01af4d0a1b9add0c955aee"
},
{
"url": "https://git.kernel.org/stable/c/da2a3c231f7f2a5ac146d972b8c1d7d84aff6d70"
},
{
"url": "https://git.kernel.org/stable/c/0910dd7c9ad45a2605c45fd2bf3d1bcac087687c"
}
],
"title": "KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn\u0027t valid",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40038",
"datePublished": "2025-10-28T11:48:18.889Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-12-01T06:16:42.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40106 (GCVE-0-2025-40106)
Vulnerability from cvelistv5 – Published: 2025-10-31 09:41 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
comedi: fix divide-by-zero in comedi_buf_munge()
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: fix divide-by-zero in comedi_buf_munge()
The comedi_buf_munge() function performs a modulo operation
`async->munge_chan %= async->cmd.chanlist_len` without first
checking if chanlist_len is zero. If a user program submits a command with
chanlist_len set to zero, this causes a divide-by-zero error when the device
processes data in the interrupt handler path.
Add a check for zero chanlist_len at the beginning of the
function, similar to the existing checks for !map and
CMDF_RAWDATA flag. When chanlist_len is zero, update
munge_count and return early, indicating the data was
handled without munging.
This prevents potential kernel panics from malformed user commands.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 4ffea48c69cb2b96a281cb7e5e42d706996631db
(git)
Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 8f3e4cd9be4b47246ea73ce5e3e0fa2f57f0d10c (git) Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 2670932f2465793fea1ef073e40883e8390fa4d9 (git) Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 6db19822512396be1a3e1e20c16c97270285ba1a (git) Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < d4854eff25efb06d0d84c13e7129bbdba4125f8c (git) Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < a4bb5d1bc2f238461bcbe5303eb500466690bb2c (git) Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 55520f65fd447e04099a2c44185453c18ea73b7e (git) Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 87b318ba81dda2ee7b603f4f6c55e78ec3e95974 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_buf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ffea48c69cb2b96a281cb7e5e42d706996631db",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "8f3e4cd9be4b47246ea73ce5e3e0fa2f57f0d10c",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "2670932f2465793fea1ef073e40883e8390fa4d9",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "6db19822512396be1a3e1e20c16c97270285ba1a",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "d4854eff25efb06d0d84c13e7129bbdba4125f8c",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "a4bb5d1bc2f238461bcbe5303eb500466690bb2c",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "55520f65fd447e04099a2c44185453c18ea73b7e",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "87b318ba81dda2ee7b603f4f6c55e78ec3e95974",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_buf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: fix divide-by-zero in comedi_buf_munge()\n\nThe comedi_buf_munge() function performs a modulo operation\n`async-\u003emunge_chan %= async-\u003ecmd.chanlist_len` without first\nchecking if chanlist_len is zero. If a user program submits a command with\nchanlist_len set to zero, this causes a divide-by-zero error when the device\nprocesses data in the interrupt handler path.\n\nAdd a check for zero chanlist_len at the beginning of the\nfunction, similar to the existing checks for !map and\nCMDF_RAWDATA flag. When chanlist_len is zero, update\nmunge_count and return early, indicating the data was\nhandled without munging.\n\nThis prevents potential kernel panics from malformed user commands."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:02.355Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ffea48c69cb2b96a281cb7e5e42d706996631db"
},
{
"url": "https://git.kernel.org/stable/c/8f3e4cd9be4b47246ea73ce5e3e0fa2f57f0d10c"
},
{
"url": "https://git.kernel.org/stable/c/2670932f2465793fea1ef073e40883e8390fa4d9"
},
{
"url": "https://git.kernel.org/stable/c/6db19822512396be1a3e1e20c16c97270285ba1a"
},
{
"url": "https://git.kernel.org/stable/c/d4854eff25efb06d0d84c13e7129bbdba4125f8c"
},
{
"url": "https://git.kernel.org/stable/c/a4bb5d1bc2f238461bcbe5303eb500466690bb2c"
},
{
"url": "https://git.kernel.org/stable/c/55520f65fd447e04099a2c44185453c18ea73b7e"
},
{
"url": "https://git.kernel.org/stable/c/87b318ba81dda2ee7b603f4f6c55e78ec3e95974"
}
],
"title": "comedi: fix divide-by-zero in comedi_buf_munge()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40106",
"datePublished": "2025-10-31T09:41:46.740Z",
"dateReserved": "2025-04-16T07:20:57.166Z",
"dateUpdated": "2026-01-02T15:33:02.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22990 (GCVE-0-2026-22990)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
If the osdmap is (maliciously) corrupted such that the incremental
osdmap epoch is different from what is expected, there is no need to
BUG. Instead, just declare the incremental osdmap to be invalid.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 9aa0b0c14cefece078286d78b97d4c09685e372d
(git)
Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 4b106fbb1c7b841cd402abd83eb2447164c799ea (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 6afd2a4213524bc742b709599a3663aeaf77193c (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < d3613770e2677683e65d062da5e31f48c409abe9 (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 6c6cec3db3b418c4fdf815731bc39e46dff75e1b (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 6348d70af847b79805374fe628d3809a63fd7df3 (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < e00c3f71b5cf75681dbd74ee3f982a99cb690c2b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9aa0b0c14cefece078286d78b97d4c09685e372d",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "4b106fbb1c7b841cd402abd83eb2447164c799ea",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "6afd2a4213524bc742b709599a3663aeaf77193c",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "d3613770e2677683e65d062da5e31f48c409abe9",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "6c6cec3db3b418c4fdf815731bc39e46dff75e1b",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "6348d70af847b79805374fe628d3809a63fd7df3",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "e00c3f71b5cf75681dbd74ee3f982a99cb690c2b",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: replace overzealous BUG_ON in osdmap_apply_incremental()\n\nIf the osdmap is (maliciously) corrupted such that the incremental\nosdmap epoch is different from what is expected, there is no need to\nBUG. Instead, just declare the incremental osdmap to be invalid."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:41.367Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9aa0b0c14cefece078286d78b97d4c09685e372d"
},
{
"url": "https://git.kernel.org/stable/c/4b106fbb1c7b841cd402abd83eb2447164c799ea"
},
{
"url": "https://git.kernel.org/stable/c/6afd2a4213524bc742b709599a3663aeaf77193c"
},
{
"url": "https://git.kernel.org/stable/c/d3613770e2677683e65d062da5e31f48c409abe9"
},
{
"url": "https://git.kernel.org/stable/c/6c6cec3db3b418c4fdf815731bc39e46dff75e1b"
},
{
"url": "https://git.kernel.org/stable/c/6348d70af847b79805374fe628d3809a63fd7df3"
},
{
"url": "https://git.kernel.org/stable/c/e00c3f71b5cf75681dbd74ee3f982a99cb690c2b"
}
],
"title": "libceph: replace overzealous BUG_ON in osdmap_apply_incremental()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22990",
"datePublished": "2026-01-23T15:24:11.332Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-02-09T08:36:41.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40141 (GCVE-0-2025-40141)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
Bluetooth: ISO: Fix possible UAF on iso_conn_free
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: ISO: Fix possible UAF on iso_conn_free
This attempt to fix similar issue to sco_conn_free where if the
conn->sk is not set to NULL may lead to UAF on iso_conn_free.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ccf74f2390d60a2f9a75ef496d2564abb478f46a , < eba6d787ec117a5d2c60f9644e0a39c18542b6be
(git)
Affected: ccf74f2390d60a2f9a75ef496d2564abb478f46a , < 5319145a07d8bf5b0782b25cb3115825689d42bb (git) Affected: ccf74f2390d60a2f9a75ef496d2564abb478f46a , < 80689777919f02328eb873769de4647c9dd3e371 (git) Affected: ccf74f2390d60a2f9a75ef496d2564abb478f46a , < c92ad1a155ccfa38b87bd1d998287e1c0a24248d (git) Affected: ccf74f2390d60a2f9a75ef496d2564abb478f46a , < 9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/iso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eba6d787ec117a5d2c60f9644e0a39c18542b6be",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
},
{
"lessThan": "5319145a07d8bf5b0782b25cb3115825689d42bb",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
},
{
"lessThan": "80689777919f02328eb873769de4647c9dd3e371",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
},
{
"lessThan": "c92ad1a155ccfa38b87bd1d998287e1c0a24248d",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
},
{
"lessThan": "9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/iso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: Fix possible UAF on iso_conn_free\n\nThis attempt to fix similar issue to sco_conn_free where if the\nconn-\u003esk is not set to NULL may lead to UAF on iso_conn_free."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:49.584Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eba6d787ec117a5d2c60f9644e0a39c18542b6be"
},
{
"url": "https://git.kernel.org/stable/c/5319145a07d8bf5b0782b25cb3115825689d42bb"
},
{
"url": "https://git.kernel.org/stable/c/80689777919f02328eb873769de4647c9dd3e371"
},
{
"url": "https://git.kernel.org/stable/c/c92ad1a155ccfa38b87bd1d998287e1c0a24248d"
},
{
"url": "https://git.kernel.org/stable/c/9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8"
}
],
"title": "Bluetooth: ISO: Fix possible UAF on iso_conn_free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40141",
"datePublished": "2025-11-12T10:23:24.856Z",
"dateReserved": "2025-04-16T07:20:57.171Z",
"dateUpdated": "2025-12-01T06:18:49.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38129 (GCVE-0-2025-38129)
Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
page_pool: Fix use-after-free in page_pool_recycle_in_ring
Summary
In the Linux kernel, the following vulnerability has been resolved:
page_pool: Fix use-after-free in page_pool_recycle_in_ring
syzbot reported a uaf in page_pool_recycle_in_ring:
BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943
CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]
_raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210
spin_unlock_bh include/linux/spinlock.h:396 [inline]
ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]
page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]
page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826
page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]
page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]
napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036
skb_pp_recycle net/core/skbuff.c:1047 [inline]
skb_free_head net/core/skbuff.c:1094 [inline]
skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125
skb_release_all net/core/skbuff.c:1190 [inline]
__kfree_skb net/core/skbuff.c:1204 [inline]
sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242
kfree_skb_reason include/linux/skbuff.h:1263 [inline]
__skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]
root cause is:
page_pool_recycle_in_ring
ptr_ring_produce
spin_lock(&r->producer_lock);
WRITE_ONCE(r->queue[r->producer++], ptr)
//recycle last page to pool
page_pool_release
page_pool_scrub
page_pool_empty_ring
ptr_ring_consume
page_pool_return_page //release all page
__page_pool_destroy
free_percpu(pool->recycle_stats);
free(pool) //free
spin_unlock(&r->producer_lock); //pool->ring uaf read
recycle_stat_inc(pool, ring);
page_pool can be free while page pool recycle the last page in ring.
Add producer-lock barrier to page_pool_release to prevent the page
pool from being free before all pages have been recycled.
recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not
enabled, which will trigger Wempty-body build warning. Add definition
for pool stat macro to fix warning.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8
(git)
Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < 1a8c0b61d4cb55c5440583ec9e7f86a730369e32 (git) Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < 4914c0a166540e534a0c1d43affd329d95fb56fd (git) Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < e869a85acc2e60dc554579b910826a4919d8cd98 (git) Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < 4ab8c0f8905c9c4d05e7f437e65a9a365573ff02 (git) Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < 271683bb2cf32e5126c592b5d5e6a756fa374fd9 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/page_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "1a8c0b61d4cb55c5440583ec9e7f86a730369e32",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "4914c0a166540e534a0c1d43affd329d95fb56fd",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "e869a85acc2e60dc554579b910826a4919d8cd98",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "4ab8c0f8905c9c4d05e7f437e65a9a365573ff02",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "271683bb2cf32e5126c592b5d5e6a756fa374fd9",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/page_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: Fix use-after-free in page_pool_recycle_in_ring\n\nsyzbot reported a uaf in page_pool_recycle_in_ring:\n\nBUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\nRead of size 8 at addr ffff8880286045a0 by task syz.0.284/6943\n\nCPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]\n _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]\n page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]\n page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826\n page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]\n page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]\n napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036\n skb_pp_recycle net/core/skbuff.c:1047 [inline]\n skb_free_head net/core/skbuff.c:1094 [inline]\n skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125\n skb_release_all net/core/skbuff.c:1190 [inline]\n __kfree_skb net/core/skbuff.c:1204 [inline]\n sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242\n kfree_skb_reason include/linux/skbuff.h:1263 [inline]\n __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]\n\nroot cause is:\n\npage_pool_recycle_in_ring\n ptr_ring_produce\n spin_lock(\u0026r-\u003eproducer_lock);\n WRITE_ONCE(r-\u003equeue[r-\u003eproducer++], ptr)\n //recycle last page to pool\n\t\t\t\tpage_pool_release\n\t\t\t\t page_pool_scrub\n\t\t\t\t page_pool_empty_ring\n\t\t\t\t ptr_ring_consume\n\t\t\t\t page_pool_return_page //release all page\n\t\t\t\t __page_pool_destroy\n\t\t\t\t free_percpu(pool-\u003erecycle_stats);\n\t\t\t\t free(pool) //free\n\n spin_unlock(\u0026r-\u003eproducer_lock); //pool-\u003ering uaf read\n recycle_stat_inc(pool, ring);\n\npage_pool can be free while page pool recycle the last page in ring.\nAdd producer-lock barrier to page_pool_release to prevent the page\npool from being free before all pages have been recycled.\n\nrecycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not\nenabled, which will trigger Wempty-body build warning. Add definition\nfor pool stat macro to fix warning."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:00.706Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8"
},
{
"url": "https://git.kernel.org/stable/c/1a8c0b61d4cb55c5440583ec9e7f86a730369e32"
},
{
"url": "https://git.kernel.org/stable/c/4914c0a166540e534a0c1d43affd329d95fb56fd"
},
{
"url": "https://git.kernel.org/stable/c/e869a85acc2e60dc554579b910826a4919d8cd98"
},
{
"url": "https://git.kernel.org/stable/c/4ab8c0f8905c9c4d05e7f437e65a9a365573ff02"
},
{
"url": "https://git.kernel.org/stable/c/271683bb2cf32e5126c592b5d5e6a756fa374fd9"
}
],
"title": "page_pool: Fix use-after-free in page_pool_recycle_in_ring",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38129",
"datePublished": "2025-07-03T08:35:33.728Z",
"dateReserved": "2025-04-16T04:51:23.987Z",
"dateUpdated": "2026-01-19T12:18:00.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68312 (GCVE-0-2025-68312)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2025-12-16 15:39
VLAI?
EPSS
Title
usbnet: Prevents free active kevent
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Prevents free active kevent
The root cause of this issue are:
1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
put the kevent work in global workqueue. However, the kevent has not yet
been scheduled when the usbnet device is unregistered. Therefore, executing
free_netdev() results in the "free active object (kevent)" error reported
here.
2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
However, because the device is not up, ndo_stop() is not executed.
The solution to this problem is to cancel the kevent before executing
free_netdev().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8b4588b8b00b299be16a35be67b331d8fdba03f3 , < 285d4b953f2ca03c358f986718dd89ee9bde632e
(git)
Affected: 135199a2edd459d2b123144efcd7f9bcd95128e4 , < 88a38b135d69f5db9024ff6527232f1b51be8915 (git) Affected: 635fd8953e4309b54ca6a81bed1d4a87668694f4 , < 43005002b60ef3424719ecda16d124714b45da3b (git) Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 3a10619fdefd3051aeb14860e4d4335529b4e94d (git) Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 9a579d6a39513069d298eee70770bbac8a148565 (git) Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 2ce1de32e05445d77fc056f6ff8339cfb78a5f84 (git) Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 5158fb8da162e3982940f30cd01ed77bdf42c6fc (git) Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 420c84c330d1688b8c764479e5738bbdbf0a33de (git) Affected: d2d6b530d89b0a912148018027386aa049f0a309 (git) Affected: e2a521a7dcc463c5017b4426ca0804e151faeff7 (git) Affected: 7f77dcbc030c2faa6d8e8a594985eeb34018409e (git) Affected: d49bb8cf9bfaa06aa527eb30f1a52a071da2e32f (git) Affected: db3b738ae5f726204876f4303c49cfdf4311403f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "285d4b953f2ca03c358f986718dd89ee9bde632e",
"status": "affected",
"version": "8b4588b8b00b299be16a35be67b331d8fdba03f3",
"versionType": "git"
},
{
"lessThan": "88a38b135d69f5db9024ff6527232f1b51be8915",
"status": "affected",
"version": "135199a2edd459d2b123144efcd7f9bcd95128e4",
"versionType": "git"
},
{
"lessThan": "43005002b60ef3424719ecda16d124714b45da3b",
"status": "affected",
"version": "635fd8953e4309b54ca6a81bed1d4a87668694f4",
"versionType": "git"
},
{
"lessThan": "3a10619fdefd3051aeb14860e4d4335529b4e94d",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "9a579d6a39513069d298eee70770bbac8a148565",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "2ce1de32e05445d77fc056f6ff8339cfb78a5f84",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "5158fb8da162e3982940f30cd01ed77bdf42c6fc",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "420c84c330d1688b8c764479e5738bbdbf0a33de",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"status": "affected",
"version": "d2d6b530d89b0a912148018027386aa049f0a309",
"versionType": "git"
},
{
"status": "affected",
"version": "e2a521a7dcc463c5017b4426ca0804e151faeff7",
"versionType": "git"
},
{
"status": "affected",
"version": "7f77dcbc030c2faa6d8e8a594985eeb34018409e",
"versionType": "git"
},
{
"status": "affected",
"version": "d49bb8cf9bfaa06aa527eb30f1a52a071da2e32f",
"versionType": "git"
},
{
"status": "affected",
"version": "db3b738ae5f726204876f4303c49cfdf4311403f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.211",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.256",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Prevents free active kevent\n\nThe root cause of this issue are:\n1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);\nput the kevent work in global workqueue. However, the kevent has not yet\nbeen scheduled when the usbnet device is unregistered. Therefore, executing\nfree_netdev() results in the \"free active object (kevent)\" error reported\nhere.\n\n2. Another factor is that when calling usbnet_disconnect()-\u003eunregister_netdev(),\nif the usbnet device is up, ndo_stop() is executed to cancel the kevent.\nHowever, because the device is not up, ndo_stop() is not executed.\n\nThe solution to this problem is to cancel the kevent before executing\nfree_netdev()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:43.174Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/285d4b953f2ca03c358f986718dd89ee9bde632e"
},
{
"url": "https://git.kernel.org/stable/c/88a38b135d69f5db9024ff6527232f1b51be8915"
},
{
"url": "https://git.kernel.org/stable/c/43005002b60ef3424719ecda16d124714b45da3b"
},
{
"url": "https://git.kernel.org/stable/c/3a10619fdefd3051aeb14860e4d4335529b4e94d"
},
{
"url": "https://git.kernel.org/stable/c/9a579d6a39513069d298eee70770bbac8a148565"
},
{
"url": "https://git.kernel.org/stable/c/2ce1de32e05445d77fc056f6ff8339cfb78a5f84"
},
{
"url": "https://git.kernel.org/stable/c/5158fb8da162e3982940f30cd01ed77bdf42c6fc"
},
{
"url": "https://git.kernel.org/stable/c/420c84c330d1688b8c764479e5738bbdbf0a33de"
}
],
"title": "usbnet: Prevents free active kevent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68312",
"datePublished": "2025-12-16T15:39:43.174Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:39:43.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71108 (GCVE-0-2025-71108)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
usb: typec: ucsi: Handle incorrect num_connectors capability
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ucsi: Handle incorrect num_connectors capability
The UCSI spec states that the num_connectors field is 7 bits, and the
8th bit is reserved and should be set to zero.
Some buggy FW has been known to set this bit, and it can lead to a
system not booting.
Flag that the FW is not behaving correctly, and auto-fix the value
so that the system boots correctly.
Found on Lenovo P1 G8 during Linux enablement program. The FW will
be fixed, but seemed worth addressing in case it hit platforms that
aren't officially Linux supported.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f , < 07c8d2a109d847775b3b4e2c3294c8e1eea75432
(git)
Affected: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f , < 58941bbb0050e365a98c64f1fc4a9a0ac127dba6 (git) Affected: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f , < f72f97d0aee4a993a35f2496bca5efd24827235d (git) Affected: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f , < 914605b0de8128434eafc9582445306830748b93 (git) Affected: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f , < 3042a57a8e8bce4a3100c3f6f03dc372aab24943 (git) Affected: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f , < 132fe187e0d940f388f839fe2cde9b84106ad20d (git) Affected: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f , < 30cd2cb1abf4c4acdb1ddb468c946f68939819fb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07c8d2a109d847775b3b4e2c3294c8e1eea75432",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "58941bbb0050e365a98c64f1fc4a9a0ac127dba6",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "f72f97d0aee4a993a35f2496bca5efd24827235d",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "914605b0de8128434eafc9582445306830748b93",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "3042a57a8e8bce4a3100c3f6f03dc372aab24943",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "132fe187e0d940f388f839fe2cde9b84106ad20d",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "30cd2cb1abf4c4acdb1ddb468c946f68939819fb",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Handle incorrect num_connectors capability\n\nThe UCSI spec states that the num_connectors field is 7 bits, and the\n8th bit is reserved and should be set to zero.\nSome buggy FW has been known to set this bit, and it can lead to a\nsystem not booting.\nFlag that the FW is not behaving correctly, and auto-fix the value\nso that the system boots correctly.\n\nFound on Lenovo P1 G8 during Linux enablement program. The FW will\nbe fixed, but seemed worth addressing in case it hit platforms that\naren\u0027t officially Linux supported."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:02.075Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07c8d2a109d847775b3b4e2c3294c8e1eea75432"
},
{
"url": "https://git.kernel.org/stable/c/58941bbb0050e365a98c64f1fc4a9a0ac127dba6"
},
{
"url": "https://git.kernel.org/stable/c/f72f97d0aee4a993a35f2496bca5efd24827235d"
},
{
"url": "https://git.kernel.org/stable/c/914605b0de8128434eafc9582445306830748b93"
},
{
"url": "https://git.kernel.org/stable/c/3042a57a8e8bce4a3100c3f6f03dc372aab24943"
},
{
"url": "https://git.kernel.org/stable/c/132fe187e0d940f388f839fe2cde9b84106ad20d"
},
{
"url": "https://git.kernel.org/stable/c/30cd2cb1abf4c4acdb1ddb468c946f68939819fb"
}
],
"title": "usb: typec: ucsi: Handle incorrect num_connectors capability",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71108",
"datePublished": "2026-01-14T15:05:56.553Z",
"dateReserved": "2026-01-13T15:30:19.652Z",
"dateUpdated": "2026-02-09T08:35:02.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40096 (GCVE-0-2025-40096)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies
When adding dependencies with drm_sched_job_add_dependency(), that
function consumes the fence reference both on success and failure, so in
the latter case the dma_fence_put() on the error path (xarray failed to
expand) is a double free.
Interestingly this bug appears to have been present ever since
commit ebd5f74255b9 ("drm/sched: Add dependency tracking"), since the code
back then looked like this:
drm_sched_job_add_implicit_dependencies():
...
for (i = 0; i < fence_count; i++) {
ret = drm_sched_job_add_dependency(job, fences[i]);
if (ret)
break;
}
for (; i < fence_count; i++)
dma_fence_put(fences[i]);
Which means for the failing 'i' the dma_fence_put was already a double
free. Possibly there were no users at that time, or the test cases were
insufficient to hit it.
The bug was then only noticed and fixed after
commit 9c2ba265352a ("drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2")
landed, with its fixup of
commit 4eaf02d6076c ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies").
At that point it was a slightly different flavour of a double free, which
commit 963d0b356935 ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder")
noticed and attempted to fix.
But it only moved the double free from happening inside the
drm_sched_job_add_dependency(), when releasing the reference not yet
obtained, to the caller, when releasing the reference already released by
the former in the failure case.
As such it is not easy to identify the right target for the fixes tag so
lets keep it simple and just continue the chain.
While fixing we also improve the comment and explain the reason for taking
the reference and not dropping it.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
963d0b3569354230f6e2c36a286ef270a8901878 , < 4c38a63ae12ecc9370a7678077bde2d61aa80e9c
(git)
Affected: 963d0b3569354230f6e2c36a286ef270a8901878 , < 57239762aa90ad768dac055021f27705dae73344 (git) Affected: 963d0b3569354230f6e2c36a286ef270a8901878 , < e5e3eb2aff92994ee81ce633f1c4e73bd4b87e11 (git) Affected: 963d0b3569354230f6e2c36a286ef270a8901878 , < fdfb47e85af1e11ec822c82739dde2dd8dff5115 (git) Affected: 963d0b3569354230f6e2c36a286ef270a8901878 , < 5801e65206b065b0b2af032f7f1eef222aa2fd83 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/scheduler/sched_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4c38a63ae12ecc9370a7678077bde2d61aa80e9c",
"status": "affected",
"version": "963d0b3569354230f6e2c36a286ef270a8901878",
"versionType": "git"
},
{
"lessThan": "57239762aa90ad768dac055021f27705dae73344",
"status": "affected",
"version": "963d0b3569354230f6e2c36a286ef270a8901878",
"versionType": "git"
},
{
"lessThan": "e5e3eb2aff92994ee81ce633f1c4e73bd4b87e11",
"status": "affected",
"version": "963d0b3569354230f6e2c36a286ef270a8901878",
"versionType": "git"
},
{
"lessThan": "fdfb47e85af1e11ec822c82739dde2dd8dff5115",
"status": "affected",
"version": "963d0b3569354230f6e2c36a286ef270a8901878",
"versionType": "git"
},
{
"lessThan": "5801e65206b065b0b2af032f7f1eef222aa2fd83",
"status": "affected",
"version": "963d0b3569354230f6e2c36a286ef270a8901878",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/scheduler/sched_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies\n\nWhen adding dependencies with drm_sched_job_add_dependency(), that\nfunction consumes the fence reference both on success and failure, so in\nthe latter case the dma_fence_put() on the error path (xarray failed to\nexpand) is a double free.\n\nInterestingly this bug appears to have been present ever since\ncommit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code\nback then looked like this:\n\ndrm_sched_job_add_implicit_dependencies():\n...\n for (i = 0; i \u003c fence_count; i++) {\n ret = drm_sched_job_add_dependency(job, fences[i]);\n if (ret)\n break;\n }\n\n for (; i \u003c fence_count; i++)\n dma_fence_put(fences[i]);\n\nWhich means for the failing \u0027i\u0027 the dma_fence_put was already a double\nfree. Possibly there were no users at that time, or the test cases were\ninsufficient to hit it.\n\nThe bug was then only noticed and fixed after\ncommit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\")\nlanded, with its fixup of\ncommit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").\n\nAt that point it was a slightly different flavour of a double free, which\ncommit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\")\nnoticed and attempted to fix.\n\nBut it only moved the double free from happening inside the\ndrm_sched_job_add_dependency(), when releasing the reference not yet\nobtained, to the caller, when releasing the reference already released by\nthe former in the failure case.\n\nAs such it is not easy to identify the right target for the fixes tag so\nlets keep it simple and just continue the chain.\n\nWhile fixing we also improve the comment and explain the reason for taking\nthe reference and not dropping it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:56.391Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4c38a63ae12ecc9370a7678077bde2d61aa80e9c"
},
{
"url": "https://git.kernel.org/stable/c/57239762aa90ad768dac055021f27705dae73344"
},
{
"url": "https://git.kernel.org/stable/c/e5e3eb2aff92994ee81ce633f1c4e73bd4b87e11"
},
{
"url": "https://git.kernel.org/stable/c/fdfb47e85af1e11ec822c82739dde2dd8dff5115"
},
{
"url": "https://git.kernel.org/stable/c/5801e65206b065b0b2af032f7f1eef222aa2fd83"
}
],
"title": "drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40096",
"datePublished": "2025-10-30T09:48:03.954Z",
"dateReserved": "2025-04-16T07:20:57.163Z",
"dateUpdated": "2025-12-01T06:17:56.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71078 (GCVE-0-2025-71078)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
powerpc/64s/slb: Fix SLB multihit issue during SLB preload
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/64s/slb: Fix SLB multihit issue during SLB preload
On systems using the hash MMU, there is a software SLB preload cache that
mirrors the entries loaded into the hardware SLB buffer. This preload
cache is subject to periodic eviction — typically after every 256 context
switches — to remove old entry.
To optimize performance, the kernel skips switch_mmu_context() in
switch_mm_irqs_off() when the prev and next mm_struct are the same.
However, on hash MMU systems, this can lead to inconsistencies between
the hardware SLB and the software preload cache.
If an SLB entry for a process is evicted from the software cache on one
CPU, and the same process later runs on another CPU without executing
switch_mmu_context(), the hardware SLB may retain stale entries. If the
kernel then attempts to reload that entry, it can trigger an SLB
multi-hit error.
The following timeline shows how stale SLB entries are created and can
cause a multi-hit error when a process moves between CPUs without a
MMU context switch.
CPU 0 CPU 1
----- -----
Process P
exec swapper/1
load_elf_binary
begin_new_exc
activate_mm
switch_mm_irqs_off
switch_mmu_context
switch_slb
/*
* This invalidates all
* the entries in the HW
* and setup the new HW
* SLB entries as per the
* preload cache.
*/
context_switch
sched_migrate_task migrates process P to cpu-1
Process swapper/0 context switch (to process P)
(uses mm_struct of Process P) switch_mm_irqs_off()
switch_slb
load_slb++
/*
* load_slb becomes 0 here
* and we evict an entry from
* the preload cache with
* preload_age(). We still
* keep HW SLB and preload
* cache in sync, that is
* because all HW SLB entries
* anyways gets evicted in
* switch_slb during SLBIA.
* We then only add those
* entries back in HW SLB,
* which are currently
* present in preload_cache
* (after eviction).
*/
load_elf_binary continues...
setup_new_exec()
slb_setup_new_exec()
sched_switch event
sched_migrate_task migrates
process P to cpu-0
context_switch from swapper/0 to Process P
switch_mm_irqs_off()
/*
* Since both prev and next mm struct are same we don't call
* switch_mmu_context(). This will cause the HW SLB and SW preload
* cache to go out of sync in preload_new_slb_context. Because there
* was an SLB entry which was evicted from both HW and preload cache
* on cpu-1. Now later in preload_new_slb_context(), when we will try
* to add the same preload entry again, we will add this to the SW
* preload cache and then will add it to the HW SLB. Since on cpu-0
* this entry was never invalidated, hence adding this entry to the HW
* SLB will cause a SLB multi-hit error.
*/
load_elf_binary cont
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5434ae74629af58ad0fc27143a9ea435f7734410 , < 01324c0328181b94cf390bda22ff91c75126ea57
(git)
Affected: 5434ae74629af58ad0fc27143a9ea435f7734410 , < 2e9a95d60f1df7b57618fd5ef057aef331575bd2 (git) Affected: 5434ae74629af58ad0fc27143a9ea435f7734410 , < c9f865022a1823d814032a09906e91e4701a35fc (git) Affected: 5434ae74629af58ad0fc27143a9ea435f7734410 , < b13a3dbfa196af68eae2031f209743735ad416bf (git) Affected: 5434ae74629af58ad0fc27143a9ea435f7734410 , < 895123c309a34d2cfccf7812b41e17261a3a6f37 (git) Affected: 5434ae74629af58ad0fc27143a9ea435f7734410 , < 4ae1e46d8a290319f33f71a2710a1382ba5431e8 (git) Affected: 5434ae74629af58ad0fc27143a9ea435f7734410 , < 00312419f0863964625d6dcda8183f96849412c6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/include/asm/book3s/64/mmu-hash.h",
"arch/powerpc/kernel/process.c",
"arch/powerpc/mm/book3s64/internal.h",
"arch/powerpc/mm/book3s64/mmu_context.c",
"arch/powerpc/mm/book3s64/slb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "01324c0328181b94cf390bda22ff91c75126ea57",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "2e9a95d60f1df7b57618fd5ef057aef331575bd2",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "c9f865022a1823d814032a09906e91e4701a35fc",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "b13a3dbfa196af68eae2031f209743735ad416bf",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "895123c309a34d2cfccf7812b41e17261a3a6f37",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "4ae1e46d8a290319f33f71a2710a1382ba5431e8",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "00312419f0863964625d6dcda8183f96849412c6",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/include/asm/book3s/64/mmu-hash.h",
"arch/powerpc/kernel/process.c",
"arch/powerpc/mm/book3s64/internal.h",
"arch/powerpc/mm/book3s64/mmu_context.c",
"arch/powerpc/mm/book3s64/slb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s/slb: Fix SLB multihit issue during SLB preload\n\nOn systems using the hash MMU, there is a software SLB preload cache that\nmirrors the entries loaded into the hardware SLB buffer. This preload\ncache is subject to periodic eviction \u2014 typically after every 256 context\nswitches \u2014 to remove old entry.\n\nTo optimize performance, the kernel skips switch_mmu_context() in\nswitch_mm_irqs_off() when the prev and next mm_struct are the same.\nHowever, on hash MMU systems, this can lead to inconsistencies between\nthe hardware SLB and the software preload cache.\n\nIf an SLB entry for a process is evicted from the software cache on one\nCPU, and the same process later runs on another CPU without executing\nswitch_mmu_context(), the hardware SLB may retain stale entries. If the\nkernel then attempts to reload that entry, it can trigger an SLB\nmulti-hit error.\n\nThe following timeline shows how stale SLB entries are created and can\ncause a multi-hit error when a process moves between CPUs without a\nMMU context switch.\n\nCPU 0 CPU 1\n----- -----\nProcess P\nexec swapper/1\n load_elf_binary\n begin_new_exc\n activate_mm\n switch_mm_irqs_off\n switch_mmu_context\n switch_slb\n /*\n * This invalidates all\n * the entries in the HW\n * and setup the new HW\n * SLB entries as per the\n * preload cache.\n */\ncontext_switch\nsched_migrate_task migrates process P to cpu-1\n\nProcess swapper/0 context switch (to process P)\n(uses mm_struct of Process P) switch_mm_irqs_off()\n switch_slb\n load_slb++\n /*\n * load_slb becomes 0 here\n * and we evict an entry from\n * the preload cache with\n * preload_age(). We still\n * keep HW SLB and preload\n * cache in sync, that is\n * because all HW SLB entries\n * anyways gets evicted in\n * switch_slb during SLBIA.\n * We then only add those\n * entries back in HW SLB,\n * which are currently\n * present in preload_cache\n * (after eviction).\n */\n load_elf_binary continues...\n setup_new_exec()\n slb_setup_new_exec()\n\n sched_switch event\n sched_migrate_task migrates\n process P to cpu-0\n\ncontext_switch from swapper/0 to Process P\n switch_mm_irqs_off()\n /*\n * Since both prev and next mm struct are same we don\u0027t call\n * switch_mmu_context(). This will cause the HW SLB and SW preload\n * cache to go out of sync in preload_new_slb_context. Because there\n * was an SLB entry which was evicted from both HW and preload cache\n * on cpu-1. Now later in preload_new_slb_context(), when we will try\n * to add the same preload entry again, we will add this to the SW\n * preload cache and then will add it to the HW SLB. Since on cpu-0\n * this entry was never invalidated, hence adding this entry to the HW\n * SLB will cause a SLB multi-hit error.\n */\nload_elf_binary cont\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:29.368Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/01324c0328181b94cf390bda22ff91c75126ea57"
},
{
"url": "https://git.kernel.org/stable/c/2e9a95d60f1df7b57618fd5ef057aef331575bd2"
},
{
"url": "https://git.kernel.org/stable/c/c9f865022a1823d814032a09906e91e4701a35fc"
},
{
"url": "https://git.kernel.org/stable/c/b13a3dbfa196af68eae2031f209743735ad416bf"
},
{
"url": "https://git.kernel.org/stable/c/895123c309a34d2cfccf7812b41e17261a3a6f37"
},
{
"url": "https://git.kernel.org/stable/c/4ae1e46d8a290319f33f71a2710a1382ba5431e8"
},
{
"url": "https://git.kernel.org/stable/c/00312419f0863964625d6dcda8183f96849412c6"
}
],
"title": "powerpc/64s/slb: Fix SLB multihit issue during SLB preload",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71078",
"datePublished": "2026-01-13T15:34:43.437Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-02-09T08:34:29.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40016 (GCVE-0-2025-40016)
Vulnerability from cvelistv5 – Published: 2025-10-20 15:29 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID
Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero
unique ID.
```
Each Unit and Terminal within the video function is assigned a unique
identification number, the Unit ID (UID) or Terminal ID (TID), contained in
the bUnitID or bTerminalID field of the descriptor. The value 0x00 is
reserved for undefined ID,
```
If we add a new entity with id 0 or a duplicated ID, it will be marked
as UVC_INVALID_ENTITY_ID.
In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require
entities to have a non-zero unique ID"), we ignored all the invalid units,
this broke a lot of non-compatible cameras. Hopefully we are more lucky
this time.
This also prevents some syzkaller reproducers from triggering warnings due
to a chain of entities referring to themselves. In one particular case, an
Output Unit is connected to an Input Unit, both with the same ID of 1. But
when looking up for the source ID of the Output Unit, that same entity is
found instead of the input entity, which leads to such warnings.
In another case, a backward chain was considered finished as the source ID
was 0. Later on, that entity was found, but its pads were not valid.
Here is a sample stack trace for one of those cases.
[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 20.830206] usb 1-1: Using ep0 maxpacket: 8
[ 20.833501] usb 1-1: config 0 descriptor??
[ 21.038518] usb 1-1: string descriptor 0 read error: -71
[ 21.038893] usb 1-1: Found UVC 0.00 device <unnamed> (2833:0201)
[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized!
[ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized!
[ 21.042218] ------------[ cut here ]------------
[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0
[ 21.043195] Modules linked in:
[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444
[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[ 21.044639] Workqueue: usb_hub_wq hub_event
[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0
[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00
[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246
[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1
[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290
[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000
[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003
[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000
[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0
[ 21.051136] PKRU: 55555554
[ 21.051331] Call Trace:
[ 21.051480] <TASK>
[ 21.051611] ? __warn+0xc4/0x210
[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0
[ 21.052252] ? report_bug+0x11b/0x1a0
[ 21.052540] ? trace_hardirqs_on+0x31/0x40
[ 21.052901] ? handle_bug+0x3d/0x70
[ 21.053197] ? exc_invalid_op+0x1a/0x50
[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20
[ 21.053924] ? media_create_pad_link+0x91/0x2e0
[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0
[ 21.054834] ? media_create_pad_link+0x91/0x2e0
[ 21.055131] ? _raw_spin_unlock+0x1e/0x40
[ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210
[ 21.055837] uvc_mc_register_entities+0x358/0x400
[ 21.056144] uvc_register_chains+0x1
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b , < f617d515d66c05e9aebc787a8fe48b7163fc7b70
(git)
Affected: a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b , < 000b2a6bed7f30e0aadfb19bce9af6458d879304 (git) Affected: a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b , < 15c0e136bd8cd70a1136a11c7876d6aae0eef8c8 (git) Affected: a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b , < 0f140cede24334b3ee55e3e1127071266cbb8287 (git) Affected: a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b , < 0e2ee70291e64a30fe36960c85294726d34a103e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_driver.c",
"drivers/media/usb/uvc/uvcvideo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f617d515d66c05e9aebc787a8fe48b7163fc7b70",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
},
{
"lessThan": "000b2a6bed7f30e0aadfb19bce9af6458d879304",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
},
{
"lessThan": "15c0e136bd8cd70a1136a11c7876d6aae0eef8c8",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
},
{
"lessThan": "0f140cede24334b3ee55e3e1127071266cbb8287",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
},
{
"lessThan": "0e2ee70291e64a30fe36960c85294726d34a103e",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_driver.c",
"drivers/media/usb/uvc/uvcvideo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.110",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID\n\nPer UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero\nunique ID.\n\n```\nEach Unit and Terminal within the video function is assigned a unique\nidentification number, the Unit ID (UID) or Terminal ID (TID), contained in\nthe bUnitID or bTerminalID field of the descriptor. The value 0x00 is\nreserved for undefined ID,\n```\n\nIf we add a new entity with id 0 or a duplicated ID, it will be marked\nas UVC_INVALID_ENTITY_ID.\n\nIn a previous attempt commit 3dd075fe8ebb (\"media: uvcvideo: Require\nentities to have a non-zero unique ID\"), we ignored all the invalid units,\nthis broke a lot of non-compatible cameras. Hopefully we are more lucky\nthis time.\n\nThis also prevents some syzkaller reproducers from triggering warnings due\nto a chain of entities referring to themselves. In one particular case, an\nOutput Unit is connected to an Input Unit, both with the same ID of 1. But\nwhen looking up for the source ID of the Output Unit, that same entity is\nfound instead of the input entity, which leads to such warnings.\n\nIn another case, a backward chain was considered finished as the source ID\nwas 0. Later on, that entity was found, but its pads were not valid.\n\nHere is a sample stack trace for one of those cases.\n\n[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd\n[ 20.830206] usb 1-1: Using ep0 maxpacket: 8\n[ 20.833501] usb 1-1: config 0 descriptor??\n[ 21.038518] usb 1-1: string descriptor 0 read error: -71\n[ 21.038893] usb 1-1: Found UVC 0.00 device \u003cunnamed\u003e (2833:0201)\n[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized!\n[ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized!\n[ 21.042218] ------------[ cut here ]------------\n[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0\n[ 21.043195] Modules linked in:\n[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444\n[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n[ 21.044639] Workqueue: usb_hub_wq hub_event\n[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0\n[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 \u003c0f\u003e 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00\n[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246\n[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1\n[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290\n[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000\n[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003\n[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000\n[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000\n[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0\n[ 21.051136] PKRU: 55555554\n[ 21.051331] Call Trace:\n[ 21.051480] \u003cTASK\u003e\n[ 21.051611] ? __warn+0xc4/0x210\n[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0\n[ 21.052252] ? report_bug+0x11b/0x1a0\n[ 21.052540] ? trace_hardirqs_on+0x31/0x40\n[ 21.052901] ? handle_bug+0x3d/0x70\n[ 21.053197] ? exc_invalid_op+0x1a/0x50\n[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20\n[ 21.053924] ? media_create_pad_link+0x91/0x2e0\n[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0\n[ 21.054834] ? media_create_pad_link+0x91/0x2e0\n[ 21.055131] ? _raw_spin_unlock+0x1e/0x40\n[ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210\n[ 21.055837] uvc_mc_register_entities+0x358/0x400\n[ 21.056144] uvc_register_chains+0x1\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:21.587Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f617d515d66c05e9aebc787a8fe48b7163fc7b70"
},
{
"url": "https://git.kernel.org/stable/c/000b2a6bed7f30e0aadfb19bce9af6458d879304"
},
{
"url": "https://git.kernel.org/stable/c/15c0e136bd8cd70a1136a11c7876d6aae0eef8c8"
},
{
"url": "https://git.kernel.org/stable/c/0f140cede24334b3ee55e3e1127071266cbb8287"
},
{
"url": "https://git.kernel.org/stable/c/0e2ee70291e64a30fe36960c85294726d34a103e"
}
],
"title": "media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40016",
"datePublished": "2025-10-20T15:29:10.376Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-12-01T06:16:21.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22991 (GCVE-0-2026-22991)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
libceph: make free_choose_arg_map() resilient to partial allocation
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: make free_choose_arg_map() resilient to partial allocation
free_choose_arg_map() may dereference a NULL pointer if its caller fails
after a partial allocation.
For example, in decode_choose_args(), if allocation of arg_map->args
fails, execution jumps to the fail label and free_choose_arg_map() is
called. Since arg_map->size is updated to a non-zero value before memory
allocation, free_choose_arg_map() will iterate over arg_map->args and
dereference a NULL pointer.
To prevent this potential NULL pointer dereference and make
free_choose_arg_map() more resilient, add checks for pointers before
iterating.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5cf9c4a9959b6273675310d14a834ef14fbca37c , < 9b3730dabcf3764bfe3ff07caf55e641a0b45234
(git)
Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < 851241d3f78a5505224dc21c03d8692f530256b4 (git) Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < ec1850f663da64842614c86b20fe734be070c2ba (git) Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < 8081faaf089db5280c3be820948469f7c58ef8dd (git) Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf (git) Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < f21c3fdb96833aac2f533506899fe38c19cf49d5 (git) Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < e3fe30e57649c551757a02e1cad073c47e1e075e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9b3730dabcf3764bfe3ff07caf55e641a0b45234",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "851241d3f78a5505224dc21c03d8692f530256b4",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "ec1850f663da64842614c86b20fe734be070c2ba",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "8081faaf089db5280c3be820948469f7c58ef8dd",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "f21c3fdb96833aac2f533506899fe38c19cf49d5",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "e3fe30e57649c551757a02e1cad073c47e1e075e",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make free_choose_arg_map() resilient to partial allocation\n\nfree_choose_arg_map() may dereference a NULL pointer if its caller fails\nafter a partial allocation.\n\nFor example, in decode_choose_args(), if allocation of arg_map-\u003eargs\nfails, execution jumps to the fail label and free_choose_arg_map() is\ncalled. Since arg_map-\u003esize is updated to a non-zero value before memory\nallocation, free_choose_arg_map() will iterate over arg_map-\u003eargs and\ndereference a NULL pointer.\n\nTo prevent this potential NULL pointer dereference and make\nfree_choose_arg_map() more resilient, add checks for pointers before\niterating."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:42.415Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9b3730dabcf3764bfe3ff07caf55e641a0b45234"
},
{
"url": "https://git.kernel.org/stable/c/851241d3f78a5505224dc21c03d8692f530256b4"
},
{
"url": "https://git.kernel.org/stable/c/ec1850f663da64842614c86b20fe734be070c2ba"
},
{
"url": "https://git.kernel.org/stable/c/8081faaf089db5280c3be820948469f7c58ef8dd"
},
{
"url": "https://git.kernel.org/stable/c/c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf"
},
{
"url": "https://git.kernel.org/stable/c/f21c3fdb96833aac2f533506899fe38c19cf49d5"
},
{
"url": "https://git.kernel.org/stable/c/e3fe30e57649c551757a02e1cad073c47e1e075e"
}
],
"title": "libceph: make free_choose_arg_map() resilient to partial allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22991",
"datePublished": "2026-01-23T15:24:12.191Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-02-09T08:36:42.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71091 (GCVE-0-2025-71091)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
team: fix check for port enabled in team_queue_override_port_prio_changed()
Summary
In the Linux kernel, the following vulnerability has been resolved:
team: fix check for port enabled in team_queue_override_port_prio_changed()
There has been a syzkaller bug reported recently with the following
trace:
list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:59!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59
Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286
RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000
RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005
RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230
R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480
FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:132 [inline]
__list_del_entry include/linux/list.h:223 [inline]
list_del_rcu include/linux/rculist.h:178 [inline]
__team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]
__team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]
team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]
team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534
team_option_set drivers/net/team/team_core.c:376 [inline]
team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653
genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0xa98/0xc70 net/socket.c:2630
___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
__sys_sendmsg+0x16d/0x220 net/socket.c:2716
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The problem is in this flow:
1) Port is enabled, queue_id != 0, in qom_list
2) Port gets disabled
-> team_port_disable()
-> team_queue_override_port_del()
-> del (removed from list)
3) Port is disabled, queue_id != 0, not in any list
4) Priority changes
-> team_queue_override_port_prio_changed()
-> checks: port disabled && queue_id != 0
-> calls del - hits the BUG as it is removed already
To fix this, change the check in team_queue_override_port_prio_changed()
so it returns early if port is not enabled.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6c31ff366c1116823e77019bae3e92e9d77a49f4 , < 25029e813c4aae5fcf7118e8dd5c56e382b9a1a3
(git)
Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < f820e438b8ec2a8354e70e75145f05fe45500d97 (git) Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < 53a727a8bfd78c739e130a781192d0f6f8e03d39 (git) Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < 6bfb62b6010a16112dcae52f490e5e0e6abe12a3 (git) Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < 107d245f84cb4f55f597d31eda34b42a2b7d6952 (git) Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < b71187648ef2349254673d0523fdf96d1fe3d758 (git) Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < 932ac51d9953eaf77a1252f79b656d4ca86163c6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25029e813c4aae5fcf7118e8dd5c56e382b9a1a3",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "f820e438b8ec2a8354e70e75145f05fe45500d97",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "53a727a8bfd78c739e130a781192d0f6f8e03d39",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "6bfb62b6010a16112dcae52f490e5e0e6abe12a3",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "107d245f84cb4f55f597d31eda34b42a2b7d6952",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "b71187648ef2349254673d0523fdf96d1fe3d758",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "932ac51d9953eaf77a1252f79b656d4ca86163c6",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: fix check for port enabled in team_queue_override_port_prio_changed()\n\nThere has been a syzkaller bug reported recently with the following\ntrace:\n\nlist_del corruption, ffff888058bea080-\u003eprev is LIST_POISON2 (dead000000000122)\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:59!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nCPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59\nCode: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 \u003c0f\u003e 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d49f370 EFLAGS: 00010286\nRAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000\nRDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005\nRBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230\nR13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480\nFS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n __list_del_entry_valid include/linux/list.h:132 [inline]\n __list_del_entry include/linux/list.h:223 [inline]\n list_del_rcu include/linux/rculist.h:178 [inline]\n __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]\n __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]\n team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]\n team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534\n team_option_set drivers/net/team/team_core.c:376 [inline]\n team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653\n genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684\n __sys_sendmsg+0x16d/0x220 net/socket.c:2716\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe problem is in this flow:\n1) Port is enabled, queue_id != 0, in qom_list\n2) Port gets disabled\n -\u003e team_port_disable()\n -\u003e team_queue_override_port_del()\n -\u003e del (removed from list)\n3) Port is disabled, queue_id != 0, not in any list\n4) Priority changes\n -\u003e team_queue_override_port_prio_changed()\n -\u003e checks: port disabled \u0026\u0026 queue_id != 0\n -\u003e calls del - hits the BUG as it is removed already\n\nTo fix this, change the check in team_queue_override_port_prio_changed()\nso it returns early if port is not enabled."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:43.414Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25029e813c4aae5fcf7118e8dd5c56e382b9a1a3"
},
{
"url": "https://git.kernel.org/stable/c/f820e438b8ec2a8354e70e75145f05fe45500d97"
},
{
"url": "https://git.kernel.org/stable/c/53a727a8bfd78c739e130a781192d0f6f8e03d39"
},
{
"url": "https://git.kernel.org/stable/c/6bfb62b6010a16112dcae52f490e5e0e6abe12a3"
},
{
"url": "https://git.kernel.org/stable/c/107d245f84cb4f55f597d31eda34b42a2b7d6952"
},
{
"url": "https://git.kernel.org/stable/c/b71187648ef2349254673d0523fdf96d1fe3d758"
},
{
"url": "https://git.kernel.org/stable/c/932ac51d9953eaf77a1252f79b656d4ca86163c6"
}
],
"title": "team: fix check for port enabled in team_queue_override_port_prio_changed()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71091",
"datePublished": "2026-01-13T15:34:52.431Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-02-09T08:34:43.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40020 (GCVE-0-2025-40020)
Vulnerability from cvelistv5 – Published: 2025-10-24 12:24 – Updated: 2025-10-24 12:24
VLAI?
EPSS
Title
can: peak_usb: fix shift-out-of-bounds issue
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: peak_usb: fix shift-out-of-bounds issue
Explicitly uses a 64-bit constant when the number of bits used for its
shifting is 32 (which is the case for PC CAN FD interfaces supported by
this driver).
[mkl: update subject, apply manually]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d , < 572c656802781cc57f4a3231eefa83547e75ed78
(git)
Affected: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d , < 61b1dd4c614935169d12bdecc26906e37b508618 (git) Affected: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d , < 48822a59ecc47d353400d38b1941d3ae7591ffff (git) Affected: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d , < 176c81cbf9c4e348610a421aad800087c0401f60 (git) Affected: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d , < 17edec1830e48c0becd61642d0e40bc753243b16 (git) Affected: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d , < eb79ed970670344380e77d62f8188e8015648d94 (git) Affected: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d , < 394c58017e5f41043584c345106cae16a4613710 (git) Affected: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d , < c443be70aaee42c2d1d251e0329e0a69dd96ae54 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/peak_usb/pcan_usb_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "572c656802781cc57f4a3231eefa83547e75ed78",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "61b1dd4c614935169d12bdecc26906e37b508618",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "48822a59ecc47d353400d38b1941d3ae7591ffff",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "176c81cbf9c4e348610a421aad800087c0401f60",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "17edec1830e48c0becd61642d0e40bc753243b16",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "eb79ed970670344380e77d62f8188e8015648d94",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "394c58017e5f41043584c345106cae16a4613710",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "c443be70aaee42c2d1d251e0329e0a69dd96ae54",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/peak_usb/pcan_usb_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: peak_usb: fix shift-out-of-bounds issue\n\nExplicitly uses a 64-bit constant when the number of bits used for its\nshifting is 32 (which is the case for PC CAN FD interfaces supported by\nthis driver).\n\n[mkl: update subject, apply manually]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T12:24:56.311Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/572c656802781cc57f4a3231eefa83547e75ed78"
},
{
"url": "https://git.kernel.org/stable/c/61b1dd4c614935169d12bdecc26906e37b508618"
},
{
"url": "https://git.kernel.org/stable/c/48822a59ecc47d353400d38b1941d3ae7591ffff"
},
{
"url": "https://git.kernel.org/stable/c/176c81cbf9c4e348610a421aad800087c0401f60"
},
{
"url": "https://git.kernel.org/stable/c/17edec1830e48c0becd61642d0e40bc753243b16"
},
{
"url": "https://git.kernel.org/stable/c/eb79ed970670344380e77d62f8188e8015648d94"
},
{
"url": "https://git.kernel.org/stable/c/394c58017e5f41043584c345106cae16a4613710"
},
{
"url": "https://git.kernel.org/stable/c/c443be70aaee42c2d1d251e0329e0a69dd96ae54"
}
],
"title": "can: peak_usb: fix shift-out-of-bounds issue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40020",
"datePublished": "2025-10-24T12:24:56.311Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-10-24T12:24:56.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-22977 (GCVE-0-2026-22977)
Vulnerability from cvelistv5 – Published: 2026-01-21 13:08 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
net: sock: fix hardened usercopy panic in sock_recv_errqueue
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sock: fix hardened usercopy panic in sock_recv_errqueue
skbuff_fclone_cache was created without defining a usercopy region,
[1] unlike skbuff_head_cache which properly whitelists the cb[] field.
[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is
enabled and the kernel attempts to copy sk_buff.cb data to userspace
via sock_recv_errqueue() -> put_cmsg().
The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone()
(from skbuff_fclone_cache) [1]
2. The skb is cloned via skb_clone() using the pre-allocated fclone
[3] 3. The cloned skb is queued to sk_error_queue for timestamp
reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE)
5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb
[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no
usercopy whitelist [5]
When cloned skbs allocated from skbuff_fclone_cache are used in the
socket error queue, accessing the sock_exterr_skb structure in skb->cb
via put_cmsg() triggers a usercopy hardening violation:
[ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)!
[ 5.382796] kernel BUG at mm/usercopy.c:102!
[ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
[ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7
[ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80
[ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490
[ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246
[ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74
[ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0
[ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74
[ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001
[ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00
[ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000
[ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0
[ 5.384903] PKRU: 55555554
[ 5.384903] Call Trace:
[ 5.384903] <TASK>
[ 5.384903] __check_heap_object+0x9a/0xd0
[ 5.384903] __check_object_size+0x46c/0x690
[ 5.384903] put_cmsg+0x129/0x5e0
[ 5.384903] sock_recv_errqueue+0x22f/0x380
[ 5.384903] tls_sw_recvmsg+0x7ed/0x1960
[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5.384903] ? schedule+0x6d/0x270
[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5.384903] ? mutex_unlock+0x81/0xd0
[ 5.384903] ? __pfx_mutex_unlock+0x10/0x10
[ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10
[ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0
[ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40
[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5
The crash offset 296 corresponds to skb2->cb within skbuff_fclones:
- sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 -
offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 =
272 + 24 (inside sock_exterr_skb.ee)
This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure.
[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885
[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104
[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566
[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491
[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6d07d1cd300f4c7e16005f881fea388164999cc8 , < 88dd6be7ebb3153b662c2cebcb06e032a92857f5
(git)
Affected: 6d07d1cd300f4c7e16005f881fea388164999cc8 , < c655d2167bf014d4c61b4faeca59b60ff9b9f6b1 (git) Affected: 6d07d1cd300f4c7e16005f881fea388164999cc8 , < 8c6901aa29626e35045130bac09b75f791acca85 (git) Affected: 6d07d1cd300f4c7e16005f881fea388164999cc8 , < 582a5e922a9652fcbb7d0165c95d5b20aa37575d (git) Affected: 6d07d1cd300f4c7e16005f881fea388164999cc8 , < 005671c60fcf1dbdb8bddf12a62568fd5e4ec391 (git) Affected: 6d07d1cd300f4c7e16005f881fea388164999cc8 , < e00b169eaac5f7cdbf710c354c8fa76d02009115 (git) Affected: 6d07d1cd300f4c7e16005f881fea388164999cc8 , < 2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88dd6be7ebb3153b662c2cebcb06e032a92857f5",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "c655d2167bf014d4c61b4faeca59b60ff9b9f6b1",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "8c6901aa29626e35045130bac09b75f791acca85",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "582a5e922a9652fcbb7d0165c95d5b20aa37575d",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "005671c60fcf1dbdb8bddf12a62568fd5e4ec391",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "e00b169eaac5f7cdbf710c354c8fa76d02009115",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sock: fix hardened usercopy panic in sock_recv_errqueue\n\nskbuff_fclone_cache was created without defining a usercopy region,\n[1] unlike skbuff_head_cache which properly whitelists the cb[] field.\n[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is\nenabled and the kernel attempts to copy sk_buff.cb data to userspace\nvia sock_recv_errqueue() -\u003e put_cmsg().\n\nThe crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone()\n (from skbuff_fclone_cache) [1]\n2. The skb is cloned via skb_clone() using the pre-allocated fclone\n[3] 3. The cloned skb is queued to sk_error_queue for timestamp\nreporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE)\n5. sock_recv_errqueue() calls put_cmsg() to copy serr-\u003eee from skb-\u003ecb\n[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no\n usercopy whitelist [5]\n\nWhen cloned skbs allocated from skbuff_fclone_cache are used in the\nsocket error queue, accessing the sock_exterr_skb structure in skb-\u003ecb\nvia put_cmsg() triggers a usercopy hardening violation:\n\n[ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object \u0027skbuff_fclone_cache\u0027 (offset 296, size 16)!\n[ 5.382796] kernel BUG at mm/usercopy.c:102!\n[ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\n[ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7\n[ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80\n[ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff \u003c0f\u003e 0b 490\n[ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246\n[ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74\n[ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0\n[ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74\n[ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001\n[ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00\n[ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000\n[ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0\n[ 5.384903] PKRU: 55555554\n[ 5.384903] Call Trace:\n[ 5.384903] \u003cTASK\u003e\n[ 5.384903] __check_heap_object+0x9a/0xd0\n[ 5.384903] __check_object_size+0x46c/0x690\n[ 5.384903] put_cmsg+0x129/0x5e0\n[ 5.384903] sock_recv_errqueue+0x22f/0x380\n[ 5.384903] tls_sw_recvmsg+0x7ed/0x1960\n[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5.384903] ? schedule+0x6d/0x270\n[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5.384903] ? mutex_unlock+0x81/0xd0\n[ 5.384903] ? __pfx_mutex_unlock+0x10/0x10\n[ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10\n[ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0\n[ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40\n[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5\n\nThe crash offset 296 corresponds to skb2-\u003ecb within skbuff_fclones:\n - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 -\n offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 =\n 272 + 24 (inside sock_exterr_skb.ee)\n\nThis patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure.\n\n[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885\n[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104\n[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566\n[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491\n[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:27.020Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88dd6be7ebb3153b662c2cebcb06e032a92857f5"
},
{
"url": "https://git.kernel.org/stable/c/c655d2167bf014d4c61b4faeca59b60ff9b9f6b1"
},
{
"url": "https://git.kernel.org/stable/c/8c6901aa29626e35045130bac09b75f791acca85"
},
{
"url": "https://git.kernel.org/stable/c/582a5e922a9652fcbb7d0165c95d5b20aa37575d"
},
{
"url": "https://git.kernel.org/stable/c/005671c60fcf1dbdb8bddf12a62568fd5e4ec391"
},
{
"url": "https://git.kernel.org/stable/c/e00b169eaac5f7cdbf710c354c8fa76d02009115"
},
{
"url": "https://git.kernel.org/stable/c/2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20"
}
],
"title": "net: sock: fix hardened usercopy panic in sock_recv_errqueue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22977",
"datePublished": "2026-01-21T13:08:54.858Z",
"dateReserved": "2026-01-13T15:37:45.935Z",
"dateUpdated": "2026-02-09T08:36:27.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68744 (GCVE-0-2025-68744)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
bpf: Free special fields when update [lru_,]percpu_hash maps
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Free special fields when update [lru_,]percpu_hash maps
As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing
calls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' could cause the
memory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the
map gets freed.
Fix this by calling 'bpf_obj_free_fields()' after
'copy_map_value[,_long]()' in 'pcpu_copy_value()'.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 994d6303ed0b84cbc795bb5becf7ed6de40d3f3c
(git)
Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 3bf1378747e251571e0de15e7e0a6bf2919044e7 (git) Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 96a5cb7072cabbac5c66ac9318242c3bdceebb68 (git) Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 4a03d69cece145e4fb527464be29c3806aa3221e (git) Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 6af6e49a76c9af7d42eb923703e7648cb2bf401a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/hashtab.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "994d6303ed0b84cbc795bb5becf7ed6de40d3f3c",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
},
{
"lessThan": "3bf1378747e251571e0de15e7e0a6bf2919044e7",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
},
{
"lessThan": "96a5cb7072cabbac5c66ac9318242c3bdceebb68",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
},
{
"lessThan": "4a03d69cece145e4fb527464be29c3806aa3221e",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
},
{
"lessThan": "6af6e49a76c9af7d42eb923703e7648cb2bf401a",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/hashtab.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Free special fields when update [lru_,]percpu_hash maps\n\nAs [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing\ncalls to \u0027bpf_obj_free_fields()\u0027 in \u0027pcpu_copy_value()\u0027 could cause the\nmemory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the\nmap gets freed.\n\nFix this by calling \u0027bpf_obj_free_fields()\u0027 after\n\u0027copy_map_value[,_long]()\u0027 in \u0027pcpu_copy_value()\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:48.466Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/994d6303ed0b84cbc795bb5becf7ed6de40d3f3c"
},
{
"url": "https://git.kernel.org/stable/c/3bf1378747e251571e0de15e7e0a6bf2919044e7"
},
{
"url": "https://git.kernel.org/stable/c/96a5cb7072cabbac5c66ac9318242c3bdceebb68"
},
{
"url": "https://git.kernel.org/stable/c/4a03d69cece145e4fb527464be29c3806aa3221e"
},
{
"url": "https://git.kernel.org/stable/c/6af6e49a76c9af7d42eb923703e7648cb2bf401a"
}
],
"title": "bpf: Free special fields when update [lru_,]percpu_hash maps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68744",
"datePublished": "2025-12-24T12:09:40.839Z",
"dateReserved": "2025-12-24T10:30:51.031Z",
"dateUpdated": "2026-02-09T08:32:48.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71131 (GCVE-0-2025-71131)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
As soon as crypto_aead_encrypt is called, the underlying request
may be freed by an asynchronous completion. Thus dereferencing
req->iv after it returns is invalid.
Instead of checking req->iv against info, create a new variable
unaligned_info and use it for that purpose instead.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < 18202537856e0fae079fed2c9308780bcff2bb9d
(git)
Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < baf0e2d1e03ddb04781dfe7f22a654d3611f69b2 (git) Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < 50f196d2bbaee4ab2494bb1b0d294deba292951a (git) Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < 0279978adec6f1296af66b642cce641c6580be46 (git) Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < ccbb96434d88e32358894c879457b33f7508e798 (git) Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < 5476f7f8a311236604b78fcc5b2a63b3a61b0169 (git) Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < 50fdb78b7c0bcc550910ef69c0984e751cac72fa (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/seqiv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18202537856e0fae079fed2c9308780bcff2bb9d",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "baf0e2d1e03ddb04781dfe7f22a654d3611f69b2",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "50f196d2bbaee4ab2494bb1b0d294deba292951a",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "0279978adec6f1296af66b642cce641c6580be46",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "ccbb96434d88e32358894c879457b33f7508e798",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "5476f7f8a311236604b78fcc5b2a63b3a61b0169",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "50fdb78b7c0bcc550910ef69c0984e751cac72fa",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/seqiv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: seqiv - Do not use req-\u003eiv after crypto_aead_encrypt\n\nAs soon as crypto_aead_encrypt is called, the underlying request\nmay be freed by an asynchronous completion. Thus dereferencing\nreq-\u003eiv after it returns is invalid.\n\nInstead of checking req-\u003eiv against info, create a new variable\nunaligned_info and use it for that purpose instead."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:27.322Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18202537856e0fae079fed2c9308780bcff2bb9d"
},
{
"url": "https://git.kernel.org/stable/c/baf0e2d1e03ddb04781dfe7f22a654d3611f69b2"
},
{
"url": "https://git.kernel.org/stable/c/50f196d2bbaee4ab2494bb1b0d294deba292951a"
},
{
"url": "https://git.kernel.org/stable/c/0279978adec6f1296af66b642cce641c6580be46"
},
{
"url": "https://git.kernel.org/stable/c/ccbb96434d88e32358894c879457b33f7508e798"
},
{
"url": "https://git.kernel.org/stable/c/5476f7f8a311236604b78fcc5b2a63b3a61b0169"
},
{
"url": "https://git.kernel.org/stable/c/50fdb78b7c0bcc550910ef69c0984e751cac72fa"
}
],
"title": "crypto: seqiv - Do not use req-\u003eiv after crypto_aead_encrypt",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71131",
"datePublished": "2026-01-14T15:07:47.194Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-02-09T08:35:27.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40125 (GCVE-0-2025-40125)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx
In __blk_mq_update_nr_hw_queues() the return value of
blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx
fails, later changing the number of hw_queues or removing disk will
trigger the following warning:
kernfs: can not remove 'nr_tags', no directory
WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160
Call Trace:
remove_files.isra.1+0x38/0xb0
sysfs_remove_group+0x4d/0x100
sysfs_remove_groups+0x31/0x60
__kobject_del+0x23/0xf0
kobject_del+0x17/0x40
blk_mq_unregister_hctx+0x5d/0x80
blk_mq_sysfs_unregister_hctxs+0x94/0xd0
blk_mq_update_nr_hw_queues+0x124/0x760
nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
nullb_device_submit_queues_store+0x92/0x120 [null_blk]
kobjct_del() was called unconditionally even if sysfs creation failed.
Fix it by checkig the kobject creation statusbefore deleting it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
477e19dedc9d3e1f4443a1d4ae00572a988120ea , < a8c53553f1833cc2d14175d2d72cf37193a01898
(git)
Affected: 477e19dedc9d3e1f4443a1d4ae00572a988120ea , < cc14ea21c4e658814d737ed4dedde6cd626a15ad (git) Affected: 477e19dedc9d3e1f4443a1d4ae00572a988120ea , < 4b97e99b87a773d52699521d40864f3ec888e9a6 (git) Affected: 477e19dedc9d3e1f4443a1d4ae00572a988120ea , < 6e7dadc5763c48eb3b9b91265a21f312599ebb2c (git) Affected: 477e19dedc9d3e1f4443a1d4ae00572a988120ea , < 06c4826b1d900611096e4621e93133db57e13911 (git) Affected: 477e19dedc9d3e1f4443a1d4ae00572a988120ea , < babc634e9fe2803962dba98a07587e835dbc0731 (git) Affected: 477e19dedc9d3e1f4443a1d4ae00572a988120ea , < d5ddd76ee52bdc16e9f8b1e7791291e785dab032 (git) Affected: 477e19dedc9d3e1f4443a1d4ae00572a988120ea , < 4c7ef92f6d4d08a27d676e4c348f4e2922cab3ed (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq-sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8c53553f1833cc2d14175d2d72cf37193a01898",
"status": "affected",
"version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
"versionType": "git"
},
{
"lessThan": "cc14ea21c4e658814d737ed4dedde6cd626a15ad",
"status": "affected",
"version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
"versionType": "git"
},
{
"lessThan": "4b97e99b87a773d52699521d40864f3ec888e9a6",
"status": "affected",
"version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
"versionType": "git"
},
{
"lessThan": "6e7dadc5763c48eb3b9b91265a21f312599ebb2c",
"status": "affected",
"version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
"versionType": "git"
},
{
"lessThan": "06c4826b1d900611096e4621e93133db57e13911",
"status": "affected",
"version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
"versionType": "git"
},
{
"lessThan": "babc634e9fe2803962dba98a07587e835dbc0731",
"status": "affected",
"version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
"versionType": "git"
},
{
"lessThan": "d5ddd76ee52bdc16e9f8b1e7791291e785dab032",
"status": "affected",
"version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
"versionType": "git"
},
{
"lessThan": "4c7ef92f6d4d08a27d676e4c348f4e2922cab3ed",
"status": "affected",
"version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-mq-sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx\n\nIn __blk_mq_update_nr_hw_queues() the return value of\nblk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx\nfails, later changing the number of hw_queues or removing disk will\ntrigger the following warning:\n\n kernfs: can not remove \u0027nr_tags\u0027, no directory\n WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160\n Call Trace:\n remove_files.isra.1+0x38/0xb0\n sysfs_remove_group+0x4d/0x100\n sysfs_remove_groups+0x31/0x60\n __kobject_del+0x23/0xf0\n kobject_del+0x17/0x40\n blk_mq_unregister_hctx+0x5d/0x80\n blk_mq_sysfs_unregister_hctxs+0x94/0xd0\n blk_mq_update_nr_hw_queues+0x124/0x760\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n nullb_device_submit_queues_store+0x92/0x120 [null_blk]\n\nkobjct_del() was called unconditionally even if sysfs creation failed.\nFix it by checkig the kobject creation statusbefore deleting it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:30.912Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8c53553f1833cc2d14175d2d72cf37193a01898"
},
{
"url": "https://git.kernel.org/stable/c/cc14ea21c4e658814d737ed4dedde6cd626a15ad"
},
{
"url": "https://git.kernel.org/stable/c/4b97e99b87a773d52699521d40864f3ec888e9a6"
},
{
"url": "https://git.kernel.org/stable/c/6e7dadc5763c48eb3b9b91265a21f312599ebb2c"
},
{
"url": "https://git.kernel.org/stable/c/06c4826b1d900611096e4621e93133db57e13911"
},
{
"url": "https://git.kernel.org/stable/c/babc634e9fe2803962dba98a07587e835dbc0731"
},
{
"url": "https://git.kernel.org/stable/c/d5ddd76ee52bdc16e9f8b1e7791291e785dab032"
},
{
"url": "https://git.kernel.org/stable/c/4c7ef92f6d4d08a27d676e4c348f4e2922cab3ed"
}
],
"title": "blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40125",
"datePublished": "2025-11-12T10:23:20.180Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:30.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68305 (GCVE-0-2025-68305)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
Bluetooth: hci_sock: Prevent race in socket write iter and sock bind
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sock: Prevent race in socket write iter and sock bind
There is a potential race condition between sock bind and socket write
iter. bind may free the same cmd via mgmt_pending before write iter sends
the cmd, just as syzbot reported in UAF[1].
Here we use hci_dev_lock to synchronize the two, thereby avoiding the
UAF mentioned in [1].
[1]
syzbot reported:
BUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316
Read of size 8 at addr ffff888077164818 by task syz.0.17/5989
Call Trace:
mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316
set_link_security+0x5c2/0x710 net/bluetooth/mgmt.c:1918
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
sock_write_iter+0x279/0x360 net/socket.c:1195
Allocated by task 5989:
mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296
set_link_security+0x557/0x710 net/bluetooth/mgmt.c:1910
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
sock_write_iter+0x279/0x360 net/socket.c:1195
Freed by task 5991:
mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257
mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9477
hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bdd56875c6926d8009914f427df71797693e90d4 , < fe68510fc99bb4b88c9c611f83699749002d515a
(git)
Affected: 4e83f2dbb2bf677e614109df24426c4dded472d4 , < e90c05fc5bbea956450a05cc3b36b8fa29cf195e (git) Affected: 6fe26f694c824b8a4dbf50c635bee1302e3f099c , < 69fcb0344bc0dd5b13d7e4e98f8b6bf25a6d4ff7 (git) Affected: 6fe26f694c824b8a4dbf50c635bee1302e3f099c , < 89bb613511cc21ed5ba6bddc1c9b9ae9c0dad392 (git) Affected: d7882db79135c829a922daf3571f33ea1e056ae3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fe68510fc99bb4b88c9c611f83699749002d515a",
"status": "affected",
"version": "bdd56875c6926d8009914f427df71797693e90d4",
"versionType": "git"
},
{
"lessThan": "e90c05fc5bbea956450a05cc3b36b8fa29cf195e",
"status": "affected",
"version": "4e83f2dbb2bf677e614109df24426c4dded472d4",
"versionType": "git"
},
{
"lessThan": "69fcb0344bc0dd5b13d7e4e98f8b6bf25a6d4ff7",
"status": "affected",
"version": "6fe26f694c824b8a4dbf50c635bee1302e3f099c",
"versionType": "git"
},
{
"lessThan": "89bb613511cc21ed5ba6bddc1c9b9ae9c0dad392",
"status": "affected",
"version": "6fe26f694c824b8a4dbf50c635bee1302e3f099c",
"versionType": "git"
},
{
"status": "affected",
"version": "d7882db79135c829a922daf3571f33ea1e056ae3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "6.6.94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.12.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sock: Prevent race in socket write iter and sock bind\n\nThere is a potential race condition between sock bind and socket write\niter. bind may free the same cmd via mgmt_pending before write iter sends\nthe cmd, just as syzbot reported in UAF[1].\n\nHere we use hci_dev_lock to synchronize the two, thereby avoiding the\nUAF mentioned in [1].\n\n[1]\nsyzbot reported:\nBUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316\nRead of size 8 at addr ffff888077164818 by task syz.0.17/5989\nCall Trace:\n mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316\n set_link_security+0x5c2/0x710 net/bluetooth/mgmt.c:1918\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:742\n sock_write_iter+0x279/0x360 net/socket.c:1195\n\nAllocated by task 5989:\n mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296\n set_link_security+0x557/0x710 net/bluetooth/mgmt.c:1910\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:742\n sock_write_iter+0x279/0x360 net/socket.c:1195\n\nFreed by task 5991:\n mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]\n mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257\n mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9477\n hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:22.812Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fe68510fc99bb4b88c9c611f83699749002d515a"
},
{
"url": "https://git.kernel.org/stable/c/e90c05fc5bbea956450a05cc3b36b8fa29cf195e"
},
{
"url": "https://git.kernel.org/stable/c/69fcb0344bc0dd5b13d7e4e98f8b6bf25a6d4ff7"
},
{
"url": "https://git.kernel.org/stable/c/89bb613511cc21ed5ba6bddc1c9b9ae9c0dad392"
}
],
"title": "Bluetooth: hci_sock: Prevent race in socket write iter and sock bind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68305",
"datePublished": "2025-12-16T15:06:22.812Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:22.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40215 (GCVE-0-2025-40215)
Vulnerability from cvelistv5 – Published: 2025-12-04 12:38 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
xfrm: delete x->tunnel as we delete x
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: delete x->tunnel as we delete x
The ipcomp fallback tunnels currently get deleted (from the various
lists and hashtables) as the last user state that needed that fallback
is destroyed (not deleted). If a reference to that user state still
exists, the fallback state will remain on the hashtables/lists,
triggering the WARN in xfrm_state_fini. Because of those remaining
references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state
synchronously on net exit path") is not complete.
We recently fixed one such situation in TCP due to defered freeing of
skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we
currently drop dst")). This can also happen due to IP reassembly: skbs
with a secpath remain on the reassembly queue until netns
destruction. If we can't guarantee that the queues are flushed by the
time xfrm_state_fini runs, there may still be references to a (user)
xfrm_state, preventing the timely deletion of the corresponding
fallback state.
Instead of chasing each instance of skbs holding a secpath one by one,
this patch fixes the issue directly within xfrm, by deleting the
fallback state as soon as the last user state depending on it has been
deleted. Destruction will still happen when the final reference is
dropped.
A separate lockdep class for the fallback state is required since
we're going to lock x->tunnel while x is locked.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < 1b28a7fae0128fa140a7dccd995182ff6cd1c67b
(git)
Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < 4b2c17d0f9be8b58bb30468bc81a4b61c985b04e (git) Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < 0da961fa46da1b37ef868d9b603bd202136f8f8e (git) Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < d0e0d1097118461463b76562c7ebaabaa5b90b13 (git) Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < dc3636912d41770466543623cb76e7b88fdb42c7 (git) Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < b441cf3f8c4b8576639d20c8eb4aa32917602ecd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/xfrm.h",
"net/ipv4/ipcomp.c",
"net/ipv6/ipcomp6.c",
"net/ipv6/xfrm6_tunnel.c",
"net/xfrm/xfrm_ipcomp.c",
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b28a7fae0128fa140a7dccd995182ff6cd1c67b",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "4b2c17d0f9be8b58bb30468bc81a4b61c985b04e",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "0da961fa46da1b37ef868d9b603bd202136f8f8e",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "d0e0d1097118461463b76562c7ebaabaa5b90b13",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "dc3636912d41770466543623cb76e7b88fdb42c7",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "b441cf3f8c4b8576639d20c8eb4aa32917602ecd",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/xfrm.h",
"net/ipv4/ipcomp.c",
"net/ipv6/ipcomp6.c",
"net/ipv6/xfrm6_tunnel.c",
"net/xfrm/xfrm_ipcomp.c",
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: delete x-\u003etunnel as we delete x\n\nThe ipcomp fallback tunnels currently get deleted (from the various\nlists and hashtables) as the last user state that needed that fallback\nis destroyed (not deleted). If a reference to that user state still\nexists, the fallback state will remain on the hashtables/lists,\ntriggering the WARN in xfrm_state_fini. Because of those remaining\nreferences, the fix in commit f75a2804da39 (\"xfrm: destroy xfrm_state\nsynchronously on net exit path\") is not complete.\n\nWe recently fixed one such situation in TCP due to defered freeing of\nskbs (commit 9b6412e6979f (\"tcp: drop secpath at the same time as we\ncurrently drop dst\")). This can also happen due to IP reassembly: skbs\nwith a secpath remain on the reassembly queue until netns\ndestruction. If we can\u0027t guarantee that the queues are flushed by the\ntime xfrm_state_fini runs, there may still be references to a (user)\nxfrm_state, preventing the timely deletion of the corresponding\nfallback state.\n\nInstead of chasing each instance of skbs holding a secpath one by one,\nthis patch fixes the issue directly within xfrm, by deleting the\nfallback state as soon as the last user state depending on it has been\ndeleted. Destruction will still happen when the final reference is\ndropped.\n\nA separate lockdep class for the fallback state is required since\nwe\u0027re going to lock x-\u003etunnel while x is locked."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:05.674Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b28a7fae0128fa140a7dccd995182ff6cd1c67b"
},
{
"url": "https://git.kernel.org/stable/c/4b2c17d0f9be8b58bb30468bc81a4b61c985b04e"
},
{
"url": "https://git.kernel.org/stable/c/0da961fa46da1b37ef868d9b603bd202136f8f8e"
},
{
"url": "https://git.kernel.org/stable/c/d0e0d1097118461463b76562c7ebaabaa5b90b13"
},
{
"url": "https://git.kernel.org/stable/c/dc3636912d41770466543623cb76e7b88fdb42c7"
},
{
"url": "https://git.kernel.org/stable/c/b441cf3f8c4b8576639d20c8eb4aa32917602ecd"
}
],
"title": "xfrm: delete x-\u003etunnel as we delete x",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40215",
"datePublished": "2025-12-04T12:38:32.517Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2026-01-19T12:18:05.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39876 (GCVE-0-2025-39876)
Vulnerability from cvelistv5 – Published: 2025-09-23 06:00 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()
The function of_phy_find_device may return NULL, so we need to take
care before dereferencing phy_dev.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9e70485b40c8306298adea8bdc867ca27f88955a , < 8c60d12bba14dc655d2d948b1dbf390b3ae39cb8
(git)
Affected: 64a632da538a6827fad0ea461925cedb9899ebe2 , < 20a3433d31c2d2bf70ab0abec75f3136b42ae66c (git) Affected: 64a632da538a6827fad0ea461925cedb9899ebe2 , < 93a699d6e92cfdfa9eb9dbb8c653b5322542ca4f (git) Affected: 64a632da538a6827fad0ea461925cedb9899ebe2 , < 5f1bb554a131e59b28482abad21f691390651752 (git) Affected: 64a632da538a6827fad0ea461925cedb9899ebe2 , < fe78891f296ac05bf4e5295c9829ef822f3c32e7 (git) Affected: 64a632da538a6827fad0ea461925cedb9899ebe2 , < 4fe53aaa4271a72fe5fe3e88a45ce01646b68dc5 (git) Affected: 64a632da538a6827fad0ea461925cedb9899ebe2 , < eb148d85e126c47d65be34f2a465d69432ca5541 (git) Affected: 64a632da538a6827fad0ea461925cedb9899ebe2 , < 03e79de4608bdd48ad6eec272e196124cefaf798 (git) Affected: c068e505f229ca5f778f825f1401817ce818e917 (git) Affected: 8a6ab151443cd71e2aa5e8b7014e3453dbd51935 (git) Affected: ce88b5f42868ef4964c497d4dfcd25e88fd60c5b (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:21.070Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/fec_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c60d12bba14dc655d2d948b1dbf390b3ae39cb8",
"status": "affected",
"version": "9e70485b40c8306298adea8bdc867ca27f88955a",
"versionType": "git"
},
{
"lessThan": "20a3433d31c2d2bf70ab0abec75f3136b42ae66c",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "93a699d6e92cfdfa9eb9dbb8c653b5322542ca4f",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "5f1bb554a131e59b28482abad21f691390651752",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "fe78891f296ac05bf4e5295c9829ef822f3c32e7",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "4fe53aaa4271a72fe5fe3e88a45ce01646b68dc5",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "eb148d85e126c47d65be34f2a465d69432ca5541",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "03e79de4608bdd48ad6eec272e196124cefaf798",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"status": "affected",
"version": "c068e505f229ca5f778f825f1401817ce818e917",
"versionType": "git"
},
{
"status": "affected",
"version": "8a6ab151443cd71e2aa5e8b7014e3453dbd51935",
"versionType": "git"
},
{
"status": "affected",
"version": "ce88b5f42868ef4964c497d4dfcd25e88fd60c5b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/fec_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "5.4.73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.153",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()\n\nThe function of_phy_find_device may return NULL, so we need to take\ncare before dereferencing phy_dev."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:16.729Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c60d12bba14dc655d2d948b1dbf390b3ae39cb8"
},
{
"url": "https://git.kernel.org/stable/c/20a3433d31c2d2bf70ab0abec75f3136b42ae66c"
},
{
"url": "https://git.kernel.org/stable/c/93a699d6e92cfdfa9eb9dbb8c653b5322542ca4f"
},
{
"url": "https://git.kernel.org/stable/c/5f1bb554a131e59b28482abad21f691390651752"
},
{
"url": "https://git.kernel.org/stable/c/fe78891f296ac05bf4e5295c9829ef822f3c32e7"
},
{
"url": "https://git.kernel.org/stable/c/4fe53aaa4271a72fe5fe3e88a45ce01646b68dc5"
},
{
"url": "https://git.kernel.org/stable/c/eb148d85e126c47d65be34f2a465d69432ca5541"
},
{
"url": "https://git.kernel.org/stable/c/03e79de4608bdd48ad6eec272e196124cefaf798"
}
],
"title": "net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39876",
"datePublished": "2025-09-23T06:00:47.731Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-11-03T17:44:21.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39877 (GCVE-0-2025-39877)
Vulnerability from cvelistv5 – Published: 2025-09-23 06:00 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
mm/damon/sysfs: fix use-after-free in state_show()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs: fix use-after-free in state_show()
state_show() reads kdamond->damon_ctx without holding damon_sysfs_lock.
This allows a use-after-free race:
CPU 0 CPU 1
----- -----
state_show() damon_sysfs_turn_damon_on()
ctx = kdamond->damon_ctx; mutex_lock(&damon_sysfs_lock);
damon_destroy_ctx(kdamond->damon_ctx);
kdamond->damon_ctx = NULL;
mutex_unlock(&damon_sysfs_lock);
damon_is_running(ctx); /* ctx is freed */
mutex_lock(&ctx->kdamond_lock); /* UAF */
(The race can also occur with damon_sysfs_kdamonds_rm_dirs() and
damon_sysfs_kdamond_release(), which free or replace the context under
damon_sysfs_lock.)
Fix by taking damon_sysfs_lock before dereferencing the context, mirroring
the locking used in pid_show().
The bug has existed since state_show() first accessed kdamond->damon_ctx.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a61ea561c87139992fe32afdee48a6f6b85d824a , < 3858c44341ad49dc7544b19cc9f9ecffaa7cc50e
(git)
Affected: a61ea561c87139992fe32afdee48a6f6b85d824a , < 60d7a3d2b985a395318faa1d88da6915fad11c19 (git) Affected: a61ea561c87139992fe32afdee48a6f6b85d824a , < 26d29b2ac87a2989071755f9828ebf839b560d4c (git) Affected: a61ea561c87139992fe32afdee48a6f6b85d824a , < 4e87f461d61959647464a94d11ae15c011be58ce (git) Affected: a61ea561c87139992fe32afdee48a6f6b85d824a , < 3260a3f0828e06f5f13fac69fb1999a6d60d9cff (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:22.015Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3858c44341ad49dc7544b19cc9f9ecffaa7cc50e",
"status": "affected",
"version": "a61ea561c87139992fe32afdee48a6f6b85d824a",
"versionType": "git"
},
{
"lessThan": "60d7a3d2b985a395318faa1d88da6915fad11c19",
"status": "affected",
"version": "a61ea561c87139992fe32afdee48a6f6b85d824a",
"versionType": "git"
},
{
"lessThan": "26d29b2ac87a2989071755f9828ebf839b560d4c",
"status": "affected",
"version": "a61ea561c87139992fe32afdee48a6f6b85d824a",
"versionType": "git"
},
{
"lessThan": "4e87f461d61959647464a94d11ae15c011be58ce",
"status": "affected",
"version": "a61ea561c87139992fe32afdee48a6f6b85d824a",
"versionType": "git"
},
{
"lessThan": "3260a3f0828e06f5f13fac69fb1999a6d60d9cff",
"status": "affected",
"version": "a61ea561c87139992fe32afdee48a6f6b85d824a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: fix use-after-free in state_show()\n\nstate_show() reads kdamond-\u003edamon_ctx without holding damon_sysfs_lock. \nThis allows a use-after-free race:\n\nCPU 0 CPU 1\n----- -----\nstate_show() damon_sysfs_turn_damon_on()\nctx = kdamond-\u003edamon_ctx; mutex_lock(\u0026damon_sysfs_lock);\n damon_destroy_ctx(kdamond-\u003edamon_ctx);\n kdamond-\u003edamon_ctx = NULL;\n mutex_unlock(\u0026damon_sysfs_lock);\ndamon_is_running(ctx); /* ctx is freed */\nmutex_lock(\u0026ctx-\u003ekdamond_lock); /* UAF */\n\n(The race can also occur with damon_sysfs_kdamonds_rm_dirs() and\ndamon_sysfs_kdamond_release(), which free or replace the context under\ndamon_sysfs_lock.)\n\nFix by taking damon_sysfs_lock before dereferencing the context, mirroring\nthe locking used in pid_show().\n\nThe bug has existed since state_show() first accessed kdamond-\u003edamon_ctx."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:35.845Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3858c44341ad49dc7544b19cc9f9ecffaa7cc50e"
},
{
"url": "https://git.kernel.org/stable/c/60d7a3d2b985a395318faa1d88da6915fad11c19"
},
{
"url": "https://git.kernel.org/stable/c/26d29b2ac87a2989071755f9828ebf839b560d4c"
},
{
"url": "https://git.kernel.org/stable/c/4e87f461d61959647464a94d11ae15c011be58ce"
},
{
"url": "https://git.kernel.org/stable/c/3260a3f0828e06f5f13fac69fb1999a6d60d9cff"
}
],
"title": "mm/damon/sysfs: fix use-after-free in state_show()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39877",
"datePublished": "2025-09-23T06:00:48.317Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-11-03T17:44:22.015Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40156 (GCVE-0-2025-40156)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe()
The drv->sram_reg pointer could be set to ERR_PTR(-EPROBE_DEFER) which
would lead to a error pointer dereference. Use IS_ERR_OR_NULL() to check
that the pointer is valid.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e09bd5757b5227d6804b30c58d4587f7f87d1afa , < 9cc23e221f392304b7b8aad213812564ddf6517e
(git)
Affected: e09bd5757b5227d6804b30c58d4587f7f87d1afa , < 80eab6a9df7e1107dc334434dbacd05297703377 (git) Affected: e09bd5757b5227d6804b30c58d4587f7f87d1afa , < 44e32104cf7e670e3d683c97b52350d8fac23322 (git) Affected: e09bd5757b5227d6804b30c58d4587f7f87d1afa , < 24d61b6e23d2c7291c528dd43a0bf76b5c05c8f0 (git) Affected: e09bd5757b5227d6804b30c58d4587f7f87d1afa , < fc33bf0e097c6834646b98a7b3da0ae5b617f0f9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/devfreq/mtk-cci-devfreq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9cc23e221f392304b7b8aad213812564ddf6517e",
"status": "affected",
"version": "e09bd5757b5227d6804b30c58d4587f7f87d1afa",
"versionType": "git"
},
{
"lessThan": "80eab6a9df7e1107dc334434dbacd05297703377",
"status": "affected",
"version": "e09bd5757b5227d6804b30c58d4587f7f87d1afa",
"versionType": "git"
},
{
"lessThan": "44e32104cf7e670e3d683c97b52350d8fac23322",
"status": "affected",
"version": "e09bd5757b5227d6804b30c58d4587f7f87d1afa",
"versionType": "git"
},
{
"lessThan": "24d61b6e23d2c7291c528dd43a0bf76b5c05c8f0",
"status": "affected",
"version": "e09bd5757b5227d6804b30c58d4587f7f87d1afa",
"versionType": "git"
},
{
"lessThan": "fc33bf0e097c6834646b98a7b3da0ae5b617f0f9",
"status": "affected",
"version": "e09bd5757b5227d6804b30c58d4587f7f87d1afa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/devfreq/mtk-cci-devfreq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: mtk-cci: Fix potential error pointer dereference in probe()\n\nThe drv-\u003esram_reg pointer could be set to ERR_PTR(-EPROBE_DEFER) which\nwould lead to a error pointer dereference. Use IS_ERR_OR_NULL() to check\nthat the pointer is valid."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:07.018Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9cc23e221f392304b7b8aad213812564ddf6517e"
},
{
"url": "https://git.kernel.org/stable/c/80eab6a9df7e1107dc334434dbacd05297703377"
},
{
"url": "https://git.kernel.org/stable/c/44e32104cf7e670e3d683c97b52350d8fac23322"
},
{
"url": "https://git.kernel.org/stable/c/24d61b6e23d2c7291c528dd43a0bf76b5c05c8f0"
},
{
"url": "https://git.kernel.org/stable/c/fc33bf0e097c6834646b98a7b3da0ae5b617f0f9"
}
],
"title": "PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40156",
"datePublished": "2025-11-12T10:23:28.994Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:07.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68332 (GCVE-0-2025-68332)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
comedi: c6xdigio: Fix invalid PNP driver unregistration
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: c6xdigio: Fix invalid PNP driver unregistration
The Comedi low-level driver "c6xdigio" seems to be for a parallel port
connected device. When the Comedi core calls the driver's Comedi
"attach" handler `c6xdigio_attach()` to configure a Comedi to use this
driver, it tries to enable the parallel port PNP resources by
registering a PNP driver with `pnp_register_driver()`, but ignores the
return value. (The `struct pnp_driver` it uses has only the `name` and
`id_table` members filled in.) The driver's Comedi "detach" handler
`c6xdigio_detach()` unconditionally unregisters the PNP driver with
`pnp_unregister_driver()`.
It is possible for `c6xdigio_attach()` to return an error before it
calls `pnp_register_driver()` and it is possible for the call to
`pnp_register_driver()` to return an error (that is ignored). In both
cases, the driver should not be calling `pnp_unregister_driver()` as it
does in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be
called by the Comedi core if `c6xdigio_attach()` returns an error, or if
the Comedi core decides to detach the Comedi device from the driver for
some other reason.)
The unconditional call to `pnp_unregister_driver()` without a previous
successful call to `pnp_register_driver()` will cause
`driver_unregister()` to issue a warning "Unexpected driver
unregister!". This was detected by Syzbot [1].
Also, the PNP driver registration and unregistration should be done at
module init and exit time, respectively, not when attaching or detaching
Comedi devices to the driver. (There might be more than one Comedi
device being attached to the driver, although that is unlikely.)
Change the driver to do the PNP driver registration at module init time,
and the unregistration at module exit time. Since `c6xdigio_detach()`
now only calls `comedi_legacy_detach()`, remove the function and change
the Comedi driver "detach" handler to `comedi_legacy_detach`.
-------------------------------------------
[1] Syzbot sample crash report:
Unexpected driver unregister!
WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]
WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270
Modules linked in:
CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]
RIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270
Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41
RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8
RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000
FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0
Call Trace:
<TASK>
comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207
comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215
comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011
do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872
comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_sys
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2c89e159cd2f386285e9522d6476dd7e801bee22 , < 407b25bb9284d69c27309e691ab1e02f9e1c46ac
(git)
Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < f7fa1f4670c3c358a451546f0b80b9231952912d (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < e8110402b0c24d822b0b933d87d50870d59667ef (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 72b3627b0d3b819de49b29c2c8cb1c64d54536b9 (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072 (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 698149d797d0178162f394c55d4ed52aa0e0b7f6 (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 888f7e2847bcb9df8257e656e1e837828942c53b (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 72262330f7b3ad2130e800cecf02adcce3c32c77 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/c6xdigio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "407b25bb9284d69c27309e691ab1e02f9e1c46ac",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "f7fa1f4670c3c358a451546f0b80b9231952912d",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "e8110402b0c24d822b0b933d87d50870d59667ef",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "72b3627b0d3b819de49b29c2c8cb1c64d54536b9",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "698149d797d0178162f394c55d4ed52aa0e0b7f6",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "888f7e2847bcb9df8257e656e1e837828942c53b",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "72262330f7b3ad2130e800cecf02adcce3c32c77",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/c6xdigio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: c6xdigio: Fix invalid PNP driver unregistration\n\nThe Comedi low-level driver \"c6xdigio\" seems to be for a parallel port\nconnected device. When the Comedi core calls the driver\u0027s Comedi\n\"attach\" handler `c6xdigio_attach()` to configure a Comedi to use this\ndriver, it tries to enable the parallel port PNP resources by\nregistering a PNP driver with `pnp_register_driver()`, but ignores the\nreturn value. (The `struct pnp_driver` it uses has only the `name` and\n`id_table` members filled in.) The driver\u0027s Comedi \"detach\" handler\n`c6xdigio_detach()` unconditionally unregisters the PNP driver with\n`pnp_unregister_driver()`.\n\nIt is possible for `c6xdigio_attach()` to return an error before it\ncalls `pnp_register_driver()` and it is possible for the call to\n`pnp_register_driver()` to return an error (that is ignored). In both\ncases, the driver should not be calling `pnp_unregister_driver()` as it\ndoes in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be\ncalled by the Comedi core if `c6xdigio_attach()` returns an error, or if\nthe Comedi core decides to detach the Comedi device from the driver for\nsome other reason.)\n\nThe unconditional call to `pnp_unregister_driver()` without a previous\nsuccessful call to `pnp_register_driver()` will cause\n`driver_unregister()` to issue a warning \"Unexpected driver\nunregister!\". This was detected by Syzbot [1].\n\nAlso, the PNP driver registration and unregistration should be done at\nmodule init and exit time, respectively, not when attaching or detaching\nComedi devices to the driver. (There might be more than one Comedi\ndevice being attached to the driver, although that is unlikely.)\n\nChange the driver to do the PNP driver registration at module init time,\nand the unregistration at module exit time. Since `c6xdigio_detach()`\nnow only calls `comedi_legacy_detach()`, remove the function and change\nthe Comedi driver \"detach\" handler to `comedi_legacy_detach`.\n\n-------------------------------------------\n[1] Syzbot sample crash report:\nUnexpected driver unregister!\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270\nModules linked in:\nCPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nRIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]\nRIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270\nCode: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 \u003c0f\u003e 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41\nRSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8\nRDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660\nR13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000\nFS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207\n comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215\n comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011\n do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872\n comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_sys\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:28.074Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/407b25bb9284d69c27309e691ab1e02f9e1c46ac"
},
{
"url": "https://git.kernel.org/stable/c/f7fa1f4670c3c358a451546f0b80b9231952912d"
},
{
"url": "https://git.kernel.org/stable/c/e8110402b0c24d822b0b933d87d50870d59667ef"
},
{
"url": "https://git.kernel.org/stable/c/72b3627b0d3b819de49b29c2c8cb1c64d54536b9"
},
{
"url": "https://git.kernel.org/stable/c/9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072"
},
{
"url": "https://git.kernel.org/stable/c/698149d797d0178162f394c55d4ed52aa0e0b7f6"
},
{
"url": "https://git.kernel.org/stable/c/888f7e2847bcb9df8257e656e1e837828942c53b"
},
{
"url": "https://git.kernel.org/stable/c/72262330f7b3ad2130e800cecf02adcce3c32c77"
}
],
"title": "comedi: c6xdigio: Fix invalid PNP driver unregistration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68332",
"datePublished": "2025-12-22T16:14:10.146Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-02-09T08:31:28.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68741 (GCVE-0-2025-68741)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
scsi: qla2xxx: Fix improper freeing of purex item
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix improper freeing of purex item
In qla2xxx_process_purls_iocb(), an item is allocated via
qla27xx_copy_multiple_pkt(), which internally calls
qla24xx_alloc_purex_item().
The qla24xx_alloc_purex_item() function may return a pre-allocated item
from a per-adapter pool for small allocations, instead of dynamically
allocating memory with kzalloc().
An error handling path in qla2xxx_process_purls_iocb() incorrectly uses
kfree() to release the item. If the item was from the pre-allocated
pool, calling kfree() on it is a bug that can lead to memory corruption.
Fix this by using the correct deallocation function,
qla24xx_free_purex_item(), which properly handles both dynamically
allocated and pre-allocated items.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
875386b98857822b77ac7f95bdf367b70af5b78c , < 4bccd506a1f1ab01d1f45b2a3effff6bedc73cf9
(git)
Affected: 875386b98857822b77ac7f95bdf367b70af5b78c , < 8e9f0a0717ba31d5842721627ade1e62d7aec012 (git) Affected: 875386b98857822b77ac7f95bdf367b70af5b78c , < cfe3e2f768d248fd3d965d561d0768a56dd0b9f8 (git) Affected: 875386b98857822b77ac7f95bdf367b70af5b78c , < 5fa1c8226b4532ad7011d295d3ab4ad45df105ae (git) Affected: 875386b98857822b77ac7f95bdf367b70af5b78c , < 78b1a242fe612a755f2158fd206ee6bb577d18ca (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_nvme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4bccd506a1f1ab01d1f45b2a3effff6bedc73cf9",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
},
{
"lessThan": "8e9f0a0717ba31d5842721627ade1e62d7aec012",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
},
{
"lessThan": "cfe3e2f768d248fd3d965d561d0768a56dd0b9f8",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
},
{
"lessThan": "5fa1c8226b4532ad7011d295d3ab4ad45df105ae",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
},
{
"lessThan": "78b1a242fe612a755f2158fd206ee6bb577d18ca",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_nvme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix improper freeing of purex item\n\nIn qla2xxx_process_purls_iocb(), an item is allocated via\nqla27xx_copy_multiple_pkt(), which internally calls\nqla24xx_alloc_purex_item().\n\nThe qla24xx_alloc_purex_item() function may return a pre-allocated item\nfrom a per-adapter pool for small allocations, instead of dynamically\nallocating memory with kzalloc().\n\nAn error handling path in qla2xxx_process_purls_iocb() incorrectly uses\nkfree() to release the item. If the item was from the pre-allocated\npool, calling kfree() on it is a bug that can lead to memory corruption.\n\nFix this by using the correct deallocation function,\nqla24xx_free_purex_item(), which properly handles both dynamically\nallocated and pre-allocated items."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:45.301Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4bccd506a1f1ab01d1f45b2a3effff6bedc73cf9"
},
{
"url": "https://git.kernel.org/stable/c/8e9f0a0717ba31d5842721627ade1e62d7aec012"
},
{
"url": "https://git.kernel.org/stable/c/cfe3e2f768d248fd3d965d561d0768a56dd0b9f8"
},
{
"url": "https://git.kernel.org/stable/c/5fa1c8226b4532ad7011d295d3ab4ad45df105ae"
},
{
"url": "https://git.kernel.org/stable/c/78b1a242fe612a755f2158fd206ee6bb577d18ca"
}
],
"title": "scsi: qla2xxx: Fix improper freeing of purex item",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68741",
"datePublished": "2025-12-24T12:09:38.655Z",
"dateReserved": "2025-12-24T10:30:51.030Z",
"dateUpdated": "2026-02-09T08:32:45.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68330 (GCVE-0-2025-68330)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2026-01-02 15:35
VLAI?
EPSS
Title
iio: accel: bmc150: Fix irq assumption regression
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: accel: bmc150: Fix irq assumption regression
The code in bmc150-accel-core.c unconditionally calls
bmc150_accel_set_interrupt() in the iio_buffer_setup_ops,
such as on the runtime PM resume path giving a kernel
splat like this if the device has no interrupts:
Unable to handle kernel NULL pointer dereference at virtual
address 00000001 when read
PC is at bmc150_accel_set_interrupt+0x98/0x194
LR is at __pm_runtime_resume+0x5c/0x64
(...)
Call trace:
bmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108
bmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc
__iio_update_buffers from enable_store+0x84/0xc8
enable_store from kernfs_fop_write_iter+0x154/0x1b4
This bug seems to have been in the driver since the beginning,
but it only manifests recently, I do not know why.
Store the IRQ number in the state struct, as this is a common
pattern in other drivers, then use this to determine if we have
IRQ support or not.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c16bff4844ffa678ba0c9d077e9797506924ccdd , < aad9d048a3211c48ec02efa405bf462856feb862
(git)
Affected: c16bff4844ffa678ba0c9d077e9797506924ccdd , < c891f504bb66604c822e7985e093cf39b97fdeb0 (git) Affected: c16bff4844ffa678ba0c9d077e9797506924ccdd , < cdd4a9e98004bd7c7488311951fa6dbae38b2b80 (git) Affected: c16bff4844ffa678ba0c9d077e9797506924ccdd , < 65ad4ed983fd9ee0259d86391d6a53f78203918c (git) Affected: c16bff4844ffa678ba0c9d077e9797506924ccdd , < 93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3 (git) Affected: c16bff4844ffa678ba0c9d077e9797506924ccdd , < 3aa385a9c75c09b59dcab2ff76423439d23673ab (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/accel/bmc150-accel-core.c",
"drivers/iio/accel/bmc150-accel.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aad9d048a3211c48ec02efa405bf462856feb862",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
},
{
"lessThan": "c891f504bb66604c822e7985e093cf39b97fdeb0",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
},
{
"lessThan": "cdd4a9e98004bd7c7488311951fa6dbae38b2b80",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
},
{
"lessThan": "65ad4ed983fd9ee0259d86391d6a53f78203918c",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
},
{
"lessThan": "93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
},
{
"lessThan": "3aa385a9c75c09b59dcab2ff76423439d23673ab",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/accel/bmc150-accel-core.c",
"drivers/iio/accel/bmc150-accel.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: bmc150: Fix irq assumption regression\n\nThe code in bmc150-accel-core.c unconditionally calls\nbmc150_accel_set_interrupt() in the iio_buffer_setup_ops,\nsuch as on the runtime PM resume path giving a kernel\nsplat like this if the device has no interrupts:\n\nUnable to handle kernel NULL pointer dereference at virtual\n address 00000001 when read\n\nPC is at bmc150_accel_set_interrupt+0x98/0x194\nLR is at __pm_runtime_resume+0x5c/0x64\n(...)\nCall trace:\nbmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108\nbmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc\n__iio_update_buffers from enable_store+0x84/0xc8\nenable_store from kernfs_fop_write_iter+0x154/0x1b4\n\nThis bug seems to have been in the driver since the beginning,\nbut it only manifests recently, I do not know why.\n\nStore the IRQ number in the state struct, as this is a common\npattern in other drivers, then use this to determine if we have\nIRQ support or not."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:35:09.465Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aad9d048a3211c48ec02efa405bf462856feb862"
},
{
"url": "https://git.kernel.org/stable/c/c891f504bb66604c822e7985e093cf39b97fdeb0"
},
{
"url": "https://git.kernel.org/stable/c/cdd4a9e98004bd7c7488311951fa6dbae38b2b80"
},
{
"url": "https://git.kernel.org/stable/c/65ad4ed983fd9ee0259d86391d6a53f78203918c"
},
{
"url": "https://git.kernel.org/stable/c/93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3"
},
{
"url": "https://git.kernel.org/stable/c/3aa385a9c75c09b59dcab2ff76423439d23673ab"
}
],
"title": "iio: accel: bmc150: Fix irq assumption regression",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68330",
"datePublished": "2025-12-22T16:12:23.864Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2026-01-02T15:35:09.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-47666 (GCVE-0-2024-47666)
Vulnerability from cvelistv5 – Published: 2024-10-09 14:13 – Updated: 2026-01-05 10:53
VLAI?
EPSS
Title
scsi: pm80xx: Set phy->enable_completion only when we wait for it
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm80xx: Set phy->enable_completion only when we wait for it
pm8001_phy_control() populates the enable_completion pointer with a stack
address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and
returns. The problem arises when a phy control response comes late. After
300 ms the pm8001_phy_control() function returns and the passed
enable_completion stack address is no longer valid. Late phy control
response invokes complete() on a dangling enable_completion pointer which
leads to a kernel crash.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
869ddbdcae3b4fb83b99889abae31544c149b210 , < ddc501f4130f4baa787cb6cfa309af697179f475
(git)
Affected: 869ddbdcae3b4fb83b99889abae31544c149b210 , < a5d954802bda1aabcba49633cd94bad91c94113f (git) Affected: 869ddbdcae3b4fb83b99889abae31544c149b210 , < e23ee0cc5bded07e700553aecc333bb20c768546 (git) Affected: 869ddbdcae3b4fb83b99889abae31544c149b210 , < 7b1d779647afaea9185fa2f150b1721e7c1aae89 (git) Affected: 869ddbdcae3b4fb83b99889abae31544c149b210 , < f14d3e1aa613311c744af32d75125e95fc8ffb84 (git) Affected: 869ddbdcae3b4fb83b99889abae31544c149b210 , < e4f949ef1516c0d74745ee54a0f4882c1f6c7aea (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47666",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T13:21:42.621552Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T13:21:56.821Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_sas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ddc501f4130f4baa787cb6cfa309af697179f475",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
},
{
"lessThan": "a5d954802bda1aabcba49633cd94bad91c94113f",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
},
{
"lessThan": "e23ee0cc5bded07e700553aecc333bb20c768546",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
},
{
"lessThan": "7b1d779647afaea9185fa2f150b1721e7c1aae89",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
},
{
"lessThan": "f14d3e1aa613311c744af32d75125e95fc8ffb84",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
},
{
"lessThan": "e4f949ef1516c0d74745ee54a0f4882c1f6c7aea",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_sas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.51",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.10",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Set phy-\u003eenable_completion only when we wait for it\n\npm8001_phy_control() populates the enable_completion pointer with a stack\naddress, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and\nreturns. The problem arises when a phy control response comes late. After\n300 ms the pm8001_phy_control() function returns and the passed\nenable_completion stack address is no longer valid. Late phy control\nresponse invokes complete() on a dangling enable_completion pointer which\nleads to a kernel crash."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:53:49.051Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ddc501f4130f4baa787cb6cfa309af697179f475"
},
{
"url": "https://git.kernel.org/stable/c/a5d954802bda1aabcba49633cd94bad91c94113f"
},
{
"url": "https://git.kernel.org/stable/c/e23ee0cc5bded07e700553aecc333bb20c768546"
},
{
"url": "https://git.kernel.org/stable/c/7b1d779647afaea9185fa2f150b1721e7c1aae89"
},
{
"url": "https://git.kernel.org/stable/c/f14d3e1aa613311c744af32d75125e95fc8ffb84"
},
{
"url": "https://git.kernel.org/stable/c/e4f949ef1516c0d74745ee54a0f4882c1f6c7aea"
}
],
"title": "scsi: pm80xx: Set phy-\u003eenable_completion only when we wait for it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-47666",
"datePublished": "2024-10-09T14:13:58.849Z",
"dateReserved": "2024-09-30T16:00:12.936Z",
"dateUpdated": "2026-01-05T10:53:49.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40048 (GCVE-0-2025-40048)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
uio_hv_generic: Let userspace take care of interrupt mask
Summary
In the Linux kernel, the following vulnerability has been resolved:
uio_hv_generic: Let userspace take care of interrupt mask
Remove the logic to set interrupt mask by default in uio_hv_generic
driver as the interrupt mask value is supposed to be controlled
completely by the user space. If the mask bit gets changed
by the driver, concurrently with user mode operating on the ring,
the mask bit may be set when it is supposed to be clear, and the
user-mode driver will miss an interrupt which will cause a hang.
For eg- when the driver sets inbound ring buffer interrupt mask to 1,
the host does not interrupt the guest on the UIO VMBus channel.
However, setting the mask does not prevent the host from putting a
message in the inbound ring buffer. So let’s assume that happens,
the host puts a message into the ring buffer but does not interrupt.
Subsequently, the user space code in the guest sets the inbound ring
buffer interrupt mask to 0, saying “Hey, I’m ready for interrupts”.
User space code then calls pread() to wait for an interrupt.
Then one of two things happens:
* The host never sends another message. So the pread() waits forever.
* The host does send another message. But because there’s already a
message in the ring buffer, it doesn’t generate an interrupt.
This is the correct behavior, because the host should only send an
interrupt when the inbound ring buffer transitions from empty to
not-empty. Adding an additional message to a ring buffer that is not
empty is not supposed to generate an interrupt on the guest.
Since the guest is waiting in pread() and not removing messages from
the ring buffer, the pread() waits forever.
This could be easily reproduced in hv_fcopy_uio_daemon if we delay
setting interrupt mask to 0.
Similarly if hv_uio_channel_cb() sets the interrupt_mask to 1,
there’s a race condition. Once user space empties the inbound ring
buffer, but before user space sets interrupt_mask to 0, the host could
put another message in the ring buffer but it wouldn’t interrupt.
Then the next pread() would hang.
Fix these by removing all instances where interrupt_mask is changed,
while keeping the one in set_event() unchanged to enable userspace
control the interrupt mask by writing 0/1 to /dev/uioX.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
95096f2fbd10186d3e78a328b327afc71428f65f , < 540aac117eaea5723cef5e4cbf3035c4ac654d92
(git)
Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < 65d40acd911c7011745cbbd2aaac34eb5266d11e (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < a44f61f878f32071d6378e8dd7c2d47f9490c8f7 (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < 01ce972e6f9974a7c76943bcb7e93746917db83a (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < 2af39ab5e6dc46b835a52e80a22d0cad430985e3 (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < 37bd91f22794dc05436130d6983302cb90ecfe7e (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < e29587c07537929684faa365027f4b0d87521e1b (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < b15b7d2a1b09ef5428a8db260251897405a19496 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/uio/uio_hv_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "540aac117eaea5723cef5e4cbf3035c4ac654d92",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "65d40acd911c7011745cbbd2aaac34eb5266d11e",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "a44f61f878f32071d6378e8dd7c2d47f9490c8f7",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "01ce972e6f9974a7c76943bcb7e93746917db83a",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "2af39ab5e6dc46b835a52e80a22d0cad430985e3",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "37bd91f22794dc05436130d6983302cb90ecfe7e",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "e29587c07537929684faa365027f4b0d87521e1b",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "b15b7d2a1b09ef5428a8db260251897405a19496",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/uio/uio_hv_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Let userspace take care of interrupt mask\n\nRemove the logic to set interrupt mask by default in uio_hv_generic\ndriver as the interrupt mask value is supposed to be controlled\ncompletely by the user space. If the mask bit gets changed\nby the driver, concurrently with user mode operating on the ring,\nthe mask bit may be set when it is supposed to be clear, and the\nuser-mode driver will miss an interrupt which will cause a hang.\n\nFor eg- when the driver sets inbound ring buffer interrupt mask to 1,\nthe host does not interrupt the guest on the UIO VMBus channel.\nHowever, setting the mask does not prevent the host from putting a\nmessage in the inbound ring buffer.\u00a0So let\u2019s assume that happens,\nthe host puts a message into the ring buffer but does not interrupt.\n\nSubsequently, the user space code in the guest sets the inbound ring\nbuffer interrupt mask to 0, saying \u201cHey, I\u2019m ready for interrupts\u201d.\nUser space code then calls pread() to wait for an interrupt.\nThen one of two things happens:\n\n* The host never sends another message. So the pread() waits forever.\n* The host does send another message. But because there\u2019s already a\n message in the ring buffer, it doesn\u2019t generate an interrupt.\n This is the correct behavior, because the host should only send an\n interrupt when the inbound ring buffer transitions from empty to\n not-empty. Adding an additional message to a ring buffer that is not\n empty is not supposed to generate an interrupt on the guest.\n Since the guest is waiting in pread() and not removing messages from\n the ring buffer, the pread() waits forever.\n\nThis could be easily reproduced in hv_fcopy_uio_daemon if we delay\nsetting interrupt mask to 0.\n\nSimilarly if hv_uio_channel_cb() sets the interrupt_mask to 1,\nthere\u2019s a race condition. Once user space empties the inbound ring\nbuffer, but before user space sets interrupt_mask to 0, the host could\nput another message in the ring buffer but it wouldn\u2019t interrupt.\nThen the next pread() would hang.\n\nFix these by removing all instances where interrupt_mask is changed,\nwhile keeping the one in set_event() unchanged to enable userspace\ncontrol the interrupt mask by writing 0/1 to /dev/uioX."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:53.799Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/540aac117eaea5723cef5e4cbf3035c4ac654d92"
},
{
"url": "https://git.kernel.org/stable/c/65d40acd911c7011745cbbd2aaac34eb5266d11e"
},
{
"url": "https://git.kernel.org/stable/c/a44f61f878f32071d6378e8dd7c2d47f9490c8f7"
},
{
"url": "https://git.kernel.org/stable/c/01ce972e6f9974a7c76943bcb7e93746917db83a"
},
{
"url": "https://git.kernel.org/stable/c/2af39ab5e6dc46b835a52e80a22d0cad430985e3"
},
{
"url": "https://git.kernel.org/stable/c/37bd91f22794dc05436130d6983302cb90ecfe7e"
},
{
"url": "https://git.kernel.org/stable/c/e29587c07537929684faa365027f4b0d87521e1b"
},
{
"url": "https://git.kernel.org/stable/c/b15b7d2a1b09ef5428a8db260251897405a19496"
}
],
"title": "uio_hv_generic: Let userspace take care of interrupt mask",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40048",
"datePublished": "2025-10-28T11:48:25.220Z",
"dateReserved": "2025-04-16T07:20:57.156Z",
"dateUpdated": "2025-12-01T06:16:53.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40317 (GCVE-0-2025-40317)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
regmap: slimbus: fix bus_context pointer in regmap init calls
Summary
In the Linux kernel, the following vulnerability has been resolved:
regmap: slimbus: fix bus_context pointer in regmap init calls
Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in
wcd934x_codec_parse_data()") revealed the problem in the slimbus regmap.
That commit breaks audio playback, for instance, on sdm845 Thundercomm
Dragonboard 845c board:
Unable to handle kernel paging request at virtual address ffff8000847cbad4
...
CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT
Hardware name: Thundercomm Dragonboard 845c (DT)
...
Call trace:
slim_xfer_msg+0x24/0x1ac [slimbus] (P)
slim_read+0x48/0x74 [slimbus]
regmap_slimbus_read+0x18/0x24 [regmap_slimbus]
_regmap_raw_read+0xe8/0x174
_regmap_bus_read+0x44/0x80
_regmap_read+0x60/0xd8
_regmap_update_bits+0xf4/0x140
_regmap_select_page+0xa8/0x124
_regmap_raw_write_impl+0x3b8/0x65c
_regmap_bus_raw_write+0x60/0x80
_regmap_write+0x58/0xc0
regmap_write+0x4c/0x80
wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]
snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]
__soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]
dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]
dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]
snd_pcm_hw_params+0x124/0x464 [snd_pcm]
snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]
snd_pcm_ioctl+0x34/0x4c [snd_pcm]
__arm64_sys_ioctl+0xac/0x104
invoke_syscall+0x48/0x104
el0_svc_common.constprop.0+0x40/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x34/0xec
el0t_64_sync_handler+0xa0/0xf0
el0t_64_sync+0x198/0x19c
The __devm_regmap_init_slimbus() started to be used instead of
__regmap_init_slimbus() after the commit mentioned above and turns out
the incorrect bus_context pointer (3rd argument) was used in
__devm_regmap_init_slimbus(). It should be just "slimbus" (which is equal
to &slimbus->dev). Correct it. The wcd934x codec seems to be the only or
the first user of devm_regmap_init_slimbus() but we should fix it till
the point where __devm_regmap_init_slimbus() was introduced therefore
two "Fixes" tags.
While at this, also correct the same argument in __regmap_init_slimbus().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7d6f7fb053ad543da74119df3c4cd7bb46220471 , < c0f05129e5734ff3fd14b2c242709314d9ca5433
(git)
Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < 02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1 (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < d979639f099c6e51f06ce4dd8d8e56364d6c17ba (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < 8143e4075d131c528540417a51966f6697be14eb (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < 2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < a16e92f8d7dc7371e68f17a9926cb92d2244be7b (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < b65f3303349eaee333e47d2a99045aa12fa0c3a7 (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < 434f7349a1f00618a620b316f091bd13a12bc8d2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regmap-slimbus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c0f05129e5734ff3fd14b2c242709314d9ca5433",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "d979639f099c6e51f06ce4dd8d8e56364d6c17ba",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "8143e4075d131c528540417a51966f6697be14eb",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "a16e92f8d7dc7371e68f17a9926cb92d2244be7b",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "b65f3303349eaee333e47d2a99045aa12fa0c3a7",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "434f7349a1f00618a620b316f091bd13a12bc8d2",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regmap-slimbus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: slimbus: fix bus_context pointer in regmap init calls\n\nCommit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in\nwcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap.\nThat commit breaks audio playback, for instance, on sdm845 Thundercomm\nDragonboard 845c board:\n\n Unable to handle kernel paging request at virtual address ffff8000847cbad4\n ...\n CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT\n Hardware name: Thundercomm Dragonboard 845c (DT)\n ...\n Call trace:\n slim_xfer_msg+0x24/0x1ac [slimbus] (P)\n slim_read+0x48/0x74 [slimbus]\n regmap_slimbus_read+0x18/0x24 [regmap_slimbus]\n _regmap_raw_read+0xe8/0x174\n _regmap_bus_read+0x44/0x80\n _regmap_read+0x60/0xd8\n _regmap_update_bits+0xf4/0x140\n _regmap_select_page+0xa8/0x124\n _regmap_raw_write_impl+0x3b8/0x65c\n _regmap_bus_raw_write+0x60/0x80\n _regmap_write+0x58/0xc0\n regmap_write+0x4c/0x80\n wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]\n snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]\n __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]\n dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]\n dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]\n snd_pcm_hw_params+0x124/0x464 [snd_pcm]\n snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]\n snd_pcm_ioctl+0x34/0x4c [snd_pcm]\n __arm64_sys_ioctl+0xac/0x104\n invoke_syscall+0x48/0x104\n el0_svc_common.constprop.0+0x40/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xec\n el0t_64_sync_handler+0xa0/0xf0\n el0t_64_sync+0x198/0x19c\n\nThe __devm_regmap_init_slimbus() started to be used instead of\n__regmap_init_slimbus() after the commit mentioned above and turns out\nthe incorrect bus_context pointer (3rd argument) was used in\n__devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal\nto \u0026slimbus-\u003edev). Correct it. The wcd934x codec seems to be the only or\nthe first user of devm_regmap_init_slimbus() but we should fix it till\nthe point where __devm_regmap_init_slimbus() was introduced therefore\ntwo \"Fixes\" tags.\n\nWhile at this, also correct the same argument in __regmap_init_slimbus()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:44.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c0f05129e5734ff3fd14b2c242709314d9ca5433"
},
{
"url": "https://git.kernel.org/stable/c/02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1"
},
{
"url": "https://git.kernel.org/stable/c/d979639f099c6e51f06ce4dd8d8e56364d6c17ba"
},
{
"url": "https://git.kernel.org/stable/c/8143e4075d131c528540417a51966f6697be14eb"
},
{
"url": "https://git.kernel.org/stable/c/2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c"
},
{
"url": "https://git.kernel.org/stable/c/a16e92f8d7dc7371e68f17a9926cb92d2244be7b"
},
{
"url": "https://git.kernel.org/stable/c/b65f3303349eaee333e47d2a99045aa12fa0c3a7"
},
{
"url": "https://git.kernel.org/stable/c/434f7349a1f00618a620b316f091bd13a12bc8d2"
}
],
"title": "regmap: slimbus: fix bus_context pointer in regmap init calls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40317",
"datePublished": "2025-12-08T00:46:44.287Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:44.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-49968 (GCVE-0-2024-49968)
Vulnerability from cvelistv5 – Published: 2024-10-21 18:02 – Updated: 2026-01-19 12:17
VLAI?
EPSS
Title
ext4: filesystems without casefold feature cannot be mounted with siphash
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: filesystems without casefold feature cannot be mounted with siphash
When mounting the ext4 filesystem, if the default hash version is set to
DX_HASH_SIPHASH but the casefold feature is not set, exit the mounting.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
471fbbea7ff7061b2d6474665cb5a2ceb4fd6500 , < 86b81d4eab1cd4c56f7447896232cf33472c2395
(git)
Affected: 471fbbea7ff7061b2d6474665cb5a2ceb4fd6500 , < 11bd1c279bac701ba91119875796ffff3b98250e (git) Affected: 471fbbea7ff7061b2d6474665cb5a2ceb4fd6500 , < 52c4538a92da6f3242d4140c03ddc5ee71b39ba8 (git) Affected: 471fbbea7ff7061b2d6474665cb5a2ceb4fd6500 , < e1373903db6c4ac994de0d18076280ad88e12dee (git) Affected: 471fbbea7ff7061b2d6474665cb5a2ceb4fd6500 , < 985b67cd86392310d9e9326de941c22fc9340eec (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49968",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:34:11.259486Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:38:46.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "86b81d4eab1cd4c56f7447896232cf33472c2395",
"status": "affected",
"version": "471fbbea7ff7061b2d6474665cb5a2ceb4fd6500",
"versionType": "git"
},
{
"lessThan": "11bd1c279bac701ba91119875796ffff3b98250e",
"status": "affected",
"version": "471fbbea7ff7061b2d6474665cb5a2ceb4fd6500",
"versionType": "git"
},
{
"lessThan": "52c4538a92da6f3242d4140c03ddc5ee71b39ba8",
"status": "affected",
"version": "471fbbea7ff7061b2d6474665cb5a2ceb4fd6500",
"versionType": "git"
},
{
"lessThan": "e1373903db6c4ac994de0d18076280ad88e12dee",
"status": "affected",
"version": "471fbbea7ff7061b2d6474665cb5a2ceb4fd6500",
"versionType": "git"
},
{
"lessThan": "985b67cd86392310d9e9326de941c22fc9340eec",
"status": "affected",
"version": "471fbbea7ff7061b2d6474665cb5a2ceb4fd6500",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: filesystems without casefold feature cannot be mounted with siphash\n\nWhen mounting the ext4 filesystem, if the default hash version is set to\nDX_HASH_SIPHASH but the casefold feature is not set, exit the mounting."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:51.927Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/86b81d4eab1cd4c56f7447896232cf33472c2395"
},
{
"url": "https://git.kernel.org/stable/c/11bd1c279bac701ba91119875796ffff3b98250e"
},
{
"url": "https://git.kernel.org/stable/c/52c4538a92da6f3242d4140c03ddc5ee71b39ba8"
},
{
"url": "https://git.kernel.org/stable/c/e1373903db6c4ac994de0d18076280ad88e12dee"
},
{
"url": "https://git.kernel.org/stable/c/985b67cd86392310d9e9326de941c22fc9340eec"
}
],
"title": "ext4: filesystems without casefold feature cannot be mounted with siphash",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-49968",
"datePublished": "2024-10-21T18:02:18.369Z",
"dateReserved": "2024-10-21T12:17:06.051Z",
"dateUpdated": "2026-01-19T12:17:51.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22111 (GCVE-0-2025-22111)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-01-19 12:17
VLAI?
EPSS
Title
net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.
SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to
br_ioctl_call(), which causes unnecessary RTNL dance and the splat
below [0] under RTNL pressure.
Let's say Thread A is trying to detach a device from a bridge and
Thread B is trying to remove the bridge.
In dev_ioctl(), Thread A bumps the bridge device's refcnt by
netdev_hold() and releases RTNL because the following br_ioctl_call()
also re-acquires RTNL.
In the race window, Thread B could acquire RTNL and try to remove
the bridge device. Then, rtnl_unlock() by Thread B will release RTNL
and wait for netdev_put() by Thread A.
Thread A, however, must hold RTNL after the unlock in dev_ifsioc(),
which may take long under RTNL pressure, resulting in the splat by
Thread B.
Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR)
---------------------- ----------------------
sock_ioctl sock_ioctl
`- sock_do_ioctl `- br_ioctl_call
`- dev_ioctl `- br_ioctl_stub
|- rtnl_lock |
|- dev_ifsioc '
' |- dev = __dev_get_by_name(...)
|- netdev_hold(dev, ...) .
/ |- rtnl_unlock ------. |
| |- br_ioctl_call `---> |- rtnl_lock
Race | | `- br_ioctl_stub |- br_del_bridge
Window | | | |- dev = __dev_get_by_name(...)
| | | May take long | `- br_dev_delete(dev, ...)
| | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...)
| | | | `- rtnl_unlock
\ | |- rtnl_lock <-' `- netdev_run_todo
| |- ... `- netdev_run_todo
| `- rtnl_unlock |- __rtnl_unlock
| |- netdev_wait_allrefs_any
|- netdev_put(dev, ...) <----------------'
Wait refcnt decrement
and log splat below
To avoid blocking SIOCBRDELBR unnecessarily, let's not call
dev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.
In the dev_ioctl() path, we do the following:
1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()
2. Check CAP_NET_ADMIN in dev_ioctl()
3. Call dev_load() in dev_ioctl()
4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()
3. can be done by request_module() in br_ioctl_call(), so we move
1., 2., and 4. to br_ioctl_stub().
Note that 2. is also checked later in add_del_if(), but it's better
performed before RTNL.
SIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since
the pre-git era, and there seems to be no specific reason to process
them there.
[0]:
unregister_netdevice: waiting for wpan3 to become free. Usage count = 2
ref_tracker: wpan3@ffff8880662d8608 has 1/1 users at
__netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]
netdev_hold include/linux/netdevice.h:4311 [inline]
dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624
dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826
sock_do_ioctl+0x1ca/0x260 net/socket.c:1213
sock_ioctl+0x23a/0x6c0 net/socket.c:1318
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
893b195875340cb44b54c9db99e708145f1210e8 , < f51e471cb1577d510c3096e126678e1ea20d2efd
(git)
Affected: 893b195875340cb44b54c9db99e708145f1210e8 , < 338a0f3c66aef4ee13052880d02200aae8f2d8a8 (git) Affected: 893b195875340cb44b54c9db99e708145f1210e8 , < d767ce15045df510f55cdd2af5df0eee71f928d0 (git) Affected: 893b195875340cb44b54c9db99e708145f1210e8 , < 4888e1dcc341e9a132ef7b8516234b3c3296de56 (git) Affected: 893b195875340cb44b54c9db99e708145f1210e8 , < 00fe0ac64efd1f5373b3dd9f1f84b19235371e39 (git) Affected: 893b195875340cb44b54c9db99e708145f1210e8 , < ed3ba9b6e280e14cc3148c1b226ba453f02fa76c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/if_bridge.h",
"net/bridge/br_ioctl.c",
"net/bridge/br_private.h",
"net/core/dev_ioctl.c",
"net/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f51e471cb1577d510c3096e126678e1ea20d2efd",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "338a0f3c66aef4ee13052880d02200aae8f2d8a8",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "d767ce15045df510f55cdd2af5df0eee71f928d0",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "4888e1dcc341e9a132ef7b8516234b3c3296de56",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "00fe0ac64efd1f5373b3dd9f1f84b19235371e39",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "ed3ba9b6e280e14cc3148c1b226ba453f02fa76c",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/if_bridge.h",
"net/bridge/br_ioctl.c",
"net/bridge/br_private.h",
"net/core/dev_ioctl.c",
"net/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.65",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.\n\nSIOCBRDELIF is passed to dev_ioctl() first and later forwarded to\nbr_ioctl_call(), which causes unnecessary RTNL dance and the splat\nbelow [0] under RTNL pressure.\n\nLet\u0027s say Thread A is trying to detach a device from a bridge and\nThread B is trying to remove the bridge.\n\nIn dev_ioctl(), Thread A bumps the bridge device\u0027s refcnt by\nnetdev_hold() and releases RTNL because the following br_ioctl_call()\nalso re-acquires RTNL.\n\nIn the race window, Thread B could acquire RTNL and try to remove\nthe bridge device. Then, rtnl_unlock() by Thread B will release RTNL\nand wait for netdev_put() by Thread A.\n\nThread A, however, must hold RTNL after the unlock in dev_ifsioc(),\nwhich may take long under RTNL pressure, resulting in the splat by\nThread B.\n\n Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR)\n ---------------------- ----------------------\n sock_ioctl sock_ioctl\n `- sock_do_ioctl `- br_ioctl_call\n `- dev_ioctl `- br_ioctl_stub\n |- rtnl_lock |\n |- dev_ifsioc \u0027\n \u0027 |- dev = __dev_get_by_name(...)\n |- netdev_hold(dev, ...) .\n / |- rtnl_unlock ------. |\n | |- br_ioctl_call `---\u003e |- rtnl_lock\n Race | | `- br_ioctl_stub |- br_del_bridge\n Window | | | |- dev = __dev_get_by_name(...)\n | | | May take long | `- br_dev_delete(dev, ...)\n | | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...)\n | | | | `- rtnl_unlock\n \\ | |- rtnl_lock \u003c-\u0027 `- netdev_run_todo\n | |- ... `- netdev_run_todo\n | `- rtnl_unlock |- __rtnl_unlock\n | |- netdev_wait_allrefs_any\n |- netdev_put(dev, ...) \u003c----------------\u0027\n Wait refcnt decrement\n and log splat below\n\nTo avoid blocking SIOCBRDELBR unnecessarily, let\u0027s not call\ndev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.\n\nIn the dev_ioctl() path, we do the following:\n\n 1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()\n 2. Check CAP_NET_ADMIN in dev_ioctl()\n 3. Call dev_load() in dev_ioctl()\n 4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()\n\n3. can be done by request_module() in br_ioctl_call(), so we move\n1., 2., and 4. to br_ioctl_stub().\n\nNote that 2. is also checked later in add_del_if(), but it\u0027s better\nperformed before RTNL.\n\nSIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since\nthe pre-git era, and there seems to be no specific reason to process\nthem there.\n\n[0]:\nunregister_netdevice: waiting for wpan3 to become free. Usage count = 2\nref_tracker: wpan3@ffff8880662d8608 has 1/1 users at\n __netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]\n netdev_hold include/linux/netdevice.h:4311 [inline]\n dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624\n dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826\n sock_do_ioctl+0x1ca/0x260 net/socket.c:1213\n sock_ioctl+0x23a/0x6c0 net/socket.c:1318\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:54.573Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f51e471cb1577d510c3096e126678e1ea20d2efd"
},
{
"url": "https://git.kernel.org/stable/c/338a0f3c66aef4ee13052880d02200aae8f2d8a8"
},
{
"url": "https://git.kernel.org/stable/c/d767ce15045df510f55cdd2af5df0eee71f928d0"
},
{
"url": "https://git.kernel.org/stable/c/4888e1dcc341e9a132ef7b8516234b3c3296de56"
},
{
"url": "https://git.kernel.org/stable/c/00fe0ac64efd1f5373b3dd9f1f84b19235371e39"
},
{
"url": "https://git.kernel.org/stable/c/ed3ba9b6e280e14cc3148c1b226ba453f02fa76c"
}
],
"title": "net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22111",
"datePublished": "2025-04-16T14:12:57.719Z",
"dateReserved": "2024-12-29T08:45:45.820Z",
"dateUpdated": "2026-01-19T12:17:54.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39982 (GCVE-0-2025-39982)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:56 – Updated: 2025-10-15 07:56
VLAI?
EPSS
Title
Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync
This fixes the following UFA in hci_acl_create_conn_sync where a
connection still pending is command submission (conn->state == BT_OPEN)
maybe freed, also since this also can happen with the likes of
hci_le_create_conn_sync fix it as well:
BUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861
Write of size 2 at addr ffff88805ffcc038 by task kworker/u11:2/9541
CPU: 1 UID: 0 PID: 9541 Comm: kworker/u11:2 Not tainted 6.16.0-rc7 #3 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci3 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x230 mm/kasan/report.c:480
kasan_report+0x118/0x150 mm/kasan/report.c:593
hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861
hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 123736:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
__hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939
hci_conn_add_unset net/bluetooth/hci_conn.c:1051 [inline]
hci_connect_acl+0x16c/0x4e0 net/bluetooth/hci_conn.c:1634
pair_device+0x418/0xa70 net/bluetooth/mgmt.c:3556
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
sock_write_iter+0x258/0x330 net/socket.c:1131
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x54b/0xa90 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 103680:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kfree+0x18e/0x440 mm/slub.c:4842
device_release+0x9c/0x1c0
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x22b/0x480 lib/kobject.c:737
hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]
hci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173
hci_conn_complete_evt+0x3c7/0x1040 net/bluetooth/hci_event.c:3199
hci_event_func net/bluetooth/hci_event.c:7477 [inline]
hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531
hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/sour
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
aef2aa4fa98e18ea5d9345bf777ee698c8598728 , < 6243bda271a628c48875e3e473206e7f584892ce
(git)
Affected: aef2aa4fa98e18ea5d9345bf777ee698c8598728 , < bcce99f613163a43de24674b717e7a6c135fc879 (git) Affected: aef2aa4fa98e18ea5d9345bf777ee698c8598728 , < 484c7d571a3d1b3fd298fa691b660438c4548a53 (git) Affected: aef2aa4fa98e18ea5d9345bf777ee698c8598728 , < a78fd4fc5694ecb3b97deb2ad9eaebd67b4d2b08 (git) Affected: aef2aa4fa98e18ea5d9345bf777ee698c8598728 , < 9e622804d57e2d08f0271200606bd1270f75126f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6243bda271a628c48875e3e473206e7f584892ce",
"status": "affected",
"version": "aef2aa4fa98e18ea5d9345bf777ee698c8598728",
"versionType": "git"
},
{
"lessThan": "bcce99f613163a43de24674b717e7a6c135fc879",
"status": "affected",
"version": "aef2aa4fa98e18ea5d9345bf777ee698c8598728",
"versionType": "git"
},
{
"lessThan": "484c7d571a3d1b3fd298fa691b660438c4548a53",
"status": "affected",
"version": "aef2aa4fa98e18ea5d9345bf777ee698c8598728",
"versionType": "git"
},
{
"lessThan": "a78fd4fc5694ecb3b97deb2ad9eaebd67b4d2b08",
"status": "affected",
"version": "aef2aa4fa98e18ea5d9345bf777ee698c8598728",
"versionType": "git"
},
{
"lessThan": "9e622804d57e2d08f0271200606bd1270f75126f",
"status": "affected",
"version": "aef2aa4fa98e18ea5d9345bf777ee698c8598728",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync\n\nThis fixes the following UFA in hci_acl_create_conn_sync where a\nconnection still pending is command submission (conn-\u003estate == BT_OPEN)\nmaybe freed, also since this also can happen with the likes of\nhci_le_create_conn_sync fix it as well:\n\nBUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861\nWrite of size 2 at addr ffff88805ffcc038 by task kworker/u11:2/9541\n\nCPU: 1 UID: 0 PID: 9541 Comm: kworker/u11:2 Not tainted 6.16.0-rc7 #3 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\nWorkqueue: hci3 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x230 mm/kasan/report.c:480\n kasan_report+0x118/0x150 mm/kasan/report.c:593\n hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861\n hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x70e/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 123736:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n __hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939\n hci_conn_add_unset net/bluetooth/hci_conn.c:1051 [inline]\n hci_connect_acl+0x16c/0x4e0 net/bluetooth/hci_conn.c:1634\n pair_device+0x418/0xa70 net/bluetooth/mgmt.c:3556\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:727\n sock_write_iter+0x258/0x330 net/socket.c:1131\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x54b/0xa90 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 103680:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2381 [inline]\n slab_free mm/slub.c:4643 [inline]\n kfree+0x18e/0x440 mm/slub.c:4842\n device_release+0x9c/0x1c0\n kobject_cleanup lib/kobject.c:689 [inline]\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x22b/0x480 lib/kobject.c:737\n hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]\n hci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173\n hci_conn_complete_evt+0x3c7/0x1040 net/bluetooth/hci_event.c:3199\n hci_event_func net/bluetooth/hci_event.c:7477 [inline]\n hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531\n hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x70e/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/sour\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:02.024Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6243bda271a628c48875e3e473206e7f584892ce"
},
{
"url": "https://git.kernel.org/stable/c/bcce99f613163a43de24674b717e7a6c135fc879"
},
{
"url": "https://git.kernel.org/stable/c/484c7d571a3d1b3fd298fa691b660438c4548a53"
},
{
"url": "https://git.kernel.org/stable/c/a78fd4fc5694ecb3b97deb2ad9eaebd67b4d2b08"
},
{
"url": "https://git.kernel.org/stable/c/9e622804d57e2d08f0271200606bd1270f75126f"
}
],
"title": "Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39982",
"datePublished": "2025-10-15T07:56:02.024Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:02.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40193 (GCVE-0-2025-40193)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
xtensa: simdisk: add input size check in proc_write_simdisk
Summary
In the Linux kernel, the following vulnerability has been resolved:
xtensa: simdisk: add input size check in proc_write_simdisk
A malicious user could pass an arbitrarily bad value
to memdup_user_nul(), potentially causing kernel crash.
This follows the same pattern as commit ee76746387f6
("netdevsim: prevent bad user input in nsim_dev_health_break_write()")
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b6c7e873daf765e41233b9752083b66442703b7a , < f40405ccfb87b71175f2d5d004c0b8a0aebcc2cf
(git)
Affected: b6c7e873daf765e41233b9752083b66442703b7a , < 151bd88859474cdaccc1e4c8b21fbf72dbba2ab4 (git) Affected: b6c7e873daf765e41233b9752083b66442703b7a , < d381de7fd4cdc928ede96987dc64b133e6480dd6 (git) Affected: b6c7e873daf765e41233b9752083b66442703b7a , < a0c2c36d864ef3676b05cfd8c58b72ee3214cb1a (git) Affected: b6c7e873daf765e41233b9752083b66442703b7a , < 5d5f08fd0cd970184376bee07d59f635c8403f63 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/xtensa/platforms/iss/simdisk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f40405ccfb87b71175f2d5d004c0b8a0aebcc2cf",
"status": "affected",
"version": "b6c7e873daf765e41233b9752083b66442703b7a",
"versionType": "git"
},
{
"lessThan": "151bd88859474cdaccc1e4c8b21fbf72dbba2ab4",
"status": "affected",
"version": "b6c7e873daf765e41233b9752083b66442703b7a",
"versionType": "git"
},
{
"lessThan": "d381de7fd4cdc928ede96987dc64b133e6480dd6",
"status": "affected",
"version": "b6c7e873daf765e41233b9752083b66442703b7a",
"versionType": "git"
},
{
"lessThan": "a0c2c36d864ef3676b05cfd8c58b72ee3214cb1a",
"status": "affected",
"version": "b6c7e873daf765e41233b9752083b66442703b7a",
"versionType": "git"
},
{
"lessThan": "5d5f08fd0cd970184376bee07d59f635c8403f63",
"status": "affected",
"version": "b6c7e873daf765e41233b9752083b66442703b7a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/xtensa/platforms/iss/simdisk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxtensa: simdisk: add input size check in proc_write_simdisk\n\nA malicious user could pass an arbitrarily bad value\nto memdup_user_nul(), potentially causing kernel crash.\n\nThis follows the same pattern as commit ee76746387f6\n(\"netdevsim: prevent bad user input in nsim_dev_health_break_write()\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:53.264Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f40405ccfb87b71175f2d5d004c0b8a0aebcc2cf"
},
{
"url": "https://git.kernel.org/stable/c/151bd88859474cdaccc1e4c8b21fbf72dbba2ab4"
},
{
"url": "https://git.kernel.org/stable/c/d381de7fd4cdc928ede96987dc64b133e6480dd6"
},
{
"url": "https://git.kernel.org/stable/c/a0c2c36d864ef3676b05cfd8c58b72ee3214cb1a"
},
{
"url": "https://git.kernel.org/stable/c/5d5f08fd0cd970184376bee07d59f635c8403f63"
}
],
"title": "xtensa: simdisk: add input size check in proc_write_simdisk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40193",
"datePublished": "2025-11-12T21:56:31.751Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-12-01T06:19:53.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68297 (GCVE-0-2025-68297)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
ceph: fix crash in process_v2_sparse_read() for encrypted directories
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix crash in process_v2_sparse_read() for encrypted directories
The crash in process_v2_sparse_read() for fscrypt-encrypted directories
has been reported. Issue takes place for Ceph msgr2 protocol in secure
mode. It can be reproduced by the steps:
sudo mount -t ceph :/ /mnt/cephfs/ -o name=admin,fs=cephfs,ms_mode=secure
(1) mkdir /mnt/cephfs/fscrypt-test-3
(2) cp area_decrypted.tar /mnt/cephfs/fscrypt-test-3
(3) fscrypt encrypt --source=raw_key --key=./my.key /mnt/cephfs/fscrypt-test-3
(4) fscrypt lock /mnt/cephfs/fscrypt-test-3
(5) fscrypt unlock --key=my.key /mnt/cephfs/fscrypt-test-3
(6) cat /mnt/cephfs/fscrypt-test-3/area_decrypted.tar
(7) Issue has been triggered
[ 408.072247] ------------[ cut here ]------------
[ 408.072251] WARNING: CPU: 1 PID: 392 at net/ceph/messenger_v2.c:865
ceph_con_v2_try_read+0x4b39/0x72f0
[ 408.072267] Modules linked in: intel_rapl_msr intel_rapl_common
intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery
pmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass
polyval_clmulni ghash_clmulni_intel aesni_intel rapl input_leds psmouse
serio_raw i2c_piix4 vga16fb bochs vgastate i2c_smbus floppy mac_hid qemu_fw_cfg
pata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore
[ 408.072304] CPU: 1 UID: 0 PID: 392 Comm: kworker/1:3 Not tainted 6.17.0-rc7+
[ 408.072307] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.17.0-5.fc42 04/01/2014
[ 408.072310] Workqueue: ceph-msgr ceph_con_workfn
[ 408.072314] RIP: 0010:ceph_con_v2_try_read+0x4b39/0x72f0
[ 408.072317] Code: c7 c1 20 f0 d4 ae 50 31 d2 48 c7 c6 60 27 d5 ae 48 c7 c7 f8
8e 6f b0 68 60 38 d5 ae e8 00 47 61 fe 48 83 c4 18 e9 ac fc ff ff <0f> 0b e9 06
fe ff ff 4c 8b 9d 98 fd ff ff 0f 84 64 e7 ff ff 89 85
[ 408.072319] RSP: 0018:ffff88811c3e7a30 EFLAGS: 00010246
[ 408.072322] RAX: ffffed1024874c6f RBX: ffffea00042c2b40 RCX: 0000000000000f38
[ 408.072324] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 408.072325] RBP: ffff88811c3e7ca8 R08: 0000000000000000 R09: 00000000000000c8
[ 408.072326] R10: 00000000000000c8 R11: 0000000000000000 R12: 00000000000000c8
[ 408.072327] R13: dffffc0000000000 R14: ffff8881243a6030 R15: 0000000000003000
[ 408.072329] FS: 0000000000000000(0000) GS:ffff88823eadf000(0000)
knlGS:0000000000000000
[ 408.072331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 408.072332] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0
[ 408.072336] PKRU: 55555554
[ 408.072337] Call Trace:
[ 408.072338] <TASK>
[ 408.072340] ? sched_clock_noinstr+0x9/0x10
[ 408.072344] ? __pfx_ceph_con_v2_try_read+0x10/0x10
[ 408.072347] ? _raw_spin_unlock+0xe/0x40
[ 408.072349] ? finish_task_switch.isra.0+0x15d/0x830
[ 408.072353] ? __kasan_check_write+0x14/0x30
[ 408.072357] ? mutex_lock+0x84/0xe0
[ 408.072359] ? __pfx_mutex_lock+0x10/0x10
[ 408.072361] ceph_con_workfn+0x27e/0x10e0
[ 408.072364] ? metric_delayed_work+0x311/0x2c50
[ 408.072367] process_one_work+0x611/0xe20
[ 408.072371] ? __kasan_check_write+0x14/0x30
[ 408.072373] worker_thread+0x7e3/0x1580
[ 408.072375] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 408.072378] ? __pfx_worker_thread+0x10/0x10
[ 408.072381] kthread+0x381/0x7a0
[ 408.072383] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 408.072385] ? __pfx_kthread+0x10/0x10
[ 408.072387] ? __kasan_check_write+0x14/0x30
[ 408.072389] ? recalc_sigpending+0x160/0x220
[ 408.072392] ? _raw_spin_unlock_irq+0xe/0x50
[ 408.072394] ? calculate_sigpending+0x78/0xb0
[ 408.072395] ? __pfx_kthread+0x10/0x10
[ 408.072397] ret_from_fork+0x2b6/0x380
[ 408.072400] ? __pfx_kthread+0x10/0x10
[ 408.072402] ret_from_fork_asm+0x1a/0x30
[ 408.072406] </TASK>
[ 408.072407] ---[ end trace 0000000000000000 ]---
[ 408.072418] Oops: general protection fault, probably for non-canonical
address 0xdffffc00000000
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
da9c33a70f095d5d55c36d0bfeba969e31de08ae , < 5a3f3e39b18705bc578fae58abacc8ef93c15194
(git)
Affected: 8e46a2d068c92a905d01cbb018b00d66991585ab , < 47144748fbf12068ba4b82512098fe1ac748a2e9 (git) Affected: 8e46a2d068c92a905d01cbb018b00d66991585ab , < 7d1b7de853f7d1eefd6d22949bcefc0c25186727 (git) Affected: 8e46a2d068c92a905d01cbb018b00d66991585ab , < 43962db4a6f593903340c85591056a0cef812dfd (git) Affected: bd9442e553ab8bf74b8be3b3c0a43bf4af4dc9b8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a3f3e39b18705bc578fae58abacc8ef93c15194",
"status": "affected",
"version": "da9c33a70f095d5d55c36d0bfeba969e31de08ae",
"versionType": "git"
},
{
"lessThan": "47144748fbf12068ba4b82512098fe1ac748a2e9",
"status": "affected",
"version": "8e46a2d068c92a905d01cbb018b00d66991585ab",
"versionType": "git"
},
{
"lessThan": "7d1b7de853f7d1eefd6d22949bcefc0c25186727",
"status": "affected",
"version": "8e46a2d068c92a905d01cbb018b00d66991585ab",
"versionType": "git"
},
{
"lessThan": "43962db4a6f593903340c85591056a0cef812dfd",
"status": "affected",
"version": "8e46a2d068c92a905d01cbb018b00d66991585ab",
"versionType": "git"
},
{
"status": "affected",
"version": "bd9442e553ab8bf74b8be3b3c0a43bf4af4dc9b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "6.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix crash in process_v2_sparse_read() for encrypted directories\n\nThe crash in process_v2_sparse_read() for fscrypt-encrypted directories\nhas been reported. Issue takes place for Ceph msgr2 protocol in secure\nmode. It can be reproduced by the steps:\n\nsudo mount -t ceph :/ /mnt/cephfs/ -o name=admin,fs=cephfs,ms_mode=secure\n\n(1) mkdir /mnt/cephfs/fscrypt-test-3\n(2) cp area_decrypted.tar /mnt/cephfs/fscrypt-test-3\n(3) fscrypt encrypt --source=raw_key --key=./my.key /mnt/cephfs/fscrypt-test-3\n(4) fscrypt lock /mnt/cephfs/fscrypt-test-3\n(5) fscrypt unlock --key=my.key /mnt/cephfs/fscrypt-test-3\n(6) cat /mnt/cephfs/fscrypt-test-3/area_decrypted.tar\n(7) Issue has been triggered\n\n[ 408.072247] ------------[ cut here ]------------\n[ 408.072251] WARNING: CPU: 1 PID: 392 at net/ceph/messenger_v2.c:865\nceph_con_v2_try_read+0x4b39/0x72f0\n[ 408.072267] Modules linked in: intel_rapl_msr intel_rapl_common\nintel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery\npmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass\npolyval_clmulni ghash_clmulni_intel aesni_intel rapl input_leds psmouse\nserio_raw i2c_piix4 vga16fb bochs vgastate i2c_smbus floppy mac_hid qemu_fw_cfg\npata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore\n[ 408.072304] CPU: 1 UID: 0 PID: 392 Comm: kworker/1:3 Not tainted 6.17.0-rc7+\n[ 408.072307] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.17.0-5.fc42 04/01/2014\n[ 408.072310] Workqueue: ceph-msgr ceph_con_workfn\n[ 408.072314] RIP: 0010:ceph_con_v2_try_read+0x4b39/0x72f0\n[ 408.072317] Code: c7 c1 20 f0 d4 ae 50 31 d2 48 c7 c6 60 27 d5 ae 48 c7 c7 f8\n8e 6f b0 68 60 38 d5 ae e8 00 47 61 fe 48 83 c4 18 e9 ac fc ff ff \u003c0f\u003e 0b e9 06\nfe ff ff 4c 8b 9d 98 fd ff ff 0f 84 64 e7 ff ff 89 85\n[ 408.072319] RSP: 0018:ffff88811c3e7a30 EFLAGS: 00010246\n[ 408.072322] RAX: ffffed1024874c6f RBX: ffffea00042c2b40 RCX: 0000000000000f38\n[ 408.072324] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[ 408.072325] RBP: ffff88811c3e7ca8 R08: 0000000000000000 R09: 00000000000000c8\n[ 408.072326] R10: 00000000000000c8 R11: 0000000000000000 R12: 00000000000000c8\n[ 408.072327] R13: dffffc0000000000 R14: ffff8881243a6030 R15: 0000000000003000\n[ 408.072329] FS: 0000000000000000(0000) GS:ffff88823eadf000(0000)\nknlGS:0000000000000000\n[ 408.072331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 408.072332] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0\n[ 408.072336] PKRU: 55555554\n[ 408.072337] Call Trace:\n[ 408.072338] \u003cTASK\u003e\n[ 408.072340] ? sched_clock_noinstr+0x9/0x10\n[ 408.072344] ? __pfx_ceph_con_v2_try_read+0x10/0x10\n[ 408.072347] ? _raw_spin_unlock+0xe/0x40\n[ 408.072349] ? finish_task_switch.isra.0+0x15d/0x830\n[ 408.072353] ? __kasan_check_write+0x14/0x30\n[ 408.072357] ? mutex_lock+0x84/0xe0\n[ 408.072359] ? __pfx_mutex_lock+0x10/0x10\n[ 408.072361] ceph_con_workfn+0x27e/0x10e0\n[ 408.072364] ? metric_delayed_work+0x311/0x2c50\n[ 408.072367] process_one_work+0x611/0xe20\n[ 408.072371] ? __kasan_check_write+0x14/0x30\n[ 408.072373] worker_thread+0x7e3/0x1580\n[ 408.072375] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 408.072378] ? __pfx_worker_thread+0x10/0x10\n[ 408.072381] kthread+0x381/0x7a0\n[ 408.072383] ? __pfx__raw_spin_lock_irq+0x10/0x10\n[ 408.072385] ? __pfx_kthread+0x10/0x10\n[ 408.072387] ? __kasan_check_write+0x14/0x30\n[ 408.072389] ? recalc_sigpending+0x160/0x220\n[ 408.072392] ? _raw_spin_unlock_irq+0xe/0x50\n[ 408.072394] ? calculate_sigpending+0x78/0xb0\n[ 408.072395] ? __pfx_kthread+0x10/0x10\n[ 408.072397] ret_from_fork+0x2b6/0x380\n[ 408.072400] ? __pfx_kthread+0x10/0x10\n[ 408.072402] ret_from_fork_asm+0x1a/0x30\n[ 408.072406] \u003c/TASK\u003e\n[ 408.072407] ---[ end trace 0000000000000000 ]---\n[ 408.072418] Oops: general protection fault, probably for non-canonical\naddress 0xdffffc00000000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:51.946Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a3f3e39b18705bc578fae58abacc8ef93c15194"
},
{
"url": "https://git.kernel.org/stable/c/47144748fbf12068ba4b82512098fe1ac748a2e9"
},
{
"url": "https://git.kernel.org/stable/c/7d1b7de853f7d1eefd6d22949bcefc0c25186727"
},
{
"url": "https://git.kernel.org/stable/c/43962db4a6f593903340c85591056a0cef812dfd"
}
],
"title": "ceph: fix crash in process_v2_sparse_read() for encrypted directories",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68297",
"datePublished": "2025-12-16T15:06:16.756Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2026-01-02T15:34:51.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68730 (GCVE-0-2025-68730)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context()
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context()
Don't add BO to the vdev->bo_list in ivpu_gem_create_object().
When failure happens inside drm_gem_shmem_create(), the BO is not
fully created and ivpu_gem_bo_free() callback will not be called
causing a deleted BO to be left on the list.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8d88e4cdce4f5c56de55174a4d32ea9c06f7fa66 , < 8172838a284c27190fa6782c2740a97020434750
(git)
Affected: 8d88e4cdce4f5c56de55174a4d32ea9c06f7fa66 , < c9ef5ccd8bd9bcf598b6d3f77e7eb4dde7149aec (git) Affected: 8d88e4cdce4f5c56de55174a4d32ea9c06f7fa66 , < 8b694b405a84696f1d964f6da7cf9721e68c4714 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/ivpu/ivpu_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8172838a284c27190fa6782c2740a97020434750",
"status": "affected",
"version": "8d88e4cdce4f5c56de55174a4d32ea9c06f7fa66",
"versionType": "git"
},
{
"lessThan": "c9ef5ccd8bd9bcf598b6d3f77e7eb4dde7149aec",
"status": "affected",
"version": "8d88e4cdce4f5c56de55174a4d32ea9c06f7fa66",
"versionType": "git"
},
{
"lessThan": "8b694b405a84696f1d964f6da7cf9721e68c4714",
"status": "affected",
"version": "8d88e4cdce4f5c56de55174a4d32ea9c06f7fa66",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/ivpu/ivpu_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context()\n\nDon\u0027t add BO to the vdev-\u003ebo_list in ivpu_gem_create_object().\nWhen failure happens inside drm_gem_shmem_create(), the BO is not\nfully created and ivpu_gem_bo_free() callback will not be called\ncausing a deleted BO to be left on the list."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:26.517Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8172838a284c27190fa6782c2740a97020434750"
},
{
"url": "https://git.kernel.org/stable/c/c9ef5ccd8bd9bcf598b6d3f77e7eb4dde7149aec"
},
{
"url": "https://git.kernel.org/stable/c/8b694b405a84696f1d964f6da7cf9721e68c4714"
}
],
"title": "accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68730",
"datePublished": "2025-12-24T10:33:13.236Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-02-09T08:32:26.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40322 (GCVE-0-2025-40322)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
fbdev: bitblit: bound-check glyph index in bit_putcs*
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: bitblit: bound-check glyph index in bit_putcs*
bit_putcs_aligned()/unaligned() derived the glyph pointer from the
character value masked by 0xff/0x1ff, which may exceed the actual font's
glyph count and read past the end of the built-in font array.
Clamp the index to the actual glyph count before computing the address.
This fixes a global out-of-bounds read reported by syzbot.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a10cede006f9614b465cf25609a8753efbfd45cc
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0998a6cb232674408a03e8561dc15aa266b2f53b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < db5c9a162d2f42bcc842b76b3d935dcc050a0eec (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c12003bf91fdff381c55ef54fef3e961a5af2545 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9ba1a7802ca9a2590cef95b253e6526f4364477f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 901f44227072be60812fe8083e83e1533c04eed1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < efaf89a75a29b2d179bf4fe63ca62852e93ad620 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 18c4ef4e765a798b47980555ed665d78b71aeadf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/bitblit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a10cede006f9614b465cf25609a8753efbfd45cc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0998a6cb232674408a03e8561dc15aa266b2f53b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "db5c9a162d2f42bcc842b76b3d935dcc050a0eec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c12003bf91fdff381c55ef54fef3e961a5af2545",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9ba1a7802ca9a2590cef95b253e6526f4364477f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "901f44227072be60812fe8083e83e1533c04eed1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "efaf89a75a29b2d179bf4fe63ca62852e93ad620",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "18c4ef4e765a798b47980555ed665d78b71aeadf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/bitblit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: bitblit: bound-check glyph index in bit_putcs*\n\nbit_putcs_aligned()/unaligned() derived the glyph pointer from the\ncharacter value masked by 0xff/0x1ff, which may exceed the actual font\u0027s\nglyph count and read past the end of the built-in font array.\nClamp the index to the actual glyph count before computing the address.\n\nThis fixes a global out-of-bounds read reported by syzbot."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:34.750Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a10cede006f9614b465cf25609a8753efbfd45cc"
},
{
"url": "https://git.kernel.org/stable/c/0998a6cb232674408a03e8561dc15aa266b2f53b"
},
{
"url": "https://git.kernel.org/stable/c/db5c9a162d2f42bcc842b76b3d935dcc050a0eec"
},
{
"url": "https://git.kernel.org/stable/c/c12003bf91fdff381c55ef54fef3e961a5af2545"
},
{
"url": "https://git.kernel.org/stable/c/9ba1a7802ca9a2590cef95b253e6526f4364477f"
},
{
"url": "https://git.kernel.org/stable/c/901f44227072be60812fe8083e83e1533c04eed1"
},
{
"url": "https://git.kernel.org/stable/c/efaf89a75a29b2d179bf4fe63ca62852e93ad620"
},
{
"url": "https://git.kernel.org/stable/c/18c4ef4e765a798b47980555ed665d78b71aeadf"
}
],
"title": "fbdev: bitblit: bound-check glyph index in bit_putcs*",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40322",
"datePublished": "2025-12-08T00:46:49.773Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-01-02T15:33:34.750Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40129 (GCVE-0-2025-40129)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
sunrpc: fix null pointer dereference on zero-length checksum
Summary
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: fix null pointer dereference on zero-length checksum
In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes
checksum.data to be set to NULL. This triggers a NPD when accessing
checksum.data in gss_krb5_verify_mic_v2(). This patch ensures that
the value of checksum.len is not less than XDR_UNIT.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0653028e8f1c97fec30710813a001ad8a2ec34f4 , < 81cec07d303186d0d8c623ef8b5ecd3b81e94cf6
(git)
Affected: 0653028e8f1c97fec30710813a001ad8a2ec34f4 , < affc03d44921f493deaae1d33151e3067a6f9f8f (git) Affected: 0653028e8f1c97fec30710813a001ad8a2ec34f4 , < ab9a70cd2386a0d70c164b0905dd66bc9af52e77 (git) Affected: 0653028e8f1c97fec30710813a001ad8a2ec34f4 , < 6df164e29bd4e6505c5a2e0e5f1e1f6957a16a42 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/auth_gss/svcauth_gss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "81cec07d303186d0d8c623ef8b5ecd3b81e94cf6",
"status": "affected",
"version": "0653028e8f1c97fec30710813a001ad8a2ec34f4",
"versionType": "git"
},
{
"lessThan": "affc03d44921f493deaae1d33151e3067a6f9f8f",
"status": "affected",
"version": "0653028e8f1c97fec30710813a001ad8a2ec34f4",
"versionType": "git"
},
{
"lessThan": "ab9a70cd2386a0d70c164b0905dd66bc9af52e77",
"status": "affected",
"version": "0653028e8f1c97fec30710813a001ad8a2ec34f4",
"versionType": "git"
},
{
"lessThan": "6df164e29bd4e6505c5a2e0e5f1e1f6957a16a42",
"status": "affected",
"version": "0653028e8f1c97fec30710813a001ad8a2ec34f4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/auth_gss/svcauth_gss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix null pointer dereference on zero-length checksum\n\nIn xdr_stream_decode_opaque_auth(), zero-length checksum.len causes\nchecksum.data to be set to NULL. This triggers a NPD when accessing\nchecksum.data in gss_krb5_verify_mic_v2(). This patch ensures that\nthe value of checksum.len is not less than XDR_UNIT."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:34.691Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/81cec07d303186d0d8c623ef8b5ecd3b81e94cf6"
},
{
"url": "https://git.kernel.org/stable/c/affc03d44921f493deaae1d33151e3067a6f9f8f"
},
{
"url": "https://git.kernel.org/stable/c/ab9a70cd2386a0d70c164b0905dd66bc9af52e77"
},
{
"url": "https://git.kernel.org/stable/c/6df164e29bd4e6505c5a2e0e5f1e1f6957a16a42"
}
],
"title": "sunrpc: fix null pointer dereference on zero-length checksum",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40129",
"datePublished": "2025-11-12T10:23:21.327Z",
"dateReserved": "2025-04-16T07:20:57.170Z",
"dateUpdated": "2025-12-01T06:18:34.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39995 (GCVE-0-2025-39995)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:58 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe
The state->timer is a cyclic timer that schedules work_i2c_poll and
delayed_work_enable_hotplug, while rearming itself. Using timer_delete()
fails to guarantee the timer isn't still running when destroyed, similarly
cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has
terminated if already executing. During probe failure after timer
initialization, these may continue running as orphans and reference the
already-freed tc358743_state object through tc358743_irq_poll_timer.
The following is the trace captured by KASAN.
BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0
...
Call Trace:
<IRQ>
dump_stack_lvl+0x55/0x70
print_report+0xcf/0x610
? __pfx_sched_balance_find_src_group+0x10/0x10
? __run_timer_base.part.0+0x7d7/0x8c0
kasan_report+0xb8/0xf0
? __run_timer_base.part.0+0x7d7/0x8c0
__run_timer_base.part.0+0x7d7/0x8c0
? rcu_sched_clock_irq+0xb06/0x27d0
? __pfx___run_timer_base.part.0+0x10/0x10
? try_to_wake_up+0xb15/0x1960
? tmigr_update_events+0x280/0x740
? _raw_spin_lock_irq+0x80/0xe0
? __pfx__raw_spin_lock_irq+0x10/0x10
tmigr_handle_remote_up+0x603/0x7e0
? __pfx_tmigr_handle_remote_up+0x10/0x10
? sched_balance_trigger+0x98/0x9f0
? sched_tick+0x221/0x5a0
? _raw_spin_lock_irq+0x80/0xe0
? __pfx__raw_spin_lock_irq+0x10/0x10
? tick_nohz_handler+0x339/0x440
? __pfx_tmigr_handle_remote_up+0x10/0x10
__walk_groups.isra.0+0x42/0x150
tmigr_handle_remote+0x1f4/0x2e0
? __pfx_tmigr_handle_remote+0x10/0x10
? ktime_get+0x60/0x140
? lapic_next_event+0x11/0x20
? clockevents_program_event+0x1d4/0x2a0
? hrtimer_interrupt+0x322/0x780
handle_softirqs+0x16a/0x550
irq_exit_rcu+0xaf/0xe0
sysvec_apic_timer_interrupt+0x70/0x80
</IRQ>
...
Allocated by task 141:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
__kmalloc_node_track_caller_noprof+0x198/0x430
devm_kmalloc+0x7b/0x1e0
tc358743_probe+0xb7/0x610 i2c_device_probe+0x51d/0x880
really_probe+0x1ca/0x5c0
__driver_probe_device+0x248/0x310
driver_probe_device+0x44/0x120
__device_attach_driver+0x174/0x220
bus_for_each_drv+0x100/0x190
__device_attach+0x206/0x370
bus_probe_device+0x123/0x170
device_add+0xd25/0x1470
i2c_new_client_device+0x7a0/0xcd0
do_one_initcall+0x89/0x300
do_init_module+0x29d/0x7f0
load_module+0x4f48/0x69e0
init_module_from_file+0xe4/0x150
idempotent_init_module+0x320/0x670
__x64_sys_finit_module+0xbd/0x120
do_syscall_64+0xac/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 141:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3a/0x60
__kasan_slab_free+0x3f/0x50
kfree+0x137/0x370
release_nodes+0xa4/0x100
devres_release_group+0x1b2/0x380
i2c_device_probe+0x694/0x880
really_probe+0x1ca/0x5c0
__driver_probe_device+0x248/0x310
driver_probe_device+0x44/0x120
__device_attach_driver+0x174/0x220
bus_for_each_drv+0x100/0x190
__device_attach+0x206/0x370
bus_probe_device+0x123/0x170
device_add+0xd25/0x1470
i2c_new_client_device+0x7a0/0xcd0
do_one_initcall+0x89/0x300
do_init_module+0x29d/0x7f0
load_module+0x4f48/0x69e0
init_module_from_file+0xe4/0x150
idempotent_init_module+0x320/0x670
__x64_sys_finit_module+0xbd/0x120
do_syscall_64+0xac/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
Replace timer_delete() with timer_delete_sync() and cancel_delayed_work()
with cancel_delayed_work_sync() to ensure proper termination of timer and
work items before resource cleanup.
This bug was initially identified through static analysis. For reproduction
and testing, I created a functional emulation of the tc358743 device via a
kernel module and introduced faults through the debugfs interface.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d32d98642de66048f9534a05f3641558e811bbc9 , < 9205fb6e617a1c596d9a9ad2a160ee696e09d520
(git)
Affected: d32d98642de66048f9534a05f3641558e811bbc9 , < 70913586c717dd25cfbade7a418e92cc9c99398a (git) Affected: d32d98642de66048f9534a05f3641558e811bbc9 , < 663faf1179db9663a3793c75e9bc869358bad910 (git) Affected: d32d98642de66048f9534a05f3641558e811bbc9 , < 3d17701c156579969470e58b3a906511f8bc018d (git) Affected: d32d98642de66048f9534a05f3641558e811bbc9 , < 228d06c4cbfc750f1216a3fd91b4693b0766d2f6 (git) Affected: d32d98642de66048f9534a05f3641558e811bbc9 , < f92181c0e13cad9671d07b15be695a97fc2534a3 (git) Affected: d32d98642de66048f9534a05f3641558e811bbc9 , < f3f3f00bcabbd2ce0a77a2ac7a6797b8646bfd8b (git) Affected: d32d98642de66048f9534a05f3641558e811bbc9 , < 2610617effb4454d2f1c434c011ccb5cc7140711 (git) Affected: d32d98642de66048f9534a05f3641558e811bbc9 , < 79d10f4f21a92e459b2276a77be62c59c1502c9d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/tc358743.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9205fb6e617a1c596d9a9ad2a160ee696e09d520",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "70913586c717dd25cfbade7a418e92cc9c99398a",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "663faf1179db9663a3793c75e9bc869358bad910",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "3d17701c156579969470e58b3a906511f8bc018d",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "228d06c4cbfc750f1216a3fd91b4693b0766d2f6",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "f92181c0e13cad9671d07b15be695a97fc2534a3",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "f3f3f00bcabbd2ce0a77a2ac7a6797b8646bfd8b",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "2610617effb4454d2f1c434c011ccb5cc7140711",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "79d10f4f21a92e459b2276a77be62c59c1502c9d",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/tc358743.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe\n\nThe state-\u003etimer is a cyclic timer that schedules work_i2c_poll and\ndelayed_work_enable_hotplug, while rearming itself. Using timer_delete()\nfails to guarantee the timer isn\u0027t still running when destroyed, similarly\ncancel_delayed_work() cannot ensure delayed_work_enable_hotplug has\nterminated if already executing. During probe failure after timer\ninitialization, these may continue running as orphans and reference the\nalready-freed tc358743_state object through tc358743_irq_poll_timer.\n\nThe following is the trace captured by KASAN.\n\nBUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0\nWrite of size 8 at addr ffff88800ded83c8 by task swapper/1/0\n...\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x55/0x70\n print_report+0xcf/0x610\n ? __pfx_sched_balance_find_src_group+0x10/0x10\n ? __run_timer_base.part.0+0x7d7/0x8c0\n kasan_report+0xb8/0xf0\n ? __run_timer_base.part.0+0x7d7/0x8c0\n __run_timer_base.part.0+0x7d7/0x8c0\n ? rcu_sched_clock_irq+0xb06/0x27d0\n ? __pfx___run_timer_base.part.0+0x10/0x10\n ? try_to_wake_up+0xb15/0x1960\n ? tmigr_update_events+0x280/0x740\n ? _raw_spin_lock_irq+0x80/0xe0\n ? __pfx__raw_spin_lock_irq+0x10/0x10\n tmigr_handle_remote_up+0x603/0x7e0\n ? __pfx_tmigr_handle_remote_up+0x10/0x10\n ? sched_balance_trigger+0x98/0x9f0\n ? sched_tick+0x221/0x5a0\n ? _raw_spin_lock_irq+0x80/0xe0\n ? __pfx__raw_spin_lock_irq+0x10/0x10\n ? tick_nohz_handler+0x339/0x440\n ? __pfx_tmigr_handle_remote_up+0x10/0x10\n __walk_groups.isra.0+0x42/0x150\n tmigr_handle_remote+0x1f4/0x2e0\n ? __pfx_tmigr_handle_remote+0x10/0x10\n ? ktime_get+0x60/0x140\n ? lapic_next_event+0x11/0x20\n ? clockevents_program_event+0x1d4/0x2a0\n ? hrtimer_interrupt+0x322/0x780\n handle_softirqs+0x16a/0x550\n irq_exit_rcu+0xaf/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n \u003c/IRQ\u003e\n...\n\nAllocated by task 141:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n __kmalloc_node_track_caller_noprof+0x198/0x430\n devm_kmalloc+0x7b/0x1e0\n tc358743_probe+0xb7/0x610 i2c_device_probe+0x51d/0x880\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __device_attach_driver+0x174/0x220\n bus_for_each_drv+0x100/0x190\n __device_attach+0x206/0x370\n bus_probe_device+0x123/0x170\n device_add+0xd25/0x1470\n i2c_new_client_device+0x7a0/0xcd0\n do_one_initcall+0x89/0x300\n do_init_module+0x29d/0x7f0\n load_module+0x4f48/0x69e0\n init_module_from_file+0xe4/0x150\n idempotent_init_module+0x320/0x670\n __x64_sys_finit_module+0xbd/0x120\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 141:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x3f/0x50\n kfree+0x137/0x370\n release_nodes+0xa4/0x100\n devres_release_group+0x1b2/0x380\n i2c_device_probe+0x694/0x880\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __device_attach_driver+0x174/0x220\n bus_for_each_drv+0x100/0x190\n __device_attach+0x206/0x370\n bus_probe_device+0x123/0x170\n device_add+0xd25/0x1470\n i2c_new_client_device+0x7a0/0xcd0\n do_one_initcall+0x89/0x300\n do_init_module+0x29d/0x7f0\n load_module+0x4f48/0x69e0\n init_module_from_file+0xe4/0x150\n idempotent_init_module+0x320/0x670\n __x64_sys_finit_module+0xbd/0x120\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\nReplace timer_delete() with timer_delete_sync() and cancel_delayed_work()\nwith cancel_delayed_work_sync() to ensure proper termination of timer and\nwork items before resource cleanup.\n\nThis bug was initially identified through static analysis. For reproduction\nand testing, I created a functional emulation of the tc358743 device via a\nkernel module and introduced faults through the debugfs interface."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:06.340Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9205fb6e617a1c596d9a9ad2a160ee696e09d520"
},
{
"url": "https://git.kernel.org/stable/c/70913586c717dd25cfbade7a418e92cc9c99398a"
},
{
"url": "https://git.kernel.org/stable/c/663faf1179db9663a3793c75e9bc869358bad910"
},
{
"url": "https://git.kernel.org/stable/c/3d17701c156579969470e58b3a906511f8bc018d"
},
{
"url": "https://git.kernel.org/stable/c/228d06c4cbfc750f1216a3fd91b4693b0766d2f6"
},
{
"url": "https://git.kernel.org/stable/c/f92181c0e13cad9671d07b15be695a97fc2534a3"
},
{
"url": "https://git.kernel.org/stable/c/f3f3f00bcabbd2ce0a77a2ac7a6797b8646bfd8b"
},
{
"url": "https://git.kernel.org/stable/c/2610617effb4454d2f1c434c011ccb5cc7140711"
},
{
"url": "https://git.kernel.org/stable/c/79d10f4f21a92e459b2276a77be62c59c1502c9d"
}
],
"title": "media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39995",
"datePublished": "2025-10-15T07:58:20.365Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-12-01T06:16:06.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39968 (GCVE-0-2025-39968)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:55 – Updated: 2025-10-15 07:55
VLAI?
EPSS
Title
i40e: add max boundary check for VF filters
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: add max boundary check for VF filters
There is no check for max filters that VF can request. Add it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e284fc280473bed23f2e1ed324e102a48f7d17e1 , < 9176e18681cb0d34c5acc87bda224f5652af2ab8
(git)
Affected: e284fc280473bed23f2e1ed324e102a48f7d17e1 , < e490d8c5a54e0dd1ab22417d72c3a7319cf0f030 (git) Affected: e284fc280473bed23f2e1ed324e102a48f7d17e1 , < 77a35be582dff4c80442ebcdce24d45eed8a6ce4 (git) Affected: e284fc280473bed23f2e1ed324e102a48f7d17e1 , < 02aae5fcdd34c3a55a243d80a1b328a35852a35c (git) Affected: e284fc280473bed23f2e1ed324e102a48f7d17e1 , < edecce7abd7152b48e279b4fa0a883d1839bb577 (git) Affected: e284fc280473bed23f2e1ed324e102a48f7d17e1 , < d33e5d6631ac4fddda235a7815babc9d3f124299 (git) Affected: e284fc280473bed23f2e1ed324e102a48f7d17e1 , < 8b13df5aa877b9e4541e301a58a84c42d84d2d9a (git) Affected: e284fc280473bed23f2e1ed324e102a48f7d17e1 , < cb79fa7118c150c3c76a327894bb2eb878c02619 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9176e18681cb0d34c5acc87bda224f5652af2ab8",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "e490d8c5a54e0dd1ab22417d72c3a7319cf0f030",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "77a35be582dff4c80442ebcdce24d45eed8a6ce4",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "02aae5fcdd34c3a55a243d80a1b328a35852a35c",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "edecce7abd7152b48e279b4fa0a883d1839bb577",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "d33e5d6631ac4fddda235a7815babc9d3f124299",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "8b13df5aa877b9e4541e301a58a84c42d84d2d9a",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "cb79fa7118c150c3c76a327894bb2eb878c02619",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: add max boundary check for VF filters\n\nThere is no check for max filters that VF can request. Add it."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:52.272Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9176e18681cb0d34c5acc87bda224f5652af2ab8"
},
{
"url": "https://git.kernel.org/stable/c/e490d8c5a54e0dd1ab22417d72c3a7319cf0f030"
},
{
"url": "https://git.kernel.org/stable/c/77a35be582dff4c80442ebcdce24d45eed8a6ce4"
},
{
"url": "https://git.kernel.org/stable/c/02aae5fcdd34c3a55a243d80a1b328a35852a35c"
},
{
"url": "https://git.kernel.org/stable/c/edecce7abd7152b48e279b4fa0a883d1839bb577"
},
{
"url": "https://git.kernel.org/stable/c/d33e5d6631ac4fddda235a7815babc9d3f124299"
},
{
"url": "https://git.kernel.org/stable/c/8b13df5aa877b9e4541e301a58a84c42d84d2d9a"
},
{
"url": "https://git.kernel.org/stable/c/cb79fa7118c150c3c76a327894bb2eb878c02619"
}
],
"title": "i40e: add max boundary check for VF filters",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39968",
"datePublished": "2025-10-15T07:55:52.272Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:52.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40169 (GCVE-0-2025-40169)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:46 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
bpf: Reject negative offsets for ALU ops
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Reject negative offsets for ALU ops
When verifying BPF programs, the check_alu_op() function validates
instructions with ALU operations. The 'offset' field in these
instructions is a signed 16-bit integer.
The existing check 'insn->off > 1' was intended to ensure the offset is
either 0, or 1 for BPF_MOD/BPF_DIV. However, because 'insn->off' is
signed, this check incorrectly accepts all negative values (e.g., -1).
This commit tightens the validation by changing the condition to
'(insn->off != 0 && insn->off != 1)'. This ensures that any value
other than the explicitly permitted 0 and 1 is rejected, hardening the
verifier against malformed BPF programs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ec0e2da95f72d4a46050a4d994e4fe471474fd80 , < 3bce44b344040e5eef3d64d38b157c15304c0aab
(git)
Affected: ec0e2da95f72d4a46050a4d994e4fe471474fd80 , < 5017c302ca4b2a45149ad64e058fa2d5623c068f (git) Affected: ec0e2da95f72d4a46050a4d994e4fe471474fd80 , < 21167bf70dbe400563e189ac632258d35eda38b5 (git) Affected: ec0e2da95f72d4a46050a4d994e4fe471474fd80 , < 55c0ced59fe17dee34e9dfd5f7be63cbab207758 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3bce44b344040e5eef3d64d38b157c15304c0aab",
"status": "affected",
"version": "ec0e2da95f72d4a46050a4d994e4fe471474fd80",
"versionType": "git"
},
{
"lessThan": "5017c302ca4b2a45149ad64e058fa2d5623c068f",
"status": "affected",
"version": "ec0e2da95f72d4a46050a4d994e4fe471474fd80",
"versionType": "git"
},
{
"lessThan": "21167bf70dbe400563e189ac632258d35eda38b5",
"status": "affected",
"version": "ec0e2da95f72d4a46050a4d994e4fe471474fd80",
"versionType": "git"
},
{
"lessThan": "55c0ced59fe17dee34e9dfd5f7be63cbab207758",
"status": "affected",
"version": "ec0e2da95f72d4a46050a4d994e4fe471474fd80",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject negative offsets for ALU ops\n\nWhen verifying BPF programs, the check_alu_op() function validates\ninstructions with ALU operations. The \u0027offset\u0027 field in these\ninstructions is a signed 16-bit integer.\n\nThe existing check \u0027insn-\u003eoff \u003e 1\u0027 was intended to ensure the offset is\neither 0, or 1 for BPF_MOD/BPF_DIV. However, because \u0027insn-\u003eoff\u0027 is\nsigned, this check incorrectly accepts all negative values (e.g., -1).\n\nThis commit tightens the validation by changing the condition to\n\u0027(insn-\u003eoff != 0 \u0026\u0026 insn-\u003eoff != 1)\u0027. This ensures that any value\nother than the explicitly permitted 0 and 1 is rejected, hardening the\nverifier against malformed BPF programs."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:23.408Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3bce44b344040e5eef3d64d38b157c15304c0aab"
},
{
"url": "https://git.kernel.org/stable/c/5017c302ca4b2a45149ad64e058fa2d5623c068f"
},
{
"url": "https://git.kernel.org/stable/c/21167bf70dbe400563e189ac632258d35eda38b5"
},
{
"url": "https://git.kernel.org/stable/c/55c0ced59fe17dee34e9dfd5f7be63cbab207758"
}
],
"title": "bpf: Reject negative offsets for ALU ops",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40169",
"datePublished": "2025-11-12T10:46:51.736Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:23.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39894 (GCVE-0-2025-39894)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:42 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm
When send a broadcast packet to a tap device, which was added to a bridge,
br_nf_local_in() is called to confirm the conntrack. If another conntrack
with the same hash value is added to the hash table, which can be
triggered by a normal packet to a non-bridge device, the below warning
may happen.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200
CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)
RIP: 0010:br_nf_local_in+0x168/0x200
Call Trace:
<TASK>
nf_hook_slow+0x3e/0xf0
br_pass_frame_up+0x103/0x180
br_handle_frame_finish+0x2de/0x5b0
br_nf_hook_thresh+0xc0/0x120
br_nf_pre_routing_finish+0x168/0x3a0
br_nf_pre_routing+0x237/0x5e0
br_handle_frame+0x1ec/0x3c0
__netif_receive_skb_core+0x225/0x1210
__netif_receive_skb_one_core+0x37/0xa0
netif_receive_skb+0x36/0x160
tun_get_user+0xa54/0x10c0
tun_chr_write_iter+0x65/0xb0
vfs_write+0x305/0x410
ksys_write+0x60/0xd0
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
---[ end trace 0000000000000000 ]---
To solve the hash conflict, nf_ct_resolve_clash() try to merge the
conntracks, and update skb->_nfct. However, br_nf_local_in() still use the
old ct from local variable 'nfct' after confirm(), which leads to this
warning.
If confirm() does not insert the conntrack entry and return NF_DROP, the
warning may also occur. There is no need to reserve the WARN_ON_ONCE, just
remove it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7c3f28599652acf431a2211168de4a583f30b6d5 , < d00c8b0daf56012f69075e3377da67878c775e4c
(git)
Affected: 2b1414d5e94e477edff1d2c79030f1d742625ea0 , < ccbad4803225eafe0175d3cb19f0d8d73b504a94 (git) Affected: 80cd0487f630b5382734997c3e5e3003a77db315 , < 50db11e2bbb635e38e3dd096215580d6adb41fb0 (git) Affected: 62e7151ae3eb465e0ab52a20c941ff33bb6332e9 , < c47ca77fee9071aa543bae592dd2a384f895c8b6 (git) Affected: 62e7151ae3eb465e0ab52a20c941ff33bb6332e9 , < a74abcf0f09f59daeecf7a3ba9c1d690808b0afe (git) Affected: 62e7151ae3eb465e0ab52a20c941ff33bb6332e9 , < 479a54ab92087318514c82428a87af2d7af1a576 (git) Affected: cb734975b0ffa688ff6cc0eed463865bf07b6c01 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:28.733Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bridge/br_netfilter_hooks.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d00c8b0daf56012f69075e3377da67878c775e4c",
"status": "affected",
"version": "7c3f28599652acf431a2211168de4a583f30b6d5",
"versionType": "git"
},
{
"lessThan": "ccbad4803225eafe0175d3cb19f0d8d73b504a94",
"status": "affected",
"version": "2b1414d5e94e477edff1d2c79030f1d742625ea0",
"versionType": "git"
},
{
"lessThan": "50db11e2bbb635e38e3dd096215580d6adb41fb0",
"status": "affected",
"version": "80cd0487f630b5382734997c3e5e3003a77db315",
"versionType": "git"
},
{
"lessThan": "c47ca77fee9071aa543bae592dd2a384f895c8b6",
"status": "affected",
"version": "62e7151ae3eb465e0ab52a20c941ff33bb6332e9",
"versionType": "git"
},
{
"lessThan": "a74abcf0f09f59daeecf7a3ba9c1d690808b0afe",
"status": "affected",
"version": "62e7151ae3eb465e0ab52a20c941ff33bb6332e9",
"versionType": "git"
},
{
"lessThan": "479a54ab92087318514c82428a87af2d7af1a576",
"status": "affected",
"version": "62e7151ae3eb465e0ab52a20c941ff33bb6332e9",
"versionType": "git"
},
{
"status": "affected",
"version": "cb734975b0ffa688ff6cc0eed463865bf07b6c01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bridge/br_netfilter_hooks.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "5.15.151",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "6.1.81",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "6.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm\n\nWhen send a broadcast packet to a tap device, which was added to a bridge,\nbr_nf_local_in() is called to confirm the conntrack. If another conntrack\nwith the same hash value is added to the hash table, which can be\ntriggered by a normal packet to a non-bridge device, the below warning\nmay happen.\n\n ------------[ cut here ]------------\n WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200\n CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)\n RIP: 0010:br_nf_local_in+0x168/0x200\n Call Trace:\n \u003cTASK\u003e\n nf_hook_slow+0x3e/0xf0\n br_pass_frame_up+0x103/0x180\n br_handle_frame_finish+0x2de/0x5b0\n br_nf_hook_thresh+0xc0/0x120\n br_nf_pre_routing_finish+0x168/0x3a0\n br_nf_pre_routing+0x237/0x5e0\n br_handle_frame+0x1ec/0x3c0\n __netif_receive_skb_core+0x225/0x1210\n __netif_receive_skb_one_core+0x37/0xa0\n netif_receive_skb+0x36/0x160\n tun_get_user+0xa54/0x10c0\n tun_chr_write_iter+0x65/0xb0\n vfs_write+0x305/0x410\n ksys_write+0x60/0xd0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nTo solve the hash conflict, nf_ct_resolve_clash() try to merge the\nconntracks, and update skb-\u003e_nfct. However, br_nf_local_in() still use the\nold ct from local variable \u0027nfct\u0027 after confirm(), which leads to this\nwarning.\n\nIf confirm() does not insert the conntrack entry and return NF_DROP, the\nwarning may also occur. There is no need to reserve the WARN_ON_ONCE, just\nremove it."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:43.126Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d00c8b0daf56012f69075e3377da67878c775e4c"
},
{
"url": "https://git.kernel.org/stable/c/ccbad4803225eafe0175d3cb19f0d8d73b504a94"
},
{
"url": "https://git.kernel.org/stable/c/50db11e2bbb635e38e3dd096215580d6adb41fb0"
},
{
"url": "https://git.kernel.org/stable/c/c47ca77fee9071aa543bae592dd2a384f895c8b6"
},
{
"url": "https://git.kernel.org/stable/c/a74abcf0f09f59daeecf7a3ba9c1d690808b0afe"
},
{
"url": "https://git.kernel.org/stable/c/479a54ab92087318514c82428a87af2d7af1a576"
}
],
"title": "netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39894",
"datePublished": "2025-10-01T07:42:43.126Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2025-11-03T17:44:28.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22022 (GCVE-0-2025-22022)
Vulnerability from cvelistv5 – Published: 2025-04-16 10:23 – Updated: 2026-01-19 12:17
VLAI?
EPSS
Title
usb: xhci: Apply the link chain quirk on NEC isoc endpoints
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Apply the link chain quirk on NEC isoc endpoints
Two clearly different specimens of NEC uPD720200 (one with start/stop
bug, one without) were seen to cause IOMMU faults after some Missed
Service Errors. Faulting address is immediately after a transfer ring
segment and patched dynamic debug messages revealed that the MSE was
received when waiting for a TD near the end of that segment:
[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0
[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]
[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]
It gets even funnier if the next page is a ring segment accessible to
the HC. Below, it reports MSE in segment at ff1e8000, plows through a
zero-filled page at ff1e9000 and starts reporting events for TRBs in
page at ff1ea000 every microframe, instead of jumping to seg ff1e6000.
[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0
[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0
[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag.
[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31
[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31
[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
At some point completion events change from Isoch Buffer Overrun to
Short Packet and the HC finally finds cycle bit mismatch in ff1ec000.
[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13
[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13
[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2
It's possible that data from the isochronous device were written to
random buffers of pending TDs on other endpoints (either IN or OUT),
other devices or even other HCs in the same IOMMU domain.
Lastly, an error from a different USB device on another HC. Was it
caused by the above? I don't know, but it may have been. The disk
was working without any other issues and generated PCIe traffic to
starve the NEC of upstream BW and trigger those MSEs. The two HCs
shared one x1 slot by means of a commercial "PCIe splitter" board.
[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd
[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s
[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00
[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0
Fortunately, it appears that this ridiculous bug is avoided by setting
the chain bit of Link TRBs on isochronous rings. Other ancient HCs are
known which also expect the bit to be set and they ignore Link TRBs if
it's not. Reportedly, 0.95 spec guaranteed that the bit is set.
The bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports
tens of MSEs per second and runs into the bug within seconds. Chaining
Link TRBs allows the same workload to run for many minutes, many times.
No ne
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7e393a834b41001174a8fb3ae3bc23a749467760 , < abf2df229b6a9172cc1827749c1a446d28e00a2e
(git)
Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < 8b586de6f03c850ff48d42e539b4708d1f3f8f1a (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < 1143f790a6316201dc8f067eba4c94ea97ecb6ca (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < dbf427663ce272070d3004b5fca63a4a537d781c (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < a4931d9fb99eb5462f3eaa231999d279c40afb21 (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < 43a18225150ce874d23b37761c302a5dffee1595 (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < 061a1683bae6ef56ab8fa392725ba7495515cd1d (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < bb0ba4cb1065e87f9cc75db1fa454e56d0894d01 (git) Affected: 5c7a6982e976b381595c9d4ee8e8c94564a40aec (git) Affected: f12ea4a8ca7009fa2d54794c3fcb8e638453bcff (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "abf2df229b6a9172cc1827749c1a446d28e00a2e",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "8b586de6f03c850ff48d42e539b4708d1f3f8f1a",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "1143f790a6316201dc8f067eba4c94ea97ecb6ca",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "dbf427663ce272070d3004b5fca63a4a537d781c",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "a4931d9fb99eb5462f3eaa231999d279c40afb21",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "43a18225150ce874d23b37761c302a5dffee1595",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "061a1683bae6ef56ab8fa392725ba7495515cd1d",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "bb0ba4cb1065e87f9cc75db1fa454e56d0894d01",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"status": "affected",
"version": "5c7a6982e976b381595c9d4ee8e8c94564a40aec",
"versionType": "git"
},
{
"status": "affected",
"version": "f12ea4a8ca7009fa2d54794c3fcb8e638453bcff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.22",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.10",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.1",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.1.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Apply the link chain quirk on NEC isoc endpoints\n\nTwo clearly different specimens of NEC uPD720200 (one with start/stop\nbug, one without) were seen to cause IOMMU faults after some Missed\nService Errors. Faulting address is immediately after a transfer ring\nsegment and patched dynamic debug messages revealed that the MSE was\nreceived when waiting for a TD near the end of that segment:\n\n[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0\n[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]\n[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]\n\nIt gets even funnier if the next page is a ring segment accessible to\nthe HC. Below, it reports MSE in segment at ff1e8000, plows through a\nzero-filled page at ff1e9000 and starts reporting events for TRBs in\npage at ff1ea000 every microframe, instead of jumping to seg ff1e6000.\n\n[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag.\n[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n\nAt some point completion events change from Isoch Buffer Overrun to\nShort Packet and the HC finally finds cycle bit mismatch in ff1ec000.\n\n[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2\n\nIt\u0027s possible that data from the isochronous device were written to\nrandom buffers of pending TDs on other endpoints (either IN or OUT),\nother devices or even other HCs in the same IOMMU domain.\n\nLastly, an error from a different USB device on another HC. Was it\ncaused by the above? I don\u0027t know, but it may have been. The disk\nwas working without any other issues and generated PCIe traffic to\nstarve the NEC of upstream BW and trigger those MSEs. The two HCs\nshared one x1 slot by means of a commercial \"PCIe splitter\" board.\n\n[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd\n[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s\n[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00\n[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0\n\nFortunately, it appears that this ridiculous bug is avoided by setting\nthe chain bit of Link TRBs on isochronous rings. Other ancient HCs are\nknown which also expect the bit to be set and they ignore Link TRBs if\nit\u0027s not. Reportedly, 0.95 spec guaranteed that the bit is set.\n\nThe bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports\ntens of MSEs per second and runs into the bug within seconds. Chaining\nLink TRBs allows the same workload to run for many minutes, many times.\n\nNo ne\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:53.138Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/abf2df229b6a9172cc1827749c1a446d28e00a2e"
},
{
"url": "https://git.kernel.org/stable/c/8b586de6f03c850ff48d42e539b4708d1f3f8f1a"
},
{
"url": "https://git.kernel.org/stable/c/1143f790a6316201dc8f067eba4c94ea97ecb6ca"
},
{
"url": "https://git.kernel.org/stable/c/dbf427663ce272070d3004b5fca63a4a537d781c"
},
{
"url": "https://git.kernel.org/stable/c/a4931d9fb99eb5462f3eaa231999d279c40afb21"
},
{
"url": "https://git.kernel.org/stable/c/43a18225150ce874d23b37761c302a5dffee1595"
},
{
"url": "https://git.kernel.org/stable/c/061a1683bae6ef56ab8fa392725ba7495515cd1d"
},
{
"url": "https://git.kernel.org/stable/c/bb0ba4cb1065e87f9cc75db1fa454e56d0894d01"
}
],
"title": "usb: xhci: Apply the link chain quirk on NEC isoc endpoints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22022",
"datePublished": "2025-04-16T10:23:27.423Z",
"dateReserved": "2024-12-29T08:45:45.807Z",
"dateUpdated": "2026-01-19T12:17:53.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39911 (GCVE-0-2025-39911)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:44 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path
If request_irq() in i40e_vsi_request_irq_msix() fails in an iteration
later than the first, the error path wants to free the IRQs requested
so far. However, it uses the wrong dev_id argument for free_irq(), so
it does not free the IRQs correctly and instead triggers the warning:
Trying to free already-free IRQ 173
WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0
Modules linked in: i40e(+) [...]
CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)
Hardware name: [...]
RIP: 0010:__free_irq+0x192/0x2c0
[...]
Call Trace:
<TASK>
free_irq+0x32/0x70
i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e]
i40e_vsi_request_irq+0x79/0x80 [i40e]
i40e_vsi_open+0x21f/0x2f0 [i40e]
i40e_open+0x63/0x130 [i40e]
__dev_open+0xfc/0x210
__dev_change_flags+0x1fc/0x240
netif_change_flags+0x27/0x70
do_setlink.isra.0+0x341/0xc70
rtnl_newlink+0x468/0x860
rtnetlink_rcv_msg+0x375/0x450
netlink_rcv_skb+0x5c/0x110
netlink_unicast+0x288/0x3c0
netlink_sendmsg+0x20d/0x430
____sys_sendmsg+0x3a2/0x3d0
___sys_sendmsg+0x99/0xe0
__sys_sendmsg+0x8a/0xf0
do_syscall_64+0x82/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
[...]
</TASK>
---[ end trace 0000000000000000 ]---
Use the same dev_id for free_irq() as for request_irq().
I tested this with inserting code to fail intentionally.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
493fb30011b3ab5173cef96f1d1ce126da051792 , < 13ab9adef3cd386511c930a9660ae06595007f89
(git)
Affected: 493fb30011b3ab5173cef96f1d1ce126da051792 , < 6e4016c0dca53afc71e3b99e24252b63417395df (git) Affected: 493fb30011b3ab5173cef96f1d1ce126da051792 , < b9721a023df38cf44a88f2739b4cf51efd051f85 (git) Affected: 493fb30011b3ab5173cef96f1d1ce126da051792 , < b905b2acb3a0bbb08ad9be9984d8cdabdf827315 (git) Affected: 493fb30011b3ab5173cef96f1d1ce126da051792 , < 23431998a37764c464737b855c71a81d50992e98 (git) Affected: 493fb30011b3ab5173cef96f1d1ce126da051792 , < a30afd6617c30aaa338d1dbcb1e34e7a1890085c (git) Affected: 493fb30011b3ab5173cef96f1d1ce126da051792 , < c62580674ce5feb1be4f90b5873ff3ce50e0a1db (git) Affected: 493fb30011b3ab5173cef96f1d1ce126da051792 , < 915470e1b44e71d1dd07ee067276f003c3521ee3 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:36.010Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13ab9adef3cd386511c930a9660ae06595007f89",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "6e4016c0dca53afc71e3b99e24252b63417395df",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "b9721a023df38cf44a88f2739b4cf51efd051f85",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "b905b2acb3a0bbb08ad9be9984d8cdabdf827315",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "23431998a37764c464737b855c71a81d50992e98",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "a30afd6617c30aaa338d1dbcb1e34e7a1890085c",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "c62580674ce5feb1be4f90b5873ff3ce50e0a1db",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "915470e1b44e71d1dd07ee067276f003c3521ee3",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path\n\nIf request_irq() in i40e_vsi_request_irq_msix() fails in an iteration\nlater than the first, the error path wants to free the IRQs requested\nso far. However, it uses the wrong dev_id argument for free_irq(), so\nit does not free the IRQs correctly and instead triggers the warning:\n\n Trying to free already-free IRQ 173\n WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0\n Modules linked in: i40e(+) [...]\n CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)\n Hardware name: [...]\n RIP: 0010:__free_irq+0x192/0x2c0\n [...]\n Call Trace:\n \u003cTASK\u003e\n free_irq+0x32/0x70\n i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e]\n i40e_vsi_request_irq+0x79/0x80 [i40e]\n i40e_vsi_open+0x21f/0x2f0 [i40e]\n i40e_open+0x63/0x130 [i40e]\n __dev_open+0xfc/0x210\n __dev_change_flags+0x1fc/0x240\n netif_change_flags+0x27/0x70\n do_setlink.isra.0+0x341/0xc70\n rtnl_newlink+0x468/0x860\n rtnetlink_rcv_msg+0x375/0x450\n netlink_rcv_skb+0x5c/0x110\n netlink_unicast+0x288/0x3c0\n netlink_sendmsg+0x20d/0x430\n ____sys_sendmsg+0x3a2/0x3d0\n ___sys_sendmsg+0x99/0xe0\n __sys_sendmsg+0x8a/0xf0\n do_syscall_64+0x82/0x2c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nUse the same dev_id for free_irq() as for request_irq().\n\nI tested this with inserting code to fail intentionally."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:41.601Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13ab9adef3cd386511c930a9660ae06595007f89"
},
{
"url": "https://git.kernel.org/stable/c/6e4016c0dca53afc71e3b99e24252b63417395df"
},
{
"url": "https://git.kernel.org/stable/c/b9721a023df38cf44a88f2739b4cf51efd051f85"
},
{
"url": "https://git.kernel.org/stable/c/b905b2acb3a0bbb08ad9be9984d8cdabdf827315"
},
{
"url": "https://git.kernel.org/stable/c/23431998a37764c464737b855c71a81d50992e98"
},
{
"url": "https://git.kernel.org/stable/c/a30afd6617c30aaa338d1dbcb1e34e7a1890085c"
},
{
"url": "https://git.kernel.org/stable/c/c62580674ce5feb1be4f90b5873ff3ce50e0a1db"
},
{
"url": "https://git.kernel.org/stable/c/915470e1b44e71d1dd07ee067276f003c3521ee3"
}
],
"title": "i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39911",
"datePublished": "2025-10-01T07:44:34.561Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:36.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71064 (GCVE-0-2025-71064)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
net: hns3: using the num_tqps in the vf driver to apply for resources
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hns3: using the num_tqps in the vf driver to apply for resources
Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp
is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to
min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller
than hdev->num_tqps, which causes some hdev->htqp[i] to remain
uninitialized in hclgevf_knic_setup().
Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps,
ensuring that the lengths of hdev->htqp and kinfo->tqp are consistent
and that all elements are properly initialized.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e2cb1dec9779ba2d89302a653eb0abaeb8682196 , < c149decd8c18ae6acdd7a6041d74507835cf26e6
(git)
Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196 , < bcefdb288eedac96fd2f583298927e9c6c481489 (git) Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196 , < 6cd8a2930df850f4600fe8c57d0662b376520281 (git) Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196 , < 1956d47a03eb625951e9e070db39fe2590e27510 (git) Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196 , < 429f946a7af3fbf08761d218746cd4afa80a7954 (git) Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196 , < 62f28d79a6186a602a9d926a2dbb5b12b6867df7 (git) Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196 , < c2a16269742e176fccdd0ef9c016a233491a49ad (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c149decd8c18ae6acdd7a6041d74507835cf26e6",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "bcefdb288eedac96fd2f583298927e9c6c481489",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "6cd8a2930df850f4600fe8c57d0662b376520281",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "1956d47a03eb625951e9e070db39fe2590e27510",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "429f946a7af3fbf08761d218746cd4afa80a7954",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "62f28d79a6186a602a9d926a2dbb5b12b6867df7",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "c2a16269742e176fccdd0ef9c016a233491a49ad",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: using the num_tqps in the vf driver to apply for resources\n\nCurrently, hdev-\u003ehtqp is allocated using hdev-\u003enum_tqps, and kinfo-\u003etqp\nis allocated using kinfo-\u003enum_tqps. However, kinfo-\u003enum_tqps is set to\nmin(new_tqps, hdev-\u003enum_tqps); Therefore, kinfo-\u003enum_tqps may be smaller\nthan hdev-\u003enum_tqps, which causes some hdev-\u003ehtqp[i] to remain\nuninitialized in hclgevf_knic_setup().\n\nThus, this patch allocates hdev-\u003ehtqp and kinfo-\u003etqp using hdev-\u003enum_tqps,\nensuring that the lengths of hdev-\u003ehtqp and kinfo-\u003etqp are consistent\nand that all elements are properly initialized."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:14.420Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c149decd8c18ae6acdd7a6041d74507835cf26e6"
},
{
"url": "https://git.kernel.org/stable/c/bcefdb288eedac96fd2f583298927e9c6c481489"
},
{
"url": "https://git.kernel.org/stable/c/6cd8a2930df850f4600fe8c57d0662b376520281"
},
{
"url": "https://git.kernel.org/stable/c/1956d47a03eb625951e9e070db39fe2590e27510"
},
{
"url": "https://git.kernel.org/stable/c/429f946a7af3fbf08761d218746cd4afa80a7954"
},
{
"url": "https://git.kernel.org/stable/c/62f28d79a6186a602a9d926a2dbb5b12b6867df7"
},
{
"url": "https://git.kernel.org/stable/c/c2a16269742e176fccdd0ef9c016a233491a49ad"
}
],
"title": "net: hns3: using the num_tqps in the vf driver to apply for resources",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71064",
"datePublished": "2026-01-13T15:31:20.503Z",
"dateReserved": "2026-01-13T15:30:19.646Z",
"dateUpdated": "2026-02-09T08:34:14.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40183 (GCVE-0-2025-40183)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
Cilium has a BPF egress gateway feature which forces outgoing K8s Pod
traffic to pass through dedicated egress gateways which then SNAT the
traffic in order to interact with stable IPs outside the cluster.
The traffic is directed to the gateway via vxlan tunnel in collect md
mode. A recent BPF change utilized the bpf_redirect_neigh() helper to
forward packets after the arrival and decap on vxlan, which turned out
over time that the kmalloc-256 slab usage in kernel was ever-increasing.
The issue was that vxlan allocates the metadata_dst object and attaches
it through a fake dst entry to the skb. The latter was never released
though given bpf_redirect_neigh() was merely setting the new dst entry
via skb_dst_set() without dropping an existing one first.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b4ab31414970a7a03a5d55d75083f2c101a30592 , < 3fba965a9aac0fa3cbd8138436a37af9ab466d79
(git)
Affected: b4ab31414970a7a03a5d55d75083f2c101a30592 , < 057764172fcc6ee2ccb6c41351a55a9f054dc8fd (git) Affected: b4ab31414970a7a03a5d55d75083f2c101a30592 , < 2e67c2037382abb56497bb9d7b7e10be04eb5598 (git) Affected: b4ab31414970a7a03a5d55d75083f2c101a30592 , < b6bfe44b6dbb14a31d86c475cdc9c7689534fb09 (git) Affected: b4ab31414970a7a03a5d55d75083f2c101a30592 , < f36a305d30f557306d87c787ddffe094ac5dac89 (git) Affected: b4ab31414970a7a03a5d55d75083f2c101a30592 , < 7404ce888a45eb7da0508b7cbbe6f2e95302eeb8 (git) Affected: b4ab31414970a7a03a5d55d75083f2c101a30592 , < 23f3770e1a53e6c7a553135011f547209e141e72 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3fba965a9aac0fa3cbd8138436a37af9ab466d79",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "057764172fcc6ee2ccb6c41351a55a9f054dc8fd",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "2e67c2037382abb56497bb9d7b7e10be04eb5598",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "b6bfe44b6dbb14a31d86c475cdc9c7689534fb09",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "f36a305d30f557306d87c787ddffe094ac5dac89",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "7404ce888a45eb7da0508b7cbbe6f2e95302eeb8",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "23f3770e1a53e6c7a553135011f547209e141e72",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}\n\nCilium has a BPF egress gateway feature which forces outgoing K8s Pod\ntraffic to pass through dedicated egress gateways which then SNAT the\ntraffic in order to interact with stable IPs outside the cluster.\n\nThe traffic is directed to the gateway via vxlan tunnel in collect md\nmode. A recent BPF change utilized the bpf_redirect_neigh() helper to\nforward packets after the arrival and decap on vxlan, which turned out\nover time that the kmalloc-256 slab usage in kernel was ever-increasing.\n\nThe issue was that vxlan allocates the metadata_dst object and attaches\nit through a fake dst entry to the skb. The latter was never released\nthough given bpf_redirect_neigh() was merely setting the new dst entry\nvia skb_dst_set() without dropping an existing one first."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:40.805Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3fba965a9aac0fa3cbd8138436a37af9ab466d79"
},
{
"url": "https://git.kernel.org/stable/c/057764172fcc6ee2ccb6c41351a55a9f054dc8fd"
},
{
"url": "https://git.kernel.org/stable/c/2e67c2037382abb56497bb9d7b7e10be04eb5598"
},
{
"url": "https://git.kernel.org/stable/c/b6bfe44b6dbb14a31d86c475cdc9c7689534fb09"
},
{
"url": "https://git.kernel.org/stable/c/f36a305d30f557306d87c787ddffe094ac5dac89"
},
{
"url": "https://git.kernel.org/stable/c/7404ce888a45eb7da0508b7cbbe6f2e95302eeb8"
},
{
"url": "https://git.kernel.org/stable/c/23f3770e1a53e6c7a553135011f547209e141e72"
}
],
"title": "bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40183",
"datePublished": "2025-11-12T21:56:27.429Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:40.805Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40280 (GCVE-0-2025-40280)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51
VLAI?
EPSS
Title
tipc: Fix use-after-free in tipc_mon_reinit_self().
Summary
In the Linux kernel, the following vulnerability has been resolved:
tipc: Fix use-after-free in tipc_mon_reinit_self().
syzbot reported use-after-free of tipc_net(net)->monitors[]
in tipc_mon_reinit_self(). [0]
The array is protected by RTNL, but tipc_mon_reinit_self()
iterates over it without RTNL.
tipc_mon_reinit_self() is called from tipc_net_finalize(),
which is always under RTNL except for tipc_net_finalize_work().
Let's hold RTNL in tipc_net_finalize_work().
[0]:
BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989
CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: events tipc_net_finalize_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
__kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568
kasan_check_byte include/linux/kasan.h:399 [inline]
lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]
rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]
rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244
rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243
write_lock_bh include/linux/rwlock_rt.h:99 [inline]
tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718
tipc_net_finalize+0x115/0x190 net/tipc/net.c:140
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 6089:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657
tipc_enable_bearer net/tipc/bearer.c:357 [inline]
__tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047
__tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]
tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393
tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]
tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321
genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:729
____sys_sendmsg+0x508/0x820 net/socket.c:2614
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
__sys_sendmsg net/socket.c:2700 [inline]
__do_sys_sendmsg net/socket.c:2705 [inline]
__se_sys_sendmsg net/socket.c:2703 [inline]
__x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
28845c28f842e9e55e75b2c116bff714bb039055 , < 5f541300b02ef8b2af34f6f7d41ce617f3571e88
(git)
Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < b2e77c789c234e7fe49057d2ced8f32e2d2c7901 (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < 51b8f0ab888f8aa5dfac954918864eeda8c12c19 (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < 499b5fa78d525c4450ebb76db83207db71efea77 (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < c92dbf85627b5c29e52d9c120a24e785801716df (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < f0104977fed25ebe001fd63dab2b6b7fefad3373 (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < fdf7c4c9af4f246323ce854e84b6aec198d49f7e (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < 0725e6afb55128be21a2ca36e9674f573ccec173 (git) Affected: 295c9b554f6dfcd2d368fae6e6fa22ee5b79c123 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tipc/net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f541300b02ef8b2af34f6f7d41ce617f3571e88",
"status": "affected",
"version": "28845c28f842e9e55e75b2c116bff714bb039055",
"versionType": "git"
},
{
"lessThan": "b2e77c789c234e7fe49057d2ced8f32e2d2c7901",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "51b8f0ab888f8aa5dfac954918864eeda8c12c19",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "499b5fa78d525c4450ebb76db83207db71efea77",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "c92dbf85627b5c29e52d9c120a24e785801716df",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "f0104977fed25ebe001fd63dab2b6b7fefad3373",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "fdf7c4c9af4f246323ce854e84b6aec198d49f7e",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "0725e6afb55128be21a2ca36e9674f573ccec173",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"status": "affected",
"version": "295c9b554f6dfcd2d368fae6e6fa22ee5b79c123",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tipc/net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.99",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Fix use-after-free in tipc_mon_reinit_self().\n\nsyzbot reported use-after-free of tipc_net(net)-\u003emonitors[]\nin tipc_mon_reinit_self(). [0]\n\nThe array is protected by RTNL, but tipc_mon_reinit_self()\niterates over it without RTNL.\n\ntipc_mon_reinit_self() is called from tipc_net_finalize(),\nwhich is always under RTNL except for tipc_net_finalize_work().\n\nLet\u0027s hold RTNL in tipc_net_finalize_work().\n\n[0]:\nBUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\nBUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162\nRead of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989\n\nCPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nWorkqueue: events tipc_net_finalize_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568\n kasan_check_byte include/linux/kasan.h:399 [inline]\n lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162\n rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]\n rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]\n rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244\n rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243\n write_lock_bh include/linux/rwlock_rt.h:99 [inline]\n tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718\n tipc_net_finalize+0x115/0x190 net/tipc/net.c:140\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400\n kthread+0x70e/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 6089:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657\n tipc_enable_bearer net/tipc/bearer.c:357 [inline]\n __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047\n __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]\n tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393\n tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]\n tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321\n genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:729\n ____sys_sendmsg+0x508/0x820 net/socket.c:2614\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668\n __sys_sendmsg net/socket.c:2700 [inline]\n __do_sys_sendmsg net/socket.c:2705 [inline]\n __se_sys_sendmsg net/socket.c:2703 [inline]\n __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:04.091Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f541300b02ef8b2af34f6f7d41ce617f3571e88"
},
{
"url": "https://git.kernel.org/stable/c/b2e77c789c234e7fe49057d2ced8f32e2d2c7901"
},
{
"url": "https://git.kernel.org/stable/c/51b8f0ab888f8aa5dfac954918864eeda8c12c19"
},
{
"url": "https://git.kernel.org/stable/c/499b5fa78d525c4450ebb76db83207db71efea77"
},
{
"url": "https://git.kernel.org/stable/c/c92dbf85627b5c29e52d9c120a24e785801716df"
},
{
"url": "https://git.kernel.org/stable/c/f0104977fed25ebe001fd63dab2b6b7fefad3373"
},
{
"url": "https://git.kernel.org/stable/c/fdf7c4c9af4f246323ce854e84b6aec198d49f7e"
},
{
"url": "https://git.kernel.org/stable/c/0725e6afb55128be21a2ca36e9674f573ccec173"
}
],
"title": "tipc: Fix use-after-free in tipc_mon_reinit_self().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40280",
"datePublished": "2025-12-06T21:51:04.091Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:04.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68237 (GCVE-0-2025-68237)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:08 – Updated: 2025-12-16 14:08
VLAI?
EPSS
Title
mtdchar: fix integer overflow in read/write ioctls
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtdchar: fix integer overflow in read/write ioctls
The "req.start" and "req.len" variables are u64 values that come from the
user at the start of the function. We mask away the high 32 bits of
"req.len" so that's capped at U32_MAX but the "req.start" variable can go
up to U64_MAX which means that the addition can still integer overflow.
Use check_add_overflow() to fix this bug.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < f37efdd97fd1ec3e0d0f1eec279c8279e28f981e
(git)
Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < 457376c6fbf0c69326a9bf1f72416225f681192b (git) Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < eb9361484814fb12f3b7544b33835ea67d7a6a97 (git) Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < 37944f4f8199cd153fef74e95ca268020162f212 (git) Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < e4185bed738da755b191aa3f2e16e8b48450e1b8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/mtdchar.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f37efdd97fd1ec3e0d0f1eec279c8279e28f981e",
"status": "affected",
"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
"versionType": "git"
},
{
"lessThan": "457376c6fbf0c69326a9bf1f72416225f681192b",
"status": "affected",
"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
"versionType": "git"
},
{
"lessThan": "eb9361484814fb12f3b7544b33835ea67d7a6a97",
"status": "affected",
"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
"versionType": "git"
},
{
"lessThan": "37944f4f8199cd153fef74e95ca268020162f212",
"status": "affected",
"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
"versionType": "git"
},
{
"lessThan": "e4185bed738da755b191aa3f2e16e8b48450e1b8",
"status": "affected",
"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/mtdchar.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtdchar: fix integer overflow in read/write ioctls\n\nThe \"req.start\" and \"req.len\" variables are u64 values that come from the\nuser at the start of the function. We mask away the high 32 bits of\n\"req.len\" so that\u0027s capped at U32_MAX but the \"req.start\" variable can go\nup to U64_MAX which means that the addition can still integer overflow.\n\nUse check_add_overflow() to fix this bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:08:30.940Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f37efdd97fd1ec3e0d0f1eec279c8279e28f981e"
},
{
"url": "https://git.kernel.org/stable/c/457376c6fbf0c69326a9bf1f72416225f681192b"
},
{
"url": "https://git.kernel.org/stable/c/eb9361484814fb12f3b7544b33835ea67d7a6a97"
},
{
"url": "https://git.kernel.org/stable/c/37944f4f8199cd153fef74e95ca268020162f212"
},
{
"url": "https://git.kernel.org/stable/c/e4185bed738da755b191aa3f2e16e8b48450e1b8"
}
],
"title": "mtdchar: fix integer overflow in read/write ioctls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68237",
"datePublished": "2025-12-16T14:08:30.940Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2025-12-16T14:08:30.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39951 (GCVE-0-2025-39951)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:31 – Updated: 2025-10-04 07:37
VLAI?
EPSS
Title
um: virtio_uml: Fix use-after-free after put_device in probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
um: virtio_uml: Fix use-after-free after put_device in probe
When register_virtio_device() fails in virtio_uml_probe(),
the code sets vu_dev->registered = 1 even though
the device was not successfully registered.
This can lead to use-after-free or other issues.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
04e5b1fb01834a602acaae2276b67a783a8c6159 , < 14c231959a16ca41bfdcaede72483362a8c645d7
(git)
Affected: 04e5b1fb01834a602acaae2276b67a783a8c6159 , < 5e94e44c9cb30d7a383d8ac227f24a8c9326b770 (git) Affected: 04e5b1fb01834a602acaae2276b67a783a8c6159 , < aaf900a83508c8cd5cdf765e7749f9076196ec7f (git) Affected: 04e5b1fb01834a602acaae2276b67a783a8c6159 , < 4f364023ddcfe83f7073b973a9cb98584b7f2a46 (git) Affected: 04e5b1fb01834a602acaae2276b67a783a8c6159 , < 00e98b5a69034b251bb36dc6e7123d7648e218e4 (git) Affected: 04e5b1fb01834a602acaae2276b67a783a8c6159 , < c2ff91255e0157b356cff115d8dc3eeb5162edf2 (git) Affected: 04e5b1fb01834a602acaae2276b67a783a8c6159 , < 7ebf70cf181651fe3f2e44e95e7e5073d594c9c0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/um/drivers/virtio_uml.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "14c231959a16ca41bfdcaede72483362a8c645d7",
"status": "affected",
"version": "04e5b1fb01834a602acaae2276b67a783a8c6159",
"versionType": "git"
},
{
"lessThan": "5e94e44c9cb30d7a383d8ac227f24a8c9326b770",
"status": "affected",
"version": "04e5b1fb01834a602acaae2276b67a783a8c6159",
"versionType": "git"
},
{
"lessThan": "aaf900a83508c8cd5cdf765e7749f9076196ec7f",
"status": "affected",
"version": "04e5b1fb01834a602acaae2276b67a783a8c6159",
"versionType": "git"
},
{
"lessThan": "4f364023ddcfe83f7073b973a9cb98584b7f2a46",
"status": "affected",
"version": "04e5b1fb01834a602acaae2276b67a783a8c6159",
"versionType": "git"
},
{
"lessThan": "00e98b5a69034b251bb36dc6e7123d7648e218e4",
"status": "affected",
"version": "04e5b1fb01834a602acaae2276b67a783a8c6159",
"versionType": "git"
},
{
"lessThan": "c2ff91255e0157b356cff115d8dc3eeb5162edf2",
"status": "affected",
"version": "04e5b1fb01834a602acaae2276b67a783a8c6159",
"versionType": "git"
},
{
"lessThan": "7ebf70cf181651fe3f2e44e95e7e5073d594c9c0",
"status": "affected",
"version": "04e5b1fb01834a602acaae2276b67a783a8c6159",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/um/drivers/virtio_uml.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\num: virtio_uml: Fix use-after-free after put_device in probe\n\nWhen register_virtio_device() fails in virtio_uml_probe(),\nthe code sets vu_dev-\u003eregistered = 1 even though\nthe device was not successfully registered.\nThis can lead to use-after-free or other issues."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:07.273Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/14c231959a16ca41bfdcaede72483362a8c645d7"
},
{
"url": "https://git.kernel.org/stable/c/5e94e44c9cb30d7a383d8ac227f24a8c9326b770"
},
{
"url": "https://git.kernel.org/stable/c/aaf900a83508c8cd5cdf765e7749f9076196ec7f"
},
{
"url": "https://git.kernel.org/stable/c/4f364023ddcfe83f7073b973a9cb98584b7f2a46"
},
{
"url": "https://git.kernel.org/stable/c/00e98b5a69034b251bb36dc6e7123d7648e218e4"
},
{
"url": "https://git.kernel.org/stable/c/c2ff91255e0157b356cff115d8dc3eeb5162edf2"
},
{
"url": "https://git.kernel.org/stable/c/7ebf70cf181651fe3f2e44e95e7e5073d594c9c0"
}
],
"title": "um: virtio_uml: Fix use-after-free after put_device in probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39951",
"datePublished": "2025-10-04T07:31:11.684Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:37:07.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39865 (GCVE-0-2025-39865)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
tee: fix NULL pointer dereference in tee_shm_put
Summary
In the Linux kernel, the following vulnerability has been resolved:
tee: fix NULL pointer dereference in tee_shm_put
tee_shm_put have NULL pointer dereference:
__optee_disable_shm_cache -->
shm = reg_pair_to_ptr(...);//shm maybe return NULL
tee_shm_free(shm); -->
tee_shm_put(shm);//crash
Add check in tee_shm_put to fix it.
panic log:
Unable to handle kernel paging request at virtual address 0000000000100cca
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000
[0000000000100cca] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] SMP
CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ----
6.6.0-39-generic #38
Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07
Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0
10/26/2022
pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : tee_shm_put+0x24/0x188
lr : tee_shm_free+0x14/0x28
sp : ffff001f98f9faf0
x29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000
x26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048
x23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88
x20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff
x17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003
x14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101
x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c
x8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca
Call trace:
tee_shm_put+0x24/0x188
tee_shm_free+0x14/0x28
__optee_disable_shm_cache+0xa8/0x108
optee_shutdown+0x28/0x38
platform_shutdown+0x28/0x40
device_shutdown+0x144/0x2b0
kernel_power_off+0x3c/0x80
hibernate+0x35c/0x388
state_store+0x64/0x80
kobj_attr_store+0x14/0x28
sysfs_kf_write+0x48/0x60
kernfs_fop_write_iter+0x128/0x1c0
vfs_write+0x270/0x370
ksys_write+0x6c/0x100
__arm64_sys_write+0x20/0x30
invoke_syscall+0x4c/0x120
el0_svc_common.constprop.0+0x44/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x24/0x88
el0t_64_sync_handler+0x134/0x150
el0t_64_sync+0x14c/0x15
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c05d8f66ec3470e5212c4d08c46d6cb5738d600d , < f266188603c34e6e234fb0dfc3185f0ba98d71b7
(git)
Affected: 492eb7afe858d60408b2da09adc78540c4d16543 , < 4377eac565c297fdfccd2f8e9bf94ee84ff6172f (git) Affected: dfd0743f1d9ea76931510ed150334d571fbab49d , < 25e315bc8ad363bd1194e49062f183ad4011957e (git) Affected: dfd0743f1d9ea76931510ed150334d571fbab49d , < add1ecc8f3ad8df22e3599c5c88d7907cc2a3079 (git) Affected: dfd0743f1d9ea76931510ed150334d571fbab49d , < 963fca19fe34c496e04f7dd133b807b76a5434ca (git) Affected: dfd0743f1d9ea76931510ed150334d571fbab49d , < 5e07a4235bb85d9ef664411e4ff4ac34783c18ff (git) Affected: dfd0743f1d9ea76931510ed150334d571fbab49d , < e4a718a3a47e89805c3be9d46a84de1949a98d5d (git) Affected: 3d556a28bbfe34a80b014db49908b0f1bcb1ae80 (git) Affected: b4a661b4212b8fac8853ec3b68e4a909dccc88a1 (git) Affected: 940e68e57ab69248fabba5889e615305789db8a7 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:16.367Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tee/tee_shm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f266188603c34e6e234fb0dfc3185f0ba98d71b7",
"status": "affected",
"version": "c05d8f66ec3470e5212c4d08c46d6cb5738d600d",
"versionType": "git"
},
{
"lessThan": "4377eac565c297fdfccd2f8e9bf94ee84ff6172f",
"status": "affected",
"version": "492eb7afe858d60408b2da09adc78540c4d16543",
"versionType": "git"
},
{
"lessThan": "25e315bc8ad363bd1194e49062f183ad4011957e",
"status": "affected",
"version": "dfd0743f1d9ea76931510ed150334d571fbab49d",
"versionType": "git"
},
{
"lessThan": "add1ecc8f3ad8df22e3599c5c88d7907cc2a3079",
"status": "affected",
"version": "dfd0743f1d9ea76931510ed150334d571fbab49d",
"versionType": "git"
},
{
"lessThan": "963fca19fe34c496e04f7dd133b807b76a5434ca",
"status": "affected",
"version": "dfd0743f1d9ea76931510ed150334d571fbab49d",
"versionType": "git"
},
{
"lessThan": "5e07a4235bb85d9ef664411e4ff4ac34783c18ff",
"status": "affected",
"version": "dfd0743f1d9ea76931510ed150334d571fbab49d",
"versionType": "git"
},
{
"lessThan": "e4a718a3a47e89805c3be9d46a84de1949a98d5d",
"status": "affected",
"version": "dfd0743f1d9ea76931510ed150334d571fbab49d",
"versionType": "git"
},
{
"status": "affected",
"version": "3d556a28bbfe34a80b014db49908b0f1bcb1ae80",
"versionType": "git"
},
{
"status": "affected",
"version": "b4a661b4212b8fac8853ec3b68e4a909dccc88a1",
"versionType": "git"
},
{
"status": "affected",
"version": "940e68e57ab69248fabba5889e615305789db8a7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tee/tee_shm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "5.10.89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "5.15.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.261",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.224",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.170",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: fix NULL pointer dereference in tee_shm_put\n\ntee_shm_put have NULL pointer dereference:\n\n__optee_disable_shm_cache --\u003e\n\tshm = reg_pair_to_ptr(...);//shm maybe return NULL\n tee_shm_free(shm); --\u003e\n\t\ttee_shm_put(shm);//crash\n\nAdd check in tee_shm_put to fix it.\n\npanic log:\nUnable to handle kernel paging request at virtual address 0000000000100cca\nMem abort info:\nESR = 0x0000000096000004\nEC = 0x25: DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x04: level 0 translation fault\nData abort info:\nISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\nCM = 0, WnR = 0, TnD = 0, TagAccess = 0\nGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000\n[0000000000100cca] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1] SMP\nCPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ----\n6.6.0-39-generic #38\nSource Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07\nHardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0\n10/26/2022\npstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : tee_shm_put+0x24/0x188\nlr : tee_shm_free+0x14/0x28\nsp : ffff001f98f9faf0\nx29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000\nx26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048\nx23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88\nx20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff\nx17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003\nx14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101\nx11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c\nx8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca\nCall trace:\ntee_shm_put+0x24/0x188\ntee_shm_free+0x14/0x28\n__optee_disable_shm_cache+0xa8/0x108\noptee_shutdown+0x28/0x38\nplatform_shutdown+0x28/0x40\ndevice_shutdown+0x144/0x2b0\nkernel_power_off+0x3c/0x80\nhibernate+0x35c/0x388\nstate_store+0x64/0x80\nkobj_attr_store+0x14/0x28\nsysfs_kf_write+0x48/0x60\nkernfs_fop_write_iter+0x128/0x1c0\nvfs_write+0x270/0x370\nksys_write+0x6c/0x100\n__arm64_sys_write+0x20/0x30\ninvoke_syscall+0x4c/0x120\nel0_svc_common.constprop.0+0x44/0xf0\ndo_el0_svc+0x24/0x38\nel0_svc+0x24/0x88\nel0t_64_sync_handler+0x134/0x150\nel0t_64_sync+0x14c/0x15"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:21.318Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f266188603c34e6e234fb0dfc3185f0ba98d71b7"
},
{
"url": "https://git.kernel.org/stable/c/4377eac565c297fdfccd2f8e9bf94ee84ff6172f"
},
{
"url": "https://git.kernel.org/stable/c/25e315bc8ad363bd1194e49062f183ad4011957e"
},
{
"url": "https://git.kernel.org/stable/c/add1ecc8f3ad8df22e3599c5c88d7907cc2a3079"
},
{
"url": "https://git.kernel.org/stable/c/963fca19fe34c496e04f7dd133b807b76a5434ca"
},
{
"url": "https://git.kernel.org/stable/c/5e07a4235bb85d9ef664411e4ff4ac34783c18ff"
},
{
"url": "https://git.kernel.org/stable/c/e4a718a3a47e89805c3be9d46a84de1949a98d5d"
}
],
"title": "tee: fix NULL pointer dereference in tee_shm_put",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39865",
"datePublished": "2025-09-19T15:26:34.853Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-11-03T17:44:16.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39961 (GCVE-0-2025-39961)
Vulnerability from cvelistv5 – Published: 2025-10-09 12:13 – Updated: 2025-10-09 12:13
VLAI?
EPSS
Title
iommu/amd/pgtbl: Fix possible race while increase page table level
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd/pgtbl: Fix possible race while increase page table level
The AMD IOMMU host page table implementation supports dynamic page table levels
(up to 6 levels), starting with a 3-level configuration that expands based on
IOVA address. The kernel maintains a root pointer and current page table level
to enable proper page table walks in alloc_pte()/fetch_pte() operations.
The IOMMU IOVA allocator initially starts with 32-bit address and onces its
exhuasted it switches to 64-bit address (max address is determined based
on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU
driver increases page table level.
But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads
pgtable->[root/mode] without lock. So its possible that in exteme corner case,
when increase_address_space() is updating pgtable->[root/mode], fetch_pte()
reads wrong page table level (pgtable->mode). It does compare the value with
level encoded in page table and returns NULL. This will result is
iommu_unmap ops to fail and upper layer may retry/log WARN_ON.
CPU 0 CPU 1
------ ------
map pages unmap pages
alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte()
pgtable->root = pte (new root value)
READ pgtable->[mode/root]
Reads new root, old mode
Updates mode (pgtable->mode += 1)
Since Page table level updates are infrequent and already synchronized with a
spinlock, implement seqcount to enable lock-free read operations on the read path.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
754265bcab78a9014f0f99cd35e0d610fcd7dfa7 , < 075abf0b1a958acfbea2435003d228e738e90346
(git)
Affected: 754265bcab78a9014f0f99cd35e0d610fcd7dfa7 , < cd92c8ab336c3a633d46e6f35ebcd3509ae7db3b (git) Affected: 754265bcab78a9014f0f99cd35e0d610fcd7dfa7 , < 7d462bdecb7d9c32934dab44aaeb7ea7d73a27a2 (git) Affected: 754265bcab78a9014f0f99cd35e0d610fcd7dfa7 , < 1e56310b40fd2e7e0b9493da9ff488af145bdd0c (git) Affected: 6fb92f18555a7b8e085267d513612dc0ff9a5360 (git) Affected: b15bf74405faa1a65025eb8a6eb337e140e5250a (git) Affected: 0d50f7b1e8c80a8c20db5049e269468c059b0378 (git) Affected: 785ca708a908b9c596ede852470ba28b8dc3e40b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/amd_iommu_types.h",
"drivers/iommu/amd/io_pgtable.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "075abf0b1a958acfbea2435003d228e738e90346",
"status": "affected",
"version": "754265bcab78a9014f0f99cd35e0d610fcd7dfa7",
"versionType": "git"
},
{
"lessThan": "cd92c8ab336c3a633d46e6f35ebcd3509ae7db3b",
"status": "affected",
"version": "754265bcab78a9014f0f99cd35e0d610fcd7dfa7",
"versionType": "git"
},
{
"lessThan": "7d462bdecb7d9c32934dab44aaeb7ea7d73a27a2",
"status": "affected",
"version": "754265bcab78a9014f0f99cd35e0d610fcd7dfa7",
"versionType": "git"
},
{
"lessThan": "1e56310b40fd2e7e0b9493da9ff488af145bdd0c",
"status": "affected",
"version": "754265bcab78a9014f0f99cd35e0d610fcd7dfa7",
"versionType": "git"
},
{
"status": "affected",
"version": "6fb92f18555a7b8e085267d513612dc0ff9a5360",
"versionType": "git"
},
{
"status": "affected",
"version": "b15bf74405faa1a65025eb8a6eb337e140e5250a",
"versionType": "git"
},
{
"status": "affected",
"version": "0d50f7b1e8c80a8c20db5049e269468c059b0378",
"versionType": "git"
},
{
"status": "affected",
"version": "785ca708a908b9c596ede852470ba28b8dc3e40b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/amd_iommu_types.h",
"drivers/iommu/amd/io_pgtable.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.2.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd/pgtbl: Fix possible race while increase page table level\n\nThe AMD IOMMU host page table implementation supports dynamic page table levels\n(up to 6 levels), starting with a 3-level configuration that expands based on\nIOVA address. The kernel maintains a root pointer and current page table level\nto enable proper page table walks in alloc_pte()/fetch_pte() operations.\n\nThe IOMMU IOVA allocator initially starts with 32-bit address and onces its\nexhuasted it switches to 64-bit address (max address is determined based\non IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU\ndriver increases page table level.\n\nBut in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads\npgtable-\u003e[root/mode] without lock. So its possible that in exteme corner case,\nwhen increase_address_space() is updating pgtable-\u003e[root/mode], fetch_pte()\nreads wrong page table level (pgtable-\u003emode). It does compare the value with\nlevel encoded in page table and returns NULL. This will result is\niommu_unmap ops to fail and upper layer may retry/log WARN_ON.\n\nCPU 0 CPU 1\n------ ------\nmap pages unmap pages\nalloc_pte() -\u003e increase_address_space() iommu_v1_unmap_pages() -\u003e fetch_pte()\n pgtable-\u003eroot = pte (new root value)\n READ pgtable-\u003e[mode/root]\n\t\t\t\t\t Reads new root, old mode\n Updates mode (pgtable-\u003emode += 1)\n\nSince Page table level updates are infrequent and already synchronized with a\nspinlock, implement seqcount to enable lock-free read operations on the read path."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T12:13:22.029Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/075abf0b1a958acfbea2435003d228e738e90346"
},
{
"url": "https://git.kernel.org/stable/c/cd92c8ab336c3a633d46e6f35ebcd3509ae7db3b"
},
{
"url": "https://git.kernel.org/stable/c/7d462bdecb7d9c32934dab44aaeb7ea7d73a27a2"
},
{
"url": "https://git.kernel.org/stable/c/1e56310b40fd2e7e0b9493da9ff488af145bdd0c"
}
],
"title": "iommu/amd/pgtbl: Fix possible race while increase page table level",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39961",
"datePublished": "2025-10-09T12:13:22.029Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-09T12:13:22.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-71084 (GCVE-0-2025-71084)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
RDMA/cm: Fix leaking the multicast GID table reference
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/cm: Fix leaking the multicast GID table reference
If the CM ID is destroyed while the CM event for multicast creating is
still queued the cancel_work_sync() will prevent the work from running
which also prevents destroying the ah_attr. This leaks a refcount and
triggers a WARN:
GID entry ref leak for dev syz1 index 2 ref=573
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886
Destroy the ah_attr after canceling the work, it is safe to call this
twice.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
60d613b39e8d0c9f3b526e9c96445422b4562d76 , < d5ce588a9552878859a4d44b70b724216c188a5f
(git)
Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < abf38398724ecc888f62c678d288da40d11878af (git) Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < ab668a58c4a2ccb6d54add7a76f2f955d15d0196 (git) Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < c0acdee513239e1d6e1b490f56be0e6837dfd162 (git) Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < 5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3 (git) Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < 3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5 (git) Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < 57f3cb6c84159d12ba343574df2115fb18dd83ca (git) Affected: a3262b3884dd67b4c5632ce7cdf9cff9d1a575d4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/cma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5ce588a9552878859a4d44b70b724216c188a5f",
"status": "affected",
"version": "60d613b39e8d0c9f3b526e9c96445422b4562d76",
"versionType": "git"
},
{
"lessThan": "abf38398724ecc888f62c678d288da40d11878af",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "ab668a58c4a2ccb6d54add7a76f2f955d15d0196",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "c0acdee513239e1d6e1b490f56be0e6837dfd162",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "57f3cb6c84159d12ba343574df2115fb18dd83ca",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"status": "affected",
"version": "a3262b3884dd67b4c5632ce7cdf9cff9d1a575d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/cma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cm: Fix leaking the multicast GID table reference\n\nIf the CM ID is destroyed while the CM event for multicast creating is\nstill queued the cancel_work_sync() will prevent the work from running\nwhich also prevents destroying the ah_attr. This leaks a refcount and\ntriggers a WARN:\n\n GID entry ref leak for dev syz1 index 2 ref=573\n WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]\n WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886\n\nDestroy the ah_attr after canceling the work, it is safe to call this\ntwice."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:35.725Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5ce588a9552878859a4d44b70b724216c188a5f"
},
{
"url": "https://git.kernel.org/stable/c/abf38398724ecc888f62c678d288da40d11878af"
},
{
"url": "https://git.kernel.org/stable/c/ab668a58c4a2ccb6d54add7a76f2f955d15d0196"
},
{
"url": "https://git.kernel.org/stable/c/c0acdee513239e1d6e1b490f56be0e6837dfd162"
},
{
"url": "https://git.kernel.org/stable/c/5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3"
},
{
"url": "https://git.kernel.org/stable/c/3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5"
},
{
"url": "https://git.kernel.org/stable/c/57f3cb6c84159d12ba343574df2115fb18dd83ca"
}
],
"title": "RDMA/cm: Fix leaking the multicast GID table reference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71084",
"datePublished": "2026-01-13T15:34:47.665Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-02-09T08:34:35.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68803 (GCVE-0-2025-68803)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
NFSD: NFSv4 file creation neglects setting ACL
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: NFSv4 file creation neglects setting ACL
An NFSv4 client that sets an ACL with a named principal during file
creation retrieves the ACL afterwards, and finds that it is only a
default ACL (based on the mode bits) and not the ACL that was
requested during file creation. This violates RFC 8881 section
6.4.1.3: "the ACL attribute is set as given".
The issue occurs in nfsd_create_setattr(), which calls
nfsd_attrs_valid() to determine whether to call nfsd_setattr().
However, nfsd_attrs_valid() checks only for iattr changes and
security labels, but not POSIX ACLs. When only an ACL is present,
the function returns false, nfsd_setattr() is skipped, and the
POSIX ACL is never applied to the inode.
Subsequently, when the client retrieves the ACL, the server finds
no POSIX ACL on the inode and returns one generated from the file's
mode bits rather than returning the originally-specified ACL.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c5409ce523af40d5c3019717bc5b4f72038d48be , < c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d
(git)
Affected: d52acd23a327cada5fb597591267cfc09f08bb1d , < 75f91534f9acdfef77f8fa094313b7806f801725 (git) Affected: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b , < 60dbdef2ebc2317266a385e4debdb1bb0e57afe1 (git) Affected: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b , < 381261f24f4e4b41521c0e5ef5cc0b9a786a9862 (git) Affected: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b , < bf4e671c651534a307ab2fabba4926116beef8c3 (git) Affected: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b , < 214b396480061cbc8b16f2c518b2add7fbfa5192 (git) Affected: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b , < 913f7cf77bf14c13cfea70e89bcb6d0b22239562 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/vfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d",
"status": "affected",
"version": "c5409ce523af40d5c3019717bc5b4f72038d48be",
"versionType": "git"
},
{
"lessThan": "75f91534f9acdfef77f8fa094313b7806f801725",
"status": "affected",
"version": "d52acd23a327cada5fb597591267cfc09f08bb1d",
"versionType": "git"
},
{
"lessThan": "60dbdef2ebc2317266a385e4debdb1bb0e57afe1",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "381261f24f4e4b41521c0e5ef5cc0b9a786a9862",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "bf4e671c651534a307ab2fabba4926116beef8c3",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "214b396480061cbc8b16f2c518b2add7fbfa5192",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "913f7cf77bf14c13cfea70e89bcb6d0b22239562",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/vfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.220",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: NFSv4 file creation neglects setting ACL\n\nAn NFSv4 client that sets an ACL with a named principal during file\ncreation retrieves the ACL afterwards, and finds that it is only a\ndefault ACL (based on the mode bits) and not the ACL that was\nrequested during file creation. This violates RFC 8881 section\n6.4.1.3: \"the ACL attribute is set as given\".\n\nThe issue occurs in nfsd_create_setattr(), which calls\nnfsd_attrs_valid() to determine whether to call nfsd_setattr().\nHowever, nfsd_attrs_valid() checks only for iattr changes and\nsecurity labels, but not POSIX ACLs. When only an ACL is present,\nthe function returns false, nfsd_setattr() is skipped, and the\nPOSIX ACL is never applied to the inode.\n\nSubsequently, when the client retrieves the ACL, the server finds\nno POSIX ACL on the inode and returns one generated from the file\u0027s\nmode bits rather than returning the originally-specified ACL."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:52.010Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d"
},
{
"url": "https://git.kernel.org/stable/c/75f91534f9acdfef77f8fa094313b7806f801725"
},
{
"url": "https://git.kernel.org/stable/c/60dbdef2ebc2317266a385e4debdb1bb0e57afe1"
},
{
"url": "https://git.kernel.org/stable/c/381261f24f4e4b41521c0e5ef5cc0b9a786a9862"
},
{
"url": "https://git.kernel.org/stable/c/bf4e671c651534a307ab2fabba4926116beef8c3"
},
{
"url": "https://git.kernel.org/stable/c/214b396480061cbc8b16f2c518b2add7fbfa5192"
},
{
"url": "https://git.kernel.org/stable/c/913f7cf77bf14c13cfea70e89bcb6d0b22239562"
}
],
"title": "NFSD: NFSv4 file creation neglects setting ACL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68803",
"datePublished": "2026-01-13T15:29:11.732Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-02-09T08:33:52.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40000 (GCVE-0-2025-40000)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:59 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()
There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to
access already freed skb_data:
BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110
CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025
Workqueue: events_unbound cfg80211_wiphy_work [cfg80211]
Use-after-free write at 0x0000000020309d9d (in kfence-#251):
rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110
rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338
rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979
rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165
rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141
rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012
rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059
rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758
process_one_work kernel/workqueue.c:3241
worker_thread kernel/workqueue.c:3400
kthread kernel/kthread.c:463
ret_from_fork arch/x86/kernel/process.c:154
ret_from_fork_asm arch/x86/entry/entry_64.S:258
kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache
allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago):
__alloc_skb net/core/skbuff.c:659
__netdev_alloc_skb net/core/skbuff.c:734
ieee80211_nullfunc_get net/mac80211/tx.c:5844
rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431
rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338
rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979
rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165
rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194
rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012
rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059
rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758
process_one_work kernel/workqueue.c:3241
worker_thread kernel/workqueue.c:3400
kthread kernel/kthread.c:463
ret_from_fork arch/x86/kernel/process.c:154
ret_from_fork_asm arch/x86/entry/entry_64.S:258
freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago):
ieee80211_tx_status_skb net/mac80211/status.c:1117
rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564
rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651
rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676
rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238
__napi_poll net/core/dev.c:7495
net_rx_action net/core/dev.c:7557 net/core/dev.c:7684
handle_softirqs kernel/softirq.c:580
do_softirq.part.0 kernel/softirq.c:480
__local_bh_enable_ip kernel/softirq.c:407
rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927
irq_thread_fn kernel/irq/manage.c:1133
irq_thread kernel/irq/manage.c:1257
kthread kernel/kthread.c:463
ret_from_fork arch/x86/kernel/process.c:154
ret_from_fork_asm arch/x86/entry/entry_64.S:258
It is a consequence of a race between the waiting and the signaling side
of the completion:
Waiting thread Completing thread
rtw89_core_tx_kick_off_and_wait()
rcu_assign_pointer(skb_data->wait, wait)
/* start waiting */
wait_for_completion_timeout()
rtw89_pci_tx_status()
rtw89_core_tx_wait_complete()
rcu_read_lock()
/* signals completion and
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1ae5ca615285d5d4f72d1de464716d85dffef19f , < 895cccf639ac015f3d5f993218cf098db82ac145
(git)
Affected: 1ae5ca615285d5d4f72d1de464716d85dffef19f , < f21f530b03b4b23448edb531a0cfea434cb76bb4 (git) Affected: 1ae5ca615285d5d4f72d1de464716d85dffef19f , < bdb3c41b358cf87d99e39d393e164f9e4a6088e6 (git) Affected: 1ae5ca615285d5d4f72d1de464716d85dffef19f , < 3e31a6bc07312b448fad3b45de578471f86f0e77 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw89/core.c",
"drivers/net/wireless/realtek/rtw89/core.h",
"drivers/net/wireless/realtek/rtw89/pci.c",
"drivers/net/wireless/realtek/rtw89/ser.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "895cccf639ac015f3d5f993218cf098db82ac145",
"status": "affected",
"version": "1ae5ca615285d5d4f72d1de464716d85dffef19f",
"versionType": "git"
},
{
"lessThan": "f21f530b03b4b23448edb531a0cfea434cb76bb4",
"status": "affected",
"version": "1ae5ca615285d5d4f72d1de464716d85dffef19f",
"versionType": "git"
},
{
"lessThan": "bdb3c41b358cf87d99e39d393e164f9e4a6088e6",
"status": "affected",
"version": "1ae5ca615285d5d4f72d1de464716d85dffef19f",
"versionType": "git"
},
{
"lessThan": "3e31a6bc07312b448fad3b45de578471f86f0e77",
"status": "affected",
"version": "1ae5ca615285d5d4f72d1de464716d85dffef19f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw89/core.c",
"drivers/net/wireless/realtek/rtw89/core.h",
"drivers/net/wireless/realtek/rtw89/pci.c",
"drivers/net/wireless/realtek/rtw89/ser.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.12",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()\n\nThere is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to\naccess already freed skb_data:\n\n BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110\n\n CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025\n Workqueue: events_unbound cfg80211_wiphy_work [cfg80211]\n\n Use-after-free write at 0x0000000020309d9d (in kfence-#251):\n rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110\n rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338\n rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979\n rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165\n rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141\n rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012\n rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059\n rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758\n process_one_work kernel/workqueue.c:3241\n worker_thread kernel/workqueue.c:3400\n kthread kernel/kthread.c:463\n ret_from_fork arch/x86/kernel/process.c:154\n ret_from_fork_asm arch/x86/entry/entry_64.S:258\n\n kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache\n\n allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago):\n __alloc_skb net/core/skbuff.c:659\n __netdev_alloc_skb net/core/skbuff.c:734\n ieee80211_nullfunc_get net/mac80211/tx.c:5844\n rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431\n rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338\n rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979\n rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165\n rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194\n rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012\n rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059\n rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758\n process_one_work kernel/workqueue.c:3241\n worker_thread kernel/workqueue.c:3400\n kthread kernel/kthread.c:463\n ret_from_fork arch/x86/kernel/process.c:154\n ret_from_fork_asm arch/x86/entry/entry_64.S:258\n\n freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago):\n ieee80211_tx_status_skb net/mac80211/status.c:1117\n rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564\n rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651\n rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676\n rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238\n __napi_poll net/core/dev.c:7495\n net_rx_action net/core/dev.c:7557 net/core/dev.c:7684\n handle_softirqs kernel/softirq.c:580\n do_softirq.part.0 kernel/softirq.c:480\n __local_bh_enable_ip kernel/softirq.c:407\n rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927\n irq_thread_fn kernel/irq/manage.c:1133\n irq_thread kernel/irq/manage.c:1257\n kthread kernel/kthread.c:463\n ret_from_fork arch/x86/kernel/process.c:154\n ret_from_fork_asm arch/x86/entry/entry_64.S:258\n\nIt is a consequence of a race between the waiting and the signaling side\nof the completion:\n\n Waiting thread Completing thread\n\nrtw89_core_tx_kick_off_and_wait()\n rcu_assign_pointer(skb_data-\u003ewait, wait)\n /* start waiting */\n wait_for_completion_timeout()\n rtw89_pci_tx_status()\n rtw89_core_tx_wait_complete()\n rcu_read_lock()\n /* signals completion and\n \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:12.423Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/895cccf639ac015f3d5f993218cf098db82ac145"
},
{
"url": "https://git.kernel.org/stable/c/f21f530b03b4b23448edb531a0cfea434cb76bb4"
},
{
"url": "https://git.kernel.org/stable/c/bdb3c41b358cf87d99e39d393e164f9e4a6088e6"
},
{
"url": "https://git.kernel.org/stable/c/3e31a6bc07312b448fad3b45de578471f86f0e77"
}
],
"title": "wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40000",
"datePublished": "2025-10-15T07:59:14.606Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-12-01T06:16:12.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40279 (GCVE-0-2025-40279)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51
VLAI?
EPSS
Title
net: sched: act_connmark: initialize struct tc_ife to fix kernel leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sched: act_connmark: initialize struct tc_ife to fix kernel leak
In tcf_connmark_dump(), the variable 'opt' was partially initialized using a
designatied initializer. While the padding bytes are reamined
uninitialized. nla_put() copies the entire structure into a
netlink message, these uninitialized bytes leaked to userspace.
Initialize the structure with memset before assigning its fields
to ensure all members and padding are cleared prior to beign copied.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 218b67c8c8246d47a2a7910eae80abe4861fe2b7
(git)
Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 73cc56c608c209d3d666cc571293b090a471da70 (git) Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 31e4aa93e2e5b5647fc235b0f6ee329646878f9e (git) Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 51cb05d4fd632596816ba44e882e84db9fb28a7e (git) Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 25837889ec062f2b7618142cd80253dff3da5343 (git) Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 62b656e43eaeae445a39cd8021a4f47065af4389 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_connmark.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "218b67c8c8246d47a2a7910eae80abe4861fe2b7",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
},
{
"lessThan": "73cc56c608c209d3d666cc571293b090a471da70",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
},
{
"lessThan": "31e4aa93e2e5b5647fc235b0f6ee329646878f9e",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
},
{
"lessThan": "51cb05d4fd632596816ba44e882e84db9fb28a7e",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
},
{
"lessThan": "25837889ec062f2b7618142cd80253dff3da5343",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
},
{
"lessThan": "62b656e43eaeae445a39cd8021a4f47065af4389",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_connmark.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_connmark: initialize struct tc_ife to fix kernel leak\n\nIn tcf_connmark_dump(), the variable \u0027opt\u0027 was partially initialized using a\ndesignatied initializer. While the padding bytes are reamined\nuninitialized. nla_put() copies the entire structure into a\nnetlink message, these uninitialized bytes leaked to userspace.\n\nInitialize the structure with memset before assigning its fields\nto ensure all members and padding are cleared prior to beign copied."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:03.010Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/218b67c8c8246d47a2a7910eae80abe4861fe2b7"
},
{
"url": "https://git.kernel.org/stable/c/73cc56c608c209d3d666cc571293b090a471da70"
},
{
"url": "https://git.kernel.org/stable/c/31e4aa93e2e5b5647fc235b0f6ee329646878f9e"
},
{
"url": "https://git.kernel.org/stable/c/51cb05d4fd632596816ba44e882e84db9fb28a7e"
},
{
"url": "https://git.kernel.org/stable/c/25837889ec062f2b7618142cd80253dff3da5343"
},
{
"url": "https://git.kernel.org/stable/c/62b656e43eaeae445a39cd8021a4f47065af4389"
}
],
"title": "net: sched: act_connmark: initialize struct tc_ife to fix kernel leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40279",
"datePublished": "2025-12-06T21:51:03.010Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:03.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68263 (GCVE-0-2025-68263)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
ksmbd: ipc: fix use-after-free in ipc_msg_send_request
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: ipc: fix use-after-free in ipc_msg_send_request
ipc_msg_send_request() waits for a generic netlink reply using an
ipc_msg_table_entry on the stack. The generic netlink handler
(handle_generic_event()/handle_response()) fills entry->response under
ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free
entry->response without holding the same lock.
Under high concurrency this allows a race where handle_response() is
copying data into entry->response while ipc_msg_send_request() has just
freed it, leading to a slab-use-after-free reported by KASAN in
handle_generic_event():
BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]
Write of size 12 at addr ffff888198ee6e20 by task pool/109349
...
Freed by task:
kvfree
ipc_msg_send_request [ksmbd]
ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]
Fix by:
- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating
entry->response, freeing it when invalid, and removing the entry from
ipc_msg_table.
- Returning the final entry->response pointer to the caller only after
the hash entry is removed under the lock.
- Returning NULL in the error path, preserving the original API
semantics.
This makes all accesses to entry->response consistent with
handle_response(), which already updates and fills the response buffer
under ipc_msg_table_lock, and closes the race that allowed the UAF.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0626e6641f6b467447c81dd7678a69c66f7746cf , < de85fb58f9967ba024bb08e0041613d37b57b4d1
(git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 708a620b471a14466f1f52c90bf3f65ebdb31460 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 759c8c30cfa8706c518e56f67971b1f0932f4b9b (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 8229c6ca50cea701e25a7ee25f48441b582ec5fa (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 1fab1fa091f5aa97265648b53ea031deedd26235 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de85fb58f9967ba024bb08e0041613d37b57b4d1",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "708a620b471a14466f1f52c90bf3f65ebdb31460",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "759c8c30cfa8706c518e56f67971b1f0932f4b9b",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "8229c6ca50cea701e25a7ee25f48441b582ec5fa",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "1fab1fa091f5aa97265648b53ea031deedd26235",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: ipc: fix use-after-free in ipc_msg_send_request\n\nipc_msg_send_request() waits for a generic netlink reply using an\nipc_msg_table_entry on the stack. The generic netlink handler\n(handle_generic_event()/handle_response()) fills entry-\u003eresponse under\nipc_msg_table_lock, but ipc_msg_send_request() used to validate and free\nentry-\u003eresponse without holding the same lock.\n\nUnder high concurrency this allows a race where handle_response() is\ncopying data into entry-\u003eresponse while ipc_msg_send_request() has just\nfreed it, leading to a slab-use-after-free reported by KASAN in\nhandle_generic_event():\n\n BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]\n Write of size 12 at addr ffff888198ee6e20 by task pool/109349\n ...\n Freed by task:\n kvfree\n ipc_msg_send_request [ksmbd]\n ksmbd_rpc_open -\u003e ksmbd_session_rpc_open [ksmbd]\n\nFix by:\n- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating\n entry-\u003eresponse, freeing it when invalid, and removing the entry from\n ipc_msg_table.\n- Returning the final entry-\u003eresponse pointer to the caller only after\n the hash entry is removed under the lock.\n- Returning NULL in the error path, preserving the original API\n semantics.\n\nThis makes all accesses to entry-\u003eresponse consistent with\nhandle_response(), which already updates and fills the response buffer\nunder ipc_msg_table_lock, and closes the race that allowed the UAF."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:22.495Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de85fb58f9967ba024bb08e0041613d37b57b4d1"
},
{
"url": "https://git.kernel.org/stable/c/708a620b471a14466f1f52c90bf3f65ebdb31460"
},
{
"url": "https://git.kernel.org/stable/c/5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e"
},
{
"url": "https://git.kernel.org/stable/c/759c8c30cfa8706c518e56f67971b1f0932f4b9b"
},
{
"url": "https://git.kernel.org/stable/c/8229c6ca50cea701e25a7ee25f48441b582ec5fa"
},
{
"url": "https://git.kernel.org/stable/c/1fab1fa091f5aa97265648b53ea031deedd26235"
}
],
"title": "ksmbd: ipc: fix use-after-free in ipc_msg_send_request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68263",
"datePublished": "2025-12-16T14:45:05.218Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-02-09T08:31:22.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39940 (GCVE-0-2025-39940)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:31 – Updated: 2026-01-02 15:32
VLAI?
EPSS
Title
dm-stripe: fix a possible integer overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm-stripe: fix a possible integer overflow
There's a possible integer overflow in stripe_io_hints if we have too
large chunk size. Test if the overflow happened, and if it did, don't set
limits->io_min and limits->io_opt;
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
40bea431274c247425e7f5970d796ff7b37a2b22 , < f8f64254bca5ae58f3b679441962bda4c409f659
(git)
Affected: 40bea431274c247425e7f5970d796ff7b37a2b22 , < ee27658c239b27721397f3e4eb16370b5cce596e (git) Affected: 40bea431274c247425e7f5970d796ff7b37a2b22 , < 1071d560afb4c245c2076494226df47db5a35708 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-stripe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f8f64254bca5ae58f3b679441962bda4c409f659",
"status": "affected",
"version": "40bea431274c247425e7f5970d796ff7b37a2b22",
"versionType": "git"
},
{
"lessThan": "ee27658c239b27721397f3e4eb16370b5cce596e",
"status": "affected",
"version": "40bea431274c247425e7f5970d796ff7b37a2b22",
"versionType": "git"
},
{
"lessThan": "1071d560afb4c245c2076494226df47db5a35708",
"status": "affected",
"version": "40bea431274c247425e7f5970d796ff7b37a2b22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-stripe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-stripe: fix a possible integer overflow\n\nThere\u0027s a possible integer overflow in stripe_io_hints if we have too\nlarge chunk size. Test if the overflow happened, and if it did, don\u0027t set\nlimits-\u003eio_min and limits-\u003eio_opt;"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:41.795Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f8f64254bca5ae58f3b679441962bda4c409f659"
},
{
"url": "https://git.kernel.org/stable/c/ee27658c239b27721397f3e4eb16370b5cce596e"
},
{
"url": "https://git.kernel.org/stable/c/1071d560afb4c245c2076494226df47db5a35708"
}
],
"title": "dm-stripe: fix a possible integer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39940",
"datePublished": "2025-10-04T07:31:03.309Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2026-01-02T15:32:41.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49465 (GCVE-0-2022-49465)
Vulnerability from cvelistv5 – Published: 2025-02-26 02:13 – Updated: 2026-01-19 12:17
VLAI?
EPSS
Title
blk-throttle: Set BIO_THROTTLED when bio has been throttled
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-throttle: Set BIO_THROTTLED when bio has been throttled
1.In current process, all bio will set the BIO_THROTTLED flag
after __blk_throtl_bio().
2.If bio needs to be throttled, it will start the timer and
stop submit bio directly. Bio will submit in
blk_throtl_dispatch_work_fn() when the timer expires.But in
the current process, if bio is throttled. The BIO_THROTTLED
will be set to bio after timer start. If the bio has been
completed, it may cause use-after-free blow.
BUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70
Read of size 2 at addr ffff88801b8902d4 by task fio/26380
dump_stack+0x9b/0xce
print_address_description.constprop.6+0x3e/0x60
kasan_report.cold.9+0x22/0x3a
blk_throtl_bio+0x12f0/0x2c70
submit_bio_checks+0x701/0x1550
submit_bio_noacct+0x83/0xc80
submit_bio+0xa7/0x330
mpage_readahead+0x380/0x500
read_pages+0x1c1/0xbf0
page_cache_ra_unbounded+0x471/0x6f0
do_page_cache_ra+0xda/0x110
ondemand_readahead+0x442/0xae0
page_cache_async_ra+0x210/0x300
generic_file_buffered_read+0x4d9/0x2130
generic_file_read_iter+0x315/0x490
blkdev_read_iter+0x113/0x1b0
aio_read+0x2ad/0x450
io_submit_one+0xc8e/0x1d60
__se_sys_io_submit+0x125/0x350
do_syscall_64+0x2d/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Allocated by task 26380:
kasan_save_stack+0x19/0x40
__kasan_kmalloc.constprop.2+0xc1/0xd0
kmem_cache_alloc+0x146/0x440
mempool_alloc+0x125/0x2f0
bio_alloc_bioset+0x353/0x590
mpage_alloc+0x3b/0x240
do_mpage_readpage+0xddf/0x1ef0
mpage_readahead+0x264/0x500
read_pages+0x1c1/0xbf0
page_cache_ra_unbounded+0x471/0x6f0
do_page_cache_ra+0xda/0x110
ondemand_readahead+0x442/0xae0
page_cache_async_ra+0x210/0x300
generic_file_buffered_read+0x4d9/0x2130
generic_file_read_iter+0x315/0x490
blkdev_read_iter+0x113/0x1b0
aio_read+0x2ad/0x450
io_submit_one+0xc8e/0x1d60
__se_sys_io_submit+0x125/0x350
do_syscall_64+0x2d/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 0:
kasan_save_stack+0x19/0x40
kasan_set_track+0x1c/0x30
kasan_set_free_info+0x1b/0x30
__kasan_slab_free+0x111/0x160
kmem_cache_free+0x94/0x460
mempool_free+0xd6/0x320
bio_free+0xe0/0x130
bio_put+0xab/0xe0
bio_endio+0x3a6/0x5d0
blk_update_request+0x590/0x1370
scsi_end_request+0x7d/0x400
scsi_io_completion+0x1aa/0xe50
scsi_softirq_done+0x11b/0x240
blk_mq_complete_request+0xd4/0x120
scsi_mq_done+0xf0/0x200
virtscsi_vq_done+0xbc/0x150
vring_interrupt+0x179/0x390
__handle_irq_event_percpu+0xf7/0x490
handle_irq_event_percpu+0x7b/0x160
handle_irq_event+0xcc/0x170
handle_edge_irq+0x215/0xb20
common_interrupt+0x60/0x120
asm_common_interrupt+0x1e/0x40
Fix this by move BIO_THROTTLED set into the queue_lock.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2a0f61e6ecd08d260054bde4b096ff207ce5350f , < 24ba80efaf6e772f6132465fad08e20fb4767da7
(git)
Affected: 2a0f61e6ecd08d260054bde4b096ff207ce5350f , < 047ea38d41d90d748bca812a43339632f52ba715 (git) Affected: 2a0f61e6ecd08d260054bde4b096ff207ce5350f , < 0cfc8a0fb07cde61915e4a77c4794c47de3114a4 (git) Affected: 2a0f61e6ecd08d260054bde4b096ff207ce5350f , < 935fa666534d7b7185e8c6b0191cd06281be4290 (git) Affected: 2a0f61e6ecd08d260054bde4b096ff207ce5350f , < 5a011f889b4832aa80c2a872a5aade5c48d2756f (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49465",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:02.824581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:32.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-throttle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "24ba80efaf6e772f6132465fad08e20fb4767da7",
"status": "affected",
"version": "2a0f61e6ecd08d260054bde4b096ff207ce5350f",
"versionType": "git"
},
{
"lessThan": "047ea38d41d90d748bca812a43339632f52ba715",
"status": "affected",
"version": "2a0f61e6ecd08d260054bde4b096ff207ce5350f",
"versionType": "git"
},
{
"lessThan": "0cfc8a0fb07cde61915e4a77c4794c47de3114a4",
"status": "affected",
"version": "2a0f61e6ecd08d260054bde4b096ff207ce5350f",
"versionType": "git"
},
{
"lessThan": "935fa666534d7b7185e8c6b0191cd06281be4290",
"status": "affected",
"version": "2a0f61e6ecd08d260054bde4b096ff207ce5350f",
"versionType": "git"
},
{
"lessThan": "5a011f889b4832aa80c2a872a5aade5c48d2756f",
"status": "affected",
"version": "2a0f61e6ecd08d260054bde4b096ff207ce5350f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-throttle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-throttle: Set BIO_THROTTLED when bio has been throttled\n\n1.In current process, all bio will set the BIO_THROTTLED flag\nafter __blk_throtl_bio().\n\n2.If bio needs to be throttled, it will start the timer and\nstop submit bio directly. Bio will submit in\nblk_throtl_dispatch_work_fn() when the timer expires.But in\nthe current process, if bio is throttled. The BIO_THROTTLED\nwill be set to bio after timer start. If the bio has been\ncompleted, it may cause use-after-free blow.\n\nBUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70\nRead of size 2 at addr ffff88801b8902d4 by task fio/26380\n\n dump_stack+0x9b/0xce\n print_address_description.constprop.6+0x3e/0x60\n kasan_report.cold.9+0x22/0x3a\n blk_throtl_bio+0x12f0/0x2c70\n submit_bio_checks+0x701/0x1550\n submit_bio_noacct+0x83/0xc80\n submit_bio+0xa7/0x330\n mpage_readahead+0x380/0x500\n read_pages+0x1c1/0xbf0\n page_cache_ra_unbounded+0x471/0x6f0\n do_page_cache_ra+0xda/0x110\n ondemand_readahead+0x442/0xae0\n page_cache_async_ra+0x210/0x300\n generic_file_buffered_read+0x4d9/0x2130\n generic_file_read_iter+0x315/0x490\n blkdev_read_iter+0x113/0x1b0\n aio_read+0x2ad/0x450\n io_submit_one+0xc8e/0x1d60\n __se_sys_io_submit+0x125/0x350\n do_syscall_64+0x2d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nAllocated by task 26380:\n kasan_save_stack+0x19/0x40\n __kasan_kmalloc.constprop.2+0xc1/0xd0\n kmem_cache_alloc+0x146/0x440\n mempool_alloc+0x125/0x2f0\n bio_alloc_bioset+0x353/0x590\n mpage_alloc+0x3b/0x240\n do_mpage_readpage+0xddf/0x1ef0\n mpage_readahead+0x264/0x500\n read_pages+0x1c1/0xbf0\n page_cache_ra_unbounded+0x471/0x6f0\n do_page_cache_ra+0xda/0x110\n ondemand_readahead+0x442/0xae0\n page_cache_async_ra+0x210/0x300\n generic_file_buffered_read+0x4d9/0x2130\n generic_file_read_iter+0x315/0x490\n blkdev_read_iter+0x113/0x1b0\n aio_read+0x2ad/0x450\n io_submit_one+0xc8e/0x1d60\n __se_sys_io_submit+0x125/0x350\n do_syscall_64+0x2d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nFreed by task 0:\n kasan_save_stack+0x19/0x40\n kasan_set_track+0x1c/0x30\n kasan_set_free_info+0x1b/0x30\n __kasan_slab_free+0x111/0x160\n kmem_cache_free+0x94/0x460\n mempool_free+0xd6/0x320\n bio_free+0xe0/0x130\n bio_put+0xab/0xe0\n bio_endio+0x3a6/0x5d0\n blk_update_request+0x590/0x1370\n scsi_end_request+0x7d/0x400\n scsi_io_completion+0x1aa/0xe50\n scsi_softirq_done+0x11b/0x240\n blk_mq_complete_request+0xd4/0x120\n scsi_mq_done+0xf0/0x200\n virtscsi_vq_done+0xbc/0x150\n vring_interrupt+0x179/0x390\n __handle_irq_event_percpu+0xf7/0x490\n handle_irq_event_percpu+0x7b/0x160\n handle_irq_event+0xcc/0x170\n handle_edge_irq+0x215/0xb20\n common_interrupt+0x60/0x120\n asm_common_interrupt+0x1e/0x40\n\nFix this by move BIO_THROTTLED set into the queue_lock."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:39.645Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/24ba80efaf6e772f6132465fad08e20fb4767da7"
},
{
"url": "https://git.kernel.org/stable/c/047ea38d41d90d748bca812a43339632f52ba715"
},
{
"url": "https://git.kernel.org/stable/c/0cfc8a0fb07cde61915e4a77c4794c47de3114a4"
},
{
"url": "https://git.kernel.org/stable/c/935fa666534d7b7185e8c6b0191cd06281be4290"
},
{
"url": "https://git.kernel.org/stable/c/5a011f889b4832aa80c2a872a5aade5c48d2756f"
}
],
"title": "blk-throttle: Set BIO_THROTTLED when bio has been throttled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49465",
"datePublished": "2025-02-26T02:13:10.975Z",
"dateReserved": "2025-02-26T02:08:31.577Z",
"dateUpdated": "2026-01-19T12:17:39.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40200 (GCVE-0-2025-40200)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:20
VLAI?
EPSS
Title
Squashfs: reject negative file sizes in squashfs_read_inode()
Summary
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: reject negative file sizes in squashfs_read_inode()
Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs.
This warning is ultimately caused because the underlying Squashfs file
system returns a file with a negative file size.
This commit checks for a negative file size and returns EINVAL.
[phillip@squashfs.org.uk: only need to check 64 bit quantity]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 54170057a5fadd24a37b70de41e61d39284d9bd7
(git)
Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 2871c74caa3f4f05b429e6bfefebac62dbf1b408 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < fbfc745db628de31f5c089147deeb87e95b89e66 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 8118f66124895829443d09c207e654adcb2f9321 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 8c7aad76751816207fee556d44aa88a710824810 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 875fb3f87ae0225b881319ba016a1a8c4ffd5812 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < f271155ff31aca8ef82c61c8df23ca97e9a77dd4 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "54170057a5fadd24a37b70de41e61d39284d9bd7",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "2871c74caa3f4f05b429e6bfefebac62dbf1b408",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "fbfc745db628de31f5c089147deeb87e95b89e66",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "8118f66124895829443d09c207e654adcb2f9321",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "8c7aad76751816207fee556d44aa88a710824810",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "875fb3f87ae0225b881319ba016a1a8c4ffd5812",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "f271155ff31aca8ef82c61c8df23ca97e9a77dd4",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: reject negative file sizes in squashfs_read_inode()\n\nSyskaller reports a \"WARNING in ovl_copy_up_file\" in overlayfs.\n\nThis warning is ultimately caused because the underlying Squashfs file\nsystem returns a file with a negative file size.\n\nThis commit checks for a negative file size and returns EINVAL.\n\n[phillip@squashfs.org.uk: only need to check 64 bit quantity]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:02.406Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/54170057a5fadd24a37b70de41e61d39284d9bd7"
},
{
"url": "https://git.kernel.org/stable/c/2871c74caa3f4f05b429e6bfefebac62dbf1b408"
},
{
"url": "https://git.kernel.org/stable/c/fbfc745db628de31f5c089147deeb87e95b89e66"
},
{
"url": "https://git.kernel.org/stable/c/8118f66124895829443d09c207e654adcb2f9321"
},
{
"url": "https://git.kernel.org/stable/c/8c7aad76751816207fee556d44aa88a710824810"
},
{
"url": "https://git.kernel.org/stable/c/875fb3f87ae0225b881319ba016a1a8c4ffd5812"
},
{
"url": "https://git.kernel.org/stable/c/f271155ff31aca8ef82c61c8df23ca97e9a77dd4"
},
{
"url": "https://git.kernel.org/stable/c/9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b"
}
],
"title": "Squashfs: reject negative file sizes in squashfs_read_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40200",
"datePublished": "2025-11-12T21:56:33.783Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-12-01T06:20:02.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40339 (GCVE-0-2025-40339)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
drm/amdgpu: fix nullptr err of vm_handle_moved
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix nullptr err of vm_handle_moved
If a amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL.
So, such kind of amdgpu_bo_va should be updated separately before
amdgpu_vm_handle_moved.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 47281febebe337586569aa4c5694a7511063a42e
(git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 273d1ea12e42e9babb9783837906f3c466f213d3 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 859958a7faefe5b7742b7b8cdbc170713d4bf158 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47281febebe337586569aa4c5694a7511063a42e",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "273d1ea12e42e9babb9783837906f3c466f213d3",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "859958a7faefe5b7742b7b8cdbc170713d4bf158",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix nullptr err of vm_handle_moved\n\nIf a amdgpu_bo_va is fpriv-\u003eprt_va, the bo of this one is always NULL.\nSo, such kind of amdgpu_bo_va should be updated separately before\namdgpu_vm_handle_moved."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:10.207Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47281febebe337586569aa4c5694a7511063a42e"
},
{
"url": "https://git.kernel.org/stable/c/273d1ea12e42e9babb9783837906f3c466f213d3"
},
{
"url": "https://git.kernel.org/stable/c/859958a7faefe5b7742b7b8cdbc170713d4bf158"
}
],
"title": "drm/amdgpu: fix nullptr err of vm_handle_moved",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40339",
"datePublished": "2025-12-09T04:09:55.697Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-20T08:52:10.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39806 (GCVE-0-2025-39806)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
A malicious HID device can trigger a slab out-of-bounds during
mt_report_fixup() by passing in report descriptor smaller than
607 bytes. mt_report_fixup() attempts to patch byte offset 607
of the descriptor with 0x25 by first checking if byte offset
607 is 0x15 however it lacks bounds checks to verify if the
descriptor is big enough before conducting this check. Fix
this bug by ensuring the descriptor size is at least 608
bytes before accessing it.
Below is the KASAN splat after the out of bounds access happens:
[ 13.671954] ==================================================================
[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
[ 13.673297]
[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3
[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04
[ 13.673297] Call Trace:
[ 13.673297] <TASK>
[ 13.673297] dump_stack_lvl+0x5f/0x80
[ 13.673297] print_report+0xd1/0x660
[ 13.673297] kasan_report+0xe5/0x120
[ 13.673297] __asan_report_load1_noabort+0x18/0x20
[ 13.673297] mt_report_fixup+0x103/0x110
[ 13.673297] hid_open_report+0x1ef/0x810
[ 13.673297] mt_probe+0x422/0x960
[ 13.673297] hid_device_probe+0x2e2/0x6f0
[ 13.673297] really_probe+0x1c6/0x6b0
[ 13.673297] __driver_probe_device+0x24f/0x310
[ 13.673297] driver_probe_device+0x4e/0x220
[ 13.673297] __device_attach_driver+0x169/0x320
[ 13.673297] bus_for_each_drv+0x11d/0x1b0
[ 13.673297] __device_attach+0x1b8/0x3e0
[ 13.673297] device_initial_probe+0x12/0x20
[ 13.673297] bus_probe_device+0x13d/0x180
[ 13.673297] device_add+0xe3a/0x1670
[ 13.673297] hid_add_device+0x31d/0xa40
[...]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7d91a0b2151a9c3b61d44c85c8eba930eddd1dd0 , < 4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d
(git)
Affected: 45ec9f17ce46417fc4eccecf388c99e81fb7fcc1 , < 7ab7311c43ae19c66c53ccd8c5052a9072a4e338 (git) Affected: 1d5c7d0a49ec9d8786f266ac6d1d7c4960e1787b , < d4e6e2680807671e1c73cd6a986b33659ce92f2b (git) Affected: c8000deb68365b461b324d68c7ea89d730f0bb85 , < 3055309821dd3da92888f88bad10f0324c3c89fe (git) Affected: c8000deb68365b461b324d68c7ea89d730f0bb85 , < c13e95587583d018cfbcc277df7e02d41902ac5a (git) Affected: c8000deb68365b461b324d68c7ea89d730f0bb85 , < 0379eb8691b9c4477da0277ae0832036ca4410b4 (git) Affected: d189e24a42b8bd0ece3d28801d751bf66dba8e92 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:32.753Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-multitouch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d",
"status": "affected",
"version": "7d91a0b2151a9c3b61d44c85c8eba930eddd1dd0",
"versionType": "git"
},
{
"lessThan": "7ab7311c43ae19c66c53ccd8c5052a9072a4e338",
"status": "affected",
"version": "45ec9f17ce46417fc4eccecf388c99e81fb7fcc1",
"versionType": "git"
},
{
"lessThan": "d4e6e2680807671e1c73cd6a986b33659ce92f2b",
"status": "affected",
"version": "1d5c7d0a49ec9d8786f266ac6d1d7c4960e1787b",
"versionType": "git"
},
{
"lessThan": "3055309821dd3da92888f88bad10f0324c3c89fe",
"status": "affected",
"version": "c8000deb68365b461b324d68c7ea89d730f0bb85",
"versionType": "git"
},
{
"lessThan": "c13e95587583d018cfbcc277df7e02d41902ac5a",
"status": "affected",
"version": "c8000deb68365b461b324d68c7ea89d730f0bb85",
"versionType": "git"
},
{
"lessThan": "0379eb8691b9c4477da0277ae0832036ca4410b4",
"status": "affected",
"version": "c8000deb68365b461b324d68c7ea89d730f0bb85",
"versionType": "git"
},
{
"status": "affected",
"version": "d189e24a42b8bd0ece3d28801d751bf66dba8e92",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-multitouch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "5.15.168",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "6.1.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "6.6.52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: fix slab out-of-bounds access in mt_report_fixup()\n\nA malicious HID device can trigger a slab out-of-bounds during\nmt_report_fixup() by passing in report descriptor smaller than\n607 bytes. mt_report_fixup() attempts to patch byte offset 607\nof the descriptor with 0x25 by first checking if byte offset\n607 is 0x15 however it lacks bounds checks to verify if the\ndescriptor is big enough before conducting this check. Fix\nthis bug by ensuring the descriptor size is at least 608\nbytes before accessing it.\n\nBelow is the KASAN splat after the out of bounds access happens:\n\n[ 13.671954] ==================================================================\n[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110\n[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10\n[ 13.673297]\n[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3\n[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04\n[ 13.673297] Call Trace:\n[ 13.673297] \u003cTASK\u003e\n[ 13.673297] dump_stack_lvl+0x5f/0x80\n[ 13.673297] print_report+0xd1/0x660\n[ 13.673297] kasan_report+0xe5/0x120\n[ 13.673297] __asan_report_load1_noabort+0x18/0x20\n[ 13.673297] mt_report_fixup+0x103/0x110\n[ 13.673297] hid_open_report+0x1ef/0x810\n[ 13.673297] mt_probe+0x422/0x960\n[ 13.673297] hid_device_probe+0x2e2/0x6f0\n[ 13.673297] really_probe+0x1c6/0x6b0\n[ 13.673297] __driver_probe_device+0x24f/0x310\n[ 13.673297] driver_probe_device+0x4e/0x220\n[ 13.673297] __device_attach_driver+0x169/0x320\n[ 13.673297] bus_for_each_drv+0x11d/0x1b0\n[ 13.673297] __device_attach+0x1b8/0x3e0\n[ 13.673297] device_initial_probe+0x12/0x20\n[ 13.673297] bus_probe_device+0x13d/0x180\n[ 13.673297] device_add+0xe3a/0x1670\n[ 13.673297] hid_add_device+0x31d/0xa40\n[...]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:48.576Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d"
},
{
"url": "https://git.kernel.org/stable/c/7ab7311c43ae19c66c53ccd8c5052a9072a4e338"
},
{
"url": "https://git.kernel.org/stable/c/d4e6e2680807671e1c73cd6a986b33659ce92f2b"
},
{
"url": "https://git.kernel.org/stable/c/3055309821dd3da92888f88bad10f0324c3c89fe"
},
{
"url": "https://git.kernel.org/stable/c/c13e95587583d018cfbcc277df7e02d41902ac5a"
},
{
"url": "https://git.kernel.org/stable/c/0379eb8691b9c4477da0277ae0832036ca4410b4"
}
],
"title": "HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39806",
"datePublished": "2025-09-16T13:00:09.524Z",
"dateReserved": "2025-04-16T07:20:57.136Z",
"dateUpdated": "2025-11-03T17:43:32.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39980 (GCVE-0-2025-39980)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:56 – Updated: 2025-10-15 07:56
VLAI?
EPSS
Title
nexthop: Forbid FDB status change while nexthop is in a group
Summary
In the Linux kernel, the following vulnerability has been resolved:
nexthop: Forbid FDB status change while nexthop is in a group
The kernel forbids the creation of non-FDB nexthop groups with FDB
nexthops:
# ip nexthop add id 1 via 192.0.2.1 fdb
# ip nexthop add id 2 group 1
Error: Non FDB nexthop group cannot have fdb nexthops.
And vice versa:
# ip nexthop add id 3 via 192.0.2.2 dev dummy1
# ip nexthop add id 4 group 3 fdb
Error: FDB nexthop group can only have fdb nexthops.
However, as long as no routes are pointing to a non-FDB nexthop group,
the kernel allows changing the type of a nexthop from FDB to non-FDB and
vice versa:
# ip nexthop add id 5 via 192.0.2.2 dev dummy1
# ip nexthop add id 6 group 5
# ip nexthop replace id 5 via 192.0.2.2 fdb
# echo $?
0
This configuration is invalid and can result in a NPD [1] since FDB
nexthops are not associated with a nexthop device:
# ip route add 198.51.100.1/32 nhid 6
# ping 198.51.100.1
Fix by preventing nexthop FDB status change while the nexthop is in a
group:
# ip nexthop add id 7 via 192.0.2.2 dev dummy1
# ip nexthop add id 8 group 7
# ip nexthop replace id 7 via 192.0.2.2 fdb
Error: Cannot change nexthop FDB status while in a group.
[1]
BUG: kernel NULL pointer dereference, address: 00000000000003c0
[...]
Oops: Oops: 0000 [#1] SMP
CPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
RIP: 0010:fib_lookup_good_nhc+0x1e/0x80
[...]
Call Trace:
<TASK>
fib_table_lookup+0x541/0x650
ip_route_output_key_hash_rcu+0x2ea/0x970
ip_route_output_key_hash+0x55/0x80
__ip4_datagram_connect+0x250/0x330
udp_connect+0x2b/0x60
__sys_connect+0x9c/0xd0
__x64_sys_connect+0x18/0x20
do_syscall_64+0xa4/0x2a0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
38428d68719c454d269cb03b776d8a4b0ad66111 , < e1e87ac0daacd51f522ecd1645cd76b5809303ed
(git)
Affected: 38428d68719c454d269cb03b776d8a4b0ad66111 , < 0e7bfe7a268ccbd7859730c529161cafbf44637c (git) Affected: 38428d68719c454d269cb03b776d8a4b0ad66111 , < ec428fff792b7bd15b248dafca2e654b666b1304 (git) Affected: 38428d68719c454d269cb03b776d8a4b0ad66111 , < 24046d31f6f92220852d393d510b6062843e3fbd (git) Affected: 38428d68719c454d269cb03b776d8a4b0ad66111 , < f0e49fd13afe9dea7a09a1c9537fd00cea22badb (git) Affected: 38428d68719c454d269cb03b776d8a4b0ad66111 , < 8dd4aa0122885f710930de135af2adc4ccc3238f (git) Affected: 38428d68719c454d269cb03b776d8a4b0ad66111 , < 390b3a300d7872cef9588f003b204398be69ce08 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/nexthop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1e87ac0daacd51f522ecd1645cd76b5809303ed",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "0e7bfe7a268ccbd7859730c529161cafbf44637c",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "ec428fff792b7bd15b248dafca2e654b666b1304",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "24046d31f6f92220852d393d510b6062843e3fbd",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "f0e49fd13afe9dea7a09a1c9537fd00cea22badb",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "8dd4aa0122885f710930de135af2adc4ccc3238f",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "390b3a300d7872cef9588f003b204398be69ce08",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/nexthop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnexthop: Forbid FDB status change while nexthop is in a group\n\nThe kernel forbids the creation of non-FDB nexthop groups with FDB\nnexthops:\n\n # ip nexthop add id 1 via 192.0.2.1 fdb\n # ip nexthop add id 2 group 1\n Error: Non FDB nexthop group cannot have fdb nexthops.\n\nAnd vice versa:\n\n # ip nexthop add id 3 via 192.0.2.2 dev dummy1\n # ip nexthop add id 4 group 3 fdb\n Error: FDB nexthop group can only have fdb nexthops.\n\nHowever, as long as no routes are pointing to a non-FDB nexthop group,\nthe kernel allows changing the type of a nexthop from FDB to non-FDB and\nvice versa:\n\n # ip nexthop add id 5 via 192.0.2.2 dev dummy1\n # ip nexthop add id 6 group 5\n # ip nexthop replace id 5 via 192.0.2.2 fdb\n # echo $?\n 0\n\nThis configuration is invalid and can result in a NPD [1] since FDB\nnexthops are not associated with a nexthop device:\n\n # ip route add 198.51.100.1/32 nhid 6\n # ping 198.51.100.1\n\nFix by preventing nexthop FDB status change while the nexthop is in a\ngroup:\n\n # ip nexthop add id 7 via 192.0.2.2 dev dummy1\n # ip nexthop add id 8 group 7\n # ip nexthop replace id 7 via 192.0.2.2 fdb\n Error: Cannot change nexthop FDB status while in a group.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 00000000000003c0\n[...]\nOops: Oops: 0000 [#1] SMP\nCPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014\nRIP: 0010:fib_lookup_good_nhc+0x1e/0x80\n[...]\nCall Trace:\n \u003cTASK\u003e\n fib_table_lookup+0x541/0x650\n ip_route_output_key_hash_rcu+0x2ea/0x970\n ip_route_output_key_hash+0x55/0x80\n __ip4_datagram_connect+0x250/0x330\n udp_connect+0x2b/0x60\n __sys_connect+0x9c/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0xa4/0x2a0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:00.275Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1e87ac0daacd51f522ecd1645cd76b5809303ed"
},
{
"url": "https://git.kernel.org/stable/c/0e7bfe7a268ccbd7859730c529161cafbf44637c"
},
{
"url": "https://git.kernel.org/stable/c/ec428fff792b7bd15b248dafca2e654b666b1304"
},
{
"url": "https://git.kernel.org/stable/c/24046d31f6f92220852d393d510b6062843e3fbd"
},
{
"url": "https://git.kernel.org/stable/c/f0e49fd13afe9dea7a09a1c9537fd00cea22badb"
},
{
"url": "https://git.kernel.org/stable/c/8dd4aa0122885f710930de135af2adc4ccc3238f"
},
{
"url": "https://git.kernel.org/stable/c/390b3a300d7872cef9588f003b204398be69ce08"
}
],
"title": "nexthop: Forbid FDB status change while nexthop is in a group",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39980",
"datePublished": "2025-10-15T07:56:00.275Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:00.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68813 (GCVE-0-2025-68813)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
ipvs: fix ipv4 null-ptr-deref in route error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvs: fix ipv4 null-ptr-deref in route error path
The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()
without ensuring skb->dev is set, leading to a NULL pointer dereference
in fib_compute_spec_dst() when ipv4_link_failure() attempts to send
ICMP destination unreachable messages.
The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options
in ipv4_link_failure") started calling __ip_options_compile() from
ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()
which dereferences skb->dev. An attempt was made to fix the NULL skb->dev
dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in
ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev)
dereference by using a fallback device. The fix was incomplete because
fib_compute_spec_dst() later in the call chain still accesses skb->dev
directly, which remains NULL when IPVS calls dst_link_failure().
The crash occurs when:
1. IPVS processes a packet in NAT mode with a misconfigured destination
2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route
3. The error path calls dst_link_failure(skb) with skb->dev == NULL
4. ipv4_link_failure() → ipv4_send_dest_unreach() →
__ip_options_compile() → fib_compute_spec_dst()
5. fib_compute_spec_dst() dereferences NULL skb->dev
Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix
ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before
calling dst_link_failure().
KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]
CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2
RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233
RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285
Call Trace:
<TASK>
spec_dst_fill net/ipv4/ip_options.c:232
spec_dst_fill net/ipv4/ip_options.c:229
__ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330
ipv4_send_dest_unreach net/ipv4/route.c:1252
ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265
dst_link_failure include/net/dst.h:437
__ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412
ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ed0de45a1008991fdaa27a0152befcb74d126a8b , < dd72a93c80408f06327dd2d956eb1a656d0b5903
(git)
Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 312d7cd88882fc6cadcc08b02287497aaaf94bcd (git) Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < cdeff10851c37a002d87a035818ebd60fdb74447 (git) Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 4729ff0581fbb7ad098b6153b76b6f5aac94618a (git) Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 25ab24df31f7af843c96a38e0781b9165216e1a8 (git) Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 689a627d14788ad772e0fa24c2e57a23dbc7ce90 (git) Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < ad891bb3d079a46a821bf2b8867854645191bab0 (git) Affected: 6c2fa855d8178699706b1192db2f1f8102b0ba1e (git) Affected: fbf569d2beee2a4a7a0bc8b619c26101d1211a88 (git) Affected: ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38 (git) Affected: 3d988fcddbe7b8673a231958bd2fba61b5a7ced9 (git) Affected: 8a430e56a6485267a1b2d3747209d26c54d1a34b (git) Affected: 6bd1ee0a993fc9574ae43c1994c54a60cb23a380 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_xmit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dd72a93c80408f06327dd2d956eb1a656d0b5903",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "312d7cd88882fc6cadcc08b02287497aaaf94bcd",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "cdeff10851c37a002d87a035818ebd60fdb74447",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "4729ff0581fbb7ad098b6153b76b6f5aac94618a",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "25ab24df31f7af843c96a38e0781b9165216e1a8",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "689a627d14788ad772e0fa24c2e57a23dbc7ce90",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "ad891bb3d079a46a821bf2b8867854645191bab0",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"status": "affected",
"version": "6c2fa855d8178699706b1192db2f1f8102b0ba1e",
"versionType": "git"
},
{
"status": "affected",
"version": "fbf569d2beee2a4a7a0bc8b619c26101d1211a88",
"versionType": "git"
},
{
"status": "affected",
"version": "ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38",
"versionType": "git"
},
{
"status": "affected",
"version": "3d988fcddbe7b8673a231958bd2fba61b5a7ced9",
"versionType": "git"
},
{
"status": "affected",
"version": "8a430e56a6485267a1b2d3747209d26c54d1a34b",
"versionType": "git"
},
{
"status": "affected",
"version": "6bd1ee0a993fc9574ae43c1994c54a60cb23a380",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_xmit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.139",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.0.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix ipv4 null-ptr-deref in route error path\n\nThe IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()\nwithout ensuring skb-\u003edev is set, leading to a NULL pointer dereference\nin fib_compute_spec_dst() when ipv4_link_failure() attempts to send\nICMP destination unreachable messages.\n\nThe issue emerged after commit ed0de45a1008 (\"ipv4: recompile ip options\nin ipv4_link_failure\") started calling __ip_options_compile() from\nipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()\nwhich dereferences skb-\u003edev. An attempt was made to fix the NULL skb-\u003edev\ndereference in commit 0113d9c9d1cc (\"ipv4: fix null-deref in\nipv4_link_failure\"), but it only addressed the immediate dev_net(skb-\u003edev)\ndereference by using a fallback device. The fix was incomplete because\nfib_compute_spec_dst() later in the call chain still accesses skb-\u003edev\ndirectly, which remains NULL when IPVS calls dst_link_failure().\n\nThe crash occurs when:\n1. IPVS processes a packet in NAT mode with a misconfigured destination\n2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route\n3. The error path calls dst_link_failure(skb) with skb-\u003edev == NULL\n4. ipv4_link_failure() \u2192 ipv4_send_dest_unreach() \u2192\n __ip_options_compile() \u2192 fib_compute_spec_dst()\n5. fib_compute_spec_dst() dereferences NULL skb-\u003edev\n\nApply the same fix used for IPv6 in commit 326bf17ea5d4 (\"ipvs: fix\nipv6 route unreach panic\"): set skb-\u003edev from skb_dst(skb)-\u003edev before\ncalling dst_link_failure().\n\nKASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]\nCPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2\nRIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233\nRIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285\nCall Trace:\n \u003cTASK\u003e\n spec_dst_fill net/ipv4/ip_options.c:232\n spec_dst_fill net/ipv4/ip_options.c:229\n __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330\n ipv4_send_dest_unreach net/ipv4/route.c:1252\n ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265\n dst_link_failure include/net/dst.h:437\n __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412\n ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:02.933Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dd72a93c80408f06327dd2d956eb1a656d0b5903"
},
{
"url": "https://git.kernel.org/stable/c/312d7cd88882fc6cadcc08b02287497aaaf94bcd"
},
{
"url": "https://git.kernel.org/stable/c/cdeff10851c37a002d87a035818ebd60fdb74447"
},
{
"url": "https://git.kernel.org/stable/c/4729ff0581fbb7ad098b6153b76b6f5aac94618a"
},
{
"url": "https://git.kernel.org/stable/c/25ab24df31f7af843c96a38e0781b9165216e1a8"
},
{
"url": "https://git.kernel.org/stable/c/689a627d14788ad772e0fa24c2e57a23dbc7ce90"
},
{
"url": "https://git.kernel.org/stable/c/ad891bb3d079a46a821bf2b8867854645191bab0"
}
],
"title": "ipvs: fix ipv4 null-ptr-deref in route error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68813",
"datePublished": "2026-01-13T15:29:18.483Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-02-09T08:34:02.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40112 (GCVE-0-2025-40112)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara
Summary
In the Linux kernel, the following vulnerability has been resolved:
sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara
The referenced commit introduced exception handlers on user-space memory
references in copy_from_user and copy_to_user. These handlers return from
the respective function and calculate the remaining bytes left to copy
using the current register contents. This commit fixes a couple of bad
calculations and a broken epilogue in the exception handlers. This will
prevent crashes and ensure correct return values of copy_from_user and
copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e , < 05440320ea3e249d5f984918f2bf51210c1a7c03
(git)
Affected: 7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e , < 7823fc4d8ab5e57f8db7806ff2530c03c166c4bb (git) Affected: 7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e , < 37547d8e6eba87507279ee3dfddfd9dc46335454 (git) Affected: 7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e , < a365ee556e45f780ee322b349a06efdad0c1458f (git) Affected: 7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e , < 8cdeb5e482d3fdce7e825444b6ca3865e24c0228 (git) Affected: 7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e , < a90ce516a73dbe087f9bf3dbf311301a58d125c6 (git) Affected: 7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e , < 088c5098ec6d6b0396edfbf3dad3e81de8469c1c (git) Affected: 7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e , < 0b67c8fc10b13a9090340c5f8a37d308f4e1571c (git) Affected: bfc8be6593097cb074d3912ba2f27565cfbb7d6e (git) Affected: a15859f9d8396cce7c55ccdb7e75f70f14cbc349 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/sparc/lib/NGmemcpy.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "05440320ea3e249d5f984918f2bf51210c1a7c03",
"status": "affected",
"version": "7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e",
"versionType": "git"
},
{
"lessThan": "7823fc4d8ab5e57f8db7806ff2530c03c166c4bb",
"status": "affected",
"version": "7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e",
"versionType": "git"
},
{
"lessThan": "37547d8e6eba87507279ee3dfddfd9dc46335454",
"status": "affected",
"version": "7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e",
"versionType": "git"
},
{
"lessThan": "a365ee556e45f780ee322b349a06efdad0c1458f",
"status": "affected",
"version": "7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e",
"versionType": "git"
},
{
"lessThan": "8cdeb5e482d3fdce7e825444b6ca3865e24c0228",
"status": "affected",
"version": "7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e",
"versionType": "git"
},
{
"lessThan": "a90ce516a73dbe087f9bf3dbf311301a58d125c6",
"status": "affected",
"version": "7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e",
"versionType": "git"
},
{
"lessThan": "088c5098ec6d6b0396edfbf3dad3e81de8469c1c",
"status": "affected",
"version": "7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e",
"versionType": "git"
},
{
"lessThan": "0b67c8fc10b13a9090340c5f8a37d308f4e1571c",
"status": "affected",
"version": "7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e",
"versionType": "git"
},
{
"status": "affected",
"version": "bfc8be6593097cb074d3912ba2f27565cfbb7d6e",
"versionType": "git"
},
{
"status": "affected",
"version": "a15859f9d8396cce7c55ccdb7e75f70f14cbc349",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/sparc/lib/NGmemcpy.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.8.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsparc: fix accurate exception reporting in copy_{from_to}_user for Niagara\n\nThe referenced commit introduced exception handlers on user-space memory\nreferences in copy_from_user and copy_to_user. These handlers return from\nthe respective function and calculate the remaining bytes left to copy\nusing the current register contents. This commit fixes a couple of bad\ncalculations and a broken epilogue in the exception handlers. This will\nprevent crashes and ensure correct return values of copy_from_user and\ncopy_to_user in the faulting case. The behaviour of memcpy stays unchanged."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:15.903Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/05440320ea3e249d5f984918f2bf51210c1a7c03"
},
{
"url": "https://git.kernel.org/stable/c/7823fc4d8ab5e57f8db7806ff2530c03c166c4bb"
},
{
"url": "https://git.kernel.org/stable/c/37547d8e6eba87507279ee3dfddfd9dc46335454"
},
{
"url": "https://git.kernel.org/stable/c/a365ee556e45f780ee322b349a06efdad0c1458f"
},
{
"url": "https://git.kernel.org/stable/c/8cdeb5e482d3fdce7e825444b6ca3865e24c0228"
},
{
"url": "https://git.kernel.org/stable/c/a90ce516a73dbe087f9bf3dbf311301a58d125c6"
},
{
"url": "https://git.kernel.org/stable/c/088c5098ec6d6b0396edfbf3dad3e81de8469c1c"
},
{
"url": "https://git.kernel.org/stable/c/0b67c8fc10b13a9090340c5f8a37d308f4e1571c"
}
],
"title": "sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40112",
"datePublished": "2025-11-12T10:23:16.690Z",
"dateReserved": "2025-04-16T07:20:57.167Z",
"dateUpdated": "2025-12-01T06:18:15.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40192 (GCVE-0-2025-40192)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
Revert "ipmi: fix msg stack when IPMI is disconnected"
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "ipmi: fix msg stack when IPMI is disconnected"
This reverts commit c608966f3f9c2dca596967501d00753282b395fc.
This patch has a subtle bug that can cause the IPMI driver to go into an
infinite loop if the BMC misbehaves in a certain way. Apparently
certain BMCs do misbehave this way because several reports have come in
recently about this.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c608966f3f9c2dca596967501d00753282b395fc , < f4aab940ae9eb3ba32e5332b35703673f00d7f37
(git)
Affected: c608966f3f9c2dca596967501d00753282b395fc , < b9cc7155e65f6feca51bfedd543b9bd300e2be2b (git) Affected: c608966f3f9c2dca596967501d00753282b395fc , < 8cf5c24533b8058910fcb83a25a9cf0306383780 (git) Affected: c608966f3f9c2dca596967501d00753282b395fc , < 5d09ee1bec870263f4ace439402ea840503b503b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_kcs_sm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4aab940ae9eb3ba32e5332b35703673f00d7f37",
"status": "affected",
"version": "c608966f3f9c2dca596967501d00753282b395fc",
"versionType": "git"
},
{
"lessThan": "b9cc7155e65f6feca51bfedd543b9bd300e2be2b",
"status": "affected",
"version": "c608966f3f9c2dca596967501d00753282b395fc",
"versionType": "git"
},
{
"lessThan": "8cf5c24533b8058910fcb83a25a9cf0306383780",
"status": "affected",
"version": "c608966f3f9c2dca596967501d00753282b395fc",
"versionType": "git"
},
{
"lessThan": "5d09ee1bec870263f4ace439402ea840503b503b",
"status": "affected",
"version": "c608966f3f9c2dca596967501d00753282b395fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_kcs_sm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"ipmi: fix msg stack when IPMI is disconnected\"\n\nThis reverts commit c608966f3f9c2dca596967501d00753282b395fc.\n\nThis patch has a subtle bug that can cause the IPMI driver to go into an\ninfinite loop if the BMC misbehaves in a certain way. Apparently\ncertain BMCs do misbehave this way because several reports have come in\nrecently about this."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:51.986Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4aab940ae9eb3ba32e5332b35703673f00d7f37"
},
{
"url": "https://git.kernel.org/stable/c/b9cc7155e65f6feca51bfedd543b9bd300e2be2b"
},
{
"url": "https://git.kernel.org/stable/c/8cf5c24533b8058910fcb83a25a9cf0306383780"
},
{
"url": "https://git.kernel.org/stable/c/5d09ee1bec870263f4ace439402ea840503b503b"
}
],
"title": "Revert \"ipmi: fix msg stack when IPMI is disconnected\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40192",
"datePublished": "2025-11-12T21:56:31.476Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:51.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68821 (GCVE-0-2025-68821)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
fuse: fix readahead reclaim deadlock
Summary
In the Linux kernel, the following vulnerability has been resolved:
fuse: fix readahead reclaim deadlock
Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is
needed") skips allocating ff->release_args if the server does not
implement open. However in doing so, fuse_prepare_release() now skips
grabbing the reference on the inode, which makes it possible for an
inode to be evicted from the dcache while there are inflight readahead
requests. This causes a deadlock if the server triggers reclaim while
servicing the readahead request and reclaim attempts to evict the inode
of the file being read ahead. Since the folio is locked during
readahead, when reclaim evicts the fuse inode and fuse_evict_inode()
attempts to remove all folios associated with the inode from the page
cache (truncate_inode_pages_range()), reclaim will block forever waiting
for the lock since readahead cannot relinquish the lock because it is
itself blocked in reclaim:
>>> stack_trace(1504735)
folio_wait_bit_common (mm/filemap.c:1308:4)
folio_lock (./include/linux/pagemap.h:1052:3)
truncate_inode_pages_range (mm/truncate.c:336:10)
fuse_evict_inode (fs/fuse/inode.c:161:2)
evict (fs/inode.c:704:3)
dentry_unlink_inode (fs/dcache.c:412:3)
__dentry_kill (fs/dcache.c:615:3)
shrink_kill (fs/dcache.c:1060:12)
shrink_dentry_list (fs/dcache.c:1087:3)
prune_dcache_sb (fs/dcache.c:1168:2)
super_cache_scan (fs/super.c:221:10)
do_shrink_slab (mm/shrinker.c:435:9)
shrink_slab (mm/shrinker.c:626:10)
shrink_node (mm/vmscan.c:5951:2)
shrink_zones (mm/vmscan.c:6195:3)
do_try_to_free_pages (mm/vmscan.c:6257:3)
do_swap_page (mm/memory.c:4136:11)
handle_pte_fault (mm/memory.c:5562:10)
handle_mm_fault (mm/memory.c:5870:9)
do_user_addr_fault (arch/x86/mm/fault.c:1338:10)
handle_page_fault (arch/x86/mm/fault.c:1481:3)
exc_page_fault (arch/x86/mm/fault.c:1539:2)
asm_exc_page_fault+0x22/0x27
Fix this deadlock by allocating ff->release_args and grabbing the
reference on the inode when preparing the file for release even if the
server does not implement open. The inode reference will be dropped when
the last reference on the fuse file is dropped (see fuse_file_put() ->
fuse_release_end()).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a39f70d63f4373a598820d9491719e44cd60afe9 , < cbbf3f1bb9f834bb2acbb61ddca74363456e19cd
(git)
Affected: 7d38aa079ed859b73f4460aab89c7619b04963b8 , < 4703bc0e8cd3409acb1476a70cb5b7ff943cf39a (git) Affected: c7ec75f3cbf73bd46f479f7d6942585f765715da , < cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f (git) Affected: e26ee4efbc79610b20e7abe9d96c87f33dacc1ff , < fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6 (git) Affected: e26ee4efbc79610b20e7abe9d96c87f33dacc1ff , < e0d6de83a4cc22bbac72713f3a58121af36cc411 (git) Affected: e26ee4efbc79610b20e7abe9d96c87f33dacc1ff , < bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fuse/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cbbf3f1bb9f834bb2acbb61ddca74363456e19cd",
"status": "affected",
"version": "a39f70d63f4373a598820d9491719e44cd60afe9",
"versionType": "git"
},
{
"lessThan": "4703bc0e8cd3409acb1476a70cb5b7ff943cf39a",
"status": "affected",
"version": "7d38aa079ed859b73f4460aab89c7619b04963b8",
"versionType": "git"
},
{
"lessThan": "cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f",
"status": "affected",
"version": "c7ec75f3cbf73bd46f479f7d6942585f765715da",
"versionType": "git"
},
{
"lessThan": "fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6",
"status": "affected",
"version": "e26ee4efbc79610b20e7abe9d96c87f33dacc1ff",
"versionType": "git"
},
{
"lessThan": "e0d6de83a4cc22bbac72713f3a58121af36cc411",
"status": "affected",
"version": "e26ee4efbc79610b20e7abe9d96c87f33dacc1ff",
"versionType": "git"
},
{
"lessThan": "bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50",
"status": "affected",
"version": "e26ee4efbc79610b20e7abe9d96c87f33dacc1ff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fuse/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.158",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.115",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix readahead reclaim deadlock\n\nCommit e26ee4efbc79 (\"fuse: allocate ff-\u003erelease_args only if release is\nneeded\") skips allocating ff-\u003erelease_args if the server does not\nimplement open. However in doing so, fuse_prepare_release() now skips\ngrabbing the reference on the inode, which makes it possible for an\ninode to be evicted from the dcache while there are inflight readahead\nrequests. This causes a deadlock if the server triggers reclaim while\nservicing the readahead request and reclaim attempts to evict the inode\nof the file being read ahead. Since the folio is locked during\nreadahead, when reclaim evicts the fuse inode and fuse_evict_inode()\nattempts to remove all folios associated with the inode from the page\ncache (truncate_inode_pages_range()), reclaim will block forever waiting\nfor the lock since readahead cannot relinquish the lock because it is\nitself blocked in reclaim:\n\n\u003e\u003e\u003e stack_trace(1504735)\n folio_wait_bit_common (mm/filemap.c:1308:4)\n folio_lock (./include/linux/pagemap.h:1052:3)\n truncate_inode_pages_range (mm/truncate.c:336:10)\n fuse_evict_inode (fs/fuse/inode.c:161:2)\n evict (fs/inode.c:704:3)\n dentry_unlink_inode (fs/dcache.c:412:3)\n __dentry_kill (fs/dcache.c:615:3)\n shrink_kill (fs/dcache.c:1060:12)\n shrink_dentry_list (fs/dcache.c:1087:3)\n prune_dcache_sb (fs/dcache.c:1168:2)\n super_cache_scan (fs/super.c:221:10)\n do_shrink_slab (mm/shrinker.c:435:9)\n shrink_slab (mm/shrinker.c:626:10)\n shrink_node (mm/vmscan.c:5951:2)\n shrink_zones (mm/vmscan.c:6195:3)\n do_try_to_free_pages (mm/vmscan.c:6257:3)\n do_swap_page (mm/memory.c:4136:11)\n handle_pte_fault (mm/memory.c:5562:10)\n handle_mm_fault (mm/memory.c:5870:9)\n do_user_addr_fault (arch/x86/mm/fault.c:1338:10)\n handle_page_fault (arch/x86/mm/fault.c:1481:3)\n exc_page_fault (arch/x86/mm/fault.c:1539:2)\n asm_exc_page_fault+0x22/0x27\n\nFix this deadlock by allocating ff-\u003erelease_args and grabbing the\nreference on the inode when preparing the file for release even if the\nserver does not implement open. The inode reference will be dropped when\nthe last reference on the fuse file is dropped (see fuse_file_put() -\u003e\nfuse_release_end())."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:11.363Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cbbf3f1bb9f834bb2acbb61ddca74363456e19cd"
},
{
"url": "https://git.kernel.org/stable/c/4703bc0e8cd3409acb1476a70cb5b7ff943cf39a"
},
{
"url": "https://git.kernel.org/stable/c/cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f"
},
{
"url": "https://git.kernel.org/stable/c/fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6"
},
{
"url": "https://git.kernel.org/stable/c/e0d6de83a4cc22bbac72713f3a58121af36cc411"
},
{
"url": "https://git.kernel.org/stable/c/bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50"
}
],
"title": "fuse: fix readahead reclaim deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68821",
"datePublished": "2026-01-13T15:29:24.014Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-02-09T08:34:11.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39977 (GCVE-0-2025-39977)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:55 – Updated: 2025-10-15 07:55
VLAI?
EPSS
Title
futex: Prevent use-after-free during requeue-PI
Summary
In the Linux kernel, the following vulnerability has been resolved:
futex: Prevent use-after-free during requeue-PI
syzbot managed to trigger the following race:
T1 T2
futex_wait_requeue_pi()
futex_do_wait()
schedule()
futex_requeue()
futex_proxy_trylock_atomic()
futex_requeue_pi_prepare()
requeue_pi_wake_futex()
futex_requeue_pi_complete()
/* preempt */
* timeout/ signal wakes T1 *
futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED
futex_hash_put()
// back to userland, on stack futex_q is garbage
/* back */
wake_up_state(q->task, TASK_NORMAL);
In this scenario futex_wait_requeue_pi() is able to leave without using
futex_q::lock_ptr for synchronization.
This can be prevented by reading futex_q::task before updating the
futex_q::requeue_state. A reference on the task_struct is not needed
because requeue_pi_wake_futex() is invoked with a spinlock_t held which
implies a RCU read section.
Even if T1 terminates immediately after, the task_struct will remain valid
during T2's wake_up_state(). A READ_ONCE on futex_q::task before
futex_requeue_pi_complete() is enough because it ensures that the variable
is read before the state is updated.
Read futex_q::task before updating the requeue state, use it for the
following wakeup.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
07d91ef510fb16a2e0ca7453222105835b7ba3b8 , < cb5d19a61274b51b49601214a87af573b43d60fa
(git)
Affected: 07d91ef510fb16a2e0ca7453222105835b7ba3b8 , < 348736955ed6ca6e99ca24b93b1d3fbfe352c181 (git) Affected: 07d91ef510fb16a2e0ca7453222105835b7ba3b8 , < a170b9c0dde83312b8b58ccc91509c7c15711641 (git) Affected: 07d91ef510fb16a2e0ca7453222105835b7ba3b8 , < d824b2dbdcfe3c390278dd9652ea526168ef6850 (git) Affected: 07d91ef510fb16a2e0ca7453222105835b7ba3b8 , < b549113738e8c751b613118032a724b772aa83f2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/futex/requeue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb5d19a61274b51b49601214a87af573b43d60fa",
"status": "affected",
"version": "07d91ef510fb16a2e0ca7453222105835b7ba3b8",
"versionType": "git"
},
{
"lessThan": "348736955ed6ca6e99ca24b93b1d3fbfe352c181",
"status": "affected",
"version": "07d91ef510fb16a2e0ca7453222105835b7ba3b8",
"versionType": "git"
},
{
"lessThan": "a170b9c0dde83312b8b58ccc91509c7c15711641",
"status": "affected",
"version": "07d91ef510fb16a2e0ca7453222105835b7ba3b8",
"versionType": "git"
},
{
"lessThan": "d824b2dbdcfe3c390278dd9652ea526168ef6850",
"status": "affected",
"version": "07d91ef510fb16a2e0ca7453222105835b7ba3b8",
"versionType": "git"
},
{
"lessThan": "b549113738e8c751b613118032a724b772aa83f2",
"status": "affected",
"version": "07d91ef510fb16a2e0ca7453222105835b7ba3b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/futex/requeue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Prevent use-after-free during requeue-PI\n\nsyzbot managed to trigger the following race:\n\n T1 T2\n\n futex_wait_requeue_pi()\n futex_do_wait()\n schedule()\n futex_requeue()\n futex_proxy_trylock_atomic()\n futex_requeue_pi_prepare()\n requeue_pi_wake_futex()\n futex_requeue_pi_complete()\n /* preempt */\n\n * timeout/ signal wakes T1 *\n\n futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED\n futex_hash_put()\n // back to userland, on stack futex_q is garbage\n\n /* back */\n wake_up_state(q-\u003etask, TASK_NORMAL);\n\nIn this scenario futex_wait_requeue_pi() is able to leave without using\nfutex_q::lock_ptr for synchronization.\n\nThis can be prevented by reading futex_q::task before updating the\nfutex_q::requeue_state. A reference on the task_struct is not needed\nbecause requeue_pi_wake_futex() is invoked with a spinlock_t held which\nimplies a RCU read section.\n\nEven if T1 terminates immediately after, the task_struct will remain valid\nduring T2\u0027s wake_up_state(). A READ_ONCE on futex_q::task before\nfutex_requeue_pi_complete() is enough because it ensures that the variable\nis read before the state is updated.\n\nRead futex_q::task before updating the requeue state, use it for the\nfollowing wakeup."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:58.283Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb5d19a61274b51b49601214a87af573b43d60fa"
},
{
"url": "https://git.kernel.org/stable/c/348736955ed6ca6e99ca24b93b1d3fbfe352c181"
},
{
"url": "https://git.kernel.org/stable/c/a170b9c0dde83312b8b58ccc91509c7c15711641"
},
{
"url": "https://git.kernel.org/stable/c/d824b2dbdcfe3c390278dd9652ea526168ef6850"
},
{
"url": "https://git.kernel.org/stable/c/b549113738e8c751b613118032a724b772aa83f2"
}
],
"title": "futex: Prevent use-after-free during requeue-PI",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39977",
"datePublished": "2025-10-15T07:55:58.283Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:55:58.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68284 (GCVE-0-2025-68284)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
libceph: prevent potential out-of-bounds writes in handle_auth_session_key()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: prevent potential out-of-bounds writes in handle_auth_session_key()
The len field originates from untrusted network packets. Boundary
checks have been added to prevent potential out-of-bounds writes when
decrypting the connection secret or processing service tickets.
[ idryomov: changelog ]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < f22c55a20a2d9ffbbac57408d5d488cef8201e9d
(git)
Affected: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < 8dfcc56af28cffb8f25fb9be37b3acc61f2a3d09 (git) Affected: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < ccbccfba25e9aa395daaea156b5e7790910054c4 (git) Affected: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < 5ef575834ca99f719d7573cdece9df2fe2b72424 (git) Affected: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < 6920ff09bf911bc919cd7a6b7176fbdd1a6e6850 (git) Affected: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < 7fce830ecd0a0256590ee37eb65a39cbad3d64fc (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/auth_x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f22c55a20a2d9ffbbac57408d5d488cef8201e9d",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
},
{
"lessThan": "8dfcc56af28cffb8f25fb9be37b3acc61f2a3d09",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
},
{
"lessThan": "ccbccfba25e9aa395daaea156b5e7790910054c4",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
},
{
"lessThan": "5ef575834ca99f719d7573cdece9df2fe2b72424",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
},
{
"lessThan": "6920ff09bf911bc919cd7a6b7176fbdd1a6e6850",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
},
{
"lessThan": "7fce830ecd0a0256590ee37eb65a39cbad3d64fc",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/auth_x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: prevent potential out-of-bounds writes in handle_auth_session_key()\n\nThe len field originates from untrusted network packets. Boundary\nchecks have been added to prevent potential out-of-bounds writes when\ndecrypting the connection secret or processing service tickets.\n\n[ idryomov: changelog ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:48.915Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f22c55a20a2d9ffbbac57408d5d488cef8201e9d"
},
{
"url": "https://git.kernel.org/stable/c/8dfcc56af28cffb8f25fb9be37b3acc61f2a3d09"
},
{
"url": "https://git.kernel.org/stable/c/ccbccfba25e9aa395daaea156b5e7790910054c4"
},
{
"url": "https://git.kernel.org/stable/c/5ef575834ca99f719d7573cdece9df2fe2b72424"
},
{
"url": "https://git.kernel.org/stable/c/6920ff09bf911bc919cd7a6b7176fbdd1a6e6850"
},
{
"url": "https://git.kernel.org/stable/c/7fce830ecd0a0256590ee37eb65a39cbad3d64fc"
}
],
"title": "libceph: prevent potential out-of-bounds writes in handle_auth_session_key()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68284",
"datePublished": "2025-12-16T15:06:06.235Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2026-01-02T15:34:48.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40255 (GCVE-0-2025-40255)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-04 16:08
VLAI?
EPSS
Title
net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()
The ethtool tsconfig Netlink path can trigger a null pointer
dereference. A call chain such as:
tsconfig_prepare_data() ->
dev_get_hwtstamp_phylib() ->
vlan_hwtstamp_get() ->
generic_hwtstamp_get_lower() ->
generic_hwtstamp_ioctl_lower()
results in generic_hwtstamp_ioctl_lower() being called with
kernel_cfg->ifr as NULL.
The generic_hwtstamp_ioctl_lower() function does not expect
a NULL ifr and dereferences it, leading to a system crash.
Fix this by adding a NULL check for kernel_cfg->ifr in
generic_hwtstamp_ioctl_lower(). If ifr is NULL, return -EINVAL.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/dev_ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8817f816ae41908e9625c0770c4af0dcdcc01238",
"status": "affected",
"version": "6e9e2eed4f39d52edf5fd006409d211facf49f6b",
"versionType": "git"
},
{
"lessThan": "f796a8dec9beafcc0f6f0d3478ed685a15c5e062",
"status": "affected",
"version": "6e9e2eed4f39d52edf5fd006409d211facf49f6b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/dev_ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()\n\nThe ethtool tsconfig Netlink path can trigger a null pointer\ndereference. A call chain such as:\n\n tsconfig_prepare_data() -\u003e\n dev_get_hwtstamp_phylib() -\u003e\n vlan_hwtstamp_get() -\u003e\n generic_hwtstamp_get_lower() -\u003e\n generic_hwtstamp_ioctl_lower()\n\nresults in generic_hwtstamp_ioctl_lower() being called with\nkernel_cfg-\u003eifr as NULL.\n\nThe generic_hwtstamp_ioctl_lower() function does not expect\na NULL ifr and dereferences it, leading to a system crash.\n\nFix this by adding a NULL check for kernel_cfg-\u003eifr in\ngeneric_hwtstamp_ioctl_lower(). If ifr is NULL, return -EINVAL."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T16:08:17.023Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8817f816ae41908e9625c0770c4af0dcdcc01238"
},
{
"url": "https://git.kernel.org/stable/c/f796a8dec9beafcc0f6f0d3478ed685a15c5e062"
}
],
"title": "net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40255",
"datePublished": "2025-12-04T16:08:17.023Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-04T16:08:17.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-23143 (GCVE-0-2025-23143)
Vulnerability from cvelistv5 – Published: 2025-05-01 12:55 – Updated: 2025-11-03 17:32
VLAI?
EPSS
Title
net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.
When I ran the repro [0] and waited a few seconds, I observed two
LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1]
Reproduction Steps:
1) Mount CIFS
2) Add an iptables rule to drop incoming FIN packets for CIFS
3) Unmount CIFS
4) Unload the CIFS module
5) Remove the iptables rule
At step 3), the CIFS module calls sock_release() for the underlying
TCP socket, and it returns quickly. However, the socket remains in
FIN_WAIT_1 because incoming FIN packets are dropped.
At this point, the module's refcnt is 0 while the socket is still
alive, so the following rmmod command succeeds.
# ss -tan
State Recv-Q Send-Q Local Address:Port Peer Address:Port
FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445
# lsmod | grep cifs
cifs 1159168 0
This highlights a discrepancy between the lifetime of the CIFS module
and the underlying TCP socket. Even after CIFS calls sock_release()
and it returns, the TCP socket does not die immediately in order to
close the connection gracefully.
While this is generally fine, it causes an issue with LOCKDEP because
CIFS assigns a different lock class to the TCP socket's sk->sk_lock
using sock_lock_init_class_and_name().
Once an incoming packet is processed for the socket or a timer fires,
sk->sk_lock is acquired.
Then, LOCKDEP checks the lock context in check_wait_context(), where
hlock_class() is called to retrieve the lock class. However, since
the module has already been unloaded, hlock_class() logs a warning
and returns NULL, triggering the null-ptr-deref.
If LOCKDEP is enabled, we must ensure that a module calling
sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded
while such a socket is still alive to prevent this issue.
Let's hold the module reference in sock_lock_init_class_and_name()
and release it when the socket is freed in sk_prot_free().
Note that sock_lock_init() clears sk->sk_owner for svc_create_socket()
that calls sock_lock_init_class_and_name() for a listening socket,
which clones a socket by sk_clone_lock() without GFP_ZERO.
[0]:
CIFS_SERVER="10.0.0.137"
CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST"
DEV="enp0s3"
CRED="/root/WindowsCredential.txt"
MNT=$(mktemp -d /tmp/XXXXXX)
mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1
iptables -A INPUT -s ${CIFS_SERVER} -j DROP
for i in $(seq 10);
do
umount ${MNT}
rmmod cifs
sleep 1
done
rm -r ${MNT}
iptables -D INPUT -s ${CIFS_SERVER} -j DROP
[1]:
DEBUG_LOCKS_WARN_ON(1)
WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)
Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]
CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)
...
Call Trace:
<IRQ>
__lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178)
lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816)
_raw_spin_lock_nested (kernel/locking/spinlock.c:379)
tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350)
...
BUG: kernel NULL pointer dereference, address: 00000000000000c4
PF: supervisor read access in kernel mode
PF: error_code(0x0000) - not-present page
PGD 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:__lock_acquire (kernel/
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ed07536ed6731775219c1df7fa26a7588753e693 , < 83083c5fc7cf9b0f136a42f26aba60da380f3601
(git)
Affected: ed07536ed6731775219c1df7fa26a7588753e693 , < b7489b753667bc9245958a4896c9419743083c27 (git) Affected: ed07536ed6731775219c1df7fa26a7588753e693 , < d51e47e2ab6ef10a317d576075cf625cdbf96426 (git) Affected: ed07536ed6731775219c1df7fa26a7588753e693 , < feda73ad44a5cc80f6bf796bb1099a3fe71576d4 (git) Affected: ed07536ed6731775219c1df7fa26a7588753e693 , < 905d43b8ad2436c240f844acb3ebcc7a99b8ebf1 (git) Affected: ed07536ed6731775219c1df7fa26a7588753e693 , < 5f7f6abd92b6c8dc8f19625ef93c3a18549ede04 (git) Affected: ed07536ed6731775219c1df7fa26a7588753e693 , < c11247a21aab4b50a23c8b696727d7483de2f1e1 (git) Affected: ed07536ed6731775219c1df7fa26a7588753e693 , < 2155802d3313d7b8365935c6b8d6edc0ddd7eb94 (git) Affected: ed07536ed6731775219c1df7fa26a7588753e693 , < 0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:32:14.894Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/sock.h",
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83083c5fc7cf9b0f136a42f26aba60da380f3601",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
},
{
"lessThan": "b7489b753667bc9245958a4896c9419743083c27",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
},
{
"lessThan": "d51e47e2ab6ef10a317d576075cf625cdbf96426",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
},
{
"lessThan": "feda73ad44a5cc80f6bf796bb1099a3fe71576d4",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
},
{
"lessThan": "905d43b8ad2436c240f844acb3ebcc7a99b8ebf1",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
},
{
"lessThan": "5f7f6abd92b6c8dc8f19625ef93c3a18549ede04",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
},
{
"lessThan": "c11247a21aab4b50a23c8b696727d7483de2f1e1",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
},
{
"lessThan": "2155802d3313d7b8365935c6b8d6edc0ddd7eb94",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
},
{
"lessThan": "0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/sock.h",
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.20"
},
{
"lessThan": "2.6.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.24",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.12",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.3",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "2.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.\n\nWhen I ran the repro [0] and waited a few seconds, I observed two\nLOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1]\n\nReproduction Steps:\n\n 1) Mount CIFS\n 2) Add an iptables rule to drop incoming FIN packets for CIFS\n 3) Unmount CIFS\n 4) Unload the CIFS module\n 5) Remove the iptables rule\n\nAt step 3), the CIFS module calls sock_release() for the underlying\nTCP socket, and it returns quickly. However, the socket remains in\nFIN_WAIT_1 because incoming FIN packets are dropped.\n\nAt this point, the module\u0027s refcnt is 0 while the socket is still\nalive, so the following rmmod command succeeds.\n\n # ss -tan\n State Recv-Q Send-Q Local Address:Port Peer Address:Port\n FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445\n\n # lsmod | grep cifs\n cifs 1159168 0\n\nThis highlights a discrepancy between the lifetime of the CIFS module\nand the underlying TCP socket. Even after CIFS calls sock_release()\nand it returns, the TCP socket does not die immediately in order to\nclose the connection gracefully.\n\nWhile this is generally fine, it causes an issue with LOCKDEP because\nCIFS assigns a different lock class to the TCP socket\u0027s sk-\u003esk_lock\nusing sock_lock_init_class_and_name().\n\nOnce an incoming packet is processed for the socket or a timer fires,\nsk-\u003esk_lock is acquired.\n\nThen, LOCKDEP checks the lock context in check_wait_context(), where\nhlock_class() is called to retrieve the lock class. However, since\nthe module has already been unloaded, hlock_class() logs a warning\nand returns NULL, triggering the null-ptr-deref.\n\nIf LOCKDEP is enabled, we must ensure that a module calling\nsock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded\nwhile such a socket is still alive to prevent this issue.\n\nLet\u0027s hold the module reference in sock_lock_init_class_and_name()\nand release it when the socket is freed in sk_prot_free().\n\nNote that sock_lock_init() clears sk-\u003esk_owner for svc_create_socket()\nthat calls sock_lock_init_class_and_name() for a listening socket,\nwhich clones a socket by sk_clone_lock() without GFP_ZERO.\n\n[0]:\nCIFS_SERVER=\"10.0.0.137\"\nCIFS_PATH=\"//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST\"\nDEV=\"enp0s3\"\nCRED=\"/root/WindowsCredential.txt\"\n\nMNT=$(mktemp -d /tmp/XXXXXX)\nmount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1\n\niptables -A INPUT -s ${CIFS_SERVER} -j DROP\n\nfor i in $(seq 10);\ndo\n umount ${MNT}\n rmmod cifs\n sleep 1\ndone\n\nrm -r ${MNT}\n\niptables -D INPUT -s ${CIFS_SERVER} -j DROP\n\n[1]:\nDEBUG_LOCKS_WARN_ON(1)\nWARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)\nModules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]\nCPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)\n...\nCall Trace:\n \u003cIRQ\u003e\n __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178)\n lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816)\n _raw_spin_lock_nested (kernel/locking/spinlock.c:379)\n tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350)\n...\n\nBUG: kernel NULL pointer dereference, address: 00000000000000c4\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\nPGD 0\nOops: Oops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36\nTainted: [W]=WARN\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:__lock_acquire (kernel/\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:25:47.262Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83083c5fc7cf9b0f136a42f26aba60da380f3601"
},
{
"url": "https://git.kernel.org/stable/c/b7489b753667bc9245958a4896c9419743083c27"
},
{
"url": "https://git.kernel.org/stable/c/d51e47e2ab6ef10a317d576075cf625cdbf96426"
},
{
"url": "https://git.kernel.org/stable/c/feda73ad44a5cc80f6bf796bb1099a3fe71576d4"
},
{
"url": "https://git.kernel.org/stable/c/905d43b8ad2436c240f844acb3ebcc7a99b8ebf1"
},
{
"url": "https://git.kernel.org/stable/c/5f7f6abd92b6c8dc8f19625ef93c3a18549ede04"
},
{
"url": "https://git.kernel.org/stable/c/c11247a21aab4b50a23c8b696727d7483de2f1e1"
},
{
"url": "https://git.kernel.org/stable/c/2155802d3313d7b8365935c6b8d6edc0ddd7eb94"
},
{
"url": "https://git.kernel.org/stable/c/0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569"
}
],
"title": "net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-23143",
"datePublished": "2025-05-01T12:55:33.348Z",
"dateReserved": "2025-01-11T14:28:41.512Z",
"dateUpdated": "2025-11-03T17:32:14.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40188 (GCVE-0-2025-40188)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
pwm: berlin: Fix wrong register in suspend/resume
Summary
In the Linux kernel, the following vulnerability has been resolved:
pwm: berlin: Fix wrong register in suspend/resume
The 'enable' register should be BERLIN_PWM_EN rather than
BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there
will be cpu exception then kernel panic during suspend/resume.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bbf0722c1c663b08f612bd8c58af27f45aa84862 , < da3cadb8b0f35d845b3e2fbb7d978cf6473fd221
(git)
Affected: bbf0722c1c663b08f612bd8c58af27f45aa84862 , < 5419c86ea134b8a5b8126f55fa5bc1ad7b3ca444 (git) Affected: bbf0722c1c663b08f612bd8c58af27f45aa84862 , < 9ee5eb3d09217f115f63b7c102d110ccdb1b26af (git) Affected: bbf0722c1c663b08f612bd8c58af27f45aa84862 , < fd017aabd4273216ed4223f17991fc087163771f (git) Affected: bbf0722c1c663b08f612bd8c58af27f45aa84862 , < dc3a1c6237e7f8046e6d4109bcf1998452ccafad (git) Affected: bbf0722c1c663b08f612bd8c58af27f45aa84862 , < d9457e6258750692c3b27f80880a613178053c25 (git) Affected: bbf0722c1c663b08f612bd8c58af27f45aa84862 , < 6cef9e4425143b19742044c8a675335821fa1994 (git) Affected: bbf0722c1c663b08f612bd8c58af27f45aa84862 , < 3a4b9d027e4061766f618292df91760ea64a1fcc (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pwm/pwm-berlin.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da3cadb8b0f35d845b3e2fbb7d978cf6473fd221",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "5419c86ea134b8a5b8126f55fa5bc1ad7b3ca444",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "9ee5eb3d09217f115f63b7c102d110ccdb1b26af",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "fd017aabd4273216ed4223f17991fc087163771f",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "dc3a1c6237e7f8046e6d4109bcf1998452ccafad",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "d9457e6258750692c3b27f80880a613178053c25",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "6cef9e4425143b19742044c8a675335821fa1994",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "3a4b9d027e4061766f618292df91760ea64a1fcc",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pwm/pwm-berlin.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npwm: berlin: Fix wrong register in suspend/resume\n\nThe \u0027enable\u0027 register should be BERLIN_PWM_EN rather than\nBERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there\nwill be cpu exception then kernel panic during suspend/resume."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:46.987Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da3cadb8b0f35d845b3e2fbb7d978cf6473fd221"
},
{
"url": "https://git.kernel.org/stable/c/5419c86ea134b8a5b8126f55fa5bc1ad7b3ca444"
},
{
"url": "https://git.kernel.org/stable/c/9ee5eb3d09217f115f63b7c102d110ccdb1b26af"
},
{
"url": "https://git.kernel.org/stable/c/fd017aabd4273216ed4223f17991fc087163771f"
},
{
"url": "https://git.kernel.org/stable/c/dc3a1c6237e7f8046e6d4109bcf1998452ccafad"
},
{
"url": "https://git.kernel.org/stable/c/d9457e6258750692c3b27f80880a613178053c25"
},
{
"url": "https://git.kernel.org/stable/c/6cef9e4425143b19742044c8a675335821fa1994"
},
{
"url": "https://git.kernel.org/stable/c/3a4b9d027e4061766f618292df91760ea64a1fcc"
}
],
"title": "pwm: berlin: Fix wrong register in suspend/resume",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40188",
"datePublished": "2025-11-12T21:56:30.108Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:46.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40231 (GCVE-0-2025-40231)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31
VLAI?
EPSS
Title
vsock: fix lock inversion in vsock_assign_transport()
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock: fix lock inversion in vsock_assign_transport()
Syzbot reported a potential lock inversion deadlock between
vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.
The issue was introduced by commit 687aa0c5581b ("vsock: Fix
transport_* TOCTOU") which added vsock_register_mutex locking in
vsock_assign_transport() around the transport->release() call, that can
call vsock_linger(). vsock_assign_transport() can be called with sk_lock
held. vsock_linger() calls sk_wait_event() that temporarily releases and
re-acquires sk_lock. During this window, if another thread hold
vsock_register_mutex while trying to acquire sk_lock, a circular
dependency is created.
Fix this by releasing vsock_register_mutex before calling
transport->release() and vsock_deassign_transport(). This is safe
because we don't need to hold vsock_register_mutex while releasing the
old transport, and we ensure the new transport won't disappear by
obtaining a module reference first via try_module_get().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8667e8d0eb46bc54fdae30ba2f4786407d3d88eb , < ce4f856c64f0bc30e29302a0ce41f4295ca391c5
(git)
Affected: 36a439049b34cca0b3661276049b84a1f76cc21a , < 09bba278ccde25a14b6e5088a9e65a8717d0cccf (git) Affected: 9ce53e744f18e73059d3124070e960f3aa9902bf , < b44182c116778feaa05da52a426aeb9da1878dcf (git) Affected: 9d24bb6780282b0255b9929abe5e8f98007e2c6e , < 42ed0784d11adebf748711e503af0eb9f1e6d81d (git) Affected: ae2c712ba39c7007de63cb0c75b51ce1caaf1da5 , < 251caee792a21eb0b781aab91362b422c945e162 (git) Affected: 687aa0c5581b8d4aa87fd92973e4ee576b550cdf , < a2a4346eea8b4cb75037dbcb20b98cb454324f80 (git) Affected: 687aa0c5581b8d4aa87fd92973e4ee576b550cdf , < f7c877e7535260cc7a21484c994e8ce7e8cb6780 (git) Affected: 7b73bddf54777fb62d4d8c7729d0affe6df04477 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ce4f856c64f0bc30e29302a0ce41f4295ca391c5",
"status": "affected",
"version": "8667e8d0eb46bc54fdae30ba2f4786407d3d88eb",
"versionType": "git"
},
{
"lessThan": "09bba278ccde25a14b6e5088a9e65a8717d0cccf",
"status": "affected",
"version": "36a439049b34cca0b3661276049b84a1f76cc21a",
"versionType": "git"
},
{
"lessThan": "b44182c116778feaa05da52a426aeb9da1878dcf",
"status": "affected",
"version": "9ce53e744f18e73059d3124070e960f3aa9902bf",
"versionType": "git"
},
{
"lessThan": "42ed0784d11adebf748711e503af0eb9f1e6d81d",
"status": "affected",
"version": "9d24bb6780282b0255b9929abe5e8f98007e2c6e",
"versionType": "git"
},
{
"lessThan": "251caee792a21eb0b781aab91362b422c945e162",
"status": "affected",
"version": "ae2c712ba39c7007de63cb0c75b51ce1caaf1da5",
"versionType": "git"
},
{
"lessThan": "a2a4346eea8b4cb75037dbcb20b98cb454324f80",
"status": "affected",
"version": "687aa0c5581b8d4aa87fd92973e4ee576b550cdf",
"versionType": "git"
},
{
"lessThan": "f7c877e7535260cc7a21484c994e8ce7e8cb6780",
"status": "affected",
"version": "687aa0c5581b8d4aa87fd92973e4ee576b550cdf",
"versionType": "git"
},
{
"status": "affected",
"version": "7b73bddf54777fb62d4d8c7729d0affe6df04477",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10.240",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.15.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "6.1.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "6.6.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "6.12.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: fix lock inversion in vsock_assign_transport()\n\nSyzbot reported a potential lock inversion deadlock between\nvsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.\n\nThe issue was introduced by commit 687aa0c5581b (\"vsock: Fix\ntransport_* TOCTOU\") which added vsock_register_mutex locking in\nvsock_assign_transport() around the transport-\u003erelease() call, that can\ncall vsock_linger(). vsock_assign_transport() can be called with sk_lock\nheld. vsock_linger() calls sk_wait_event() that temporarily releases and\nre-acquires sk_lock. During this window, if another thread hold\nvsock_register_mutex while trying to acquire sk_lock, a circular\ndependency is created.\n\nFix this by releasing vsock_register_mutex before calling\ntransport-\u003erelease() and vsock_deassign_transport(). This is safe\nbecause we don\u0027t need to hold vsock_register_mutex while releasing the\nold transport, and we ensure the new transport won\u0027t disappear by\nobtaining a module reference first via try_module_get()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:22.199Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ce4f856c64f0bc30e29302a0ce41f4295ca391c5"
},
{
"url": "https://git.kernel.org/stable/c/09bba278ccde25a14b6e5088a9e65a8717d0cccf"
},
{
"url": "https://git.kernel.org/stable/c/b44182c116778feaa05da52a426aeb9da1878dcf"
},
{
"url": "https://git.kernel.org/stable/c/42ed0784d11adebf748711e503af0eb9f1e6d81d"
},
{
"url": "https://git.kernel.org/stable/c/251caee792a21eb0b781aab91362b422c945e162"
},
{
"url": "https://git.kernel.org/stable/c/a2a4346eea8b4cb75037dbcb20b98cb454324f80"
},
{
"url": "https://git.kernel.org/stable/c/f7c877e7535260cc7a21484c994e8ce7e8cb6780"
}
],
"title": "vsock: fix lock inversion in vsock_assign_transport()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40231",
"datePublished": "2025-12-04T15:31:22.199Z",
"dateReserved": "2025-04-16T07:20:57.180Z",
"dateUpdated": "2025-12-04T15:31:22.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68246 (GCVE-0-2025-68246)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:21 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
ksmbd: close accepted socket when per-IP limit rejects connection
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: close accepted socket when per-IP limit rejects connection
When the per-IP connection limit is exceeded in ksmbd_kthread_fn(),
the code sets ret = -EAGAIN and continues the accept loop without
closing the just-accepted socket. That leaks one socket per rejected
attempt from a single IP and enables a trivial remote DoS.
Release client_sk before continuing.
This bug was found with ZeroPath.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0626e6641f6b467447c81dd7678a69c66f7746cf , < 7a3c7154d5fc05956a8ad9e72ecf49e21555bfca
(git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 5746b2a0f5eb3d79667b3c51fe849bd62464220e (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 4587a7826be1ae0190dba10ff70b46bb0e3bc7d3 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 35521b5a7e8a184548125f4530552101236dcda1 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 98a5fd31cbf72d46bf18e50b3ab0ce86d5f319a9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7a3c7154d5fc05956a8ad9e72ecf49e21555bfca",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "5746b2a0f5eb3d79667b3c51fe849bd62464220e",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "4587a7826be1ae0190dba10ff70b46bb0e3bc7d3",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "35521b5a7e8a184548125f4530552101236dcda1",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "98a5fd31cbf72d46bf18e50b3ab0ce86d5f319a9",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: close accepted socket when per-IP limit rejects connection\n\nWhen the per-IP connection limit is exceeded in ksmbd_kthread_fn(),\nthe code sets ret = -EAGAIN and continues the accept loop without\nclosing the just-accepted socket. That leaks one socket per rejected\nattempt from a single IP and enables a trivial remote DoS.\n\nRelease client_sk before continuing.\n\nThis bug was found with ZeroPath."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:17.480Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7a3c7154d5fc05956a8ad9e72ecf49e21555bfca"
},
{
"url": "https://git.kernel.org/stable/c/5746b2a0f5eb3d79667b3c51fe849bd62464220e"
},
{
"url": "https://git.kernel.org/stable/c/4587a7826be1ae0190dba10ff70b46bb0e3bc7d3"
},
{
"url": "https://git.kernel.org/stable/c/35521b5a7e8a184548125f4530552101236dcda1"
},
{
"url": "https://git.kernel.org/stable/c/98a5fd31cbf72d46bf18e50b3ab0ce86d5f319a9"
}
],
"title": "ksmbd: close accepted socket when per-IP limit rejects connection",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68246",
"datePublished": "2025-12-16T14:21:23.551Z",
"dateReserved": "2025-12-16T13:41:40.264Z",
"dateUpdated": "2025-12-20T08:52:17.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39839 (GCVE-0-2025-39839)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
batman-adv: fix OOB read/write in network-coding decode
Summary
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: fix OOB read/write in network-coding decode
batadv_nc_skb_decode_packet() trusts coded_len and checks only against
skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing
payload headroom, and the source skb length is not verified, allowing an
out-of-bounds read and a small out-of-bounds write.
Validate that coded_len fits within the payload area of both destination
and source sk_buffs before XORing.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2df5278b0267c799f3e877e8eeddbb6e93cda0bb , < 30fc47248f02b8a14a61df469e1da4704be1a19f
(git)
Affected: 2df5278b0267c799f3e877e8eeddbb6e93cda0bb , < 1e36c6c8dc8023b4bbe9a16e819f9998b9b6a183 (git) Affected: 2df5278b0267c799f3e877e8eeddbb6e93cda0bb , < 5d334bce9fad58cf328d8fa14ea1fff855819863 (git) Affected: 2df5278b0267c799f3e877e8eeddbb6e93cda0bb , < dce6c2aa70e94c04c523b375dfcc664d7a0a560a (git) Affected: 2df5278b0267c799f3e877e8eeddbb6e93cda0bb , < bb37252c9af1cb250f34735ee98f80b46be3cef1 (git) Affected: 2df5278b0267c799f3e877e8eeddbb6e93cda0bb , < 20080709457bc1e920eb002483d7d981d9b2ac1c (git) Affected: 2df5278b0267c799f3e877e8eeddbb6e93cda0bb , < a67c6397fcb7e842d3c595243049940970541c48 (git) Affected: 2df5278b0267c799f3e877e8eeddbb6e93cda0bb , < d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:54.812Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/network-coding.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "30fc47248f02b8a14a61df469e1da4704be1a19f",
"status": "affected",
"version": "2df5278b0267c799f3e877e8eeddbb6e93cda0bb",
"versionType": "git"
},
{
"lessThan": "1e36c6c8dc8023b4bbe9a16e819f9998b9b6a183",
"status": "affected",
"version": "2df5278b0267c799f3e877e8eeddbb6e93cda0bb",
"versionType": "git"
},
{
"lessThan": "5d334bce9fad58cf328d8fa14ea1fff855819863",
"status": "affected",
"version": "2df5278b0267c799f3e877e8eeddbb6e93cda0bb",
"versionType": "git"
},
{
"lessThan": "dce6c2aa70e94c04c523b375dfcc664d7a0a560a",
"status": "affected",
"version": "2df5278b0267c799f3e877e8eeddbb6e93cda0bb",
"versionType": "git"
},
{
"lessThan": "bb37252c9af1cb250f34735ee98f80b46be3cef1",
"status": "affected",
"version": "2df5278b0267c799f3e877e8eeddbb6e93cda0bb",
"versionType": "git"
},
{
"lessThan": "20080709457bc1e920eb002483d7d981d9b2ac1c",
"status": "affected",
"version": "2df5278b0267c799f3e877e8eeddbb6e93cda0bb",
"versionType": "git"
},
{
"lessThan": "a67c6397fcb7e842d3c595243049940970541c48",
"status": "affected",
"version": "2df5278b0267c799f3e877e8eeddbb6e93cda0bb",
"versionType": "git"
},
{
"lessThan": "d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087",
"status": "affected",
"version": "2df5278b0267c799f3e877e8eeddbb6e93cda0bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/network-coding.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix OOB read/write in network-coding decode\n\nbatadv_nc_skb_decode_packet() trusts coded_len and checks only against\nskb-\u003elen. XOR starts at sizeof(struct batadv_unicast_packet), reducing\npayload headroom, and the source skb length is not verified, allowing an\nout-of-bounds read and a small out-of-bounds write.\n\nValidate that coded_len fits within the payload area of both destination\nand source sk_buffs before XORing."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:44.207Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/30fc47248f02b8a14a61df469e1da4704be1a19f"
},
{
"url": "https://git.kernel.org/stable/c/1e36c6c8dc8023b4bbe9a16e819f9998b9b6a183"
},
{
"url": "https://git.kernel.org/stable/c/5d334bce9fad58cf328d8fa14ea1fff855819863"
},
{
"url": "https://git.kernel.org/stable/c/dce6c2aa70e94c04c523b375dfcc664d7a0a560a"
},
{
"url": "https://git.kernel.org/stable/c/bb37252c9af1cb250f34735ee98f80b46be3cef1"
},
{
"url": "https://git.kernel.org/stable/c/20080709457bc1e920eb002483d7d981d9b2ac1c"
},
{
"url": "https://git.kernel.org/stable/c/a67c6397fcb7e842d3c595243049940970541c48"
},
{
"url": "https://git.kernel.org/stable/c/d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087"
}
],
"title": "batman-adv: fix OOB read/write in network-coding decode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39839",
"datePublished": "2025-09-19T15:26:14.688Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:43:54.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68231 (GCVE-0-2025-68231)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57
VLAI?
EPSS
Title
mm/mempool: fix poisoning order>0 pages with HIGHMEM
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/mempool: fix poisoning order>0 pages with HIGHMEM
The kernel test has reported:
BUG: unable to handle page fault for address: fffba000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
*pde = 03171067 *pte = 00000000
Oops: Oops: 0002 [#1]
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca
Tainted: [T]=RANDSTRUCT
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17)
Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 <f3> aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56
EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b
ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8
DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287
CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690
Call Trace:
poison_element (mm/mempool.c:83 mm/mempool.c:102)
mempool_init_node (mm/mempool.c:142 mm/mempool.c:226)
mempool_init_noprof (mm/mempool.c:250 (discriminator 1))
? mempool_alloc_pages (mm/mempool.c:640)
bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8))
? mempool_alloc_pages (mm/mempool.c:640)
do_one_initcall (init/main.c:1283)
Christoph found out this is due to the poisoning code not dealing
properly with CONFIG_HIGHMEM because only the first page is mapped but
then the whole potentially high-order page is accessed.
We could give up on HIGHMEM here, but it's straightforward to fix this
with a loop that's mapping, poisoning or checking and unmapping
individual pages.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6 , < ea4131665107e66ece90e66bcec1a2f1246cbd41
(git)
Affected: bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6 , < 19de79aaea33ee1ea058c8711b3b2b4a7e4decd4 (git) Affected: bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6 , < 6a13b56537e7b0d97f4bb74e8038ce471f9770d7 (git) Affected: bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6 , < a79e49e1704367b635edad1479db23d7cf1fb71a (git) Affected: bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6 , < ec33b59542d96830e3c89845ff833cf7b25ef172 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/mempool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea4131665107e66ece90e66bcec1a2f1246cbd41",
"status": "affected",
"version": "bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6",
"versionType": "git"
},
{
"lessThan": "19de79aaea33ee1ea058c8711b3b2b4a7e4decd4",
"status": "affected",
"version": "bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6",
"versionType": "git"
},
{
"lessThan": "6a13b56537e7b0d97f4bb74e8038ce471f9770d7",
"status": "affected",
"version": "bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6",
"versionType": "git"
},
{
"lessThan": "a79e49e1704367b635edad1479db23d7cf1fb71a",
"status": "affected",
"version": "bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6",
"versionType": "git"
},
{
"lessThan": "ec33b59542d96830e3c89845ff833cf7b25ef172",
"status": "affected",
"version": "bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/mempool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempool: fix poisoning order\u003e0 pages with HIGHMEM\n\nThe kernel test has reported:\n\n BUG: unable to handle page fault for address: fffba000\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n *pde = 03171067 *pte = 00000000\n Oops: Oops: 0002 [#1]\n CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca\n Tainted: [T]=RANDSTRUCT\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17)\n Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 \u003cf3\u003e aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56\n EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b\n ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8\n DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287\n CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690\n Call Trace:\n poison_element (mm/mempool.c:83 mm/mempool.c:102)\n mempool_init_node (mm/mempool.c:142 mm/mempool.c:226)\n mempool_init_noprof (mm/mempool.c:250 (discriminator 1))\n ? mempool_alloc_pages (mm/mempool.c:640)\n bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8))\n ? mempool_alloc_pages (mm/mempool.c:640)\n do_one_initcall (init/main.c:1283)\n\nChristoph found out this is due to the poisoning code not dealing\nproperly with CONFIG_HIGHMEM because only the first page is mapped but\nthen the whole potentially high-order page is accessed.\n\nWe could give up on HIGHMEM here, but it\u0027s straightforward to fix this\nwith a loop that\u0027s mapping, poisoning or checking and unmapping\nindividual pages."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:23.712Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea4131665107e66ece90e66bcec1a2f1246cbd41"
},
{
"url": "https://git.kernel.org/stable/c/19de79aaea33ee1ea058c8711b3b2b4a7e4decd4"
},
{
"url": "https://git.kernel.org/stable/c/6a13b56537e7b0d97f4bb74e8038ce471f9770d7"
},
{
"url": "https://git.kernel.org/stable/c/a79e49e1704367b635edad1479db23d7cf1fb71a"
},
{
"url": "https://git.kernel.org/stable/c/ec33b59542d96830e3c89845ff833cf7b25ef172"
}
],
"title": "mm/mempool: fix poisoning order\u003e0 pages with HIGHMEM",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68231",
"datePublished": "2025-12-16T13:57:23.712Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2025-12-16T13:57:23.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38105 (GCVE-0-2025-38105)
Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-10-12 11:12
VLAI?
EPSS
Title
ALSA: usb-audio: Kill timer properly at removal
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Kill timer properly at removal
The USB-audio MIDI code initializes the timer, but in a rare case, the
driver might be freed without the disconnect call. This leaves the
timer in an active state while the assigned object is released via
snd_usbmidi_free(), which ends up with a kernel warning when the debug
configuration is enabled, as spotted by fuzzer.
For avoiding the problem, put timer_shutdown_sync() at
snd_usbmidi_free(), so that the timer can be killed properly.
While we're at it, replace the existing timer_delete_sync() at the
disconnect callback with timer_shutdown_sync(), too.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c88469704d63787e8d44ca5ea1c1bd0adc29572d , < 647410a7da46067953a53c0d03f8680eff570959
(git)
Affected: c88469704d63787e8d44ca5ea1c1bd0adc29572d , < c611b9e55174e439dcd85a72969b43a95f3827a4 (git) Affected: c88469704d63787e8d44ca5ea1c1bd0adc29572d , < 62066758d2ae169278e5d6aea5995b1b6f6ddeb5 (git) Affected: c88469704d63787e8d44ca5ea1c1bd0adc29572d , < 0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/midi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "647410a7da46067953a53c0d03f8680eff570959",
"status": "affected",
"version": "c88469704d63787e8d44ca5ea1c1bd0adc29572d",
"versionType": "git"
},
{
"lessThan": "c611b9e55174e439dcd85a72969b43a95f3827a4",
"status": "affected",
"version": "c88469704d63787e8d44ca5ea1c1bd0adc29572d",
"versionType": "git"
},
{
"lessThan": "62066758d2ae169278e5d6aea5995b1b6f6ddeb5",
"status": "affected",
"version": "c88469704d63787e8d44ca5ea1c1bd0adc29572d",
"versionType": "git"
},
{
"lessThan": "0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1",
"status": "affected",
"version": "c88469704d63787e8d44ca5ea1c1bd0adc29572d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/midi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.14"
},
{
"lessThan": "2.6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Kill timer properly at removal\n\nThe USB-audio MIDI code initializes the timer, but in a rare case, the\ndriver might be freed without the disconnect call. This leaves the\ntimer in an active state while the assigned object is released via\nsnd_usbmidi_free(), which ends up with a kernel warning when the debug\nconfiguration is enabled, as spotted by fuzzer.\n\nFor avoiding the problem, put timer_shutdown_sync() at\nsnd_usbmidi_free(), so that the timer can be killed properly.\nWhile we\u0027re at it, replace the existing timer_delete_sync() at the\ndisconnect callback with timer_shutdown_sync(), too."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-12T11:12:51.099Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/647410a7da46067953a53c0d03f8680eff570959"
},
{
"url": "https://git.kernel.org/stable/c/c611b9e55174e439dcd85a72969b43a95f3827a4"
},
{
"url": "https://git.kernel.org/stable/c/62066758d2ae169278e5d6aea5995b1b6f6ddeb5"
},
{
"url": "https://git.kernel.org/stable/c/0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1"
}
],
"title": "ALSA: usb-audio: Kill timer properly at removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38105",
"datePublished": "2025-07-03T08:35:15.301Z",
"dateReserved": "2025-04-16T04:51:23.985Z",
"dateUpdated": "2025-10-12T11:12:51.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68362 (GCVE-0-2025-68362)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
The rtl8187_rx_cb() calculates the rx descriptor header address
by subtracting its size from the skb tail pointer.
However, it does not validate if the received packet
(skb->len from urb->actual_length) is large enough to contain this
header.
If a truncated packet is received, this will lead to a buffer
underflow, reading memory before the start of the skb data area,
and causing a kernel panic.
Add length checks for both rtl8187 and rtl8187b descriptor headers
before attempting to access them, dropping the packet cleanly if the
check fails.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 118e12bf3e4288cf845cd3759bd9d4c99f91aab5
(git)
Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 6a96bd0d94305fd04a6ac64446ec113bae289384 (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < e2f3ea15e804607e0a4a34a2f6c331c8750b68bc (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < dc153401fb26c1640a2b279c47b65e1c416af276 (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 4758770a673c60d8f615809304d72e1432fa6355 (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 638d4148e166d114a4cd7becaae992ce1a815ed8 (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15 (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < b647d2574e4583c2e3b0ab35568f60c88e910840 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "118e12bf3e4288cf845cd3759bd9d4c99f91aab5",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "6a96bd0d94305fd04a6ac64446ec113bae289384",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "e2f3ea15e804607e0a4a34a2f6c331c8750b68bc",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "dc153401fb26c1640a2b279c47b65e1c416af276",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "4758770a673c60d8f615809304d72e1432fa6355",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "638d4148e166d114a4cd7becaae992ce1a815ed8",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "b647d2574e4583c2e3b0ab35568f60c88e910840",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()\n\nThe rtl8187_rx_cb() calculates the rx descriptor header address\nby subtracting its size from the skb tail pointer.\nHowever, it does not validate if the received packet\n(skb-\u003elen from urb-\u003eactual_length) is large enough to contain this\nheader.\n\nIf a truncated packet is received, this will lead to a buffer\nunderflow, reading memory before the start of the skb data area,\nand causing a kernel panic.\n\nAdd length checks for both rtl8187 and rtl8187b descriptor headers\nbefore attempting to access them, dropping the packet cleanly if the\ncheck fails."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:57.901Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/118e12bf3e4288cf845cd3759bd9d4c99f91aab5"
},
{
"url": "https://git.kernel.org/stable/c/6a96bd0d94305fd04a6ac64446ec113bae289384"
},
{
"url": "https://git.kernel.org/stable/c/e2f3ea15e804607e0a4a34a2f6c331c8750b68bc"
},
{
"url": "https://git.kernel.org/stable/c/dc153401fb26c1640a2b279c47b65e1c416af276"
},
{
"url": "https://git.kernel.org/stable/c/4758770a673c60d8f615809304d72e1432fa6355"
},
{
"url": "https://git.kernel.org/stable/c/638d4148e166d114a4cd7becaae992ce1a815ed8"
},
{
"url": "https://git.kernel.org/stable/c/5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15"
},
{
"url": "https://git.kernel.org/stable/c/b647d2574e4583c2e3b0ab35568f60c88e910840"
}
],
"title": "wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68362",
"datePublished": "2025-12-24T10:32:50.492Z",
"dateReserved": "2025-12-16T14:48:05.307Z",
"dateUpdated": "2026-02-09T08:31:57.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40329 (GCVE-0-2025-40329)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-09 04:09
VLAI?
EPSS
Title
drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb
The Mesa issue referenced below pointed out a possible deadlock:
[ 1231.611031] Possible interrupt unsafe locking scenario:
[ 1231.611033] CPU0 CPU1
[ 1231.611034] ---- ----
[ 1231.611035] lock(&xa->xa_lock#17);
[ 1231.611038] local_irq_disable();
[ 1231.611039] lock(&fence->lock);
[ 1231.611041] lock(&xa->xa_lock#17);
[ 1231.611044] <Interrupt>
[ 1231.611045] lock(&fence->lock);
[ 1231.611047]
*** DEADLOCK ***
In this example, CPU0 would be any function accessing job->dependencies
through the xa_* functions that don't disable interrupts (eg:
drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).
CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling
callback so in an interrupt context. It will deadlock when trying to
grab the xa_lock which is already held by CPU0.
Replacing all xa_* usage by their xa_*_irq counterparts would fix
this issue, but Christian pointed out another issue: dma_fence_signal
takes fence.lock and so does dma_fence_add_callback.
dma_fence_signal() // locks f1.lock
-> drm_sched_entity_kill_jobs_cb()
-> foreach dependencies
-> dma_fence_add_callback() // locks f2.lock
This will deadlock if f1 and f2 share the same spinlock.
To fix both issues, the code iterating on dependencies and re-arming them
is moved out to drm_sched_entity_kill_jobs_work().
[phasta: commit message nits]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2fdb8a8f07c2f1353770a324fd19b8114e4329ac , < 70150b9443dddf02157d821c68abf438f55a2e8e
(git)
Affected: 2fdb8a8f07c2f1353770a324fd19b8114e4329ac , < 0d63031ee4a57be0252cb9a4e09ae921c75cece9 (git) Affected: 2fdb8a8f07c2f1353770a324fd19b8114e4329ac , < 3e8ada4fd838e3fd2cca94000dac054f3a347c01 (git) Affected: 2fdb8a8f07c2f1353770a324fd19b8114e4329ac , < 487df8b698345dd5a91346335f05170ed5f29d4e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/scheduler/sched_entity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70150b9443dddf02157d821c68abf438f55a2e8e",
"status": "affected",
"version": "2fdb8a8f07c2f1353770a324fd19b8114e4329ac",
"versionType": "git"
},
{
"lessThan": "0d63031ee4a57be0252cb9a4e09ae921c75cece9",
"status": "affected",
"version": "2fdb8a8f07c2f1353770a324fd19b8114e4329ac",
"versionType": "git"
},
{
"lessThan": "3e8ada4fd838e3fd2cca94000dac054f3a347c01",
"status": "affected",
"version": "2fdb8a8f07c2f1353770a324fd19b8114e4329ac",
"versionType": "git"
},
{
"lessThan": "487df8b698345dd5a91346335f05170ed5f29d4e",
"status": "affected",
"version": "2fdb8a8f07c2f1353770a324fd19b8114e4329ac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/scheduler/sched_entity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb\n\nThe Mesa issue referenced below pointed out a possible deadlock:\n\n[ 1231.611031] Possible interrupt unsafe locking scenario:\n\n[ 1231.611033] CPU0 CPU1\n[ 1231.611034] ---- ----\n[ 1231.611035] lock(\u0026xa-\u003exa_lock#17);\n[ 1231.611038] local_irq_disable();\n[ 1231.611039] lock(\u0026fence-\u003elock);\n[ 1231.611041] lock(\u0026xa-\u003exa_lock#17);\n[ 1231.611044] \u003cInterrupt\u003e\n[ 1231.611045] lock(\u0026fence-\u003elock);\n[ 1231.611047]\n *** DEADLOCK ***\n\nIn this example, CPU0 would be any function accessing job-\u003edependencies\nthrough the xa_* functions that don\u0027t disable interrupts (eg:\ndrm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).\n\nCPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling\ncallback so in an interrupt context. It will deadlock when trying to\ngrab the xa_lock which is already held by CPU0.\n\nReplacing all xa_* usage by their xa_*_irq counterparts would fix\nthis issue, but Christian pointed out another issue: dma_fence_signal\ntakes fence.lock and so does dma_fence_add_callback.\n\n dma_fence_signal() // locks f1.lock\n -\u003e drm_sched_entity_kill_jobs_cb()\n -\u003e foreach dependencies\n -\u003e dma_fence_add_callback() // locks f2.lock\n\nThis will deadlock if f1 and f2 share the same spinlock.\n\nTo fix both issues, the code iterating on dependencies and re-arming them\nis moved out to drm_sched_entity_kill_jobs_work().\n\n[phasta: commit message nits]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T04:09:46.156Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70150b9443dddf02157d821c68abf438f55a2e8e"
},
{
"url": "https://git.kernel.org/stable/c/0d63031ee4a57be0252cb9a4e09ae921c75cece9"
},
{
"url": "https://git.kernel.org/stable/c/3e8ada4fd838e3fd2cca94000dac054f3a347c01"
},
{
"url": "https://git.kernel.org/stable/c/487df8b698345dd5a91346335f05170ed5f29d4e"
}
],
"title": "drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40329",
"datePublished": "2025-12-09T04:09:46.156Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-09T04:09:46.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40103 (GCVE-0-2025-40103)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:48 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
smb: client: Fix refcount leak for cifs_sb_tlink
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: Fix refcount leak for cifs_sb_tlink
Fix three refcount inconsistency issues related to `cifs_sb_tlink`.
Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be
called after successful calls to `cifs_sb_tlink()`. Three calls fail to
update refcount accordingly, leading to possible resource leaks.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8ceb984379462f94bdebef3288d569c6e1f912ea , < 790282abe9d805f08618c1c24ea2529e7259b692
(git)
Affected: 8ceb984379462f94bdebef3288d569c6e1f912ea , < d7dd034c14928306db1b46be277ae439b84dacf9 (git) Affected: 8ceb984379462f94bdebef3288d569c6e1f912ea , < e15605b68b490186da2ad8029c0351a9cfb0b9af (git) Affected: 8ceb984379462f94bdebef3288d569c6e1f912ea , < 896bb31e1416f582503db1350cf1bd10dc64e5a6 (git) Affected: 8ceb984379462f94bdebef3288d569c6e1f912ea , < c2b77f42205ef485a647f62082c442c1cd69d3fc (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/inode.c",
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "790282abe9d805f08618c1c24ea2529e7259b692",
"status": "affected",
"version": "8ceb984379462f94bdebef3288d569c6e1f912ea",
"versionType": "git"
},
{
"lessThan": "d7dd034c14928306db1b46be277ae439b84dacf9",
"status": "affected",
"version": "8ceb984379462f94bdebef3288d569c6e1f912ea",
"versionType": "git"
},
{
"lessThan": "e15605b68b490186da2ad8029c0351a9cfb0b9af",
"status": "affected",
"version": "8ceb984379462f94bdebef3288d569c6e1f912ea",
"versionType": "git"
},
{
"lessThan": "896bb31e1416f582503db1350cf1bd10dc64e5a6",
"status": "affected",
"version": "8ceb984379462f94bdebef3288d569c6e1f912ea",
"versionType": "git"
},
{
"lessThan": "c2b77f42205ef485a647f62082c442c1cd69d3fc",
"status": "affected",
"version": "8ceb984379462f94bdebef3288d569c6e1f912ea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/inode.c",
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Fix refcount leak for cifs_sb_tlink\n\nFix three refcount inconsistency issues related to `cifs_sb_tlink`.\n\nComments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be\ncalled after successful calls to `cifs_sb_tlink()`. Three calls fail to\nupdate refcount accordingly, leading to possible resource leaks."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:06.031Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/790282abe9d805f08618c1c24ea2529e7259b692"
},
{
"url": "https://git.kernel.org/stable/c/d7dd034c14928306db1b46be277ae439b84dacf9"
},
{
"url": "https://git.kernel.org/stable/c/e15605b68b490186da2ad8029c0351a9cfb0b9af"
},
{
"url": "https://git.kernel.org/stable/c/896bb31e1416f582503db1350cf1bd10dc64e5a6"
},
{
"url": "https://git.kernel.org/stable/c/c2b77f42205ef485a647f62082c442c1cd69d3fc"
}
],
"title": "smb: client: Fix refcount leak for cifs_sb_tlink",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40103",
"datePublished": "2025-10-30T09:48:08.421Z",
"dateReserved": "2025-04-16T07:20:57.164Z",
"dateUpdated": "2025-12-01T06:18:06.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40040 (GCVE-0-2025-40040)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2026-01-26 16:17
VLAI?
EPSS
Title
mm/ksm: fix flag-dropping behavior in ksm_madvise
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/ksm: fix flag-dropping behavior in ksm_madvise
syzkaller discovered the following crash: (kernel BUG)
[ 44.607039] ------------[ cut here ]------------
[ 44.607422] kernel BUG at mm/userfaultfd.c:2067!
[ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none)
[ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460
<snip other registers, drop unreliable trace>
[ 44.617726] Call Trace:
[ 44.617926] <TASK>
[ 44.619284] userfaultfd_release+0xef/0x1b0
[ 44.620976] __fput+0x3f9/0xb60
[ 44.621240] fput_close_sync+0x110/0x210
[ 44.622222] __x64_sys_close+0x8f/0x120
[ 44.622530] do_syscall_64+0x5b/0x2f0
[ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 44.623244] RIP: 0033:0x7f365bb3f227
Kernel panics because it detects UFFD inconsistency during
userfaultfd_release_all(). Specifically, a VMA which has a valid pointer
to vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags.
The inconsistency is caused in ksm_madvise(): when user calls madvise()
with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode,
it accidentally clears all flags stored in the upper 32 bits of
vma->vm_flags.
Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and
int are 32-bit wide. This setup causes the following mishap during the &=
~VM_MERGEABLE assignment.
VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000.
After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then
promoted to unsigned long before the & operation. This promotion fills
upper 32 bits with leading 0s, as we're doing unsigned conversion (and
even for a signed conversion, this wouldn't help as the leading bit is 0).
& operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff
instead of intended 0xffff'ffff'7fff'ffff and hence accidentally clears
the upper 32-bits of its value.
Fix it by changing `VM_MERGEABLE` constant to unsigned long, using the
BIT() macro.
Note: other VM_* flags are not affected: This only happens to the
VM_MERGEABLE flag, as the other VM_* flags are all constants of type int
and after ~ operation, they end up with leading 1 and are thus converted
to unsigned long with leading 1s.
Note 2:
After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this is
no longer a kernel BUG, but a WARNING at the same place:
[ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067
but the root-cause (flag-drop) remains the same.
[akpm@linux-foundation.org: rust bindgen wasn't able to handle BIT(), from Miguel]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
63c17fb8e5a46a16e10e82005748837fd11a2024 , < 850f1ea245bdc0ce6a3fd36bfb80d8cf9647cb71
(git)
Affected: 63c17fb8e5a46a16e10e82005748837fd11a2024 , < 788e5385d0ff69cdba1cabccb9dab8d9647b9239 (git) Affected: 63c17fb8e5a46a16e10e82005748837fd11a2024 , < b69f19244c2b6475c8a6eb72f0fb0d53509e48cd (git) Affected: 63c17fb8e5a46a16e10e82005748837fd11a2024 , < 41cb9fd904fe0c39d52e82dd84dc3c96b7aa9693 (git) Affected: 63c17fb8e5a46a16e10e82005748837fd11a2024 , < 92b82e232b8d8b116ac6e57aeae7a6033db92c60 (git) Affected: 63c17fb8e5a46a16e10e82005748837fd11a2024 , < ac50c6e0a8f91a02b681af81abb2362fbb67cc18 (git) Affected: 63c17fb8e5a46a16e10e82005748837fd11a2024 , < 76385629f45740b7888f8fcd83bde955b10f61fe (git) Affected: 63c17fb8e5a46a16e10e82005748837fd11a2024 , < f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/mm.h",
"rust/bindings/bindings_helper.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "850f1ea245bdc0ce6a3fd36bfb80d8cf9647cb71",
"status": "affected",
"version": "63c17fb8e5a46a16e10e82005748837fd11a2024",
"versionType": "git"
},
{
"lessThan": "788e5385d0ff69cdba1cabccb9dab8d9647b9239",
"status": "affected",
"version": "63c17fb8e5a46a16e10e82005748837fd11a2024",
"versionType": "git"
},
{
"lessThan": "b69f19244c2b6475c8a6eb72f0fb0d53509e48cd",
"status": "affected",
"version": "63c17fb8e5a46a16e10e82005748837fd11a2024",
"versionType": "git"
},
{
"lessThan": "41cb9fd904fe0c39d52e82dd84dc3c96b7aa9693",
"status": "affected",
"version": "63c17fb8e5a46a16e10e82005748837fd11a2024",
"versionType": "git"
},
{
"lessThan": "92b82e232b8d8b116ac6e57aeae7a6033db92c60",
"status": "affected",
"version": "63c17fb8e5a46a16e10e82005748837fd11a2024",
"versionType": "git"
},
{
"lessThan": "ac50c6e0a8f91a02b681af81abb2362fbb67cc18",
"status": "affected",
"version": "63c17fb8e5a46a16e10e82005748837fd11a2024",
"versionType": "git"
},
{
"lessThan": "76385629f45740b7888f8fcd83bde955b10f61fe",
"status": "affected",
"version": "63c17fb8e5a46a16e10e82005748837fd11a2024",
"versionType": "git"
},
{
"lessThan": "f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93",
"status": "affected",
"version": "63c17fb8e5a46a16e10e82005748837fd11a2024",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/mm.h",
"rust/bindings/bindings_helper.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/ksm: fix flag-dropping behavior in ksm_madvise\n\nsyzkaller discovered the following crash: (kernel BUG)\n\n[ 44.607039] ------------[ cut here ]------------\n[ 44.607422] kernel BUG at mm/userfaultfd.c:2067!\n[ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI\n[ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none)\n[ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460\n\n\u003csnip other registers, drop unreliable trace\u003e\n\n[ 44.617726] Call Trace:\n[ 44.617926] \u003cTASK\u003e\n[ 44.619284] userfaultfd_release+0xef/0x1b0\n[ 44.620976] __fput+0x3f9/0xb60\n[ 44.621240] fput_close_sync+0x110/0x210\n[ 44.622222] __x64_sys_close+0x8f/0x120\n[ 44.622530] do_syscall_64+0x5b/0x2f0\n[ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 44.623244] RIP: 0033:0x7f365bb3f227\n\nKernel panics because it detects UFFD inconsistency during\nuserfaultfd_release_all(). Specifically, a VMA which has a valid pointer\nto vma-\u003evm_userfaultfd_ctx, but no UFFD flags in vma-\u003evm_flags.\n\nThe inconsistency is caused in ksm_madvise(): when user calls madvise()\nwith MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode,\nit accidentally clears all flags stored in the upper 32 bits of\nvma-\u003evm_flags.\n\nAssuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and\nint are 32-bit wide. This setup causes the following mishap during the \u0026=\n~VM_MERGEABLE assignment.\n\nVM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000\u00270000. \nAfter ~ is applied, it becomes 0x7fff\u0027ffff unsigned int, which is then\npromoted to unsigned long before the \u0026 operation. This promotion fills\nupper 32 bits with leading 0s, as we\u0027re doing unsigned conversion (and\neven for a signed conversion, this wouldn\u0027t help as the leading bit is 0).\n\u0026 operation thus ends up AND-ing vm_flags with 0x0000\u00270000\u00277fff\u0027ffff\ninstead of intended 0xffff\u0027ffff\u00277fff\u0027ffff and hence accidentally clears\nthe upper 32-bits of its value.\n\nFix it by changing `VM_MERGEABLE` constant to unsigned long, using the\nBIT() macro.\n\nNote: other VM_* flags are not affected: This only happens to the\nVM_MERGEABLE flag, as the other VM_* flags are all constants of type int\nand after ~ operation, they end up with leading 1 and are thus converted\nto unsigned long with leading 1s.\n\nNote 2:\nAfter commit 31defc3b01d9 (\"userfaultfd: remove (VM_)BUG_ON()s\"), this is\nno longer a kernel BUG, but a WARNING at the same place:\n\n[ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067\n\nbut the root-cause (flag-drop) remains the same.\n\n[akpm@linux-foundation.org: rust bindgen wasn\u0027t able to handle BIT(), from Miguel]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T16:17:41.532Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/850f1ea245bdc0ce6a3fd36bfb80d8cf9647cb71"
},
{
"url": "https://git.kernel.org/stable/c/788e5385d0ff69cdba1cabccb9dab8d9647b9239"
},
{
"url": "https://git.kernel.org/stable/c/b69f19244c2b6475c8a6eb72f0fb0d53509e48cd"
},
{
"url": "https://git.kernel.org/stable/c/41cb9fd904fe0c39d52e82dd84dc3c96b7aa9693"
},
{
"url": "https://git.kernel.org/stable/c/92b82e232b8d8b116ac6e57aeae7a6033db92c60"
},
{
"url": "https://git.kernel.org/stable/c/ac50c6e0a8f91a02b681af81abb2362fbb67cc18"
},
{
"url": "https://git.kernel.org/stable/c/76385629f45740b7888f8fcd83bde955b10f61fe"
},
{
"url": "https://git.kernel.org/stable/c/f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93"
}
],
"title": "mm/ksm: fix flag-dropping behavior in ksm_madvise",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40040",
"datePublished": "2025-10-28T11:48:20.395Z",
"dateReserved": "2025-04-16T07:20:57.154Z",
"dateUpdated": "2026-01-26T16:17:41.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39847 (GCVE-0-2025-39847)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
ppp: fix memory leak in pad_compress_skb
Summary
In the Linux kernel, the following vulnerability has been resolved:
ppp: fix memory leak in pad_compress_skb
If alloc_skb() fails in pad_compress_skb(), it returns NULL without
releasing the old skb. The caller does:
skb = pad_compress_skb(ppp, skb);
if (!skb)
goto drop;
drop:
kfree_skb(skb);
When pad_compress_skb() returns NULL, the reference to the old skb is
lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.
Align pad_compress_skb() semantics with realloc(): only free the old
skb if allocation and compression succeed. At the call site, use the
new_skb variable so the original skb is not lost when pad_compress_skb()
fails.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 9ca6a040f76c0b149293e430dabab446f3fc8ab7
(git)
Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 87a35a36742df328d0badf4fbc2e56061c15846c (git) Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 0b21e9cd4559102da798bdcba453b64ecd7be7ee (git) Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 1d8b354eafb8876d8bdb1bef69c7d2438aacfbe8 (git) Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 85c1c86a67e09143aa464e9bf09c397816772348 (git) Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 631fc8ab5beb9e0ec8651fb9875b9a968e7b4ae4 (git) Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 33a5bac5f14772730d2caf632ae97b6c2ee95044 (git) Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 4844123fe0b853a4982c02666cb3fd863d701d50 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:04.958Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ppp/ppp_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ca6a040f76c0b149293e430dabab446f3fc8ab7",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "87a35a36742df328d0badf4fbc2e56061c15846c",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "0b21e9cd4559102da798bdcba453b64ecd7be7ee",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "1d8b354eafb8876d8bdb1bef69c7d2438aacfbe8",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "85c1c86a67e09143aa464e9bf09c397816772348",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "631fc8ab5beb9e0ec8651fb9875b9a968e7b4ae4",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "33a5bac5f14772730d2caf632ae97b6c2ee95044",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "4844123fe0b853a4982c02666cb3fd863d701d50",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ppp/ppp_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.15"
},
{
"lessThan": "2.6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: fix memory leak in pad_compress_skb\n\nIf alloc_skb() fails in pad_compress_skb(), it returns NULL without\nreleasing the old skb. The caller does:\n\n skb = pad_compress_skb(ppp, skb);\n if (!skb)\n goto drop;\n\ndrop:\n kfree_skb(skb);\n\nWhen pad_compress_skb() returns NULL, the reference to the old skb is\nlost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.\n\nAlign pad_compress_skb() semantics with realloc(): only free the old\nskb if allocation and compression succeed. At the call site, use the\nnew_skb variable so the original skb is not lost when pad_compress_skb()\nfails."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:57.392Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ca6a040f76c0b149293e430dabab446f3fc8ab7"
},
{
"url": "https://git.kernel.org/stable/c/87a35a36742df328d0badf4fbc2e56061c15846c"
},
{
"url": "https://git.kernel.org/stable/c/0b21e9cd4559102da798bdcba453b64ecd7be7ee"
},
{
"url": "https://git.kernel.org/stable/c/1d8b354eafb8876d8bdb1bef69c7d2438aacfbe8"
},
{
"url": "https://git.kernel.org/stable/c/85c1c86a67e09143aa464e9bf09c397816772348"
},
{
"url": "https://git.kernel.org/stable/c/631fc8ab5beb9e0ec8651fb9875b9a968e7b4ae4"
},
{
"url": "https://git.kernel.org/stable/c/33a5bac5f14772730d2caf632ae97b6c2ee95044"
},
{
"url": "https://git.kernel.org/stable/c/4844123fe0b853a4982c02666cb3fd863d701d50"
}
],
"title": "ppp: fix memory leak in pad_compress_skb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39847",
"datePublished": "2025-09-19T15:26:20.648Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:44:04.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39864 (GCVE-0-2025-39864)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
wifi: cfg80211: fix use-after-free in cmp_bss()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: fix use-after-free in cmp_bss()
Following bss_free() quirk introduced in commit 776b3580178f
("cfg80211: track hidden SSID networks properly"), adjust
cfg80211_update_known_bss() to free the last beacon frame
elements only if they're not shared via the corresponding
'hidden_beacon_bss' pointer.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 , < a8bb681e879ca3c9f722aa08d3d7ae41c42a8807
(git)
Affected: 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 , < a97a9791e455bb0cd5e7a38b5abcb05523d4e21c (git) Affected: 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 , < ff040562c10a540b8d851f7f4145fa112977f853 (git) Affected: 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 , < 6854476d9e1aeaaf05ebc98d610061c2075db07d (git) Affected: 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 , < b7d08929178c16398278613df07ad65cf63cce9d (git) Affected: 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 , < 5b7ae04969f822283a95c866967e42b4d75e0eef (git) Affected: 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 , < 912c4b66bef713a20775cfbf3b5e9bd71525c716 (git) Affected: 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 , < 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:14.486Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/scan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8bb681e879ca3c9f722aa08d3d7ae41c42a8807",
"status": "affected",
"version": "3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6",
"versionType": "git"
},
{
"lessThan": "a97a9791e455bb0cd5e7a38b5abcb05523d4e21c",
"status": "affected",
"version": "3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6",
"versionType": "git"
},
{
"lessThan": "ff040562c10a540b8d851f7f4145fa112977f853",
"status": "affected",
"version": "3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6",
"versionType": "git"
},
{
"lessThan": "6854476d9e1aeaaf05ebc98d610061c2075db07d",
"status": "affected",
"version": "3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6",
"versionType": "git"
},
{
"lessThan": "b7d08929178c16398278613df07ad65cf63cce9d",
"status": "affected",
"version": "3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6",
"versionType": "git"
},
{
"lessThan": "5b7ae04969f822283a95c866967e42b4d75e0eef",
"status": "affected",
"version": "3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6",
"versionType": "git"
},
{
"lessThan": "912c4b66bef713a20775cfbf3b5e9bd71525c716",
"status": "affected",
"version": "3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6",
"versionType": "git"
},
{
"lessThan": "26e84445f02ce6b2fe5f3e0e28ff7add77f35e08",
"status": "affected",
"version": "3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/scan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: fix use-after-free in cmp_bss()\n\nFollowing bss_free() quirk introduced in commit 776b3580178f\n(\"cfg80211: track hidden SSID networks properly\"), adjust\ncfg80211_update_known_bss() to free the last beacon frame\nelements only if they\u0027re not shared via the corresponding\n\u0027hidden_beacon_bss\u0027 pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:19.987Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8bb681e879ca3c9f722aa08d3d7ae41c42a8807"
},
{
"url": "https://git.kernel.org/stable/c/a97a9791e455bb0cd5e7a38b5abcb05523d4e21c"
},
{
"url": "https://git.kernel.org/stable/c/ff040562c10a540b8d851f7f4145fa112977f853"
},
{
"url": "https://git.kernel.org/stable/c/6854476d9e1aeaaf05ebc98d610061c2075db07d"
},
{
"url": "https://git.kernel.org/stable/c/b7d08929178c16398278613df07ad65cf63cce9d"
},
{
"url": "https://git.kernel.org/stable/c/5b7ae04969f822283a95c866967e42b4d75e0eef"
},
{
"url": "https://git.kernel.org/stable/c/912c4b66bef713a20775cfbf3b5e9bd71525c716"
},
{
"url": "https://git.kernel.org/stable/c/26e84445f02ce6b2fe5f3e0e28ff7add77f35e08"
}
],
"title": "wifi: cfg80211: fix use-after-free in cmp_bss()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39864",
"datePublished": "2025-09-19T15:26:33.787Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-11-03T17:44:14.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68742 (GCVE-0-2025-68742)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
bpf: Fix invalid prog->stats access when update_effective_progs fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix invalid prog->stats access when update_effective_progs fails
Syzkaller triggers an invalid memory access issue following fault
injection in update_effective_progs. The issue can be described as
follows:
__cgroup_bpf_detach
update_effective_progs
compute_effective_progs
bpf_prog_array_alloc <-- fault inject
purge_effective_progs
/* change to dummy_bpf_prog */
array->items[index] = &dummy_bpf_prog.prog
---softirq start---
__do_softirq
...
__cgroup_bpf_run_filter_skb
__bpf_prog_run_save_cb
bpf_prog_run
stats = this_cpu_ptr(prog->stats)
/* invalid memory access */
flags = u64_stats_update_begin_irqsave(&stats->syncp)
---softirq end---
static_branch_dec(&cgroup_bpf_enabled_key[atype])
The reason is that fault injection caused update_effective_progs to fail
and then changed the original prog into dummy_bpf_prog.prog in
purge_effective_progs. Then a softirq came, and accessing the members of
dummy_bpf_prog.prog in the softirq triggers invalid mem access.
To fix it, skip updating stats when stats is NULL.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 93d1964773ff513c9bd530f7686d3e48b786fa6b
(git)
Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < bf2c990b012100610c0f1ec5c4ea434da2d080c2 (git) Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 539137e3038ce6f953efd72110110f03c14c7d97 (git) Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 56905bb70c8b88421709bb4e32fcba617aa37d41 (git) Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 2579c356ccd35d06238b176e4b460978186d804b (git) Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 7dc211c1159d991db609bdf4b0fb9033c04adcbc (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/filter.h",
"kernel/bpf/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93d1964773ff513c9bd530f7686d3e48b786fa6b",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "bf2c990b012100610c0f1ec5c4ea434da2d080c2",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "539137e3038ce6f953efd72110110f03c14c7d97",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "56905bb70c8b88421709bb4e32fcba617aa37d41",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "2579c356ccd35d06238b176e4b460978186d804b",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "7dc211c1159d991db609bdf4b0fb9033c04adcbc",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/filter.h",
"kernel/bpf/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix invalid prog-\u003estats access when update_effective_progs fails\n\nSyzkaller triggers an invalid memory access issue following fault\ninjection in update_effective_progs. The issue can be described as\nfollows:\n\n__cgroup_bpf_detach\n update_effective_progs\n compute_effective_progs\n bpf_prog_array_alloc \u003c-- fault inject\n purge_effective_progs\n /* change to dummy_bpf_prog */\n array-\u003eitems[index] = \u0026dummy_bpf_prog.prog\n\n---softirq start---\n__do_softirq\n ...\n __cgroup_bpf_run_filter_skb\n __bpf_prog_run_save_cb\n bpf_prog_run\n stats = this_cpu_ptr(prog-\u003estats)\n /* invalid memory access */\n flags = u64_stats_update_begin_irqsave(\u0026stats-\u003esyncp)\n---softirq end---\n\n static_branch_dec(\u0026cgroup_bpf_enabled_key[atype])\n\nThe reason is that fault injection caused update_effective_progs to fail\nand then changed the original prog into dummy_bpf_prog.prog in\npurge_effective_progs. Then a softirq came, and accessing the members of\ndummy_bpf_prog.prog in the softirq triggers invalid mem access.\n\nTo fix it, skip updating stats when stats is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:46.405Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93d1964773ff513c9bd530f7686d3e48b786fa6b"
},
{
"url": "https://git.kernel.org/stable/c/bf2c990b012100610c0f1ec5c4ea434da2d080c2"
},
{
"url": "https://git.kernel.org/stable/c/539137e3038ce6f953efd72110110f03c14c7d97"
},
{
"url": "https://git.kernel.org/stable/c/56905bb70c8b88421709bb4e32fcba617aa37d41"
},
{
"url": "https://git.kernel.org/stable/c/2579c356ccd35d06238b176e4b460978186d804b"
},
{
"url": "https://git.kernel.org/stable/c/7dc211c1159d991db609bdf4b0fb9033c04adcbc"
}
],
"title": "bpf: Fix invalid prog-\u003estats access when update_effective_progs fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68742",
"datePublished": "2025-12-24T12:09:39.341Z",
"dateReserved": "2025-12-24T10:30:51.030Z",
"dateUpdated": "2026-02-09T08:32:46.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40077 (GCVE-0-2025-40077)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
f2fs: fix to avoid overflow while left shift operation
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid overflow while left shift operation
Should cast type of folio->index from pgoff_t to loff_t to avoid overflow
while left shift operation.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3265d3db1f16395cfc6b8ea9b31b4001d98d05ef , < ef49378864bb1ed14cd48c8e687729e12714d849
(git)
Affected: 3265d3db1f16395cfc6b8ea9b31b4001d98d05ef , < 0e75a098b0a37f02ca31fe99ac16004c8163cf67 (git) Affected: 3265d3db1f16395cfc6b8ea9b31b4001d98d05ef , < 57d3381dfb97ff73ddd18601017fec21cca80985 (git) Affected: 3265d3db1f16395cfc6b8ea9b31b4001d98d05ef , < 0fe1c6bec54ea68ed8c987b3890f2296364e77bb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/compress.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ef49378864bb1ed14cd48c8e687729e12714d849",
"status": "affected",
"version": "3265d3db1f16395cfc6b8ea9b31b4001d98d05ef",
"versionType": "git"
},
{
"lessThan": "0e75a098b0a37f02ca31fe99ac16004c8163cf67",
"status": "affected",
"version": "3265d3db1f16395cfc6b8ea9b31b4001d98d05ef",
"versionType": "git"
},
{
"lessThan": "57d3381dfb97ff73ddd18601017fec21cca80985",
"status": "affected",
"version": "3265d3db1f16395cfc6b8ea9b31b4001d98d05ef",
"versionType": "git"
},
{
"lessThan": "0fe1c6bec54ea68ed8c987b3890f2296364e77bb",
"status": "affected",
"version": "3265d3db1f16395cfc6b8ea9b31b4001d98d05ef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/compress.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid overflow while left shift operation\n\nShould cast type of folio-\u003eindex from pgoff_t to loff_t to avoid overflow\nwhile left shift operation."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:33.786Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ef49378864bb1ed14cd48c8e687729e12714d849"
},
{
"url": "https://git.kernel.org/stable/c/0e75a098b0a37f02ca31fe99ac16004c8163cf67"
},
{
"url": "https://git.kernel.org/stable/c/57d3381dfb97ff73ddd18601017fec21cca80985"
},
{
"url": "https://git.kernel.org/stable/c/0fe1c6bec54ea68ed8c987b3890f2296364e77bb"
}
],
"title": "f2fs: fix to avoid overflow while left shift operation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40077",
"datePublished": "2025-10-28T11:48:42.976Z",
"dateReserved": "2025-04-16T07:20:57.160Z",
"dateUpdated": "2025-12-01T06:17:33.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40320 (GCVE-0-2025-40320)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
smb: client: fix potential cfid UAF in smb2_query_info_compound
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix potential cfid UAF in smb2_query_info_compound
When smb2_query_info_compound() retries, a previously allocated cfid may
have been freed in the first attempt.
Because cfid wasn't reset on replay, later cleanup could act on a stale
pointer, leading to a potential use-after-free.
Reinitialize cfid to NULL under the replay label.
Example trace (trimmed):
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110
[...]
RIP: 0010:refcount_warn_saturate+0x9c/0x110
[...]
Call Trace:
<TASK>
smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
? step_into+0x10d/0x690
? __legitimize_path+0x28/0x60
smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
? kmem_cache_alloc+0x18a/0x340
? getname_flags+0x46/0x1e0
cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
statfs_by_dentry+0x67/0x90
vfs_statfs+0x16/0xd0
user_statfs+0x54/0xa0
__do_sys_statfs+0x20/0x50
do_syscall_64+0x58/0x80
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
433042a91f9373241307725b52de573933ffedbf , < 939c4e33005e2a56ea8fcedddf0da92df864bd3b
(git)
Affected: 4f1fffa2376922f3d1d506e49c0fd445b023a28e , < 327f89c21601ebb7889f8c97754b76f08ce95a0c (git) Affected: 4f1fffa2376922f3d1d506e49c0fd445b023a28e , < b556c278d43f4707a9073ca74d55581b4f279806 (git) Affected: 4f1fffa2376922f3d1d506e49c0fd445b023a28e , < 5c76f9961c170552c1d07c830b5e145475151600 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "939c4e33005e2a56ea8fcedddf0da92df864bd3b",
"status": "affected",
"version": "433042a91f9373241307725b52de573933ffedbf",
"versionType": "git"
},
{
"lessThan": "327f89c21601ebb7889f8c97754b76f08ce95a0c",
"status": "affected",
"version": "4f1fffa2376922f3d1d506e49c0fd445b023a28e",
"versionType": "git"
},
{
"lessThan": "b556c278d43f4707a9073ca74d55581b4f279806",
"status": "affected",
"version": "4f1fffa2376922f3d1d506e49c0fd445b023a28e",
"versionType": "git"
},
{
"lessThan": "5c76f9961c170552c1d07c830b5e145475151600",
"status": "affected",
"version": "4f1fffa2376922f3d1d506e49c0fd445b023a28e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential cfid UAF in smb2_query_info_compound\n\nWhen smb2_query_info_compound() retries, a previously allocated cfid may\nhave been freed in the first attempt.\nBecause cfid wasn\u0027t reset on replay, later cleanup could act on a stale\npointer, leading to a potential use-after-free.\n\nReinitialize cfid to NULL under the replay label.\n\nExample trace (trimmed):\n\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110\n[...]\nRIP: 0010:refcount_warn_saturate+0x9c/0x110\n[...]\nCall Trace:\n \u003cTASK\u003e\n smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n ? step_into+0x10d/0x690\n ? __legitimize_path+0x28/0x60\n smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n ? kmem_cache_alloc+0x18a/0x340\n ? getname_flags+0x46/0x1e0\n cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n statfs_by_dentry+0x67/0x90\n vfs_statfs+0x16/0xd0\n user_statfs+0x54/0xa0\n __do_sys_statfs+0x20/0x50\n do_syscall_64+0x58/0x80"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:47.670Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/939c4e33005e2a56ea8fcedddf0da92df864bd3b"
},
{
"url": "https://git.kernel.org/stable/c/327f89c21601ebb7889f8c97754b76f08ce95a0c"
},
{
"url": "https://git.kernel.org/stable/c/b556c278d43f4707a9073ca74d55581b4f279806"
},
{
"url": "https://git.kernel.org/stable/c/5c76f9961c170552c1d07c830b5e145475151600"
}
],
"title": "smb: client: fix potential cfid UAF in smb2_query_info_compound",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40320",
"datePublished": "2025-12-08T00:46:47.670Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:47.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40024 (GCVE-0-2025-40024)
Vulnerability from cvelistv5 – Published: 2025-10-24 12:24 – Updated: 2025-10-24 12:24
VLAI?
EPSS
Title
vhost: Take a reference on the task in struct vhost_task.
Summary
In the Linux kernel, the following vulnerability has been resolved:
vhost: Take a reference on the task in struct vhost_task.
vhost_task_create() creates a task and keeps a reference to its
task_struct. That task may exit early via a signal and its task_struct
will be released.
A pending vhost_task_wake() will then attempt to wake the task and
access a task_struct which is no longer there.
Acquire a reference on the task_struct while creating the thread and
release the reference while the struct vhost_task itself is removed.
If the task exits early due to a signal, then the vhost_task_wake() will
still access a valid task_struct. The wake is safe and will be skipped
in this case.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f9010dbdce911ee1f1af1398a24b1f9f992e0080 , < 82a1463c968b1a6ae598a4f2fcef17b71bb7d3a0
(git)
Affected: f9010dbdce911ee1f1af1398a24b1f9f992e0080 , < d2be773a92874a070215b51b730cb2b1eaa8fae2 (git) Affected: f9010dbdce911ee1f1af1398a24b1f9f992e0080 , < 7ce635b3d3aba43296b62b5a2d97c008bc51cbd2 (git) Affected: f9010dbdce911ee1f1af1398a24b1f9f992e0080 , < afe16653e05db07d658b55245c7a2e0603f136c0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/vhost_task.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82a1463c968b1a6ae598a4f2fcef17b71bb7d3a0",
"status": "affected",
"version": "f9010dbdce911ee1f1af1398a24b1f9f992e0080",
"versionType": "git"
},
{
"lessThan": "d2be773a92874a070215b51b730cb2b1eaa8fae2",
"status": "affected",
"version": "f9010dbdce911ee1f1af1398a24b1f9f992e0080",
"versionType": "git"
},
{
"lessThan": "7ce635b3d3aba43296b62b5a2d97c008bc51cbd2",
"status": "affected",
"version": "f9010dbdce911ee1f1af1398a24b1f9f992e0080",
"versionType": "git"
},
{
"lessThan": "afe16653e05db07d658b55245c7a2e0603f136c0",
"status": "affected",
"version": "f9010dbdce911ee1f1af1398a24b1f9f992e0080",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/vhost_task.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost: Take a reference on the task in struct vhost_task.\n\nvhost_task_create() creates a task and keeps a reference to its\ntask_struct. That task may exit early via a signal and its task_struct\nwill be released.\nA pending vhost_task_wake() will then attempt to wake the task and\naccess a task_struct which is no longer there.\n\nAcquire a reference on the task_struct while creating the thread and\nrelease the reference while the struct vhost_task itself is removed.\nIf the task exits early due to a signal, then the vhost_task_wake() will\nstill access a valid task_struct. The wake is safe and will be skipped\nin this case."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T12:24:59.199Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82a1463c968b1a6ae598a4f2fcef17b71bb7d3a0"
},
{
"url": "https://git.kernel.org/stable/c/d2be773a92874a070215b51b730cb2b1eaa8fae2"
},
{
"url": "https://git.kernel.org/stable/c/7ce635b3d3aba43296b62b5a2d97c008bc51cbd2"
},
{
"url": "https://git.kernel.org/stable/c/afe16653e05db07d658b55245c7a2e0603f136c0"
}
],
"title": "vhost: Take a reference on the task in struct vhost_task.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40024",
"datePublished": "2025-10-24T12:24:59.199Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-10-24T12:24:59.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68265 (GCVE-0-2025-68265)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:47 – Updated: 2026-01-11 16:29
VLAI?
EPSS
Title
nvme: fix admin request_queue lifetime
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme: fix admin request_queue lifetime
The namespaces can access the controller's admin request_queue, and
stale references on the namespaces may exist after tearing down the
controller. Ensure the admin request_queue is active by moving the
controller's 'put' to after all controller references have been released
to ensure no one is can access the request_queue. This fixes a reported
use-after-free bug:
BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0
Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287
CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15
Tainted: [E]=UNSIGNED_MODULE
Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x4f/0x60
print_report+0xc4/0x620
? _raw_spin_lock_irqsave+0x70/0xb0
? _raw_read_unlock_irqrestore+0x30/0x30
? blk_queue_enter+0x41c/0x4a0
kasan_report+0xab/0xe0
? blk_queue_enter+0x41c/0x4a0
blk_queue_enter+0x41c/0x4a0
? __irq_work_queue_local+0x75/0x1d0
? blk_queue_start_drain+0x70/0x70
? irq_work_queue+0x18/0x20
? vprintk_emit.part.0+0x1cc/0x350
? wake_up_klogd_work_func+0x60/0x60
blk_mq_alloc_request+0x2b7/0x6b0
? __blk_mq_alloc_requests+0x1060/0x1060
? __switch_to+0x5b7/0x1060
nvme_submit_user_cmd+0xa9/0x330
nvme_user_cmd.isra.0+0x240/0x3f0
? force_sigsegv+0xe0/0xe0
? nvme_user_cmd64+0x400/0x400
? vfs_fileattr_set+0x9b0/0x9b0
? cgroup_update_frozen_flag+0x24/0x1c0
? cgroup_leave_frozen+0x204/0x330
? nvme_ioctl+0x7c/0x2c0
blkdev_ioctl+0x1a8/0x4d0
? blkdev_common_ioctl+0x1930/0x1930
? fdget+0x54/0x380
__x64_sys_ioctl+0x129/0x190
do_syscall_64+0x5b/0x160
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f765f703b0b
Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b
RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003
R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60
</TASK>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
fe60e8c534118a288cd251a59d747cbf5c03e160 , < a505f0ba36ab24176c300d7ff56aff85c2977e6c
(git)
Affected: fe60e8c534118a288cd251a59d747cbf5c03e160 , < e8061d02b49c5c901980f58d91e96580e9a14acf (git) Affected: fe60e8c534118a288cd251a59d747cbf5c03e160 , < e7dac681790556c131854b97551337aa8042215b (git) Affected: fe60e8c534118a288cd251a59d747cbf5c03e160 , < 03b3bcd319b3ab5182bc9aaa0421351572c78ac0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a505f0ba36ab24176c300d7ff56aff85c2977e6c",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
},
{
"lessThan": "e8061d02b49c5c901980f58d91e96580e9a14acf",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
},
{
"lessThan": "e7dac681790556c131854b97551337aa8042215b",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
},
{
"lessThan": "03b3bcd319b3ab5182bc9aaa0421351572c78ac0",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix admin request_queue lifetime\n\nThe namespaces can access the controller\u0027s admin request_queue, and\nstale references on the namespaces may exist after tearing down the\ncontroller. Ensure the admin request_queue is active by moving the\ncontroller\u0027s \u0027put\u0027 to after all controller references have been released\nto ensure no one is can access the request_queue. This fixes a reported\nuse-after-free bug:\n\n BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0\n Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287\n CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15\n Tainted: [E]=UNSIGNED_MODULE\n Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x4f/0x60\n print_report+0xc4/0x620\n ? _raw_spin_lock_irqsave+0x70/0xb0\n ? _raw_read_unlock_irqrestore+0x30/0x30\n ? blk_queue_enter+0x41c/0x4a0\n kasan_report+0xab/0xe0\n ? blk_queue_enter+0x41c/0x4a0\n blk_queue_enter+0x41c/0x4a0\n ? __irq_work_queue_local+0x75/0x1d0\n ? blk_queue_start_drain+0x70/0x70\n ? irq_work_queue+0x18/0x20\n ? vprintk_emit.part.0+0x1cc/0x350\n ? wake_up_klogd_work_func+0x60/0x60\n blk_mq_alloc_request+0x2b7/0x6b0\n ? __blk_mq_alloc_requests+0x1060/0x1060\n ? __switch_to+0x5b7/0x1060\n nvme_submit_user_cmd+0xa9/0x330\n nvme_user_cmd.isra.0+0x240/0x3f0\n ? force_sigsegv+0xe0/0xe0\n ? nvme_user_cmd64+0x400/0x400\n ? vfs_fileattr_set+0x9b0/0x9b0\n ? cgroup_update_frozen_flag+0x24/0x1c0\n ? cgroup_leave_frozen+0x204/0x330\n ? nvme_ioctl+0x7c/0x2c0\n blkdev_ioctl+0x1a8/0x4d0\n ? blkdev_common_ioctl+0x1930/0x1930\n ? fdget+0x54/0x380\n __x64_sys_ioctl+0x129/0x190\n do_syscall_64+0x5b/0x160\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7f765f703b0b\n Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b\n RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003\n RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000\n R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003\n R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:39.230Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a505f0ba36ab24176c300d7ff56aff85c2977e6c"
},
{
"url": "https://git.kernel.org/stable/c/e8061d02b49c5c901980f58d91e96580e9a14acf"
},
{
"url": "https://git.kernel.org/stable/c/e7dac681790556c131854b97551337aa8042215b"
},
{
"url": "https://git.kernel.org/stable/c/03b3bcd319b3ab5182bc9aaa0421351572c78ac0"
}
],
"title": "nvme: fix admin request_queue lifetime",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68265",
"datePublished": "2025-12-16T14:47:05.303Z",
"dateReserved": "2025-12-16T13:41:40.268Z",
"dateUpdated": "2026-01-11T16:29:39.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39920 (GCVE-0-2025-39920)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:55 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
pcmcia: Add error handling for add_interval() in do_validate_mem()
Summary
In the Linux kernel, the following vulnerability has been resolved:
pcmcia: Add error handling for add_interval() in do_validate_mem()
In the do_validate_mem(), the call to add_interval() does not
handle errors. If kmalloc() fails in add_interval(), it could
result in a null pointer being inserted into the linked list,
leading to illegal memory access when sub_interval() is called
next.
This patch adds an error handling for the add_interval(). If
add_interval() returns an error, the function will return early
with the error code.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7b4884ca8853a638df0eb5d251d80d67777b8b1a , < 5b60ed401b47897352c520bc724c85aa908dedcc
(git)
Affected: 7b4884ca8853a638df0eb5d251d80d67777b8b1a , < ae184024ef31423e5beb44cf4f52999bbcf2fe5b (git) Affected: 7b4884ca8853a638df0eb5d251d80d67777b8b1a , < 85be7ef8c8e792a414940a38d94565dd48d2f236 (git) Affected: 7b4884ca8853a638df0eb5d251d80d67777b8b1a , < 06b26e3099207c94b3d1be8565aedc6edc4f0a60 (git) Affected: 7b4884ca8853a638df0eb5d251d80d67777b8b1a , < 8699358b6ac99b8ccc97ed9e6e3669ef8958ef7b (git) Affected: 7b4884ca8853a638df0eb5d251d80d67777b8b1a , < 289b58f8ff3198d091074a751d6b8f6827726f3e (git) Affected: 7b4884ca8853a638df0eb5d251d80d67777b8b1a , < 369bf6e241506583f4ee7593c53b92e5a9f271b4 (git) Affected: 7b4884ca8853a638df0eb5d251d80d67777b8b1a , < 4a81f78caa53e0633cf311ca1526377d9bff7479 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:40.739Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pcmcia/rsrc_nonstatic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b60ed401b47897352c520bc724c85aa908dedcc",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "ae184024ef31423e5beb44cf4f52999bbcf2fe5b",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "85be7ef8c8e792a414940a38d94565dd48d2f236",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "06b26e3099207c94b3d1be8565aedc6edc4f0a60",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "8699358b6ac99b8ccc97ed9e6e3669ef8958ef7b",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "289b58f8ff3198d091074a751d6b8f6827726f3e",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "369bf6e241506583f4ee7593c53b92e5a9f271b4",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "4a81f78caa53e0633cf311ca1526377d9bff7479",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pcmcia/rsrc_nonstatic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npcmcia: Add error handling for add_interval() in do_validate_mem()\n\nIn the do_validate_mem(), the call to add_interval() does not\nhandle errors. If kmalloc() fails in add_interval(), it could\nresult in a null pointer being inserted into the linked list,\nleading to illegal memory access when sub_interval() is called\nnext.\n\nThis patch adds an error handling for the add_interval(). If\nadd_interval() returns an error, the function will return early\nwith the error code."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:55:15.731Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b60ed401b47897352c520bc724c85aa908dedcc"
},
{
"url": "https://git.kernel.org/stable/c/ae184024ef31423e5beb44cf4f52999bbcf2fe5b"
},
{
"url": "https://git.kernel.org/stable/c/85be7ef8c8e792a414940a38d94565dd48d2f236"
},
{
"url": "https://git.kernel.org/stable/c/06b26e3099207c94b3d1be8565aedc6edc4f0a60"
},
{
"url": "https://git.kernel.org/stable/c/8699358b6ac99b8ccc97ed9e6e3669ef8958ef7b"
},
{
"url": "https://git.kernel.org/stable/c/289b58f8ff3198d091074a751d6b8f6827726f3e"
},
{
"url": "https://git.kernel.org/stable/c/369bf6e241506583f4ee7593c53b92e5a9f271b4"
},
{
"url": "https://git.kernel.org/stable/c/4a81f78caa53e0633cf311ca1526377d9bff7479"
}
],
"title": "pcmcia: Add error handling for add_interval() in do_validate_mem()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39920",
"datePublished": "2025-10-01T07:55:15.731Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:40.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68769 (GCVE-0-2025-68769)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
f2fs: fix return value of f2fs_recover_fsync_data()
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix return value of f2fs_recover_fsync_data()
With below scripts, it will trigger panic in f2fs:
mkfs.f2fs -f /dev/vdd
mount /dev/vdd /mnt/f2fs
touch /mnt/f2fs/foo
sync
echo 111 >> /mnt/f2fs/foo
f2fs_io fsync /mnt/f2fs/foo
f2fs_io shutdown 2 /mnt/f2fs
umount /mnt/f2fs
mount -o ro,norecovery /dev/vdd /mnt/f2fs
or
mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs
F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0
F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f
F2FS-fs (vdd): Stopped filesystem due to reason: 0
F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1
Filesystem f2fs get_tree() didn't set fc->root, returned 1
------------[ cut here ]------------
kernel BUG at fs/super.c:1761!
Oops: invalid opcode: 0000 [#1] SMP PTI
CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:vfs_get_tree.cold+0x18/0x1a
Call Trace:
<TASK>
fc_mount+0x13/0xa0
path_mount+0x34e/0xc50
__x64_sys_mount+0x121/0x150
do_syscall_64+0x84/0x800
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fa6cc126cfe
The root cause is we missed to handle error number returned from
f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or
ro,disable_roll_forward mount option, result in returning a positive
error number to vfs_get_tree(), fix it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725
(git)
Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < 0de4977a1eeafe9d77701e3c031a1bcdba389243 (git) Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < 9bc246018aaa3b46a7710428d0a2196c229f9d49 (git) Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < a4c67d96f92eefcfa5596a08f069e77b743c5865 (git) Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < 473550e715654ad7612aa490d583cb7c25fe2ff3 (git) Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < 4560db9678a2c5952b6205fbca468c6805c2ba2a (git) Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < 01fba45deaddcce0d0b01c411435d1acf6feab7b (git) Affected: 1499d39b74f5957e932639a86487ccea5a0a9740 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "0de4977a1eeafe9d77701e3c031a1bcdba389243",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "9bc246018aaa3b46a7710428d0a2196c229f9d49",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "a4c67d96f92eefcfa5596a08f069e77b743c5865",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "473550e715654ad7612aa490d583cb7c25fe2ff3",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "4560db9678a2c5952b6205fbca468c6805c2ba2a",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "01fba45deaddcce0d0b01c411435d1acf6feab7b",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"status": "affected",
"version": "1499d39b74f5957e932639a86487ccea5a0a9740",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.172",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix return value of f2fs_recover_fsync_data()\n\nWith below scripts, it will trigger panic in f2fs:\n\nmkfs.f2fs -f /dev/vdd\nmount /dev/vdd /mnt/f2fs\ntouch /mnt/f2fs/foo\nsync\necho 111 \u003e\u003e /mnt/f2fs/foo\nf2fs_io fsync /mnt/f2fs/foo\nf2fs_io shutdown 2 /mnt/f2fs\numount /mnt/f2fs\nmount -o ro,norecovery /dev/vdd /mnt/f2fs\nor\nmount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs\n\nF2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0\nF2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f\nF2FS-fs (vdd): Stopped filesystem due to reason: 0\nF2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1\nFilesystem f2fs get_tree() didn\u0027t set fc-\u003eroot, returned 1\n------------[ cut here ]------------\nkernel BUG at fs/super.c:1761!\nOops: invalid opcode: 0000 [#1] SMP PTI\nCPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:vfs_get_tree.cold+0x18/0x1a\nCall Trace:\n \u003cTASK\u003e\n fc_mount+0x13/0xa0\n path_mount+0x34e/0xc50\n __x64_sys_mount+0x121/0x150\n do_syscall_64+0x84/0x800\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fa6cc126cfe\n\nThe root cause is we missed to handle error number returned from\nf2fs_recover_fsync_data() when mounting image w/ ro,norecovery or\nro,disable_roll_forward mount option, result in returning a positive\nerror number to vfs_get_tree(), fix it."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:14.214Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725"
},
{
"url": "https://git.kernel.org/stable/c/0de4977a1eeafe9d77701e3c031a1bcdba389243"
},
{
"url": "https://git.kernel.org/stable/c/9bc246018aaa3b46a7710428d0a2196c229f9d49"
},
{
"url": "https://git.kernel.org/stable/c/a4c67d96f92eefcfa5596a08f069e77b743c5865"
},
{
"url": "https://git.kernel.org/stable/c/473550e715654ad7612aa490d583cb7c25fe2ff3"
},
{
"url": "https://git.kernel.org/stable/c/4560db9678a2c5952b6205fbca468c6805c2ba2a"
},
{
"url": "https://git.kernel.org/stable/c/01fba45deaddcce0d0b01c411435d1acf6feab7b"
}
],
"title": "f2fs: fix return value of f2fs_recover_fsync_data()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68769",
"datePublished": "2026-01-13T15:28:47.798Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-02-09T08:33:14.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68740 (GCVE-0-2025-68740)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
ima: Handle error code returned by ima_filter_rule_match()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ima: Handle error code returned by ima_filter_rule_match()
In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to
the rule being NULL, the function incorrectly skips the 'if (!rc)' check
and sets 'result = true'. The LSM rule is considered a match, causing
extra files to be measured by IMA.
This issue can be reproduced in the following scenario:
After unloading the SELinux policy module via 'semodule -d', if an IMA
measurement is triggered before ima_lsm_rules is updated,
in ima_match_rules(), the first call to ima_filter_rule_match() returns
-ESTALE. This causes the code to enter the 'if (rc == -ESTALE &&
!rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In
ima_lsm_copy_rule(), since the SELinux module has been removed, the rule
becomes NULL, and the second call to ima_filter_rule_match() returns
-ENOENT. This bypasses the 'if (!rc)' check and results in a false match.
Call trace:
selinux_audit_rule_match+0x310/0x3b8
security_audit_rule_match+0x60/0xa0
ima_match_rules+0x2e4/0x4a0
ima_match_policy+0x9c/0x1e8
ima_get_action+0x48/0x60
process_measurement+0xf8/0xa98
ima_bprm_check+0x98/0xd8
security_bprm_check+0x5c/0x78
search_binary_handler+0x6c/0x318
exec_binprm+0x58/0x1b8
bprm_execve+0xb8/0x130
do_execveat_common.isra.0+0x1a8/0x258
__arm64_sys_execve+0x48/0x68
invoke_syscall+0x50/0x128
el0_svc_common.constprop.0+0xc8/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x44/0x200
el0t_64_sync_handler+0x100/0x130
el0t_64_sync+0x3c8/0x3d0
Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error
codes like -ENOENT do not bypass the check and accidentally result in a
successful match.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4af4662fa4a9dc62289c580337ae2506339c4729 , < d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51
(git)
Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < 88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < cca3e7df3c0f99542033657ba850b9a6d27f8784 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < c2238d487a640ae3511e1b6f4640ab27ce10d7f6 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < de4431faf308d0c533cb386f5fa9af009bc86158 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < 32952c4f4d1b2deb30dce72ba109da808a9018e1 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < 738c9738e690f5cea24a3ad6fd2d9a323cf614f6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "cca3e7df3c0f99542033657ba850b9a6d27f8784",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "c2238d487a640ae3511e1b6f4640ab27ce10d7f6",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "de4431faf308d0c533cb386f5fa9af009bc86158",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "32952c4f4d1b2deb30dce72ba109da808a9018e1",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "738c9738e690f5cea24a3ad6fd2d9a323cf614f6",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Handle error code returned by ima_filter_rule_match()\n\nIn ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to\nthe rule being NULL, the function incorrectly skips the \u0027if (!rc)\u0027 check\nand sets \u0027result = true\u0027. The LSM rule is considered a match, causing\nextra files to be measured by IMA.\n\nThis issue can be reproduced in the following scenario:\nAfter unloading the SELinux policy module via \u0027semodule -d\u0027, if an IMA\nmeasurement is triggered before ima_lsm_rules is updated,\nin ima_match_rules(), the first call to ima_filter_rule_match() returns\n-ESTALE. This causes the code to enter the \u0027if (rc == -ESTALE \u0026\u0026\n!rule_reinitialized)\u0027 block, perform ima_lsm_copy_rule() and retry. In\nima_lsm_copy_rule(), since the SELinux module has been removed, the rule\nbecomes NULL, and the second call to ima_filter_rule_match() returns\n-ENOENT. This bypasses the \u0027if (!rc)\u0027 check and results in a false match.\n\nCall trace:\n selinux_audit_rule_match+0x310/0x3b8\n security_audit_rule_match+0x60/0xa0\n ima_match_rules+0x2e4/0x4a0\n ima_match_policy+0x9c/0x1e8\n ima_get_action+0x48/0x60\n process_measurement+0xf8/0xa98\n ima_bprm_check+0x98/0xd8\n security_bprm_check+0x5c/0x78\n search_binary_handler+0x6c/0x318\n exec_binprm+0x58/0x1b8\n bprm_execve+0xb8/0x130\n do_execveat_common.isra.0+0x1a8/0x258\n __arm64_sys_execve+0x48/0x68\n invoke_syscall+0x50/0x128\n el0_svc_common.constprop.0+0xc8/0xf0\n do_el0_svc+0x24/0x38\n el0_svc+0x44/0x200\n el0t_64_sync_handler+0x100/0x130\n el0t_64_sync+0x3c8/0x3d0\n\nFix this by changing \u0027if (!rc)\u0027 to \u0027if (rc \u003c= 0)\u0027 to ensure that error\ncodes like -ENOENT do not bypass the check and accidentally result in a\nsuccessful match."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:44.070Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51"
},
{
"url": "https://git.kernel.org/stable/c/f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85"
},
{
"url": "https://git.kernel.org/stable/c/88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749"
},
{
"url": "https://git.kernel.org/stable/c/cca3e7df3c0f99542033657ba850b9a6d27f8784"
},
{
"url": "https://git.kernel.org/stable/c/c2238d487a640ae3511e1b6f4640ab27ce10d7f6"
},
{
"url": "https://git.kernel.org/stable/c/de4431faf308d0c533cb386f5fa9af009bc86158"
},
{
"url": "https://git.kernel.org/stable/c/32952c4f4d1b2deb30dce72ba109da808a9018e1"
},
{
"url": "https://git.kernel.org/stable/c/738c9738e690f5cea24a3ad6fd2d9a323cf614f6"
}
],
"title": "ima: Handle error code returned by ima_filter_rule_match()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68740",
"datePublished": "2025-12-24T12:09:37.971Z",
"dateReserved": "2025-12-24T10:30:51.030Z",
"dateUpdated": "2026-02-09T08:32:44.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23019 (GCVE-0-2026-23019)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:39 – Updated: 2026-02-09 08:37
VLAI?
EPSS
Title
net: marvell: prestera: fix NULL dereference on devlink_alloc() failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: marvell: prestera: fix NULL dereference on devlink_alloc() failure
devlink_alloc() may return NULL on allocation failure, but
prestera_devlink_alloc() unconditionally calls devlink_priv() on
the returned pointer.
This leads to a NULL pointer dereference if devlink allocation fails.
Add a check for a NULL devlink pointer and return NULL early to avoid
the crash.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < 8a4333b2818f0d853b43e139936c20659366e4a0
(git)
Affected: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < 325aea74be7e192b5c947c782da23b0d19a5fda2 (git) Affected: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < 94e070cd50790317fba7787ae6006934b7edcb6f (git) Affected: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < 3950054c9512add0cc79ab7e72b6d2f9f675e25b (git) Affected: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < 326a4b7e61d01db3507f71c8bb5e85362f607064 (git) Affected: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < a428e0da1248c353557970848994f35fd3f005e2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/prestera/prestera_devlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8a4333b2818f0d853b43e139936c20659366e4a0",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "325aea74be7e192b5c947c782da23b0d19a5fda2",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "94e070cd50790317fba7787ae6006934b7edcb6f",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "3950054c9512add0cc79ab7e72b6d2f9f675e25b",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "326a4b7e61d01db3507f71c8bb5e85362f607064",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "a428e0da1248c353557970848994f35fd3f005e2",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/prestera/prestera_devlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: fix NULL dereference on devlink_alloc() failure\n\ndevlink_alloc() may return NULL on allocation failure, but\nprestera_devlink_alloc() unconditionally calls devlink_priv() on\nthe returned pointer.\n\nThis leads to a NULL pointer dereference if devlink allocation fails.\nAdd a check for a NULL devlink pointer and return NULL early to avoid\nthe crash."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:12.887Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8a4333b2818f0d853b43e139936c20659366e4a0"
},
{
"url": "https://git.kernel.org/stable/c/325aea74be7e192b5c947c782da23b0d19a5fda2"
},
{
"url": "https://git.kernel.org/stable/c/94e070cd50790317fba7787ae6006934b7edcb6f"
},
{
"url": "https://git.kernel.org/stable/c/3950054c9512add0cc79ab7e72b6d2f9f675e25b"
},
{
"url": "https://git.kernel.org/stable/c/326a4b7e61d01db3507f71c8bb5e85362f607064"
},
{
"url": "https://git.kernel.org/stable/c/a428e0da1248c353557970848994f35fd3f005e2"
}
],
"title": "net: marvell: prestera: fix NULL dereference on devlink_alloc() failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23019",
"datePublished": "2026-01-31T11:39:03.179Z",
"dateReserved": "2026-01-13T15:37:45.940Z",
"dateUpdated": "2026-02-09T08:37:12.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39934 (GCVE-0-2025-39934)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:30 – Updated: 2025-10-04 07:37
VLAI?
EPSS
Title
drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ
If the interrupt occurs before resource initialization is complete, the
interrupt handler/worker may access uninitialized data such as the I2C
tcpc_client device, potentially leading to NULL pointer dereference.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 , < 51a501e990a353a4f15da6bab295b28e5d118f64
(git)
Affected: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 , < f9a089d0a6d537d0f2061c8a37a7de535ce0310e (git) Affected: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 , < 15a77e1ab0a994d69b471c76b8d01117128dda26 (git) Affected: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 , < 0da73f7827691a5e2265b110d5fe12f29535ec92 (git) Affected: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 , < 1a7ea294d57fb61485d11b3f2241d631d73025cb (git) Affected: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 , < a10f910c77f280327b481e77eab909934ec508f0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/analogix/anx7625.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "51a501e990a353a4f15da6bab295b28e5d118f64",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "f9a089d0a6d537d0f2061c8a37a7de535ce0310e",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "15a77e1ab0a994d69b471c76b8d01117128dda26",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "0da73f7827691a5e2265b110d5fe12f29535ec92",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "1a7ea294d57fb61485d11b3f2241d631d73025cb",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "a10f910c77f280327b481e77eab909934ec508f0",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/analogix/anx7625.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge: anx7625: Fix NULL pointer dereference with early IRQ\n\nIf the interrupt occurs before resource initialization is complete, the\ninterrupt handler/worker may access uninitialized data such as the I2C\ntcpc_client device, potentially leading to NULL pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:00.467Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/51a501e990a353a4f15da6bab295b28e5d118f64"
},
{
"url": "https://git.kernel.org/stable/c/f9a089d0a6d537d0f2061c8a37a7de535ce0310e"
},
{
"url": "https://git.kernel.org/stable/c/15a77e1ab0a994d69b471c76b8d01117128dda26"
},
{
"url": "https://git.kernel.org/stable/c/0da73f7827691a5e2265b110d5fe12f29535ec92"
},
{
"url": "https://git.kernel.org/stable/c/1a7ea294d57fb61485d11b3f2241d631d73025cb"
},
{
"url": "https://git.kernel.org/stable/c/a10f910c77f280327b481e77eab909934ec508f0"
}
],
"title": "drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39934",
"datePublished": "2025-10-04T07:30:58.284Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:37:00.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39899 (GCVE-0-2025-39899)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:42 – Updated: 2026-01-14 19:33
VLAI?
EPSS
Title
mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE
With CONFIG_HIGHPTE on 32-bit ARM, move_pages_pte() maps PTE pages using
kmap_local_page(), which requires unmapping in Last-In-First-Out order.
The current code maps dst_pte first, then src_pte, but unmaps them in the
same order (dst_pte, src_pte), violating the LIFO requirement. This
causes the warning in kunmap_local_indexed():
WARNING: CPU: 0 PID: 604 at mm/highmem.c:622 kunmap_local_indexed+0x178/0x17c
addr \!= __fix_to_virt(FIX_KMAP_BEGIN + idx)
Fix this by reversing the unmap order to respect LIFO ordering.
This issue follows the same pattern as similar fixes:
- commit eca6828403b8 ("crypto: skcipher - fix mismatch between mapping and unmapping order")
- commit 8cf57c6df818 ("nilfs2: eliminate staggered calls to kunmap in nilfs_rename")
Both of which addressed the same fundamental requirement that kmap_local
operations must follow LIFO ordering.
Severity ?
5.5 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
adef440691bab824e39c1b17382322d195e1fab0 , < b051f707018967ea8f697d790a1ed8c443f63812
(git)
Affected: adef440691bab824e39c1b17382322d195e1fab0 , < bd1ee62759d0bd4d6b909731c076c230ac89d61e (git) Affected: adef440691bab824e39c1b17382322d195e1fab0 , < 9614d8bee66387501f48718fa306e17f2aa3f2f3 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39899",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:29:05.314319Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:33:14.117Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/userfaultfd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b051f707018967ea8f697d790a1ed8c443f63812",
"status": "affected",
"version": "adef440691bab824e39c1b17382322d195e1fab0",
"versionType": "git"
},
{
"lessThan": "bd1ee62759d0bd4d6b909731c076c230ac89d61e",
"status": "affected",
"version": "adef440691bab824e39c1b17382322d195e1fab0",
"versionType": "git"
},
{
"lessThan": "9614d8bee66387501f48718fa306e17f2aa3f2f3",
"status": "affected",
"version": "adef440691bab824e39c1b17382322d195e1fab0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/userfaultfd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE\n\nWith CONFIG_HIGHPTE on 32-bit ARM, move_pages_pte() maps PTE pages using\nkmap_local_page(), which requires unmapping in Last-In-First-Out order.\n\nThe current code maps dst_pte first, then src_pte, but unmaps them in the\nsame order (dst_pte, src_pte), violating the LIFO requirement. This\ncauses the warning in kunmap_local_indexed():\n\n WARNING: CPU: 0 PID: 604 at mm/highmem.c:622 kunmap_local_indexed+0x178/0x17c\n addr \\!= __fix_to_virt(FIX_KMAP_BEGIN + idx)\n\nFix this by reversing the unmap order to respect LIFO ordering.\n\nThis issue follows the same pattern as similar fixes:\n- commit eca6828403b8 (\"crypto: skcipher - fix mismatch between mapping and unmapping order\")\n- commit 8cf57c6df818 (\"nilfs2: eliminate staggered calls to kunmap in nilfs_rename\")\n\nBoth of which addressed the same fundamental requirement that kmap_local\noperations must follow LIFO ordering."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:47.100Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b051f707018967ea8f697d790a1ed8c443f63812"
},
{
"url": "https://git.kernel.org/stable/c/bd1ee62759d0bd4d6b909731c076c230ac89d61e"
},
{
"url": "https://git.kernel.org/stable/c/9614d8bee66387501f48718fa306e17f2aa3f2f3"
}
],
"title": "mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39899",
"datePublished": "2025-10-01T07:42:47.100Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2026-01-14T19:33:14.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68179 (GCVE-0-2025-68179)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2025-12-16 13:42
VLAI?
EPSS
Title
s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP
As reported by Luiz Capitulino enabling HVO on s390 leads to reproducible
crashes. The problem is that kernel page tables are modified without
flushing corresponding TLB entries.
Even if it looks like the empty flush_tlb_all() implementation on s390 is
the problem, it is actually a different problem: on s390 it is not allowed
to replace an active/valid page table entry with another valid page table
entry without the detour over an invalid entry. A direct replacement may
lead to random crashes and/or data corruption.
In order to invalidate an entry special instructions have to be used
(e.g. ipte or idte). Alternatively there are also special instructions
available which allow to replace a valid entry with a different valid
entry (e.g. crdte or cspg).
Given that the HVO code currently does not provide the hooks to allow for
an implementation which is compliant with the s390 architecture
requirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is
basically a revert of the original patch which enabled it.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
00a34d5a99c0631bd780b14cbe3813d0b39c3886 , < 7088465f10816d9425b95740b37c95f082041d76
(git)
Affected: 00a34d5a99c0631bd780b14cbe3813d0b39c3886 , < 5e23918e4352288323d13fb511116cdea0234b71 (git) Affected: 00a34d5a99c0631bd780b14cbe3813d0b39c3886 , < d4a8238e5729505b7394ccb007e5dc3e557aa66b (git) Affected: 00a34d5a99c0631bd780b14cbe3813d0b39c3886 , < 64e2f60f355e556337fcffe80b9bcff1b22c9c42 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/s390/Kconfig"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7088465f10816d9425b95740b37c95f082041d76",
"status": "affected",
"version": "00a34d5a99c0631bd780b14cbe3813d0b39c3886",
"versionType": "git"
},
{
"lessThan": "5e23918e4352288323d13fb511116cdea0234b71",
"status": "affected",
"version": "00a34d5a99c0631bd780b14cbe3813d0b39c3886",
"versionType": "git"
},
{
"lessThan": "d4a8238e5729505b7394ccb007e5dc3e557aa66b",
"status": "affected",
"version": "00a34d5a99c0631bd780b14cbe3813d0b39c3886",
"versionType": "git"
},
{
"lessThan": "64e2f60f355e556337fcffe80b9bcff1b22c9c42",
"status": "affected",
"version": "00a34d5a99c0631bd780b14cbe3813d0b39c3886",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/s390/Kconfig"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP\n\nAs reported by Luiz Capitulino enabling HVO on s390 leads to reproducible\ncrashes. The problem is that kernel page tables are modified without\nflushing corresponding TLB entries.\n\nEven if it looks like the empty flush_tlb_all() implementation on s390 is\nthe problem, it is actually a different problem: on s390 it is not allowed\nto replace an active/valid page table entry with another valid page table\nentry without the detour over an invalid entry. A direct replacement may\nlead to random crashes and/or data corruption.\n\nIn order to invalidate an entry special instructions have to be used\n(e.g. ipte or idte). Alternatively there are also special instructions\navailable which allow to replace a valid entry with a different valid\nentry (e.g. crdte or cspg).\n\nGiven that the HVO code currently does not provide the hooks to allow for\nan implementation which is compliant with the s390 architecture\nrequirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is\nbasically a revert of the original patch which enabled it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:42:57.817Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7088465f10816d9425b95740b37c95f082041d76"
},
{
"url": "https://git.kernel.org/stable/c/5e23918e4352288323d13fb511116cdea0234b71"
},
{
"url": "https://git.kernel.org/stable/c/d4a8238e5729505b7394ccb007e5dc3e557aa66b"
},
{
"url": "https://git.kernel.org/stable/c/64e2f60f355e556337fcffe80b9bcff1b22c9c42"
}
],
"title": "s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68179",
"datePublished": "2025-12-16T13:42:57.817Z",
"dateReserved": "2025-12-16T13:41:40.251Z",
"dateUpdated": "2025-12-16T13:42:57.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40053 (GCVE-0-2025-40053)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
net: dlink: handle copy_thresh allocation failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dlink: handle copy_thresh allocation failure
The driver did not handle failure of `netdev_alloc_skb_ip_align()`.
If the allocation failed, dereferencing `skb->protocol` could lead to
a NULL pointer dereference.
This patch tries to allocate `skb`. If the allocation fails, it falls
back to the normal path.
Tested-on: D-Link DGE-550T Rev-A3
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 84fd710a704f3d53d4120e452e86cea558cf73a8
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5aa9b885602811a026a3f45c92ea2b4b04c54f09 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9d49e4b14609e1a20d931e718962c4b6b5485174 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ea87151df398d407a632c7bf63013290f01c5009 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7ed5010fef0930f4322d620052edc854ef3ec41f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fd7b6b2c920d7fd370a612be416a904d6e1ebe55 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8169a6011c5fecc6cb1c3654c541c567d3318de8 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/dlink/dl2k.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "84fd710a704f3d53d4120e452e86cea558cf73a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5aa9b885602811a026a3f45c92ea2b4b04c54f09",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d49e4b14609e1a20d931e718962c4b6b5485174",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ea87151df398d407a632c7bf63013290f01c5009",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7ed5010fef0930f4322d620052edc854ef3ec41f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd7b6b2c920d7fd370a612be416a904d6e1ebe55",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8169a6011c5fecc6cb1c3654c541c567d3318de8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/dlink/dl2k.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dlink: handle copy_thresh allocation failure\n\nThe driver did not handle failure of `netdev_alloc_skb_ip_align()`.\nIf the allocation failed, dereferencing `skb-\u003eprotocol` could lead to\na NULL pointer dereference.\n\nThis patch tries to allocate `skb`. If the allocation fails, it falls\nback to the normal path.\n\nTested-on: D-Link DGE-550T Rev-A3"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:00.436Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/84fd710a704f3d53d4120e452e86cea558cf73a8"
},
{
"url": "https://git.kernel.org/stable/c/5aa9b885602811a026a3f45c92ea2b4b04c54f09"
},
{
"url": "https://git.kernel.org/stable/c/9d49e4b14609e1a20d931e718962c4b6b5485174"
},
{
"url": "https://git.kernel.org/stable/c/ea87151df398d407a632c7bf63013290f01c5009"
},
{
"url": "https://git.kernel.org/stable/c/7ed5010fef0930f4322d620052edc854ef3ec41f"
},
{
"url": "https://git.kernel.org/stable/c/fd7b6b2c920d7fd370a612be416a904d6e1ebe55"
},
{
"url": "https://git.kernel.org/stable/c/8169a6011c5fecc6cb1c3654c541c567d3318de8"
}
],
"title": "net: dlink: handle copy_thresh allocation failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40053",
"datePublished": "2025-10-28T11:48:28.444Z",
"dateReserved": "2025-04-16T07:20:57.157Z",
"dateUpdated": "2025-12-01T06:17:00.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40047 (GCVE-0-2025-40047)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
io_uring/waitid: always prune wait queue entry in io_waitid_wait()
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/waitid: always prune wait queue entry in io_waitid_wait()
For a successful return, always remove our entry from the wait queue
entry list. Previously this was skipped if a cancelation was in
progress, but this can race with another invocation of the wait queue
entry callback.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f31ecf671ddc498f20219453395794ff2383e06b , < 696ba6032081e617564a8113a001b8d7943cb928
(git)
Affected: f31ecf671ddc498f20219453395794ff2383e06b , < 3e2205db2f0608898d535da1964e1b376aacfdaa (git) Affected: f31ecf671ddc498f20219453395794ff2383e06b , < 2f8229d53d984c6a05b71ac9e9583d4354e3b91f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/waitid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "696ba6032081e617564a8113a001b8d7943cb928",
"status": "affected",
"version": "f31ecf671ddc498f20219453395794ff2383e06b",
"versionType": "git"
},
{
"lessThan": "3e2205db2f0608898d535da1964e1b376aacfdaa",
"status": "affected",
"version": "f31ecf671ddc498f20219453395794ff2383e06b",
"versionType": "git"
},
{
"lessThan": "2f8229d53d984c6a05b71ac9e9583d4354e3b91f",
"status": "affected",
"version": "f31ecf671ddc498f20219453395794ff2383e06b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/waitid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/waitid: always prune wait queue entry in io_waitid_wait()\n\nFor a successful return, always remove our entry from the wait queue\nentry list. Previously this was skipped if a cancelation was in\nprogress, but this can race with another invocation of the wait queue\nentry callback."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:52.611Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/696ba6032081e617564a8113a001b8d7943cb928"
},
{
"url": "https://git.kernel.org/stable/c/3e2205db2f0608898d535da1964e1b376aacfdaa"
},
{
"url": "https://git.kernel.org/stable/c/2f8229d53d984c6a05b71ac9e9583d4354e3b91f"
}
],
"title": "io_uring/waitid: always prune wait queue entry in io_waitid_wait()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40047",
"datePublished": "2025-10-28T11:48:24.625Z",
"dateReserved": "2025-04-16T07:20:57.156Z",
"dateUpdated": "2025-12-01T06:16:52.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68352 (GCVE-0-2025-68352)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
spi: ch341: fix out-of-bounds memory access in ch341_transfer_one
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: ch341: fix out-of-bounds memory access in ch341_transfer_one
Discovered by Atuin - Automated Vulnerability Discovery Engine.
The 'len' variable is calculated as 'min(32, trans->len + 1)',
which includes the 1-byte command header.
When copying data from 'trans->tx_buf' to 'ch341->tx_buf + 1', using 'len'
as the length is incorrect because:
1. It causes an out-of-bounds read from 'trans->tx_buf' (which has size
'trans->len', i.e., 'len - 1' in this context).
2. It can cause an out-of-bounds write to 'ch341->tx_buf' if 'len' is
CH341_PACKET_LENGTH (32). Writing 32 bytes to ch341->tx_buf + 1
overflows the buffer.
Fix this by copying 'len - 1' bytes.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8846739f52afa07e63395c80227dc544f54bd7b1 , < cad6c0fd6f3c0e76a1f75df4bce3b08a13f08974
(git)
Affected: 8846739f52afa07e63395c80227dc544f54bd7b1 , < ea1e43966cd03098fcd5f0d72e6c2901d45fa08d (git) Affected: 8846739f52afa07e63395c80227dc544f54bd7b1 , < 81841da1f30f66a850cc8796d99ba330aad9d696 (git) Affected: 8846739f52afa07e63395c80227dc544f54bd7b1 , < 545d1287e40a55242f6ab68bcc1ba3b74088b1bc (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-ch341.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cad6c0fd6f3c0e76a1f75df4bce3b08a13f08974",
"status": "affected",
"version": "8846739f52afa07e63395c80227dc544f54bd7b1",
"versionType": "git"
},
{
"lessThan": "ea1e43966cd03098fcd5f0d72e6c2901d45fa08d",
"status": "affected",
"version": "8846739f52afa07e63395c80227dc544f54bd7b1",
"versionType": "git"
},
{
"lessThan": "81841da1f30f66a850cc8796d99ba330aad9d696",
"status": "affected",
"version": "8846739f52afa07e63395c80227dc544f54bd7b1",
"versionType": "git"
},
{
"lessThan": "545d1287e40a55242f6ab68bcc1ba3b74088b1bc",
"status": "affected",
"version": "8846739f52afa07e63395c80227dc544f54bd7b1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-ch341.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: ch341: fix out-of-bounds memory access in ch341_transfer_one\n\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\n\nThe \u0027len\u0027 variable is calculated as \u0027min(32, trans-\u003elen + 1)\u0027,\nwhich includes the 1-byte command header.\n\nWhen copying data from \u0027trans-\u003etx_buf\u0027 to \u0027ch341-\u003etx_buf + 1\u0027, using \u0027len\u0027\nas the length is incorrect because:\n\n1. It causes an out-of-bounds read from \u0027trans-\u003etx_buf\u0027 (which has size\n \u0027trans-\u003elen\u0027, i.e., \u0027len - 1\u0027 in this context).\n2. It can cause an out-of-bounds write to \u0027ch341-\u003etx_buf\u0027 if \u0027len\u0027 is\n CH341_PACKET_LENGTH (32). Writing 32 bytes to ch341-\u003etx_buf + 1\n overflows the buffer.\n\nFix this by copying \u0027len - 1\u0027 bytes."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:47.523Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cad6c0fd6f3c0e76a1f75df4bce3b08a13f08974"
},
{
"url": "https://git.kernel.org/stable/c/ea1e43966cd03098fcd5f0d72e6c2901d45fa08d"
},
{
"url": "https://git.kernel.org/stable/c/81841da1f30f66a850cc8796d99ba330aad9d696"
},
{
"url": "https://git.kernel.org/stable/c/545d1287e40a55242f6ab68bcc1ba3b74088b1bc"
}
],
"title": "spi: ch341: fix out-of-bounds memory access in ch341_transfer_one",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68352",
"datePublished": "2025-12-24T10:32:43.366Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2026-02-09T08:31:47.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40115 (GCVE-0-2025-40115)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()
During mpt3sas_transport_port_remove(), messages were logged with
dev_printk() against &mpt3sas_port->port->dev. At this point the SAS
transport device may already be partially unregistered or freed, leading
to a crash when accessing its struct device.
Using ioc_info(), which logs via the PCI device (ioc->pdev->dev),
guaranteed to remain valid until driver removal.
[83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI
[83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G OE 6.16.0-rc1+ #1 PREEMPT(voluntary)
[83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024
[83428.295799] RIP: 0010:__dev_printk+0x1f/0x70
[83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 <48> 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff
[83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206
[83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32
[83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845
[83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8
[83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000
[83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30
[83428.295833] FS: 00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000
[83428.295837] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0
[83428.295844] PKRU: 55555554
[83428.295846] Call Trace:
[83428.295848] <TASK>
[83428.295850] _dev_printk+0x5c/0x80
[83428.295857] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.295863] mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas]
[83428.295882] _scsih_remove_device+0x21b/0x280 [mpt3sas]
[83428.295894] ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas]
[83428.295906] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.295910] mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas]
[83428.295921] _scsih_expander_node_remove+0x129/0x140 [mpt3sas]
[83428.295933] _scsih_expander_node_remove+0x6a/0x140 [mpt3sas]
[83428.295944] scsih_remove+0x3f0/0x4a0 [mpt3sas]
[83428.295957] pci_device_remove+0x3b/0xb0
[83428.295962] device_release_driver_internal+0x193/0x200
[83428.295968] driver_detach+0x44/0x90
[83428.295971] bus_remove_driver+0x69/0xf0
[83428.295975] pci_unregister_driver+0x2a/0xb0
[83428.295979] _mpt3sas_exit+0x1f/0x300 [mpt3sas]
[83428.295991] __do_sys_delete_module.constprop.0+0x174/0x310
[83428.295997] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.296000] ? __x64_sys_getdents64+0x9a/0x110
[83428.296005] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.296009] ? syscall_trace_enter+0xf6/0x1b0
[83428.296014] do_syscall_64+0x7b/0x2c0
[83428.296019] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.296023] entry_SYSCALL_64_after_hwframe+0x76/0x7e
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f92363d12359498f9a9960511de1a550f0ec41c2 , < b3a6d153861d0f29b80882470d14aafb8d687dc2
(git)
Affected: f92363d12359498f9a9960511de1a550f0ec41c2 , < 4e1442bae50ed633c2fe8058f47cd79b4ad88b9b (git) Affected: f92363d12359498f9a9960511de1a550f0ec41c2 , < a89253eb4e648deace48a4e38996afd182eb95e3 (git) Affected: f92363d12359498f9a9960511de1a550f0ec41c2 , < fa153fb40c61f8ca01237427c97a0b93ba32c403 (git) Affected: f92363d12359498f9a9960511de1a550f0ec41c2 , < 6459dba4f35017448535a799cf699d5205eb5489 (git) Affected: f92363d12359498f9a9960511de1a550f0ec41c2 , < 1fd39e14d47d9b4965dd5c9cff16e64ba3e71a62 (git) Affected: f92363d12359498f9a9960511de1a550f0ec41c2 , < 970ceb1bdc3d6c2af9245d6eca38606e74fcb6b8 (git) Affected: f92363d12359498f9a9960511de1a550f0ec41c2 , < 1703fe4f8ae50d1fb6449854e1fcaed1053e3a14 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpt3sas/mpt3sas_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3a6d153861d0f29b80882470d14aafb8d687dc2",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "4e1442bae50ed633c2fe8058f47cd79b4ad88b9b",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "a89253eb4e648deace48a4e38996afd182eb95e3",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "fa153fb40c61f8ca01237427c97a0b93ba32c403",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "6459dba4f35017448535a799cf699d5205eb5489",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "1fd39e14d47d9b4965dd5c9cff16e64ba3e71a62",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "970ceb1bdc3d6c2af9245d6eca38606e74fcb6b8",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "1703fe4f8ae50d1fb6449854e1fcaed1053e3a14",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpt3sas/mpt3sas_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix crash in transport port remove by using ioc_info()\n\nDuring mpt3sas_transport_port_remove(), messages were logged with\ndev_printk() against \u0026mpt3sas_port-\u003eport-\u003edev. At this point the SAS\ntransport device may already be partially unregistered or freed, leading\nto a crash when accessing its struct device.\n\nUsing ioc_info(), which logs via the PCI device (ioc-\u003epdev-\u003edev),\nguaranteed to remain valid until driver removal.\n\n[83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI\n[83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G OE 6.16.0-rc1+ #1 PREEMPT(voluntary)\n[83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n[83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024\n[83428.295799] RIP: 0010:__dev_printk+0x1f/0x70\n[83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 \u003c48\u003e 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff\n[83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206\n[83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32\n[83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845\n[83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8\n[83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000\n[83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30\n[83428.295833] FS: 00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000\n[83428.295837] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0\n[83428.295844] PKRU: 55555554\n[83428.295846] Call Trace:\n[83428.295848] \u003cTASK\u003e\n[83428.295850] _dev_printk+0x5c/0x80\n[83428.295857] ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.295863] mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas]\n[83428.295882] _scsih_remove_device+0x21b/0x280 [mpt3sas]\n[83428.295894] ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas]\n[83428.295906] ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.295910] mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas]\n[83428.295921] _scsih_expander_node_remove+0x129/0x140 [mpt3sas]\n[83428.295933] _scsih_expander_node_remove+0x6a/0x140 [mpt3sas]\n[83428.295944] scsih_remove+0x3f0/0x4a0 [mpt3sas]\n[83428.295957] pci_device_remove+0x3b/0xb0\n[83428.295962] device_release_driver_internal+0x193/0x200\n[83428.295968] driver_detach+0x44/0x90\n[83428.295971] bus_remove_driver+0x69/0xf0\n[83428.295975] pci_unregister_driver+0x2a/0xb0\n[83428.295979] _mpt3sas_exit+0x1f/0x300 [mpt3sas]\n[83428.295991] __do_sys_delete_module.constprop.0+0x174/0x310\n[83428.295997] ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.296000] ? __x64_sys_getdents64+0x9a/0x110\n[83428.296005] ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.296009] ? syscall_trace_enter+0xf6/0x1b0\n[83428.296014] do_syscall_64+0x7b/0x2c0\n[83428.296019] ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.296023] entry_SYSCALL_64_after_hwframe+0x76/0x7e"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:18.399Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3a6d153861d0f29b80882470d14aafb8d687dc2"
},
{
"url": "https://git.kernel.org/stable/c/4e1442bae50ed633c2fe8058f47cd79b4ad88b9b"
},
{
"url": "https://git.kernel.org/stable/c/a89253eb4e648deace48a4e38996afd182eb95e3"
},
{
"url": "https://git.kernel.org/stable/c/fa153fb40c61f8ca01237427c97a0b93ba32c403"
},
{
"url": "https://git.kernel.org/stable/c/6459dba4f35017448535a799cf699d5205eb5489"
},
{
"url": "https://git.kernel.org/stable/c/1fd39e14d47d9b4965dd5c9cff16e64ba3e71a62"
},
{
"url": "https://git.kernel.org/stable/c/970ceb1bdc3d6c2af9245d6eca38606e74fcb6b8"
},
{
"url": "https://git.kernel.org/stable/c/1703fe4f8ae50d1fb6449854e1fcaed1053e3a14"
}
],
"title": "scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40115",
"datePublished": "2025-11-12T10:23:17.283Z",
"dateReserved": "2025-04-16T07:20:57.168Z",
"dateUpdated": "2025-12-01T06:18:18.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68257 (GCVE-0-2025-68257)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:44 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
comedi: check device's attached status in compat ioctls
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: check device's attached status in compat ioctls
Syzbot identified an issue [1] that crashes kernel, seemingly due to
unexistent callback dev->get_valid_routes(). By all means, this should
not occur as said callback must always be set to
get_zero_valid_routes() in __comedi_device_postconfig().
As the crash seems to appear exclusively in i386 kernels, at least,
judging from [1] reports, the blame lies with compat versions
of standard IOCTL handlers. Several of them are modified and
do not use comedi_unlocked_ioctl(). While functionality of these
ioctls essentially copy their original versions, they do not
have required sanity check for device's attached status. This,
in turn, leads to a possibility of calling select IOCTLs on a
device that has not been properly setup, even via COMEDI_DEVCONFIG.
Doing so on unconfigured devices means that several crucial steps
are missed, for instance, specifying dev->get_valid_routes()
callback.
Fix this somewhat crudely by ensuring device's attached status before
performing any ioctls, improving logic consistency between modern
and compat functions.
[1] Syzbot report:
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0
Call Trace:
<TASK>
get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline]
parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401
do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594
compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline]
comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273
__do_compat_sys_ioctl fs/ioctl.c:695 [inline]
__se_compat_sys_ioctl fs/ioctl.c:638 [inline]
__ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
...
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3fbfd2223a271426509830e6340c386a1054cfad , < 4836ba483a22ebd076c8faaf8293a7295fad4142
(git)
Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < 7141915bf0c41cb57d83cdbaf695b8c731b16b71 (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < f13895c03620933a58907e3250016f087e39b78c (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < b975f91de5f8f63cf490f0393775cc795f8b0557 (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < f6e629dfe6f590091c662a87c9fcf118b1c1c7dc (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < 573b07d2e3d473ee7eb625ef87519922cf01168d (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < aac80e912de306815297a3b74f0426873ffa7dc3 (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < 0de7d9cd07a2671fa6089173bccc0b2afe6b93ee (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_fops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4836ba483a22ebd076c8faaf8293a7295fad4142",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "7141915bf0c41cb57d83cdbaf695b8c731b16b71",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "f13895c03620933a58907e3250016f087e39b78c",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "b975f91de5f8f63cf490f0393775cc795f8b0557",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "f6e629dfe6f590091c662a87c9fcf118b1c1c7dc",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "573b07d2e3d473ee7eb625ef87519922cf01168d",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "aac80e912de306815297a3b74f0426873ffa7dc3",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "0de7d9cd07a2671fa6089173bccc0b2afe6b93ee",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_fops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: check device\u0027s attached status in compat ioctls\n\nSyzbot identified an issue [1] that crashes kernel, seemingly due to\nunexistent callback dev-\u003eget_valid_routes(). By all means, this should\nnot occur as said callback must always be set to\nget_zero_valid_routes() in __comedi_device_postconfig().\n\nAs the crash seems to appear exclusively in i386 kernels, at least,\njudging from [1] reports, the blame lies with compat versions\nof standard IOCTL handlers. Several of them are modified and\ndo not use comedi_unlocked_ioctl(). While functionality of these\nioctls essentially copy their original versions, they do not\nhave required sanity check for device\u0027s attached status. This,\nin turn, leads to a possibility of calling select IOCTLs on a\ndevice that has not been properly setup, even via COMEDI_DEVCONFIG.\n\nDoing so on unconfigured devices means that several crucial steps\nare missed, for instance, specifying dev-\u003eget_valid_routes()\ncallback.\n\nFix this somewhat crudely by ensuring device\u0027s attached status before\nperforming any ioctls, improving logic consistency between modern\nand compat functions.\n\n[1] Syzbot report:\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n...\nCR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline]\n parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401\n do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594\n compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline]\n comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273\n __do_compat_sys_ioctl fs/ioctl.c:695 [inline]\n __se_compat_sys_ioctl fs/ioctl.c:638 [inline]\n __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n..."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:10.507Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4836ba483a22ebd076c8faaf8293a7295fad4142"
},
{
"url": "https://git.kernel.org/stable/c/7141915bf0c41cb57d83cdbaf695b8c731b16b71"
},
{
"url": "https://git.kernel.org/stable/c/f13895c03620933a58907e3250016f087e39b78c"
},
{
"url": "https://git.kernel.org/stable/c/b975f91de5f8f63cf490f0393775cc795f8b0557"
},
{
"url": "https://git.kernel.org/stable/c/f6e629dfe6f590091c662a87c9fcf118b1c1c7dc"
},
{
"url": "https://git.kernel.org/stable/c/573b07d2e3d473ee7eb625ef87519922cf01168d"
},
{
"url": "https://git.kernel.org/stable/c/aac80e912de306815297a3b74f0426873ffa7dc3"
},
{
"url": "https://git.kernel.org/stable/c/0de7d9cd07a2671fa6089173bccc0b2afe6b93ee"
}
],
"title": "comedi: check device\u0027s attached status in compat ioctls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68257",
"datePublished": "2025-12-16T14:44:59.535Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-02-09T08:31:10.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68194 (GCVE-0-2025-68194)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
media: imon: make send_packet() more robust
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: imon: make send_packet() more robust
syzbot is reporting that imon has three problems which result in
hung tasks due to forever holding device lock [1].
First problem is that when usb_rx_callback_intf0() once got -EPROTO error
after ictx->dev_present_intf0 became true, usb_rx_callback_intf0()
resubmits urb after printk(), and resubmitted urb causes
usb_rx_callback_intf0() to again get -EPROTO error. This results in
printk() flooding (RCU stalls).
Alan Stern commented [2] that
In theory it's okay to resubmit _if_ the driver has a robust
error-recovery scheme (such as giving up after some fixed limit on the
number of errors or after some fixed time has elapsed, perhaps with a
time delay to prevent a flood of errors). Most drivers don't bother to
do this; they simply give up right away. This makes them more
vulnerable to short-term noise interference during USB transfers, but in
reality such interference is quite rare. There's nothing really wrong
with giving up right away.
but imon has a poor error-recovery scheme which just retries forever;
this behavior should be fixed.
Since I'm not sure whether it is safe for imon users to give up upon any
error code, this patch takes care of only union of error codes chosen from
modules in drivers/media/rc/ directory which handle -EPROTO error (i.e.
ir_toy, mceusb and igorplugusb).
Second problem is that when usb_rx_callback_intf0() once got -EPROTO error
before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always
resubmits urb due to commit 8791d63af0cf ("[media] imon: don't wedge
hardware after early callbacks"). Move the ictx->dev_present_intf0 test
introduced by commit 6f6b90c9231a ("[media] imon: don't parse scancodes
until intf configured") to immediately before imon_incoming_packet(), or
the first problem explained above happens without printk() flooding (i.e.
hung task).
Third problem is that when usb_rx_callback_intf0() is not called for some
reason (e.g. flaky hardware; the reproducer for this problem sometimes
prevents usb_rx_callback_intf0() from being called),
wait_for_completion_interruptible() in send_packet() never returns (i.e.
hung task). As a workaround for such situation, change send_packet() to
wait for completion with timeout of 10 seconds.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
21677cfc562a27e099719d413287bc8d1d24deb7 , < 519737af11c03590819a6eec2ad532cfdb87ea63
(git)
Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < f58ab83b7b7133e6baefe03a46846c4f6ce45e2f (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 26f6a1dd5d81ad61a875a747698da6f27abf389b (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 667afd4681781f60a644cd0d2ee6c59cb1c36208 (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 8231e80118463be5598daaf266c1c83650f1948b (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 0213e4175abbb9dfcbf7c197e3817d527f459ad5 (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < f7f3ecb4934fff782fa9bb1cd16e2290c041b22d (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < eecd203ada43a4693ce6fdd3a58ae10c7819252c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/rc/imon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "519737af11c03590819a6eec2ad532cfdb87ea63",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "f58ab83b7b7133e6baefe03a46846c4f6ce45e2f",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "26f6a1dd5d81ad61a875a747698da6f27abf389b",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "667afd4681781f60a644cd0d2ee6c59cb1c36208",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "8231e80118463be5598daaf266c1c83650f1948b",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "0213e4175abbb9dfcbf7c197e3817d527f459ad5",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "f7f3ecb4934fff782fa9bb1cd16e2290c041b22d",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "eecd203ada43a4693ce6fdd3a58ae10c7819252c",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/rc/imon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imon: make send_packet() more robust\n\nsyzbot is reporting that imon has three problems which result in\nhung tasks due to forever holding device lock [1].\n\nFirst problem is that when usb_rx_callback_intf0() once got -EPROTO error\nafter ictx-\u003edev_present_intf0 became true, usb_rx_callback_intf0()\nresubmits urb after printk(), and resubmitted urb causes\nusb_rx_callback_intf0() to again get -EPROTO error. This results in\nprintk() flooding (RCU stalls).\n\nAlan Stern commented [2] that\n\n In theory it\u0027s okay to resubmit _if_ the driver has a robust\n error-recovery scheme (such as giving up after some fixed limit on the\n number of errors or after some fixed time has elapsed, perhaps with a\n time delay to prevent a flood of errors). Most drivers don\u0027t bother to\n do this; they simply give up right away. This makes them more\n vulnerable to short-term noise interference during USB transfers, but in\n reality such interference is quite rare. There\u0027s nothing really wrong\n with giving up right away.\n\nbut imon has a poor error-recovery scheme which just retries forever;\nthis behavior should be fixed.\n\nSince I\u0027m not sure whether it is safe for imon users to give up upon any\nerror code, this patch takes care of only union of error codes chosen from\nmodules in drivers/media/rc/ directory which handle -EPROTO error (i.e.\nir_toy, mceusb and igorplugusb).\n\nSecond problem is that when usb_rx_callback_intf0() once got -EPROTO error\nbefore ictx-\u003edev_present_intf0 becomes true, usb_rx_callback_intf0() always\nresubmits urb due to commit 8791d63af0cf (\"[media] imon: don\u0027t wedge\nhardware after early callbacks\"). Move the ictx-\u003edev_present_intf0 test\nintroduced by commit 6f6b90c9231a (\"[media] imon: don\u0027t parse scancodes\nuntil intf configured\") to immediately before imon_incoming_packet(), or\nthe first problem explained above happens without printk() flooding (i.e.\nhung task).\n\nThird problem is that when usb_rx_callback_intf0() is not called for some\nreason (e.g. flaky hardware; the reproducer for this problem sometimes\nprevents usb_rx_callback_intf0() from being called),\nwait_for_completion_interruptible() in send_packet() never returns (i.e.\nhung task). As a workaround for such situation, change send_packet() to\nwait for completion with timeout of 10 seconds."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:22.965Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/519737af11c03590819a6eec2ad532cfdb87ea63"
},
{
"url": "https://git.kernel.org/stable/c/f58ab83b7b7133e6baefe03a46846c4f6ce45e2f"
},
{
"url": "https://git.kernel.org/stable/c/26f6a1dd5d81ad61a875a747698da6f27abf389b"
},
{
"url": "https://git.kernel.org/stable/c/667afd4681781f60a644cd0d2ee6c59cb1c36208"
},
{
"url": "https://git.kernel.org/stable/c/8231e80118463be5598daaf266c1c83650f1948b"
},
{
"url": "https://git.kernel.org/stable/c/0213e4175abbb9dfcbf7c197e3817d527f459ad5"
},
{
"url": "https://git.kernel.org/stable/c/f7f3ecb4934fff782fa9bb1cd16e2290c041b22d"
},
{
"url": "https://git.kernel.org/stable/c/eecd203ada43a4693ce6fdd3a58ae10c7819252c"
}
],
"title": "media: imon: make send_packet() more robust",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68194",
"datePublished": "2025-12-16T13:43:20.525Z",
"dateReserved": "2025-12-16T13:41:40.253Z",
"dateUpdated": "2026-01-02T15:34:22.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68819 (GCVE-0-2025-68819)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
rlen value is a user-controlled value, but dtv5100_i2c_msg() does not
check the size of the rlen value. Therefore, if it is set to a value
larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data.
Therefore, we need to add proper range checking to prevent this vuln.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < c2c293ea7b61f12cdaad1e99a5b4efc58c88960a
(git)
Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < c2305b4c5fc15e20ac06c35738e0578eb4323750 (git) Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < 61f214a878e96e2a8750bf96a98f78c658dba60c (git) Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < 4a54d8fcb093761e4c56eb211cf4e39bf8401fa1 (git) Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < fe3e129ab49806aaaa3f22067ebc75c2dfbe4658 (git) Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < ac92151ff2494130d9fc686055d6bbb9743a673e (git) Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < b91e6aafe8d356086cc621bc03e35ba2299e4788 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb/dtv5100.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c2c293ea7b61f12cdaad1e99a5b4efc58c88960a",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "c2305b4c5fc15e20ac06c35738e0578eb4323750",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "61f214a878e96e2a8750bf96a98f78c658dba60c",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "4a54d8fcb093761e4c56eb211cf4e39bf8401fa1",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "fe3e129ab49806aaaa3f22067ebc75c2dfbe4658",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "ac92151ff2494130d9fc686055d6bbb9743a673e",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "b91e6aafe8d356086cc621bc03e35ba2299e4788",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb/dtv5100.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()\n\nrlen value is a user-controlled value, but dtv5100_i2c_msg() does not\ncheck the size of the rlen value. Therefore, if it is set to a value\nlarger than sizeof(st-\u003edata), an out-of-bounds vuln occurs for st-\u003edata.\n\nTherefore, we need to add proper range checking to prevent this vuln."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:09.266Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c2c293ea7b61f12cdaad1e99a5b4efc58c88960a"
},
{
"url": "https://git.kernel.org/stable/c/c2305b4c5fc15e20ac06c35738e0578eb4323750"
},
{
"url": "https://git.kernel.org/stable/c/61f214a878e96e2a8750bf96a98f78c658dba60c"
},
{
"url": "https://git.kernel.org/stable/c/4a54d8fcb093761e4c56eb211cf4e39bf8401fa1"
},
{
"url": "https://git.kernel.org/stable/c/fe3e129ab49806aaaa3f22067ebc75c2dfbe4658"
},
{
"url": "https://git.kernel.org/stable/c/ac92151ff2494130d9fc686055d6bbb9743a673e"
},
{
"url": "https://git.kernel.org/stable/c/b91e6aafe8d356086cc621bc03e35ba2299e4788"
}
],
"title": "media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68819",
"datePublished": "2026-01-13T15:29:22.695Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-02-09T08:34:09.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68751 (GCVE-0-2025-68751)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
s390/fpu: Fix false-positive kmsan report in fpu_vstl()
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/fpu: Fix false-positive kmsan report in fpu_vstl()
A false-positive kmsan report is detected when running ping command.
An inline assembly instruction 'vstl' can write varied amount of bytes
depending on value of 'index' argument. If 'index' > 0, 'vstl' writes
at least 2 bytes.
clang generates kmsan write helper call depending on inline assembly
constraints. Constraints are evaluated compile-time, but value of
'index' argument is known only at runtime.
clang currently generates call to __msan_instrument_asm_store with 1 byte
as size. Manually call kmsan function to indicate correct amount of bytes
written and fix false-positive report.
This change fixes following kmsan reports:
[ 36.563119] =====================================================
[ 36.563594] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70
[ 36.563852] virtqueue_add+0x35c6/0x7c70
[ 36.564016] virtqueue_add_outbuf+0xa0/0xb0
[ 36.564266] start_xmit+0x288c/0x4a20
[ 36.564460] dev_hard_start_xmit+0x302/0x900
[ 36.564649] sch_direct_xmit+0x340/0xea0
[ 36.564894] __dev_queue_xmit+0x2e94/0x59b0
[ 36.565058] neigh_resolve_output+0x936/0xb40
[ 36.565278] __neigh_update+0x2f66/0x3a60
[ 36.565499] neigh_update+0x52/0x60
[ 36.565683] arp_process+0x1588/0x2de0
[ 36.565916] NF_HOOK+0x1da/0x240
[ 36.566087] arp_rcv+0x3e4/0x6e0
[ 36.566306] __netif_receive_skb_list_core+0x1374/0x15a0
[ 36.566527] netif_receive_skb_list_internal+0x1116/0x17d0
[ 36.566710] napi_complete_done+0x376/0x740
[ 36.566918] virtnet_poll+0x1bae/0x2910
[ 36.567130] __napi_poll+0xf4/0x830
[ 36.567294] net_rx_action+0x97c/0x1ed0
[ 36.567556] handle_softirqs+0x306/0xe10
[ 36.567731] irq_exit_rcu+0x14c/0x2e0
[ 36.567910] do_io_irq+0xd4/0x120
[ 36.568139] io_int_handler+0xc2/0xe8
[ 36.568299] arch_cpu_idle+0xb0/0xc0
[ 36.568540] arch_cpu_idle+0x76/0xc0
[ 36.568726] default_idle_call+0x40/0x70
[ 36.568953] do_idle+0x1d6/0x390
[ 36.569486] cpu_startup_entry+0x9a/0xb0
[ 36.569745] rest_init+0x1ea/0x290
[ 36.570029] start_kernel+0x95e/0xb90
[ 36.570348] startup_continue+0x2e/0x40
[ 36.570703]
[ 36.570798] Uninit was created at:
[ 36.571002] kmem_cache_alloc_node_noprof+0x9e8/0x10e0
[ 36.571261] kmalloc_reserve+0x12a/0x470
[ 36.571553] __alloc_skb+0x310/0x860
[ 36.571844] __ip_append_data+0x483e/0x6a30
[ 36.572170] ip_append_data+0x11c/0x1e0
[ 36.572477] raw_sendmsg+0x1c8c/0x2180
[ 36.572818] inet_sendmsg+0xe6/0x190
[ 36.573142] __sys_sendto+0x55e/0x8e0
[ 36.573392] __s390x_sys_socketcall+0x19ae/0x2ba0
[ 36.573571] __do_syscall+0x12e/0x240
[ 36.573823] system_call+0x6e/0x90
[ 36.573976]
[ 36.574017] Byte 35 of 98 is uninitialized
[ 36.574082] Memory access of size 98 starts at 0000000007aa0012
[ 36.574218]
[ 36.574325] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.17.0-dirty #16 NONE
[ 36.574541] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 36.574617] Hardware name: IBM 3931 A01 703 (KVM/Linux)
[ 36.574755] =====================================================
[ 63.532541] =====================================================
[ 63.533639] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70
[ 63.533989] virtqueue_add+0x35c6/0x7c70
[ 63.534940] virtqueue_add_outbuf+0xa0/0xb0
[ 63.535861] start_xmit+0x288c/0x4a20
[ 63.536708] dev_hard_start_xmit+0x302/0x900
[ 63.537020] sch_direct_xmit+0x340/0xea0
[ 63.537997] __dev_queue_xmit+0x2e94/0x59b0
[ 63.538819] neigh_resolve_output+0x936/0xb40
[ 63.539793] ip_finish_output2+0x1ee2/0x2200
[ 63.540784] __ip_finish_output+0x272/0x7a0
[ 63.541765] ip_finish_output+0x4e/0x5e0
[ 63.542791] ip_output+0x166/0x410
[ 63.543771] ip_push_pending_frames+0x1a2/0x470
[ 63.544753] raw_sendmsg+0x1f06/0x2180
[ 63.545033] inet_sendmsg+0xe6/0x190
[ 63.546006] __sys_sendto+0x55e/0x8e0
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
dcd3e1de9d17dc43dfed87a9fc814b9dec508043 , < 946357a538bb47740635c25520924351d2d91544
(git)
Affected: dcd3e1de9d17dc43dfed87a9fc814b9dec508043 , < 13dcd6308cb8f67134ee5d5d762b2a66363c695b (git) Affected: dcd3e1de9d17dc43dfed87a9fc814b9dec508043 , < 14e4e4175b64dd9216b522f6ece8af6997d063b2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/s390/include/asm/fpu-insn.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "946357a538bb47740635c25520924351d2d91544",
"status": "affected",
"version": "dcd3e1de9d17dc43dfed87a9fc814b9dec508043",
"versionType": "git"
},
{
"lessThan": "13dcd6308cb8f67134ee5d5d762b2a66363c695b",
"status": "affected",
"version": "dcd3e1de9d17dc43dfed87a9fc814b9dec508043",
"versionType": "git"
},
{
"lessThan": "14e4e4175b64dd9216b522f6ece8af6997d063b2",
"status": "affected",
"version": "dcd3e1de9d17dc43dfed87a9fc814b9dec508043",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/s390/include/asm/fpu-insn.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/fpu: Fix false-positive kmsan report in fpu_vstl()\n\nA false-positive kmsan report is detected when running ping command.\n\nAn inline assembly instruction \u0027vstl\u0027 can write varied amount of bytes\ndepending on value of \u0027index\u0027 argument. If \u0027index\u0027 \u003e 0, \u0027vstl\u0027 writes\nat least 2 bytes.\n\nclang generates kmsan write helper call depending on inline assembly\nconstraints. Constraints are evaluated compile-time, but value of\n\u0027index\u0027 argument is known only at runtime.\n\nclang currently generates call to __msan_instrument_asm_store with 1 byte\nas size. Manually call kmsan function to indicate correct amount of bytes\nwritten and fix false-positive report.\n\nThis change fixes following kmsan reports:\n\n[ 36.563119] =====================================================\n[ 36.563594] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70\n[ 36.563852] virtqueue_add+0x35c6/0x7c70\n[ 36.564016] virtqueue_add_outbuf+0xa0/0xb0\n[ 36.564266] start_xmit+0x288c/0x4a20\n[ 36.564460] dev_hard_start_xmit+0x302/0x900\n[ 36.564649] sch_direct_xmit+0x340/0xea0\n[ 36.564894] __dev_queue_xmit+0x2e94/0x59b0\n[ 36.565058] neigh_resolve_output+0x936/0xb40\n[ 36.565278] __neigh_update+0x2f66/0x3a60\n[ 36.565499] neigh_update+0x52/0x60\n[ 36.565683] arp_process+0x1588/0x2de0\n[ 36.565916] NF_HOOK+0x1da/0x240\n[ 36.566087] arp_rcv+0x3e4/0x6e0\n[ 36.566306] __netif_receive_skb_list_core+0x1374/0x15a0\n[ 36.566527] netif_receive_skb_list_internal+0x1116/0x17d0\n[ 36.566710] napi_complete_done+0x376/0x740\n[ 36.566918] virtnet_poll+0x1bae/0x2910\n[ 36.567130] __napi_poll+0xf4/0x830\n[ 36.567294] net_rx_action+0x97c/0x1ed0\n[ 36.567556] handle_softirqs+0x306/0xe10\n[ 36.567731] irq_exit_rcu+0x14c/0x2e0\n[ 36.567910] do_io_irq+0xd4/0x120\n[ 36.568139] io_int_handler+0xc2/0xe8\n[ 36.568299] arch_cpu_idle+0xb0/0xc0\n[ 36.568540] arch_cpu_idle+0x76/0xc0\n[ 36.568726] default_idle_call+0x40/0x70\n[ 36.568953] do_idle+0x1d6/0x390\n[ 36.569486] cpu_startup_entry+0x9a/0xb0\n[ 36.569745] rest_init+0x1ea/0x290\n[ 36.570029] start_kernel+0x95e/0xb90\n[ 36.570348] startup_continue+0x2e/0x40\n[ 36.570703]\n[ 36.570798] Uninit was created at:\n[ 36.571002] kmem_cache_alloc_node_noprof+0x9e8/0x10e0\n[ 36.571261] kmalloc_reserve+0x12a/0x470\n[ 36.571553] __alloc_skb+0x310/0x860\n[ 36.571844] __ip_append_data+0x483e/0x6a30\n[ 36.572170] ip_append_data+0x11c/0x1e0\n[ 36.572477] raw_sendmsg+0x1c8c/0x2180\n[ 36.572818] inet_sendmsg+0xe6/0x190\n[ 36.573142] __sys_sendto+0x55e/0x8e0\n[ 36.573392] __s390x_sys_socketcall+0x19ae/0x2ba0\n[ 36.573571] __do_syscall+0x12e/0x240\n[ 36.573823] system_call+0x6e/0x90\n[ 36.573976]\n[ 36.574017] Byte 35 of 98 is uninitialized\n[ 36.574082] Memory access of size 98 starts at 0000000007aa0012\n[ 36.574218]\n[ 36.574325] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.17.0-dirty #16 NONE\n[ 36.574541] Tainted: [B]=BAD_PAGE, [N]=TEST\n[ 36.574617] Hardware name: IBM 3931 A01 703 (KVM/Linux)\n[ 36.574755] =====================================================\n\n[ 63.532541] =====================================================\n[ 63.533639] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70\n[ 63.533989] virtqueue_add+0x35c6/0x7c70\n[ 63.534940] virtqueue_add_outbuf+0xa0/0xb0\n[ 63.535861] start_xmit+0x288c/0x4a20\n[ 63.536708] dev_hard_start_xmit+0x302/0x900\n[ 63.537020] sch_direct_xmit+0x340/0xea0\n[ 63.537997] __dev_queue_xmit+0x2e94/0x59b0\n[ 63.538819] neigh_resolve_output+0x936/0xb40\n[ 63.539793] ip_finish_output2+0x1ee2/0x2200\n[ 63.540784] __ip_finish_output+0x272/0x7a0\n[ 63.541765] ip_finish_output+0x4e/0x5e0\n[ 63.542791] ip_output+0x166/0x410\n[ 63.543771] ip_push_pending_frames+0x1a2/0x470\n[ 63.544753] raw_sendmsg+0x1f06/0x2180\n[ 63.545033] inet_sendmsg+0xe6/0x190\n[ 63.546006] __sys_sendto+0x55e/0x8e0\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:55.231Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/946357a538bb47740635c25520924351d2d91544"
},
{
"url": "https://git.kernel.org/stable/c/13dcd6308cb8f67134ee5d5d762b2a66363c695b"
},
{
"url": "https://git.kernel.org/stable/c/14e4e4175b64dd9216b522f6ece8af6997d063b2"
}
],
"title": "s390/fpu: Fix false-positive kmsan report in fpu_vstl()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68751",
"datePublished": "2026-01-05T09:32:25.534Z",
"dateReserved": "2025-12-24T10:30:51.032Z",
"dateUpdated": "2026-02-09T08:32:55.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68292 (GCVE-0-2025-68292)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
mm/memfd: fix information leak in hugetlb folios
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/memfd: fix information leak in hugetlb folios
When allocating hugetlb folios for memfd, three initialization steps are
missing:
1. Folios are not zeroed, leading to kernel memory disclosure to userspace
2. Folios are not marked uptodate before adding to page cache
3. hugetlb_fault_mutex is not taken before hugetlb_add_to_page_cache()
The memfd allocation path bypasses the normal page fault handler
(hugetlb_no_page) which would handle all of these initialization steps.
This is problematic especially for udmabuf use cases where folios are
pinned and directly accessed by userspace via DMA.
Fix by matching the initialization pattern used in hugetlb_no_page():
- Zero the folio using folio_zero_user() which is optimized for huge pages
- Mark it uptodate with folio_mark_uptodate()
- Take hugetlb_fault_mutex before adding to page cache to prevent races
The folio_zero_user() change also fixes a potential security issue where
uninitialized kernel memory could be disclosed to userspace through read()
or mmap() operations on the memfd.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
89c1905d9c140372b7f50ef48f42378cf85d9bc5 , < 50b4c1c28733a536d637d2f0401d60bcfef60ef2
(git)
Affected: 89c1905d9c140372b7f50ef48f42378cf85d9bc5 , < b09d7c4dc642849d9a96753233c6d00364017fd6 (git) Affected: 89c1905d9c140372b7f50ef48f42378cf85d9bc5 , < de8798965fd0d9a6c47fc2ac57767ec32de12b49 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/memfd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "50b4c1c28733a536d637d2f0401d60bcfef60ef2",
"status": "affected",
"version": "89c1905d9c140372b7f50ef48f42378cf85d9bc5",
"versionType": "git"
},
{
"lessThan": "b09d7c4dc642849d9a96753233c6d00364017fd6",
"status": "affected",
"version": "89c1905d9c140372b7f50ef48f42378cf85d9bc5",
"versionType": "git"
},
{
"lessThan": "de8798965fd0d9a6c47fc2ac57767ec32de12b49",
"status": "affected",
"version": "89c1905d9c140372b7f50ef48f42378cf85d9bc5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/memfd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memfd: fix information leak in hugetlb folios\n\nWhen allocating hugetlb folios for memfd, three initialization steps are\nmissing:\n\n1. Folios are not zeroed, leading to kernel memory disclosure to userspace\n2. Folios are not marked uptodate before adding to page cache\n3. hugetlb_fault_mutex is not taken before hugetlb_add_to_page_cache()\n\nThe memfd allocation path bypasses the normal page fault handler\n(hugetlb_no_page) which would handle all of these initialization steps. \nThis is problematic especially for udmabuf use cases where folios are\npinned and directly accessed by userspace via DMA.\n\nFix by matching the initialization pattern used in hugetlb_no_page():\n- Zero the folio using folio_zero_user() which is optimized for huge pages\n- Mark it uptodate with folio_mark_uptodate()\n- Take hugetlb_fault_mutex before adding to page cache to prevent races\n\nThe folio_zero_user() change also fixes a potential security issue where\nuninitialized kernel memory could be disclosed to userspace through read()\nor mmap() operations on the memfd."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:12.772Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/50b4c1c28733a536d637d2f0401d60bcfef60ef2"
},
{
"url": "https://git.kernel.org/stable/c/b09d7c4dc642849d9a96753233c6d00364017fd6"
},
{
"url": "https://git.kernel.org/stable/c/de8798965fd0d9a6c47fc2ac57767ec32de12b49"
}
],
"title": "mm/memfd: fix information leak in hugetlb folios",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68292",
"datePublished": "2025-12-16T15:06:12.772Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-16T15:06:12.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39987 (GCVE-0-2025-39987)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:56 – Updated: 2025-10-15 07:56
VLAI?
EPSS
Title
can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the sun4i_can driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))
to inject a malicious CAN XL frames. For example:
struct canxl_frame frame = {
.flags = 0xff,
.len = 2048,
};
The CAN drivers' xmit() function are calling can_dev_dropped_skb() to
check that the skb is valid, unfortunately under above conditions, the
malicious packet is able to go through can_dev_dropped_skb() checks:
1. the skb->protocol is set to ETH_P_CANXL which is valid (the
function does not check the actual device capabilities).
2. the length is a valid CAN XL length.
And so, hi3110_hard_start_xmit() receives a CAN XL frame which it is
not able to correctly handle and will thus misinterpret it as a CAN
frame. The driver will consume frame->len as-is with no further
checks.
This can result in a buffer overflow later on in hi3110_hw_tx() on
this line:
memcpy(buf + HI3110_FIFO_EXT_DATA_OFF,
frame->data, frame->len);
Here, frame->len corresponds to the flags field of the CAN XL frame.
In our previous example, we set canxl_frame->flags to 0xff. Because
the maximum expected length is 8, a buffer overflow of 247 bytes
occurs!
Populate net_device_ops->ndo_change_mtu() to ensure that the
interface's MTU can not be set to anything bigger than CAN_MTU. By
fixing the root cause, this prevents the buffer overflow.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
57e83fb9b7468c75cb65cde1d23043553c346c6d , < f2c247e9581024d8b3dd44cbe086bf2bebbef42c
(git)
Affected: 57e83fb9b7468c75cb65cde1d23043553c346c6d , < 8f351db6b2367991f0736b2cff082f5de4872113 (git) Affected: 57e83fb9b7468c75cb65cde1d23043553c346c6d , < 7ab85762274c0fa997f0ef9a2307b2001aae43c4 (git) Affected: 57e83fb9b7468c75cb65cde1d23043553c346c6d , < 57d332ce8c921d0e340650470bb0c1d707f216ee (git) Affected: 57e83fb9b7468c75cb65cde1d23043553c346c6d , < be1b25005fd0f9d4e78bec6695711ef87ee33398 (git) Affected: 57e83fb9b7468c75cb65cde1d23043553c346c6d , < def814b4ba31b563584061d6895d5ff447d5bc14 (git) Affected: 57e83fb9b7468c75cb65cde1d23043553c346c6d , < e77fdf9e33a83a08f04ab0cb68c19ddb365a622f (git) Affected: 57e83fb9b7468c75cb65cde1d23043553c346c6d , < ac1c7656fa717f29fac3ea073af63f0b9919ec9a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/spi/hi311x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f2c247e9581024d8b3dd44cbe086bf2bebbef42c",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "8f351db6b2367991f0736b2cff082f5de4872113",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "7ab85762274c0fa997f0ef9a2307b2001aae43c4",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "57d332ce8c921d0e340650470bb0c1d707f216ee",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "be1b25005fd0f9d4e78bec6695711ef87ee33398",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "def814b4ba31b563584061d6895d5ff447d5bc14",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "e77fdf9e33a83a08f04ab0cb68c19ddb365a622f",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "ac1c7656fa717f29fac3ea073af63f0b9919ec9a",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/spi/hi311x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: hi311x: populate ndo_change_mtu() to prevent buffer overflow\n\nSending an PF_PACKET allows to bypass the CAN framework logic and to\ndirectly reach the xmit() function of a CAN driver. The only check\nwhich is performed by the PF_PACKET framework is to make sure that\nskb-\u003elen fits the interface\u0027s MTU.\n\nUnfortunately, because the sun4i_can driver does not populate its\nnet_device_ops-\u003endo_change_mtu(), it is possible for an attacker to\nconfigure an invalid MTU by doing, for example:\n\n $ ip link set can0 mtu 9999\n\nAfter doing so, the attacker could open a PF_PACKET socket using the\nETH_P_CANXL protocol:\n\n\tsocket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))\n\nto inject a malicious CAN XL frames. For example:\n\n\tstruct canxl_frame frame = {\n\t\t.flags = 0xff,\n\t\t.len = 2048,\n\t};\n\nThe CAN drivers\u0027 xmit() function are calling can_dev_dropped_skb() to\ncheck that the skb is valid, unfortunately under above conditions, the\nmalicious packet is able to go through can_dev_dropped_skb() checks:\n\n 1. the skb-\u003eprotocol is set to ETH_P_CANXL which is valid (the\n function does not check the actual device capabilities).\n\n 2. the length is a valid CAN XL length.\n\nAnd so, hi3110_hard_start_xmit() receives a CAN XL frame which it is\nnot able to correctly handle and will thus misinterpret it as a CAN\nframe. The driver will consume frame-\u003elen as-is with no further\nchecks.\n\nThis can result in a buffer overflow later on in hi3110_hw_tx() on\nthis line:\n\n\tmemcpy(buf + HI3110_FIFO_EXT_DATA_OFF,\n\t frame-\u003edata, frame-\u003elen);\n\nHere, frame-\u003elen corresponds to the flags field of the CAN XL frame.\nIn our previous example, we set canxl_frame-\u003eflags to 0xff. Because\nthe maximum expected length is 8, a buffer overflow of 247 bytes\noccurs!\n\nPopulate net_device_ops-\u003endo_change_mtu() to ensure that the\ninterface\u0027s MTU can not be set to anything bigger than CAN_MTU. By\nfixing the root cause, this prevents the buffer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:05.878Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f2c247e9581024d8b3dd44cbe086bf2bebbef42c"
},
{
"url": "https://git.kernel.org/stable/c/8f351db6b2367991f0736b2cff082f5de4872113"
},
{
"url": "https://git.kernel.org/stable/c/7ab85762274c0fa997f0ef9a2307b2001aae43c4"
},
{
"url": "https://git.kernel.org/stable/c/57d332ce8c921d0e340650470bb0c1d707f216ee"
},
{
"url": "https://git.kernel.org/stable/c/be1b25005fd0f9d4e78bec6695711ef87ee33398"
},
{
"url": "https://git.kernel.org/stable/c/def814b4ba31b563584061d6895d5ff447d5bc14"
},
{
"url": "https://git.kernel.org/stable/c/e77fdf9e33a83a08f04ab0cb68c19ddb365a622f"
},
{
"url": "https://git.kernel.org/stable/c/ac1c7656fa717f29fac3ea073af63f0b9919ec9a"
}
],
"title": "can: hi311x: populate ndo_change_mtu() to prevent buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39987",
"datePublished": "2025-10-15T07:56:05.878Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:05.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68261 (GCVE-0-2025-68261)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
Fix a race between inline data destruction and block mapping.
The function ext4_destroy_inline_data_nolock() changes the inode data
layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS.
At the same time, another thread may execute ext4_map_blocks(), which
tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks()
or ext4_ind_map_blocks().
Without i_data_sem protection, ext4_ind_map_blocks() may receive inode
with EXT4_INODE_EXTENTS flag and triggering assert.
kernel BUG at fs/ext4/indirect.c:546!
EXT4-fs (loop2): unmounting filesystem.
invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546
Call Trace:
<TASK>
ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681
_ext4_get_block+0x242/0x590 fs/ext4/inode.c:822
ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124
ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255
ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000
generic_perform_write+0x259/0x5d0 mm/filemap.c:3846
ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285
ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679
call_write_iter include/linux/fs.h:2271 [inline]
do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735
do_iter_write+0x186/0x710 fs/read_write.c:861
vfs_iter_write+0x70/0xa0 fs/read_write.c:902
iter_file_splice_write+0x73b/0xc90 fs/splice.c:685
do_splice_from fs/splice.c:763 [inline]
direct_splice_actor+0x10f/0x170 fs/splice.c:950
splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896
do_splice_direct+0x1a9/0x280 fs/splice.c:1002
do_sendfile+0xb13/0x12c0 fs/read_write.c:1255
__do_sys_sendfile64 fs/read_write.c:1323 [inline]
__se_sys_sendfile64 fs/read_write.c:1309 [inline]
__x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c755e251357a0cee0679081f08c3f4ba797a8009 , < b322bac9f01d03190b5abc52be5d9dd9f22a2b41
(git)
Affected: c755e251357a0cee0679081f08c3f4ba797a8009 , < 61e03dc3794ebf77a706b85e5a36c9c6d70be6de (git) Affected: c755e251357a0cee0679081f08c3f4ba797a8009 , < 5b266cf6851ce72b11b067fe02adf5a8687104ad (git) Affected: c755e251357a0cee0679081f08c3f4ba797a8009 , < 144c48da33a01d92995aeccd8208eb47d2a8e659 (git) Affected: c755e251357a0cee0679081f08c3f4ba797a8009 , < 22a76b0861ae61a299c8e126c1aca8c4fda820fd (git) Affected: c755e251357a0cee0679081f08c3f4ba797a8009 , < ba8aeff294ac7ff6dfe293663d815c54c5ee218c (git) Affected: c755e251357a0cee0679081f08c3f4ba797a8009 , < 5cad18e527ba8a9ca5463cc170073eeb5a4826f4 (git) Affected: c755e251357a0cee0679081f08c3f4ba797a8009 , < 0cd8feea8777f8d9b9a862b89c688b049a5c8475 (git) Affected: 3e96c3fdcfccb321a9e1623f78cc71b44593e965 (git) Affected: 5781ac24bbd998ebb1ff30143bb06244d847af48 (git) Affected: 9b06cce3ca4d60d442c39bfa7c058b71b1cee6c2 (git) Affected: da1e40237f8f3516581b534c484c236a79ccfd14 (git) Affected: 7cf6b709b6412afd1d93b2c4b37163c3602e3b95 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b322bac9f01d03190b5abc52be5d9dd9f22a2b41",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "61e03dc3794ebf77a706b85e5a36c9c6d70be6de",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "5b266cf6851ce72b11b067fe02adf5a8687104ad",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "144c48da33a01d92995aeccd8208eb47d2a8e659",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "22a76b0861ae61a299c8e126c1aca8c4fda820fd",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "ba8aeff294ac7ff6dfe293663d815c54c5ee218c",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "5cad18e527ba8a9ca5463cc170073eeb5a4826f4",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "0cd8feea8777f8d9b9a862b89c688b049a5c8475",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"status": "affected",
"version": "3e96c3fdcfccb321a9e1623f78cc71b44593e965",
"versionType": "git"
},
{
"status": "affected",
"version": "5781ac24bbd998ebb1ff30143bb06244d847af48",
"versionType": "git"
},
{
"status": "affected",
"version": "9b06cce3ca4d60d442c39bfa7c058b71b1cee6c2",
"versionType": "git"
},
{
"status": "affected",
"version": "da1e40237f8f3516581b534c484c236a79ccfd14",
"versionType": "git"
},
{
"status": "affected",
"version": "7cf6b709b6412afd1d93b2c4b37163c3602e3b95",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.107",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.10.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: add i_data_sem protection in ext4_destroy_inline_data_nolock()\n\nFix a race between inline data destruction and block mapping.\n\nThe function ext4_destroy_inline_data_nolock() changes the inode data\nlayout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS.\nAt the same time, another thread may execute ext4_map_blocks(), which\ntests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks()\nor ext4_ind_map_blocks().\n\nWithout i_data_sem protection, ext4_ind_map_blocks() may receive inode\nwith EXT4_INODE_EXTENTS flag and triggering assert.\n\nkernel BUG at fs/ext4/indirect.c:546!\nEXT4-fs (loop2): unmounting filesystem.\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546\n\nCall Trace:\n \u003cTASK\u003e\n ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681\n _ext4_get_block+0x242/0x590 fs/ext4/inode.c:822\n ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124\n ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255\n ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000\n generic_perform_write+0x259/0x5d0 mm/filemap.c:3846\n ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285\n ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679\n call_write_iter include/linux/fs.h:2271 [inline]\n do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735\n do_iter_write+0x186/0x710 fs/read_write.c:861\n vfs_iter_write+0x70/0xa0 fs/read_write.c:902\n iter_file_splice_write+0x73b/0xc90 fs/splice.c:685\n do_splice_from fs/splice.c:763 [inline]\n direct_splice_actor+0x10f/0x170 fs/splice.c:950\n splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896\n do_splice_direct+0x1a9/0x280 fs/splice.c:1002\n do_sendfile+0xb13/0x12c0 fs/read_write.c:1255\n __do_sys_sendfile64 fs/read_write.c:1323 [inline]\n __se_sys_sendfile64 fs/read_write.c:1309 [inline]\n __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:20.130Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b322bac9f01d03190b5abc52be5d9dd9f22a2b41"
},
{
"url": "https://git.kernel.org/stable/c/61e03dc3794ebf77a706b85e5a36c9c6d70be6de"
},
{
"url": "https://git.kernel.org/stable/c/5b266cf6851ce72b11b067fe02adf5a8687104ad"
},
{
"url": "https://git.kernel.org/stable/c/144c48da33a01d92995aeccd8208eb47d2a8e659"
},
{
"url": "https://git.kernel.org/stable/c/22a76b0861ae61a299c8e126c1aca8c4fda820fd"
},
{
"url": "https://git.kernel.org/stable/c/ba8aeff294ac7ff6dfe293663d815c54c5ee218c"
},
{
"url": "https://git.kernel.org/stable/c/5cad18e527ba8a9ca5463cc170073eeb5a4826f4"
},
{
"url": "https://git.kernel.org/stable/c/0cd8feea8777f8d9b9a862b89c688b049a5c8475"
}
],
"title": "ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68261",
"datePublished": "2025-12-16T14:45:03.252Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-02-09T08:31:20.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39869 (GCVE-0-2025-39869)
Vulnerability from cvelistv5 – Published: 2025-09-23 06:00 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
dmaengine: ti: edma: Fix memory allocation size for queue_priority_map
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: ti: edma: Fix memory allocation size for queue_priority_map
Fix a critical memory allocation bug in edma_setup_from_hw() where
queue_priority_map was allocated with insufficient memory. The code
declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8),
but allocated memory using sizeof(s8) instead of the correct size.
This caused out-of-bounds memory writes when accessing:
queue_priority_map[i][0] = i;
queue_priority_map[i][1] = i;
The bug manifested as kernel crashes with "Oops - undefined instruction"
on ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the
memory corruption triggered kernel hardening features on Clang.
Change the allocation to use sizeof(*queue_priority_map) which
automatically gets the correct size for the 2D array structure.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2b6b3b7420190888793c49e97276e1e73bd7eaed , < 7d4de60d6db02d9b01d5890d5156b04fad65d07a
(git)
Affected: 2b6b3b7420190888793c49e97276e1e73bd7eaed , < d722de80ce037dccf6931e778f4a46499d51bdf9 (git) Affected: 2b6b3b7420190888793c49e97276e1e73bd7eaed , < 301a96cc4dc006c9a285913d301e681cfbf7edb6 (git) Affected: 2b6b3b7420190888793c49e97276e1e73bd7eaed , < 5e462fa0dfdb52b3983cf41532d3d4c7d63e2f93 (git) Affected: 2b6b3b7420190888793c49e97276e1e73bd7eaed , < 1baed10553fc8b388351d8fc803e3ae6f1a863bc (git) Affected: 2b6b3b7420190888793c49e97276e1e73bd7eaed , < 069fd1688c57c0cc8a3de64d108579b31676f74b (git) Affected: 2b6b3b7420190888793c49e97276e1e73bd7eaed , < d5e82f3f2c918d446df46e8d65f8083fd97cdec5 (git) Affected: 2b6b3b7420190888793c49e97276e1e73bd7eaed , < e63419dbf2ceb083c1651852209c7f048089ac0f (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:18.233Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/edma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7d4de60d6db02d9b01d5890d5156b04fad65d07a",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "d722de80ce037dccf6931e778f4a46499d51bdf9",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "301a96cc4dc006c9a285913d301e681cfbf7edb6",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "5e462fa0dfdb52b3983cf41532d3d4c7d63e2f93",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "1baed10553fc8b388351d8fc803e3ae6f1a863bc",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "069fd1688c57c0cc8a3de64d108579b31676f74b",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "d5e82f3f2c918d446df46e8d65f8083fd97cdec5",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "e63419dbf2ceb083c1651852209c7f048089ac0f",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/edma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: edma: Fix memory allocation size for queue_priority_map\n\nFix a critical memory allocation bug in edma_setup_from_hw() where\nqueue_priority_map was allocated with insufficient memory. The code\ndeclared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8),\nbut allocated memory using sizeof(s8) instead of the correct size.\n\nThis caused out-of-bounds memory writes when accessing:\n queue_priority_map[i][0] = i;\n queue_priority_map[i][1] = i;\n\nThe bug manifested as kernel crashes with \"Oops - undefined instruction\"\non ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the\nmemory corruption triggered kernel hardening features on Clang.\n\nChange the allocation to use sizeof(*queue_priority_map) which\nautomatically gets the correct size for the 2D array structure."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:04.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7d4de60d6db02d9b01d5890d5156b04fad65d07a"
},
{
"url": "https://git.kernel.org/stable/c/d722de80ce037dccf6931e778f4a46499d51bdf9"
},
{
"url": "https://git.kernel.org/stable/c/301a96cc4dc006c9a285913d301e681cfbf7edb6"
},
{
"url": "https://git.kernel.org/stable/c/5e462fa0dfdb52b3983cf41532d3d4c7d63e2f93"
},
{
"url": "https://git.kernel.org/stable/c/1baed10553fc8b388351d8fc803e3ae6f1a863bc"
},
{
"url": "https://git.kernel.org/stable/c/069fd1688c57c0cc8a3de64d108579b31676f74b"
},
{
"url": "https://git.kernel.org/stable/c/d5e82f3f2c918d446df46e8d65f8083fd97cdec5"
},
{
"url": "https://git.kernel.org/stable/c/e63419dbf2ceb083c1651852209c7f048089ac0f"
}
],
"title": "dmaengine: ti: edma: Fix memory allocation size for queue_priority_map",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39869",
"datePublished": "2025-09-23T06:00:43.852Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-11-03T17:44:18.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40196 (GCVE-0-2025-40196)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
fs: quota: create dedicated workqueue for quota_release_work
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: quota: create dedicated workqueue for quota_release_work
There is a kernel panic due to WARN_ONCE when panic_on_warn is set.
This issue occurs when writeback is triggered due to sync call for an
opened file(ie, writeback reason is WB_REASON_SYNC). When f2fs balance
is needed at sync path, flush for quota_release_work is triggered.
By default quota_release_work is queued to "events_unbound" queue which
does not have WQ_MEM_RECLAIM flag. During f2fs balance "writeback"
workqueue tries to flush quota_release_work causing kernel panic due to
MEM_RECLAIM flag mismatch errors.
This patch creates dedicated workqueue with WQ_MEM_RECLAIM flag
for work quota_release_work.
------------[ cut here ]------------
WARNING: CPU: 4 PID: 14867 at kernel/workqueue.c:3721 check_flush_dependency+0x13c/0x148
Call trace:
check_flush_dependency+0x13c/0x148
__flush_work+0xd0/0x398
flush_delayed_work+0x44/0x5c
dquot_writeback_dquots+0x54/0x318
f2fs_do_quota_sync+0xb8/0x1a8
f2fs_write_checkpoint+0x3cc/0x99c
f2fs_gc+0x190/0x750
f2fs_balance_fs+0x110/0x168
f2fs_write_single_data_page+0x474/0x7dc
f2fs_write_data_pages+0x7d0/0xd0c
do_writepages+0xe0/0x2f4
__writeback_single_inode+0x44/0x4ac
writeback_sb_inodes+0x30c/0x538
wb_writeback+0xf4/0x440
wb_workfn+0x128/0x5d4
process_scheduled_works+0x1c4/0x45c
worker_thread+0x32c/0x3e8
kthread+0x11c/0x1b0
ret_from_fork+0x10/0x20
Kernel panic - not syncing: kernel: panic_on_warn set ...
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bcacb52a985f1b6d280f698a470b873dfe52728a , < f846eacde280ecc3daedfe001580e3033565179e
(git)
Affected: 8ea87e34792258825d290f4dc5216276e91cb224 , < f12039df1515d5daf7d92e586ece5cefeb39561b (git) Affected: ac6f420291b3fee1113f21d612fa88b628afab5b , < 8a09a62f0c8c6123c2f1864ed6d5f9eb144afaf0 (git) Affected: ac6f420291b3fee1113f21d612fa88b628afab5b , < 72b7ceca857f38a8ca7c5629feffc63769638974 (git) Affected: a5abba5e0e586e258ded3e798fe5f69c66fec198 (git) Affected: 6f3821acd7c3143145999248087de5fb4b48cf26 (git) Affected: ab6cfcf8ed2c7496f55d020b65b1d8cd55d9a2cb (git) Affected: 3e6ff207cd5bd924ad94cd1a7c633bcdac0ba1cb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/quota/dquot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f846eacde280ecc3daedfe001580e3033565179e",
"status": "affected",
"version": "bcacb52a985f1b6d280f698a470b873dfe52728a",
"versionType": "git"
},
{
"lessThan": "f12039df1515d5daf7d92e586ece5cefeb39561b",
"status": "affected",
"version": "8ea87e34792258825d290f4dc5216276e91cb224",
"versionType": "git"
},
{
"lessThan": "8a09a62f0c8c6123c2f1864ed6d5f9eb144afaf0",
"status": "affected",
"version": "ac6f420291b3fee1113f21d612fa88b628afab5b",
"versionType": "git"
},
{
"lessThan": "72b7ceca857f38a8ca7c5629feffc63769638974",
"status": "affected",
"version": "ac6f420291b3fee1113f21d612fa88b628afab5b",
"versionType": "git"
},
{
"status": "affected",
"version": "a5abba5e0e586e258ded3e798fe5f69c66fec198",
"versionType": "git"
},
{
"status": "affected",
"version": "6f3821acd7c3143145999248087de5fb4b48cf26",
"versionType": "git"
},
{
"status": "affected",
"version": "ab6cfcf8ed2c7496f55d020b65b1d8cd55d9a2cb",
"versionType": "git"
},
{
"status": "affected",
"version": "3e6ff207cd5bd924ad94cd1a7c633bcdac0ba1cb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/quota/dquot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "6.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.12.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.287",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.231",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.174",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.120",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: quota: create dedicated workqueue for quota_release_work\n\nThere is a kernel panic due to WARN_ONCE when panic_on_warn is set.\n\nThis issue occurs when writeback is triggered due to sync call for an\nopened file(ie, writeback reason is WB_REASON_SYNC). When f2fs balance\nis needed at sync path, flush for quota_release_work is triggered.\nBy default quota_release_work is queued to \"events_unbound\" queue which\ndoes not have WQ_MEM_RECLAIM flag. During f2fs balance \"writeback\"\nworkqueue tries to flush quota_release_work causing kernel panic due to\nMEM_RECLAIM flag mismatch errors.\n\nThis patch creates dedicated workqueue with WQ_MEM_RECLAIM flag\nfor work quota_release_work.\n\n------------[ cut here ]------------\nWARNING: CPU: 4 PID: 14867 at kernel/workqueue.c:3721 check_flush_dependency+0x13c/0x148\nCall trace:\n check_flush_dependency+0x13c/0x148\n __flush_work+0xd0/0x398\n flush_delayed_work+0x44/0x5c\n dquot_writeback_dquots+0x54/0x318\n f2fs_do_quota_sync+0xb8/0x1a8\n f2fs_write_checkpoint+0x3cc/0x99c\n f2fs_gc+0x190/0x750\n f2fs_balance_fs+0x110/0x168\n f2fs_write_single_data_page+0x474/0x7dc\n f2fs_write_data_pages+0x7d0/0xd0c\n do_writepages+0xe0/0x2f4\n __writeback_single_inode+0x44/0x4ac\n writeback_sb_inodes+0x30c/0x538\n wb_writeback+0xf4/0x440\n wb_workfn+0x128/0x5d4\n process_scheduled_works+0x1c4/0x45c\n worker_thread+0x32c/0x3e8\n kthread+0x11c/0x1b0\n ret_from_fork+0x10/0x20\nKernel panic - not syncing: kernel: panic_on_warn set ..."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:56.986Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f846eacde280ecc3daedfe001580e3033565179e"
},
{
"url": "https://git.kernel.org/stable/c/f12039df1515d5daf7d92e586ece5cefeb39561b"
},
{
"url": "https://git.kernel.org/stable/c/8a09a62f0c8c6123c2f1864ed6d5f9eb144afaf0"
},
{
"url": "https://git.kernel.org/stable/c/72b7ceca857f38a8ca7c5629feffc63769638974"
}
],
"title": "fs: quota: create dedicated workqueue for quota_release_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40196",
"datePublished": "2025-11-12T21:56:32.578Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-12-01T06:19:56.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39996 (GCVE-0-2025-39996)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:58 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove
The original code uses cancel_delayed_work() in flexcop_pci_remove(), which
does not guarantee that the delayed work item irq_check_work has fully
completed if it was already running. This leads to use-after-free scenarios
where flexcop_pci_remove() may free the flexcop_device while irq_check_work
is still active and attempts to dereference the device.
A typical race condition is illustrated below:
CPU 0 (remove) | CPU 1 (delayed work callback)
flexcop_pci_remove() | flexcop_pci_irq_check_work()
cancel_delayed_work() |
flexcop_device_kfree(fc_pci->fc_dev) |
| fc = fc_pci->fc_dev; // UAF
This is confirmed by a KASAN report:
==================================================================
BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
Write of size 8 at addr ffff8880093aa8c8 by task bash/135
...
Call Trace:
<IRQ>
dump_stack_lvl+0x55/0x70
print_report+0xcf/0x610
? __run_timer_base.part.0+0x7d7/0x8c0
kasan_report+0xb8/0xf0
? __run_timer_base.part.0+0x7d7/0x8c0
__run_timer_base.part.0+0x7d7/0x8c0
? __pfx___run_timer_base.part.0+0x10/0x10
? __pfx_read_tsc+0x10/0x10
? ktime_get+0x60/0x140
? lapic_next_event+0x11/0x20
? clockevents_program_event+0x1d4/0x2a0
run_timer_softirq+0xd1/0x190
handle_softirqs+0x16a/0x550
irq_exit_rcu+0xaf/0xe0
sysvec_apic_timer_interrupt+0x70/0x80
</IRQ>
...
Allocated by task 1:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
__kmalloc_noprof+0x1be/0x460
flexcop_device_kmalloc+0x54/0xe0
flexcop_pci_probe+0x1f/0x9d0
local_pci_probe+0xdc/0x190
pci_device_probe+0x2fe/0x470
really_probe+0x1ca/0x5c0
__driver_probe_device+0x248/0x310
driver_probe_device+0x44/0x120
__driver_attach+0xd2/0x310
bus_for_each_dev+0xed/0x170
bus_add_driver+0x208/0x500
driver_register+0x132/0x460
do_one_initcall+0x89/0x300
kernel_init_freeable+0x40d/0x720
kernel_init+0x1a/0x150
ret_from_fork+0x10c/0x1a0
ret_from_fork_asm+0x1a/0x30
Freed by task 135:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3a/0x60
__kasan_slab_free+0x3f/0x50
kfree+0x137/0x370
flexcop_device_kfree+0x32/0x50
pci_device_remove+0xa6/0x1d0
device_release_driver_internal+0xf8/0x210
pci_stop_bus_device+0x105/0x150
pci_stop_and_remove_bus_device_locked+0x15/0x30
remove_store+0xcc/0xe0
kernfs_fop_write_iter+0x2c3/0x440
vfs_write+0x871/0xd70
ksys_write+0xee/0x1c0
do_syscall_64+0xac/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the delayed work item is properly canceled and any executing delayed
work has finished before the device memory is deallocated.
This bug was initially identified through static analysis. To reproduce
and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced
artificial delays within the flexcop_pci_irq_check_work() function to
increase the likelihood of triggering the bug.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
382c5546d618f24dc7d6ae7ca33412083720efbf , < 607010d07b8a509b01ed15ea12744acac6536a98
(git)
Affected: 382c5546d618f24dc7d6ae7ca33412083720efbf , < bde8173def374230226e8554efb51b271f4066ec (git) Affected: 382c5546d618f24dc7d6ae7ca33412083720efbf , < 120e221b4bbe9d0f6c09b5c4dc53ca4ad91d956b (git) Affected: 382c5546d618f24dc7d6ae7ca33412083720efbf , < d502df8a716d993fa0f9d8c00684f1190750e28e (git) Affected: 382c5546d618f24dc7d6ae7ca33412083720efbf , < bb10a9ddc8d6c5dbf098f21eb1055a652652e524 (git) Affected: 382c5546d618f24dc7d6ae7ca33412083720efbf , < 514a519baa9e2be7ddc2714bd730bc5a883e1244 (git) Affected: 382c5546d618f24dc7d6ae7ca33412083720efbf , < 3ffabc79388e68877d9c02f724a0b7a38d519daf (git) Affected: 382c5546d618f24dc7d6ae7ca33412083720efbf , < 6a92f5796880f5aa345f0fed53ef511e3fd6f706 (git) Affected: 382c5546d618f24dc7d6ae7ca33412083720efbf , < 01e03fb7db419d39e18d6090d4873c1bff103914 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/b2c2/flexcop-pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "607010d07b8a509b01ed15ea12744acac6536a98",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "bde8173def374230226e8554efb51b271f4066ec",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "120e221b4bbe9d0f6c09b5c4dc53ca4ad91d956b",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "d502df8a716d993fa0f9d8c00684f1190750e28e",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "bb10a9ddc8d6c5dbf098f21eb1055a652652e524",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "514a519baa9e2be7ddc2714bd730bc5a883e1244",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "3ffabc79388e68877d9c02f724a0b7a38d519daf",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "6a92f5796880f5aa345f0fed53ef511e3fd6f706",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "01e03fb7db419d39e18d6090d4873c1bff103914",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/b2c2/flexcop-pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.110",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove\n\nThe original code uses cancel_delayed_work() in flexcop_pci_remove(), which\ndoes not guarantee that the delayed work item irq_check_work has fully\ncompleted if it was already running. This leads to use-after-free scenarios\nwhere flexcop_pci_remove() may free the flexcop_device while irq_check_work\nis still active and attempts to dereference the device.\n\nA typical race condition is illustrated below:\n\nCPU 0 (remove) | CPU 1 (delayed work callback)\nflexcop_pci_remove() | flexcop_pci_irq_check_work()\n cancel_delayed_work() |\n flexcop_device_kfree(fc_pci-\u003efc_dev) |\n | fc = fc_pci-\u003efc_dev; // UAF\n\nThis is confirmed by a KASAN report:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0\nWrite of size 8 at addr ffff8880093aa8c8 by task bash/135\n...\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x55/0x70\n print_report+0xcf/0x610\n ? __run_timer_base.part.0+0x7d7/0x8c0\n kasan_report+0xb8/0xf0\n ? __run_timer_base.part.0+0x7d7/0x8c0\n __run_timer_base.part.0+0x7d7/0x8c0\n ? __pfx___run_timer_base.part.0+0x10/0x10\n ? __pfx_read_tsc+0x10/0x10\n ? ktime_get+0x60/0x140\n ? lapic_next_event+0x11/0x20\n ? clockevents_program_event+0x1d4/0x2a0\n run_timer_softirq+0xd1/0x190\n handle_softirqs+0x16a/0x550\n irq_exit_rcu+0xaf/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n \u003c/IRQ\u003e\n...\n\nAllocated by task 1:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n __kmalloc_noprof+0x1be/0x460\n flexcop_device_kmalloc+0x54/0xe0\n flexcop_pci_probe+0x1f/0x9d0\n local_pci_probe+0xdc/0x190\n pci_device_probe+0x2fe/0x470\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __driver_attach+0xd2/0x310\n bus_for_each_dev+0xed/0x170\n bus_add_driver+0x208/0x500\n driver_register+0x132/0x460\n do_one_initcall+0x89/0x300\n kernel_init_freeable+0x40d/0x720\n kernel_init+0x1a/0x150\n ret_from_fork+0x10c/0x1a0\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 135:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x3f/0x50\n kfree+0x137/0x370\n flexcop_device_kfree+0x32/0x50\n pci_device_remove+0xa6/0x1d0\n device_release_driver_internal+0xf8/0x210\n pci_stop_bus_device+0x105/0x150\n pci_stop_and_remove_bus_device_locked+0x15/0x30\n remove_store+0xcc/0xe0\n kernfs_fop_write_iter+0x2c3/0x440\n vfs_write+0x871/0xd70\n ksys_write+0xee/0x1c0\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the delayed work item is properly canceled and any executing delayed\nwork has finished before the device memory is deallocated.\n\nThis bug was initially identified through static analysis. To reproduce\nand test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced\nartificial delays within the flexcop_pci_irq_check_work() function to\nincrease the likelihood of triggering the bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:07.519Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/607010d07b8a509b01ed15ea12744acac6536a98"
},
{
"url": "https://git.kernel.org/stable/c/bde8173def374230226e8554efb51b271f4066ec"
},
{
"url": "https://git.kernel.org/stable/c/120e221b4bbe9d0f6c09b5c4dc53ca4ad91d956b"
},
{
"url": "https://git.kernel.org/stable/c/d502df8a716d993fa0f9d8c00684f1190750e28e"
},
{
"url": "https://git.kernel.org/stable/c/bb10a9ddc8d6c5dbf098f21eb1055a652652e524"
},
{
"url": "https://git.kernel.org/stable/c/514a519baa9e2be7ddc2714bd730bc5a883e1244"
},
{
"url": "https://git.kernel.org/stable/c/3ffabc79388e68877d9c02f724a0b7a38d519daf"
},
{
"url": "https://git.kernel.org/stable/c/6a92f5796880f5aa345f0fed53ef511e3fd6f706"
},
{
"url": "https://git.kernel.org/stable/c/01e03fb7db419d39e18d6090d4873c1bff103914"
}
],
"title": "media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39996",
"datePublished": "2025-10-15T07:58:21.049Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-12-01T06:16:07.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23020 (GCVE-0-2026-23020)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:39 – Updated: 2026-02-09 08:37
VLAI?
EPSS
Title
net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
pdev can be null and free_ring: can be called in 1297 with a null
pdev.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
55c82617c3e82210b7471e9334e8fc5df6a9961f , < 053ac9e37eee435e999277c0f1ef890dad6064bf
(git)
Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < 6cff14b831dbdb32675b4c7904dcc3eeeaf47e9d (git) Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < 606872c8e8bf96066730f6a2317502c5633c37f1 (git) Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < 28b2a805609699be7b90020ae7dccfb234be1ceb (git) Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < 2f05f7737e16d9a40038cc1c38a96a3f7964898b (git) Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < d82796a57cc0dac1dbef19d913c8f02a8cc7b1a7 (git) Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < a4e305ed60f7c41bbf9aabc16dd75267194e0de3 (git) Affected: d30fdc02c49ad9965bba25015ae66c22dae967d1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/3com/3c59x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "053ac9e37eee435e999277c0f1ef890dad6064bf",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "6cff14b831dbdb32675b4c7904dcc3eeeaf47e9d",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "606872c8e8bf96066730f6a2317502c5633c37f1",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "28b2a805609699be7b90020ae7dccfb234be1ceb",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "2f05f7737e16d9a40038cc1c38a96a3f7964898b",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "d82796a57cc0dac1dbef19d913c8f02a8cc7b1a7",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "a4e305ed60f7c41bbf9aabc16dd75267194e0de3",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"status": "affected",
"version": "d30fdc02c49ad9965bba25015ae66c22dae967d1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/3com/3c59x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.16.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: 3com: 3c59x: fix possible null dereference in vortex_probe1()\n\npdev can be null and free_ring: can be called in 1297 with a null\npdev."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:13.897Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/053ac9e37eee435e999277c0f1ef890dad6064bf"
},
{
"url": "https://git.kernel.org/stable/c/6cff14b831dbdb32675b4c7904dcc3eeeaf47e9d"
},
{
"url": "https://git.kernel.org/stable/c/606872c8e8bf96066730f6a2317502c5633c37f1"
},
{
"url": "https://git.kernel.org/stable/c/28b2a805609699be7b90020ae7dccfb234be1ceb"
},
{
"url": "https://git.kernel.org/stable/c/2f05f7737e16d9a40038cc1c38a96a3f7964898b"
},
{
"url": "https://git.kernel.org/stable/c/d82796a57cc0dac1dbef19d913c8f02a8cc7b1a7"
},
{
"url": "https://git.kernel.org/stable/c/a4e305ed60f7c41bbf9aabc16dd75267194e0de3"
}
],
"title": "net: 3com: 3c59x: fix possible null dereference in vortex_probe1()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23020",
"datePublished": "2026-01-31T11:39:04.023Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-02-09T08:37:13.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39863 (GCVE-0-2025-39863)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2026-01-14 19:33
VLAI?
EPSS
Title
wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
The brcmf_btcoex_detach() only shuts down the btcoex timer, if the
flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which
runs as timer handler, sets timer_on to false. This creates critical
race conditions:
1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()
is executing, it may observe timer_on as false and skip the call to
timer_shutdown_sync().
2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info
worker after the cancel_work_sync() has been executed, resulting in
use-after-free bugs.
The use-after-free bugs occur in two distinct scenarios, depending on
the timing of when the brcmf_btcoex_info struct is freed relative to
the execution of its worker thread.
Scenario 1: Freed before the worker is scheduled
The brcmf_btcoex_info is deallocated before the worker is scheduled.
A race condition can occur when schedule_work(&bt_local->work) is
called after the target memory has been freed. The sequence of events
is detailed below:
CPU0 | CPU1
brcmf_btcoex_detach | brcmf_btcoex_timerfunc
| bt_local->timer_on = false;
if (cfg->btcoex->timer_on) |
... |
cancel_work_sync(); |
... |
kfree(cfg->btcoex); // FREE |
| schedule_work(&bt_local->work); // USE
Scenario 2: Freed after the worker is scheduled
The brcmf_btcoex_info is freed after the worker has been scheduled
but before or during its execution. In this case, statements within
the brcmf_btcoex_handler() — such as the container_of macro and
subsequent dereferences of the brcmf_btcoex_info object will cause
a use-after-free access. The following timeline illustrates this
scenario:
CPU0 | CPU1
brcmf_btcoex_detach | brcmf_btcoex_timerfunc
| bt_local->timer_on = false;
if (cfg->btcoex->timer_on) |
... |
cancel_work_sync(); |
... | schedule_work(); // Reschedule
|
kfree(cfg->btcoex); // FREE | brcmf_btcoex_handler() // Worker
/* | btci = container_of(....); // USE
The kfree() above could | ...
also occur at any point | btci-> // USE
during the worker's execution|
*/ |
To resolve the race conditions, drop the conditional check and call
timer_shutdown_sync() directly. It can deactivate the timer reliably,
regardless of its current state. Once stopped, the timer_on state is
then set to false.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
61730d4dfffc2cc9d3a49fad87633008105c18ba , < f1150153c4e5940fe49ab51136343c5b4fe49d63
(git)
Affected: 61730d4dfffc2cc9d3a49fad87633008105c18ba , < 3e789f8475f6c857c88de5c5bf4b24b11a477dd7 (git) Affected: 61730d4dfffc2cc9d3a49fad87633008105c18ba , < 2f6fbc8e04ca1d1d5c560be694199f847229c625 (git) Affected: 61730d4dfffc2cc9d3a49fad87633008105c18ba , < 9cb83d4be0b9b697eae93d321e0da999f9cdfcfc (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39863",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:23:53.735650Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:33:11.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f1150153c4e5940fe49ab51136343c5b4fe49d63",
"status": "affected",
"version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
"versionType": "git"
},
{
"lessThan": "3e789f8475f6c857c88de5c5bf4b24b11a477dd7",
"status": "affected",
"version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
"versionType": "git"
},
{
"lessThan": "2f6fbc8e04ca1d1d5c560be694199f847229c625",
"status": "affected",
"version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
"versionType": "git"
},
{
"lessThan": "9cb83d4be0b9b697eae93d321e0da999f9cdfcfc",
"status": "affected",
"version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work\n\nThe brcmf_btcoex_detach() only shuts down the btcoex timer, if the\nflag timer_on is false. However, the brcmf_btcoex_timerfunc(), which\nruns as timer handler, sets timer_on to false. This creates critical\nrace conditions:\n\n1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()\nis executing, it may observe timer_on as false and skip the call to\ntimer_shutdown_sync().\n\n2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info\nworker after the cancel_work_sync() has been executed, resulting in\nuse-after-free bugs.\n\nThe use-after-free bugs occur in two distinct scenarios, depending on\nthe timing of when the brcmf_btcoex_info struct is freed relative to\nthe execution of its worker thread.\n\nScenario 1: Freed before the worker is scheduled\n\nThe brcmf_btcoex_info is deallocated before the worker is scheduled.\nA race condition can occur when schedule_work(\u0026bt_local-\u003ework) is\ncalled after the target memory has been freed. The sequence of events\nis detailed below:\n\nCPU0 | CPU1\nbrcmf_btcoex_detach | brcmf_btcoex_timerfunc\n | bt_local-\u003etimer_on = false;\n if (cfg-\u003ebtcoex-\u003etimer_on) |\n ... |\n cancel_work_sync(); |\n ... |\n kfree(cfg-\u003ebtcoex); // FREE |\n | schedule_work(\u0026bt_local-\u003ework); // USE\n\nScenario 2: Freed after the worker is scheduled\n\nThe brcmf_btcoex_info is freed after the worker has been scheduled\nbut before or during its execution. In this case, statements within\nthe brcmf_btcoex_handler() \u2014 such as the container_of macro and\nsubsequent dereferences of the brcmf_btcoex_info object will cause\na use-after-free access. The following timeline illustrates this\nscenario:\n\nCPU0 | CPU1\nbrcmf_btcoex_detach | brcmf_btcoex_timerfunc\n | bt_local-\u003etimer_on = false;\n if (cfg-\u003ebtcoex-\u003etimer_on) |\n ... |\n cancel_work_sync(); |\n ... | schedule_work(); // Reschedule\n |\n kfree(cfg-\u003ebtcoex); // FREE | brcmf_btcoex_handler() // Worker\n /* | btci = container_of(....); // USE\n The kfree() above could | ...\n also occur at any point | btci-\u003e // USE\n during the worker\u0027s execution|\n */ |\n\nTo resolve the race conditions, drop the conditional check and call\ntimer_shutdown_sync() directly. It can deactivate the timer reliably,\nregardless of its current state. Once stopped, the timer_on state is\nthen set to false."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:18.732Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f1150153c4e5940fe49ab51136343c5b4fe49d63"
},
{
"url": "https://git.kernel.org/stable/c/3e789f8475f6c857c88de5c5bf4b24b11a477dd7"
},
{
"url": "https://git.kernel.org/stable/c/2f6fbc8e04ca1d1d5c560be694199f847229c625"
},
{
"url": "https://git.kernel.org/stable/c/9cb83d4be0b9b697eae93d321e0da999f9cdfcfc"
}
],
"title": "wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39863",
"datePublished": "2025-09-19T15:26:33.069Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2026-01-14T19:33:11.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71154 (GCVE-0-2025-71154)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:25 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
In async_set_registers(), when usb_submit_urb() fails, the allocated
async_req structure and URB are not freed, causing a memory leak.
The completion callback async_set_reg_cb() is responsible for freeing
these allocations, but it is only called after the URB is successfully
submitted and completes (successfully or with error). If submission
fails, the callback never runs and the memory is leaked.
Fix this by freeing both the URB and the request structure in the error
path when usb_submit_urb() fails.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < a4e2442d3c48355a84463342f397134f149936d7
(git)
Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < 2f966186b99550e3c665dbfb87b8314e30acea02 (git) Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < db2244c580540306d60ce783ed340190720cd429 (git) Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < 4bd4ea3eb326608ffc296db12c105f92dc2f2190 (git) Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < 6492ad6439ff1a479fc94dc6052df3628faed8b6 (git) Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < 151403e903840c9cf06754097b6732c14f26c532 (git) Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < 12cab1191d9890097171156d06bfa8d31f1e39c8 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rtl8150.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4e2442d3c48355a84463342f397134f149936d7",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "2f966186b99550e3c665dbfb87b8314e30acea02",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "db2244c580540306d60ce783ed340190720cd429",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "4bd4ea3eb326608ffc296db12c105f92dc2f2190",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "6492ad6439ff1a479fc94dc6052df3628faed8b6",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "151403e903840c9cf06754097b6732c14f26c532",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "12cab1191d9890097171156d06bfa8d31f1e39c8",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rtl8150.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: rtl8150: fix memory leak on usb_submit_urb() failure\n\nIn async_set_registers(), when usb_submit_urb() fails, the allocated\n async_req structure and URB are not freed, causing a memory leak.\n\n The completion callback async_set_reg_cb() is responsible for freeing\n these allocations, but it is only called after the URB is successfully\n submitted and completes (successfully or with error). If submission\n fails, the callback never runs and the memory is leaked.\n\n Fix this by freeing both the URB and the request structure in the error\n path when usb_submit_urb() fails."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:52.404Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4e2442d3c48355a84463342f397134f149936d7"
},
{
"url": "https://git.kernel.org/stable/c/2f966186b99550e3c665dbfb87b8314e30acea02"
},
{
"url": "https://git.kernel.org/stable/c/db2244c580540306d60ce783ed340190720cd429"
},
{
"url": "https://git.kernel.org/stable/c/4bd4ea3eb326608ffc296db12c105f92dc2f2190"
},
{
"url": "https://git.kernel.org/stable/c/6492ad6439ff1a479fc94dc6052df3628faed8b6"
},
{
"url": "https://git.kernel.org/stable/c/151403e903840c9cf06754097b6732c14f26c532"
},
{
"url": "https://git.kernel.org/stable/c/12cab1191d9890097171156d06bfa8d31f1e39c8"
}
],
"title": "net: usb: rtl8150: fix memory leak on usb_submit_urb() failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71154",
"datePublished": "2026-01-23T14:25:53.818Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-02-09T08:35:52.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68212 (GCVE-0-2025-68212)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2026-01-17 15:46
VLAI?
EPSS
Title
fs: Fix uninitialized 'offp' in statmount_string()
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: Fix uninitialized 'offp' in statmount_string()
In statmount_string(), most flags assign an output offset pointer (offp)
which is later updated with the string offset. However, the
STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the
struct fields instead of using offp. This leaves offp uninitialized,
leading to a possible uninitialized dereference when *offp is updated.
Fix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code
path consistent.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "acfde9400e611c8d2668f1c70053c4a1d6ecfc36",
"status": "affected",
"version": "37c4a9590e1efcae7749682239fc22a330d2d325",
"versionType": "git"
},
{
"lessThan": "0778ac7df5137d5041783fadfc201f8fd55a1d9b",
"status": "affected",
"version": "37c4a9590e1efcae7749682239fc22a330d2d325",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: Fix uninitialized \u0027offp\u0027 in statmount_string()\n\nIn statmount_string(), most flags assign an output offset pointer (offp)\nwhich is later updated with the string offset. However, the\nSTATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the\nstruct fields instead of using offp. This leaves offp uninitialized,\nleading to a possible uninitialized dereference when *offp is updated.\n\nFix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code\npath consistent."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T15:46:46.600Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/acfde9400e611c8d2668f1c70053c4a1d6ecfc36"
},
{
"url": "https://git.kernel.org/stable/c/0778ac7df5137d5041783fadfc201f8fd55a1d9b"
}
],
"title": "fs: Fix uninitialized \u0027offp\u0027 in statmount_string()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68212",
"datePublished": "2025-12-16T13:57:08.327Z",
"dateReserved": "2025-12-16T13:41:40.256Z",
"dateUpdated": "2026-01-17T15:46:46.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40278 (GCVE-0-2025-40278)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51
VLAI?
EPSS
Title
net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
Fix a KMSAN kernel-infoleak detected by the syzbot .
[net?] KMSAN: kernel-infoleak in __skb_datagram_iter
In tcf_ife_dump(), the variable 'opt' was partially initialized using a
designatied initializer. While the padding bytes are reamined
uninitialized. nla_put() copies the entire structure into a
netlink message, these uninitialized bytes leaked to userspace.
Initialize the structure with memset before assigning its fields
to ensure all members and padding are cleared prior to beign copied.
This change silences the KMSAN report and prevents potential information
leaks from the kernel memory.
This fix has been tested and validated by syzbot. This patch closes the
bug reported at the following syzkaller link and ensures no infoleak.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < 918e063304f945fb93be9bb70cacea07d0b730ea
(git)
Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < 5e3644ef147bf7140259dfa4cace680c9b26fe8b (git) Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < 37f0680887c5aeba9a433fe04b35169010568bb1 (git) Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < 2191662058443e0bcc28d11694293d8339af6dde (git) Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < a676a296af65d33725bdf7396803180957dbd92e (git) Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < d1dbbbe839647486c9b893e5011fe84a052962df (git) Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < c8f51dad94cbb88054e2aacc272b3ce1ed11fb1e (git) Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < ce50039be49eea9b4cd8873ca6eccded1b4a130a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_ife.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "918e063304f945fb93be9bb70cacea07d0b730ea",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "5e3644ef147bf7140259dfa4cace680c9b26fe8b",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "37f0680887c5aeba9a433fe04b35169010568bb1",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "2191662058443e0bcc28d11694293d8339af6dde",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "a676a296af65d33725bdf7396803180957dbd92e",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "d1dbbbe839647486c9b893e5011fe84a052962df",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "c8f51dad94cbb88054e2aacc272b3ce1ed11fb1e",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "ce50039be49eea9b4cd8873ca6eccded1b4a130a",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_ife.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak\n\nFix a KMSAN kernel-infoleak detected by the syzbot .\n\n[net?] KMSAN: kernel-infoleak in __skb_datagram_iter\n\nIn tcf_ife_dump(), the variable \u0027opt\u0027 was partially initialized using a\ndesignatied initializer. While the padding bytes are reamined\nuninitialized. nla_put() copies the entire structure into a\nnetlink message, these uninitialized bytes leaked to userspace.\n\nInitialize the structure with memset before assigning its fields\nto ensure all members and padding are cleared prior to beign copied.\n\nThis change silences the KMSAN report and prevents potential information\nleaks from the kernel memory.\n\nThis fix has been tested and validated by syzbot. This patch closes the\nbug reported at the following syzkaller link and ensures no infoleak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:01.693Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/918e063304f945fb93be9bb70cacea07d0b730ea"
},
{
"url": "https://git.kernel.org/stable/c/5e3644ef147bf7140259dfa4cace680c9b26fe8b"
},
{
"url": "https://git.kernel.org/stable/c/37f0680887c5aeba9a433fe04b35169010568bb1"
},
{
"url": "https://git.kernel.org/stable/c/2191662058443e0bcc28d11694293d8339af6dde"
},
{
"url": "https://git.kernel.org/stable/c/a676a296af65d33725bdf7396803180957dbd92e"
},
{
"url": "https://git.kernel.org/stable/c/d1dbbbe839647486c9b893e5011fe84a052962df"
},
{
"url": "https://git.kernel.org/stable/c/c8f51dad94cbb88054e2aacc272b3ce1ed11fb1e"
},
{
"url": "https://git.kernel.org/stable/c/ce50039be49eea9b4cd8873ca6eccded1b4a130a"
}
],
"title": "net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40278",
"datePublished": "2025-12-06T21:51:01.693Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:01.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68258 (GCVE-0-2025-68258)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
comedi: multiq3: sanitize config options in multiq3_attach()
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: multiq3: sanitize config options in multiq3_attach()
Syzbot identified an issue [1] in multiq3_attach() that induces a
task timeout due to open() or COMEDI_DEVCONFIG ioctl operations,
specifically, in the case of multiq3 driver.
This problem arose when syzkaller managed to craft weird configuration
options used to specify the number of channels in encoder subdevice.
If a particularly great number is passed to s->n_chan in
multiq3_attach() via it->options[2], then multiple calls to
multiq3_encoder_reset() at the end of driver-specific attach() method
will be running for minutes, thus blocking tasks and affected devices
as well.
While this issue is most likely not too dangerous for real-life
devices, it still makes sense to sanitize configuration inputs. Enable
a sensible limit on the number of encoder chips (4 chips max, each
with 2 channels) to stop this behaviour from manifesting.
[1] Syzbot crash:
INFO: task syz.2.19:6067 blocked for more than 143 seconds.
...
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5254 [inline]
__schedule+0x17c4/0x4d60 kernel/sched/core.c:6862
__schedule_loop kernel/sched/core.c:6944 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6959
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016
__mutex_lock_common kernel/locking/mutex.c:676 [inline]
__mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760
comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0x953/0x13f0 fs/open.c:965
vfs_open+0x3b/0x340 fs/open.c:1097
...
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
77e01cdbad5175f56027fd6fae00bd0fc175651a , < f9ff87aac7b37d462246c46d28912d382a8e2ea6
(git)
Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 4cde9a7e025cc09b88097c70606f6b30c22880f4 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < ad7ed3c9c7b8408e8612697bc43a5441fe386c71 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 049f14557450351750f929ebfff36d849511e132 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 8952bc1973cd54158c35e06bfb8c29ace7375a48 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 543f4c380c2e1f35e60528df7cb54705cda7fee3 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < f24c6e3a39fa355dabfb684c9ca82db579534e72 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/multiq3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9ff87aac7b37d462246c46d28912d382a8e2ea6",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "4cde9a7e025cc09b88097c70606f6b30c22880f4",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "ad7ed3c9c7b8408e8612697bc43a5441fe386c71",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "049f14557450351750f929ebfff36d849511e132",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "8952bc1973cd54158c35e06bfb8c29ace7375a48",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "543f4c380c2e1f35e60528df7cb54705cda7fee3",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "f24c6e3a39fa355dabfb684c9ca82db579534e72",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/multiq3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: multiq3: sanitize config options in multiq3_attach()\n\nSyzbot identified an issue [1] in multiq3_attach() that induces a\ntask timeout due to open() or COMEDI_DEVCONFIG ioctl operations,\nspecifically, in the case of multiq3 driver.\n\nThis problem arose when syzkaller managed to craft weird configuration\noptions used to specify the number of channels in encoder subdevice.\nIf a particularly great number is passed to s-\u003en_chan in\nmultiq3_attach() via it-\u003eoptions[2], then multiple calls to\nmultiq3_encoder_reset() at the end of driver-specific attach() method\nwill be running for minutes, thus blocking tasks and affected devices\nas well.\n\nWhile this issue is most likely not too dangerous for real-life\ndevices, it still makes sense to sanitize configuration inputs. Enable\na sensible limit on the number of encoder chips (4 chips max, each\nwith 2 channels) to stop this behaviour from manifesting.\n\n[1] Syzbot crash:\nINFO: task syz.2.19:6067 blocked for more than 143 seconds.\n...\nCall Trace:\n \u003cTASK\u003e\n context_switch kernel/sched/core.c:5254 [inline]\n __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862\n __schedule_loop kernel/sched/core.c:6944 [inline]\n schedule+0x165/0x360 kernel/sched/core.c:6959\n schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016\n __mutex_lock_common kernel/locking/mutex.c:676 [inline]\n __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760\n comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868\n chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414\n do_dentry_open+0x953/0x13f0 fs/open.c:965\n vfs_open+0x3b/0x340 fs/open.c:1097\n..."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:11.628Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9ff87aac7b37d462246c46d28912d382a8e2ea6"
},
{
"url": "https://git.kernel.org/stable/c/4cde9a7e025cc09b88097c70606f6b30c22880f4"
},
{
"url": "https://git.kernel.org/stable/c/ad7ed3c9c7b8408e8612697bc43a5441fe386c71"
},
{
"url": "https://git.kernel.org/stable/c/049f14557450351750f929ebfff36d849511e132"
},
{
"url": "https://git.kernel.org/stable/c/8952bc1973cd54158c35e06bfb8c29ace7375a48"
},
{
"url": "https://git.kernel.org/stable/c/8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3"
},
{
"url": "https://git.kernel.org/stable/c/543f4c380c2e1f35e60528df7cb54705cda7fee3"
},
{
"url": "https://git.kernel.org/stable/c/f24c6e3a39fa355dabfb684c9ca82db579534e72"
}
],
"title": "comedi: multiq3: sanitize config options in multiq3_attach()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68258",
"datePublished": "2025-12-16T14:45:00.920Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-02-09T08:31:11.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68301 (GCVE-0-2025-68301)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
net: atlantic: fix fragment overflow handling in RX path
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: atlantic: fix fragment overflow handling in RX path
The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)
fragments when handling large multi-descriptor packets. This causes an
out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.
The issue occurs because the driver doesn't check the total number of
fragments before calling skb_add_rx_frag(). When a packet requires more
than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.
Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
then all fragments are accounted for. And reusing the existing check to
prevent the overflow earlier in the code path.
This crash occurred in production with an Aquantia AQC113 10G NIC.
Stack trace from production environment:
```
RIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0
Code: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89
ca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90
c8 00 00 00 <48> 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48
89 fa 83
RSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287
RAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX:
fffffffe0a0c8000
RDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI:
0000000000037a40
RBP: 0000000000000024 R08: 0000000000000000 R09:
0000000000000021
R10: 0000000000000848 R11: 0000000000000000 R12:
ffffa9bec02a8e24
R13: ffff925ad8615570 R14: 0000000000000000 R15:
ffff925b22e80a00
FS: 0000000000000000(0000)
GS:ffff925e47880000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4:
0000000000f72ef0
PKRU: 55555554
Call Trace:
<IRQ>
aq_ring_rx_clean+0x175/0xe60 [atlantic]
? aq_ring_rx_clean+0x14d/0xe60 [atlantic]
? aq_ring_tx_clean+0xdf/0x190 [atlantic]
? kmem_cache_free+0x348/0x450
? aq_vec_poll+0x81/0x1d0 [atlantic]
? __napi_poll+0x28/0x1c0
? net_rx_action+0x337/0x420
```
Changes in v4:
- Add Fixes: tag to satisfy patch validation requirements.
Changes in v3:
- Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
then all fragments are accounted for.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cd66ab20a8f84474564a68fffffd37d998f6c340 , < 34147477eeab24077fcfe9649e282849347d760c
(git)
Affected: 948ddbdc56636773401f2cb9c7a932eb9c43ccfd , < b0c4d5135b04ea100988e2458c98f2d8564cda16 (git) Affected: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f , < 5d6051ea1b0417ae2f06a8440d22e48fbc8f8997 (git) Affected: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f , < 3be37c3c96b16462394fcb8e15e757c691377038 (git) Affected: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f , < 3fd2105e1b7e041cc24be151c9a31a14d5fc50ab (git) Affected: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f , < 64e47cd1fd631a21bf5a630cebefec6c8fc381cd (git) Affected: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f , < 5ffcb7b890f61541201461580bb6622ace405aec (git) Affected: dd4fb02847e737cc38ca75e708b1a836fba45faf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/aquantia/atlantic/aq_ring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "34147477eeab24077fcfe9649e282849347d760c",
"status": "affected",
"version": "cd66ab20a8f84474564a68fffffd37d998f6c340",
"versionType": "git"
},
{
"lessThan": "b0c4d5135b04ea100988e2458c98f2d8564cda16",
"status": "affected",
"version": "948ddbdc56636773401f2cb9c7a932eb9c43ccfd",
"versionType": "git"
},
{
"lessThan": "5d6051ea1b0417ae2f06a8440d22e48fbc8f8997",
"status": "affected",
"version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
"versionType": "git"
},
{
"lessThan": "3be37c3c96b16462394fcb8e15e757c691377038",
"status": "affected",
"version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
"versionType": "git"
},
{
"lessThan": "3fd2105e1b7e041cc24be151c9a31a14d5fc50ab",
"status": "affected",
"version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
"versionType": "git"
},
{
"lessThan": "64e47cd1fd631a21bf5a630cebefec6c8fc381cd",
"status": "affected",
"version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
"versionType": "git"
},
{
"lessThan": "5ffcb7b890f61541201461580bb6622ace405aec",
"status": "affected",
"version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
"versionType": "git"
},
{
"status": "affected",
"version": "dd4fb02847e737cc38ca75e708b1a836fba45faf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/aquantia/atlantic/aq_ring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: fix fragment overflow handling in RX path\n\nThe atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)\nfragments when handling large multi-descriptor packets. This causes an\nout-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.\n\nThe issue occurs because the driver doesn\u0027t check the total number of\nfragments before calling skb_add_rx_frag(). When a packet requires more\nthan MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.\n\nFix by assuming there will be an extra frag if buff-\u003elen \u003e AQ_CFG_RX_HDR_SIZE,\nthen all fragments are accounted for. And reusing the existing check to\nprevent the overflow earlier in the code path.\n\nThis crash occurred in production with an Aquantia AQC113 10G NIC.\n\nStack trace from production environment:\n```\nRIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0\nCode: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89\nca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90\nc8 00 00 00 \u003c48\u003e 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48\n89 fa 83\nRSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287\nRAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX:\nfffffffe0a0c8000\nRDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI:\n0000000000037a40\nRBP: 0000000000000024 R08: 0000000000000000 R09:\n0000000000000021\nR10: 0000000000000848 R11: 0000000000000000 R12:\nffffa9bec02a8e24\nR13: ffff925ad8615570 R14: 0000000000000000 R15:\nffff925b22e80a00\nFS: 0000000000000000(0000)\nGS:ffff925e47880000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4:\n0000000000f72ef0\nPKRU: 55555554\nCall Trace:\n\u003cIRQ\u003e\naq_ring_rx_clean+0x175/0xe60 [atlantic]\n? aq_ring_rx_clean+0x14d/0xe60 [atlantic]\n? aq_ring_tx_clean+0xdf/0x190 [atlantic]\n? kmem_cache_free+0x348/0x450\n? aq_vec_poll+0x81/0x1d0 [atlantic]\n? __napi_poll+0x28/0x1c0\n? net_rx_action+0x337/0x420\n```\n\nChanges in v4:\n- Add Fixes: tag to satisfy patch validation requirements.\n\nChanges in v3:\n- Fix by assuming there will be an extra frag if buff-\u003elen \u003e AQ_CFG_RX_HDR_SIZE,\n then all fragments are accounted for."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:19.688Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/34147477eeab24077fcfe9649e282849347d760c"
},
{
"url": "https://git.kernel.org/stable/c/b0c4d5135b04ea100988e2458c98f2d8564cda16"
},
{
"url": "https://git.kernel.org/stable/c/5d6051ea1b0417ae2f06a8440d22e48fbc8f8997"
},
{
"url": "https://git.kernel.org/stable/c/3be37c3c96b16462394fcb8e15e757c691377038"
},
{
"url": "https://git.kernel.org/stable/c/3fd2105e1b7e041cc24be151c9a31a14d5fc50ab"
},
{
"url": "https://git.kernel.org/stable/c/64e47cd1fd631a21bf5a630cebefec6c8fc381cd"
},
{
"url": "https://git.kernel.org/stable/c/5ffcb7b890f61541201461580bb6622ace405aec"
}
],
"title": "net: atlantic: fix fragment overflow handling in RX path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68301",
"datePublished": "2025-12-16T15:06:19.688Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:19.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68366 (GCVE-0-2025-68366)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
nbd: defer config unlock in nbd_genl_connect
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: defer config unlock in nbd_genl_connect
There is one use-after-free warning when running NBD_CMD_CONNECT and
NBD_CLEAR_SOCK:
nbd_genl_connect
nbd_alloc_and_init_config // config_refs=1
nbd_start_device // config_refs=2
set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3
recv_work done // config_refs=2
NBD_CLEAR_SOCK // config_refs=1
close nbd // config_refs=0
refcount_inc -> uaf
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290
nbd_genl_connect+0x16d0/0x1ab0
genl_family_rcv_msg_doit+0x1f3/0x310
genl_rcv_msg+0x44a/0x790
The issue can be easily reproduced by adding a small delay before
refcount_inc(&nbd->config_refs) in nbd_genl_connect():
mutex_unlock(&nbd->config_lock);
if (!ret) {
set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
+ printk("before sleep\n");
+ mdelay(5 * 1000);
+ printk("after sleep\n");
refcount_inc(&nbd->config_refs);
nbd_connect_reply(info, nbd->index);
}
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < 330d688a5ca53857828081a3cf31b92ad1b0b3ed
(git)
Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < cd93db1b1b4460e6ee77564024ea461e5940f69c (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < ae3e7bc1f4b393ae20e5c85583eb2c6977374716 (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < 2e5e0665a594f076ef2b9439447bae8be293d09d (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < c9b99c948b4fb014812afe7b5ccf2db121d22e46 (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < 9a38306643874566d20f7aba7dff9e6f657b51a9 (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < c9e805f6a35d1dd189a9345595a5c20e87611942 (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < 1649714b930f9ea6233ce0810ba885999da3b5d4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "330d688a5ca53857828081a3cf31b92ad1b0b3ed",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "cd93db1b1b4460e6ee77564024ea461e5940f69c",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "ae3e7bc1f4b393ae20e5c85583eb2c6977374716",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "2e5e0665a594f076ef2b9439447bae8be293d09d",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "c9b99c948b4fb014812afe7b5ccf2db121d22e46",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "9a38306643874566d20f7aba7dff9e6f657b51a9",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "c9e805f6a35d1dd189a9345595a5c20e87611942",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "1649714b930f9ea6233ce0810ba885999da3b5d4",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: defer config unlock in nbd_genl_connect\n\nThere is one use-after-free warning when running NBD_CMD_CONNECT and\nNBD_CLEAR_SOCK:\n\nnbd_genl_connect\n nbd_alloc_and_init_config // config_refs=1\n nbd_start_device // config_refs=2\n set NBD_RT_HAS_CONFIG_REF\t\t\topen nbd // config_refs=3\n recv_work done // config_refs=2\n\t\t\t\t\t\tNBD_CLEAR_SOCK // config_refs=1\n\t\t\t\t\t\tclose nbd // config_refs=0\n refcount_inc -\u003e uaf\n\n------------[ cut here ]------------\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290\n nbd_genl_connect+0x16d0/0x1ab0\n genl_family_rcv_msg_doit+0x1f3/0x310\n genl_rcv_msg+0x44a/0x790\n\nThe issue can be easily reproduced by adding a small delay before\nrefcount_inc(\u0026nbd-\u003econfig_refs) in nbd_genl_connect():\n\n mutex_unlock(\u0026nbd-\u003econfig_lock);\n if (!ret) {\n set_bit(NBD_RT_HAS_CONFIG_REF, \u0026config-\u003eruntime_flags);\n+ printk(\"before sleep\\n\");\n+ mdelay(5 * 1000);\n+ printk(\"after sleep\\n\");\n refcount_inc(\u0026nbd-\u003econfig_refs);\n nbd_connect_reply(info, nbd-\u003eindex);\n }"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:02.582Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/330d688a5ca53857828081a3cf31b92ad1b0b3ed"
},
{
"url": "https://git.kernel.org/stable/c/cd93db1b1b4460e6ee77564024ea461e5940f69c"
},
{
"url": "https://git.kernel.org/stable/c/ae3e7bc1f4b393ae20e5c85583eb2c6977374716"
},
{
"url": "https://git.kernel.org/stable/c/2e5e0665a594f076ef2b9439447bae8be293d09d"
},
{
"url": "https://git.kernel.org/stable/c/c9b99c948b4fb014812afe7b5ccf2db121d22e46"
},
{
"url": "https://git.kernel.org/stable/c/9a38306643874566d20f7aba7dff9e6f657b51a9"
},
{
"url": "https://git.kernel.org/stable/c/c9e805f6a35d1dd189a9345595a5c20e87611942"
},
{
"url": "https://git.kernel.org/stable/c/1649714b930f9ea6233ce0810ba885999da3b5d4"
}
],
"title": "nbd: defer config unlock in nbd_genl_connect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68366",
"datePublished": "2025-12-24T10:32:53.399Z",
"dateReserved": "2025-12-16T14:48:05.308Z",
"dateUpdated": "2026-02-09T08:32:02.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68734 (GCVE-0-2025-68734)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:58 – Updated: 2025-12-24 10:58
VLAI?
EPSS
Title
isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when
setup_instance() fails with an error code. Fix that by freeing the urb
before freeing the hw structure. Also change the error paths to use the
goto ladder style.
Compile tested only. Issue found using a prototype static analysis tool.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
69f52adb2d534afc41fcc658f155e01f0b322f9e , < 475032fa2bb82ffb592c321885e917e39f47357f
(git)
Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < adb7577e23a431fc53aa1b6107733c0d751015fb (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < b70c24827e11fdc71465f9207e974526fb457bb9 (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < 3f7c72bc73c4e542fde14cce017549d8a0b61a3c (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < 03695541b3349bc40bf5d6563d44d6147fb20260 (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < 6dce43433e0635e7b00346bc937b69ce48ea71bb (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < ea7936304ed74ab7f965d17f942a173ce91a5ca8 (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < 3f978e3f1570155a1327ffa25f60968bc7b9398f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/isdn/hardware/mISDN/hfcsusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "475032fa2bb82ffb592c321885e917e39f47357f",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "adb7577e23a431fc53aa1b6107733c0d751015fb",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "b70c24827e11fdc71465f9207e974526fb457bb9",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "3f7c72bc73c4e542fde14cce017549d8a0b61a3c",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "03695541b3349bc40bf5d6563d44d6147fb20260",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "6dce43433e0635e7b00346bc937b69ce48ea71bb",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "ea7936304ed74ab7f965d17f942a173ce91a5ca8",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "3f978e3f1570155a1327ffa25f60968bc7b9398f",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/isdn/hardware/mISDN/hfcsusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nisdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()\n\nIn hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when\nsetup_instance() fails with an error code. Fix that by freeing the urb\nbefore freeing the hw structure. Also change the error paths to use the\ngoto ladder style.\n\nCompile tested only. Issue found using a prototype static analysis tool."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:58:49.938Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/475032fa2bb82ffb592c321885e917e39f47357f"
},
{
"url": "https://git.kernel.org/stable/c/adb7577e23a431fc53aa1b6107733c0d751015fb"
},
{
"url": "https://git.kernel.org/stable/c/b70c24827e11fdc71465f9207e974526fb457bb9"
},
{
"url": "https://git.kernel.org/stable/c/3f7c72bc73c4e542fde14cce017549d8a0b61a3c"
},
{
"url": "https://git.kernel.org/stable/c/03695541b3349bc40bf5d6563d44d6147fb20260"
},
{
"url": "https://git.kernel.org/stable/c/6dce43433e0635e7b00346bc937b69ce48ea71bb"
},
{
"url": "https://git.kernel.org/stable/c/ea7936304ed74ab7f965d17f942a173ce91a5ca8"
},
{
"url": "https://git.kernel.org/stable/c/3f978e3f1570155a1327ffa25f60968bc7b9398f"
}
],
"title": "isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68734",
"datePublished": "2025-12-24T10:58:49.938Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2025-12-24T10:58:49.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-47599 (GCVE-0-2021-47599)
Vulnerability from cvelistv5 – Published: 2024-06-19 14:54 – Updated: 2025-12-18 11:38
VLAI?
EPSS
Title
btrfs: use latest_dev in btrfs_show_devname
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: use latest_dev in btrfs_show_devname
The test case btrfs/238 reports the warning below:
WARNING: CPU: 3 PID: 481 at fs/btrfs/super.c:2509 btrfs_show_devname+0x104/0x1e8 [btrfs]
CPU: 2 PID: 1 Comm: systemd Tainted: G W O 5.14.0-rc1-custom #72
Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
Call trace:
btrfs_show_devname+0x108/0x1b4 [btrfs]
show_mountinfo+0x234/0x2c4
m_show+0x28/0x34
seq_read_iter+0x12c/0x3c4
vfs_read+0x29c/0x2c8
ksys_read+0x80/0xec
__arm64_sys_read+0x28/0x34
invoke_syscall+0x50/0xf8
do_el0_svc+0x88/0x138
el0_svc+0x2c/0x8c
el0t_64_sync_handler+0x84/0xe4
el0t_64_sync+0x198/0x19c
Reason:
While btrfs_prepare_sprout() moves the fs_devices::devices into
fs_devices::seed_list, the btrfs_show_devname() searches for the devices
and found none, leading to the warning as in above.
Fix:
latest_dev is updated according to the changes to the device list.
That means we could use the latest_dev->name to show the device name in
/proc/self/mounts, the pointer will be always valid as it's assigned
before the device is deleted from the list in remove or replace.
The RCU protection is sufficient as the device structure is freed after
synchronization.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4faf55b03823e96c44dc4e364520000ed3b12fdb , < e342c2558016ead462f376b6c6c2ac5efc17f3b1
(git)
Affected: 4faf55b03823e96c44dc4e364520000ed3b12fdb , < 6605fd2f394bba0a0059df2b6cfc87b0b6d393a2 (git) Affected: fa511954694cbea4d0cb59c81c8670276920c08c (git) Affected: 3d3452920cacc3a46444ecca26af5d181410ff19 (git) Affected: ca21728e18d34fd5f449bb0581160e0eaee498a6 (git) Affected: 1c986b7e8c1bf8fabbc294036b003286cc3a8c7e (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:47:39.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e342c2558016ead462f376b6c6c2ac5efc17f3b1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6605fd2f394bba0a0059df2b6cfc87b0b6d393a2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:12:17.610471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:51.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e342c2558016ead462f376b6c6c2ac5efc17f3b1",
"status": "affected",
"version": "4faf55b03823e96c44dc4e364520000ed3b12fdb",
"versionType": "git"
},
{
"lessThan": "6605fd2f394bba0a0059df2b6cfc87b0b6d393a2",
"status": "affected",
"version": "4faf55b03823e96c44dc4e364520000ed3b12fdb",
"versionType": "git"
},
{
"status": "affected",
"version": "fa511954694cbea4d0cb59c81c8670276920c08c",
"versionType": "git"
},
{
"status": "affected",
"version": "3d3452920cacc3a46444ecca26af5d181410ff19",
"versionType": "git"
},
{
"status": "affected",
"version": "ca21728e18d34fd5f449bb0581160e0eaee498a6",
"versionType": "git"
},
{
"status": "affected",
"version": "1c986b7e8c1bf8fabbc294036b003286cc3a8c7e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.11",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.7.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: use latest_dev in btrfs_show_devname\n\nThe test case btrfs/238 reports the warning below:\n\n WARNING: CPU: 3 PID: 481 at fs/btrfs/super.c:2509 btrfs_show_devname+0x104/0x1e8 [btrfs]\n CPU: 2 PID: 1 Comm: systemd Tainted: G W O 5.14.0-rc1-custom #72\n Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015\n Call trace:\n btrfs_show_devname+0x108/0x1b4 [btrfs]\n show_mountinfo+0x234/0x2c4\n m_show+0x28/0x34\n seq_read_iter+0x12c/0x3c4\n vfs_read+0x29c/0x2c8\n ksys_read+0x80/0xec\n __arm64_sys_read+0x28/0x34\n invoke_syscall+0x50/0xf8\n do_el0_svc+0x88/0x138\n el0_svc+0x2c/0x8c\n el0t_64_sync_handler+0x84/0xe4\n el0t_64_sync+0x198/0x19c\n\nReason:\nWhile btrfs_prepare_sprout() moves the fs_devices::devices into\nfs_devices::seed_list, the btrfs_show_devname() searches for the devices\nand found none, leading to the warning as in above.\n\nFix:\nlatest_dev is updated according to the changes to the device list.\nThat means we could use the latest_dev-\u003ename to show the device name in\n/proc/self/mounts, the pointer will be always valid as it\u0027s assigned\nbefore the device is deleted from the list in remove or replace.\nThe RCU protection is sufficient as the device structure is freed after\nsynchronization."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T11:38:03.389Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e342c2558016ead462f376b6c6c2ac5efc17f3b1"
},
{
"url": "https://git.kernel.org/stable/c/6605fd2f394bba0a0059df2b6cfc87b0b6d393a2"
}
],
"title": "btrfs: use latest_dev in btrfs_show_devname",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47599",
"datePublished": "2024-06-19T14:54:00.272Z",
"dateReserved": "2024-05-24T15:11:00.735Z",
"dateUpdated": "2025-12-18T11:38:03.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40292 (GCVE-0-2025-40292)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
virtio-net: fix received length check in big packets
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio-net: fix received length check in big packets
Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length
for big packets"), when guest gso is off, the allocated size for big
packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on
negotiated MTU. The number of allocated frags for big packets is stored
in vi->big_packets_num_skbfrags.
Because the host announced buffer length can be malicious (e.g. the host
vhost_net driver's get_rx_bufs is modified to announce incorrect
length), we need a check in virtio_net receive path. Currently, the
check is not adapted to the new change which can lead to NULL page
pointer dereference in the below while loop when receiving length that
is larger than the allocated one.
This commit fixes the received length check corresponding to the new
change.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4959aebba8c06992abafa09d1e80965e0825af54 , < 82f9028e83944a9eee5229cbc6fee9be1de8a62d
(git)
Affected: 4959aebba8c06992abafa09d1e80965e0825af54 , < 946dec89c41726b94d31147ec528b96af0be1b5a (git) Affected: 4959aebba8c06992abafa09d1e80965e0825af54 , < 82fe78065450d2d07f36a22e2b6b44955cf5ca5b (git) Affected: 4959aebba8c06992abafa09d1e80965e0825af54 , < 3e9d89f2ecd3636bd4cbdfd0b2dfdaf58f9882e2 (git) Affected: 4959aebba8c06992abafa09d1e80965e0825af54 , < 0c716703965ffc5ef4311b65cb5d84a703784717 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/virtio_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82f9028e83944a9eee5229cbc6fee9be1de8a62d",
"status": "affected",
"version": "4959aebba8c06992abafa09d1e80965e0825af54",
"versionType": "git"
},
{
"lessThan": "946dec89c41726b94d31147ec528b96af0be1b5a",
"status": "affected",
"version": "4959aebba8c06992abafa09d1e80965e0825af54",
"versionType": "git"
},
{
"lessThan": "82fe78065450d2d07f36a22e2b6b44955cf5ca5b",
"status": "affected",
"version": "4959aebba8c06992abafa09d1e80965e0825af54",
"versionType": "git"
},
{
"lessThan": "3e9d89f2ecd3636bd4cbdfd0b2dfdaf58f9882e2",
"status": "affected",
"version": "4959aebba8c06992abafa09d1e80965e0825af54",
"versionType": "git"
},
{
"lessThan": "0c716703965ffc5ef4311b65cb5d84a703784717",
"status": "affected",
"version": "4959aebba8c06992abafa09d1e80965e0825af54",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/virtio_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: fix received length check in big packets\n\nSince commit 4959aebba8c0 (\"virtio-net: use mtu size as buffer length\nfor big packets\"), when guest gso is off, the allocated size for big\npackets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on\nnegotiated MTU. The number of allocated frags for big packets is stored\nin vi-\u003ebig_packets_num_skbfrags.\n\nBecause the host announced buffer length can be malicious (e.g. the host\nvhost_net driver\u0027s get_rx_bufs is modified to announce incorrect\nlength), we need a check in virtio_net receive path. Currently, the\ncheck is not adapted to the new change which can lead to NULL page\npointer dereference in the below while loop when receiving length that\nis larger than the allocated one.\n\nThis commit fixes the received length check corresponding to the new\nchange."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:15.761Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82f9028e83944a9eee5229cbc6fee9be1de8a62d"
},
{
"url": "https://git.kernel.org/stable/c/946dec89c41726b94d31147ec528b96af0be1b5a"
},
{
"url": "https://git.kernel.org/stable/c/82fe78065450d2d07f36a22e2b6b44955cf5ca5b"
},
{
"url": "https://git.kernel.org/stable/c/3e9d89f2ecd3636bd4cbdfd0b2dfdaf58f9882e2"
},
{
"url": "https://git.kernel.org/stable/c/0c716703965ffc5ef4311b65cb5d84a703784717"
}
],
"title": "virtio-net: fix received length check in big packets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40292",
"datePublished": "2025-12-08T00:46:15.761Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-08T00:46:15.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23021 (GCVE-0-2026-23021)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:39 – Updated: 2026-02-09 08:37
VLAI?
EPSS
Title
net: usb: pegasus: fix memory leak in update_eth_regs_async()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: pegasus: fix memory leak in update_eth_regs_async()
When asynchronously writing to the device registers and if usb_submit_urb()
fail, the code fail to release allocated to this point resources.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
323b34963d113efb566635f43858f40cce01d5f9 , < 5397ea6d21c35a17707e201a60761bdee00bcc4e
(git)
Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < a40af9a2904a1ab8ce61866ebe2a894ef30754ba (git) Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < ac5d92d2826dec51e5d4c6854865bc5817277452 (git) Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < 93f18eaa190374e0f2d253e3b1a65cee19a7abe6 (git) Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < 471dfb97599eec74e0476046b3ef8e7037f27b34 (git) Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < ce6eef731aba23a988decea1df3b08cf978f7b01 (git) Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < afa27621a28af317523e0836dad430bec551eb54 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/pegasus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5397ea6d21c35a17707e201a60761bdee00bcc4e",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "a40af9a2904a1ab8ce61866ebe2a894ef30754ba",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "ac5d92d2826dec51e5d4c6854865bc5817277452",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "93f18eaa190374e0f2d253e3b1a65cee19a7abe6",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "471dfb97599eec74e0476046b3ef8e7037f27b34",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "ce6eef731aba23a988decea1df3b08cf978f7b01",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "afa27621a28af317523e0836dad430bec551eb54",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/pegasus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: pegasus: fix memory leak in update_eth_regs_async()\n\nWhen asynchronously writing to the device registers and if usb_submit_urb()\nfail, the code fail to release allocated to this point resources."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:14.933Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5397ea6d21c35a17707e201a60761bdee00bcc4e"
},
{
"url": "https://git.kernel.org/stable/c/a40af9a2904a1ab8ce61866ebe2a894ef30754ba"
},
{
"url": "https://git.kernel.org/stable/c/ac5d92d2826dec51e5d4c6854865bc5817277452"
},
{
"url": "https://git.kernel.org/stable/c/93f18eaa190374e0f2d253e3b1a65cee19a7abe6"
},
{
"url": "https://git.kernel.org/stable/c/471dfb97599eec74e0476046b3ef8e7037f27b34"
},
{
"url": "https://git.kernel.org/stable/c/ce6eef731aba23a988decea1df3b08cf978f7b01"
},
{
"url": "https://git.kernel.org/stable/c/afa27621a28af317523e0836dad430bec551eb54"
}
],
"title": "net: usb: pegasus: fix memory leak in update_eth_regs_async()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23021",
"datePublished": "2026-01-31T11:39:05.152Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-02-09T08:37:14.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40008 (GCVE-0-2025-40008)
Vulnerability from cvelistv5 – Published: 2025-10-20 15:26 – Updated: 2025-10-20 15:26
VLAI?
EPSS
Title
kmsan: fix out-of-bounds access to shadow memory
Summary
In the Linux kernel, the following vulnerability has been resolved:
kmsan: fix out-of-bounds access to shadow memory
Running sha224_kunit on a KMSAN-enabled kernel results in a crash in
kmsan_internal_set_shadow_origin():
BUG: unable to handle page fault for address: ffffbc3840291000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0
Oops: 0000 [#1] SMP NOPTI
CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #10 PREEMPT(voluntary)
Tainted: [N]=TEST
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100
[...]
Call Trace:
<TASK>
__msan_memset+0xee/0x1a0
sha224_final+0x9e/0x350
test_hash_buffer_overruns+0x46f/0x5f0
? kmsan_get_shadow_origin_ptr+0x46/0xa0
? __pfx_test_hash_buffer_overruns+0x10/0x10
kunit_try_run_case+0x198/0xa00
This occurs when memset() is called on a buffer that is not 4-byte aligned
and extends to the end of a guard page, i.e. the next page is unmapped.
The bug is that the loop at the end of kmsan_internal_set_shadow_origin()
accesses the wrong shadow memory bytes when the address is not 4-byte
aligned. Since each 4 bytes are associated with an origin, it rounds the
address and size so that it can access all the origins that contain the
buffer. However, when it checks the corresponding shadow bytes for a
particular origin, it incorrectly uses the original unrounded shadow
address. This results in reads from shadow memory beyond the end of the
buffer's shadow memory, which crashes when that memory is not mapped.
To fix this, correctly align the shadow address before accessing the 4
shadow bytes corresponding to each origin.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9ff078f5bad8990091f1639347de5e02636e9536 , < e6684ed39edc35401a3341f85b1ab50a6f89a45d
(git)
Affected: 19e85d939001946671643f4c16e1de8c633a6ce0 , < df1fa034c0fc229a63d01ffb20bb919b839cb576 (git) Affected: 2ef3cec44c60ae171b287db7fc2aa341586d65ba , < f84e48707051812289b6c2684d4df2daa9d3bfbc (git) Affected: 2ef3cec44c60ae171b287db7fc2aa341586d65ba , < 5855792c6bb9a825607845db3feaddaff0414ec3 (git) Affected: 2ef3cec44c60ae171b287db7fc2aa341586d65ba , < 85e1ff61060a765d91ee62dc5606d4d547d9d105 (git) Affected: abeede7011da6c88e83ed260b909c140b8c9c250 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/kmsan/core.c",
"mm/kmsan/kmsan_test.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e6684ed39edc35401a3341f85b1ab50a6f89a45d",
"status": "affected",
"version": "9ff078f5bad8990091f1639347de5e02636e9536",
"versionType": "git"
},
{
"lessThan": "df1fa034c0fc229a63d01ffb20bb919b839cb576",
"status": "affected",
"version": "19e85d939001946671643f4c16e1de8c633a6ce0",
"versionType": "git"
},
{
"lessThan": "f84e48707051812289b6c2684d4df2daa9d3bfbc",
"status": "affected",
"version": "2ef3cec44c60ae171b287db7fc2aa341586d65ba",
"versionType": "git"
},
{
"lessThan": "5855792c6bb9a825607845db3feaddaff0414ec3",
"status": "affected",
"version": "2ef3cec44c60ae171b287db7fc2aa341586d65ba",
"versionType": "git"
},
{
"lessThan": "85e1ff61060a765d91ee62dc5606d4d547d9d105",
"status": "affected",
"version": "2ef3cec44c60ae171b287db7fc2aa341586d65ba",
"versionType": "git"
},
{
"status": "affected",
"version": "abeede7011da6c88e83ed260b909c140b8c9c250",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/kmsan/core.c",
"mm/kmsan/kmsan_test.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "6.1.94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "6.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.9.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkmsan: fix out-of-bounds access to shadow memory\n\nRunning sha224_kunit on a KMSAN-enabled kernel results in a crash in\nkmsan_internal_set_shadow_origin():\n\n BUG: unable to handle page fault for address: ffffbc3840291000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0\n Oops: 0000 [#1] SMP NOPTI\n CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #10 PREEMPT(voluntary)\n Tainted: [N]=TEST\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100\n [...]\n Call Trace:\n \u003cTASK\u003e\n __msan_memset+0xee/0x1a0\n sha224_final+0x9e/0x350\n test_hash_buffer_overruns+0x46f/0x5f0\n ? kmsan_get_shadow_origin_ptr+0x46/0xa0\n ? __pfx_test_hash_buffer_overruns+0x10/0x10\n kunit_try_run_case+0x198/0xa00\n\nThis occurs when memset() is called on a buffer that is not 4-byte aligned\nand extends to the end of a guard page, i.e. the next page is unmapped.\n\nThe bug is that the loop at the end of kmsan_internal_set_shadow_origin()\naccesses the wrong shadow memory bytes when the address is not 4-byte\naligned. Since each 4 bytes are associated with an origin, it rounds the\naddress and size so that it can access all the origins that contain the\nbuffer. However, when it checks the corresponding shadow bytes for a\nparticular origin, it incorrectly uses the original unrounded shadow\naddress. This results in reads from shadow memory beyond the end of the\nbuffer\u0027s shadow memory, which crashes when that memory is not mapped.\n\nTo fix this, correctly align the shadow address before accessing the 4\nshadow bytes corresponding to each origin."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:26:54.568Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e6684ed39edc35401a3341f85b1ab50a6f89a45d"
},
{
"url": "https://git.kernel.org/stable/c/df1fa034c0fc229a63d01ffb20bb919b839cb576"
},
{
"url": "https://git.kernel.org/stable/c/f84e48707051812289b6c2684d4df2daa9d3bfbc"
},
{
"url": "https://git.kernel.org/stable/c/5855792c6bb9a825607845db3feaddaff0414ec3"
},
{
"url": "https://git.kernel.org/stable/c/85e1ff61060a765d91ee62dc5606d4d547d9d105"
}
],
"title": "kmsan: fix out-of-bounds access to shadow memory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40008",
"datePublished": "2025-10-20T15:26:54.568Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-20T15:26:54.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40140 (GCVE-0-2025-40140)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast
syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.
This is the sequence of events that leads to the warning:
rtl8150_start_xmit() {
netif_stop_queue();
usb_submit_urb(dev->tx_urb);
}
rtl8150_set_multicast() {
netif_stop_queue();
netif_wake_queue(); <-- wakes up TX queue before URB is done
}
rtl8150_start_xmit() {
netif_stop_queue();
usb_submit_urb(dev->tx_urb); <-- double submission
}
rtl8150_set_multicast being the ndo_set_rx_mode callback should not be
calling netif_stop_queue and notif_start_queue as these handle
TX queue synchronization.
The net core function dev_set_rx_mode handles the synchronization
for rtl8150_set_multicast making it safe to remove these locks.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cce3c0e21cdd15bcba5c35d3af1700186de8f187
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1a08a37ac03d07a1608a1592791041cac979fbc3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 54f8ef1a970a8376e5846ed90854decf7c00555d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 114e05344763a102a8844efd96ec06ba99293ccd (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6394bade9daab8e318c165fe43bba012bf13cd8e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6053e47bbf212b93c051beb4261d7d5a409d0ce3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9d72df7f5eac946f853bf49c428c4e87a17d91da (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 958baf5eaee394e5fd976979b0791a875f14a179 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rtl8150.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cce3c0e21cdd15bcba5c35d3af1700186de8f187",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1a08a37ac03d07a1608a1592791041cac979fbc3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "54f8ef1a970a8376e5846ed90854decf7c00555d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "114e05344763a102a8844efd96ec06ba99293ccd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6394bade9daab8e318c165fe43bba012bf13cd8e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6053e47bbf212b93c051beb4261d7d5a409d0ce3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d72df7f5eac946f853bf49c428c4e87a17d91da",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "958baf5eaee394e5fd976979b0791a875f14a179",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rtl8150.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast\n\nsyzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.\nThis is the sequence of events that leads to the warning:\n\nrtl8150_start_xmit() {\n\tnetif_stop_queue();\n\tusb_submit_urb(dev-\u003etx_urb);\n}\n\nrtl8150_set_multicast() {\n\tnetif_stop_queue();\n\tnetif_wake_queue();\t\t\u003c-- wakes up TX queue before URB is done\n}\n\nrtl8150_start_xmit() {\n\tnetif_stop_queue();\n\tusb_submit_urb(dev-\u003etx_urb);\t\u003c-- double submission\n}\n\nrtl8150_set_multicast being the ndo_set_rx_mode callback should not be\ncalling netif_stop_queue and notif_start_queue as these handle\nTX queue synchronization.\n\nThe net core function dev_set_rx_mode handles the synchronization\nfor rtl8150_set_multicast making it safe to remove these locks."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:48.351Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cce3c0e21cdd15bcba5c35d3af1700186de8f187"
},
{
"url": "https://git.kernel.org/stable/c/1a08a37ac03d07a1608a1592791041cac979fbc3"
},
{
"url": "https://git.kernel.org/stable/c/54f8ef1a970a8376e5846ed90854decf7c00555d"
},
{
"url": "https://git.kernel.org/stable/c/114e05344763a102a8844efd96ec06ba99293ccd"
},
{
"url": "https://git.kernel.org/stable/c/6394bade9daab8e318c165fe43bba012bf13cd8e"
},
{
"url": "https://git.kernel.org/stable/c/6053e47bbf212b93c051beb4261d7d5a409d0ce3"
},
{
"url": "https://git.kernel.org/stable/c/9d72df7f5eac946f853bf49c428c4e87a17d91da"
},
{
"url": "https://git.kernel.org/stable/c/958baf5eaee394e5fd976979b0791a875f14a179"
}
],
"title": "net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40140",
"datePublished": "2025-11-12T10:23:24.586Z",
"dateReserved": "2025-04-16T07:20:57.171Z",
"dateUpdated": "2025-12-01T06:18:48.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68796 (GCVE-0-2025-68796)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
f2fs: fix to avoid updating zero-sized extent in extent cache
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid updating zero-sized extent in extent cache
As syzbot reported:
F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0]
------------[ cut here ]------------
kernel BUG at fs/f2fs/extent_cache.c:678!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678
Call Trace:
<TASK>
f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085
f2fs_do_zero_range fs/f2fs/file.c:1657 [inline]
f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737
f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030
vfs_fallocate+0x669/0x7e0 fs/open.c:342
ioctl_preallocate fs/ioctl.c:289 [inline]
file_ioctl+0x611/0x780 fs/ioctl.c:-1
do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576
__do_sys_ioctl fs/ioctl.c:595 [inline]
__se_sys_ioctl+0x82/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f07bc58eec9
In error path of f2fs_zero_range(), it may add a zero-sized extent
into extent cache, it should be avoided.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6e9619499f53b22ead972e476c0e8341c997d929 , < 9c07bd262c13ca922adad6e7613d48505f97f548
(git)
Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < 72c58a82e6fb7b327e8701f5786c70c3edc56188 (git) Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < e50b81c50fcbe63f50405bb40f262162ff32af88 (git) Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < efe3371001f50a2d6f746b50bdc6f9f26b2089ec (git) Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < 4f244c64efe628d277b916f47071adf480eb8646 (git) Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < bac23833220a1f8fe8dfab7e16efa20ff64d7589 (git) Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < 7c37c79510329cd951a4dedf3f7bf7e2b18dccec (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9c07bd262c13ca922adad6e7613d48505f97f548",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "72c58a82e6fb7b327e8701f5786c70c3edc56188",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "e50b81c50fcbe63f50405bb40f262162ff32af88",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "efe3371001f50a2d6f746b50bdc6f9f26b2089ec",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "4f244c64efe628d277b916f47071adf480eb8646",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "bac23833220a1f8fe8dfab7e16efa20ff64d7589",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "7c37c79510329cd951a4dedf3f7bf7e2b18dccec",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid updating zero-sized extent in extent cache\n\nAs syzbot reported:\n\nF2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0]\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/extent_cache.c:678!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678\nCall Trace:\n \u003cTASK\u003e\n f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085\n f2fs_do_zero_range fs/f2fs/file.c:1657 [inline]\n f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737\n f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030\n vfs_fallocate+0x669/0x7e0 fs/open.c:342\n ioctl_preallocate fs/ioctl.c:289 [inline]\n file_ioctl+0x611/0x780 fs/ioctl.c:-1\n do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576\n __do_sys_ioctl fs/ioctl.c:595 [inline]\n __se_sys_ioctl+0x82/0x170 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f07bc58eec9\n\nIn error path of f2fs_zero_range(), it may add a zero-sized extent\ninto extent cache, it should be avoided."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:44.079Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9c07bd262c13ca922adad6e7613d48505f97f548"
},
{
"url": "https://git.kernel.org/stable/c/72c58a82e6fb7b327e8701f5786c70c3edc56188"
},
{
"url": "https://git.kernel.org/stable/c/e50b81c50fcbe63f50405bb40f262162ff32af88"
},
{
"url": "https://git.kernel.org/stable/c/efe3371001f50a2d6f746b50bdc6f9f26b2089ec"
},
{
"url": "https://git.kernel.org/stable/c/4f244c64efe628d277b916f47071adf480eb8646"
},
{
"url": "https://git.kernel.org/stable/c/bac23833220a1f8fe8dfab7e16efa20ff64d7589"
},
{
"url": "https://git.kernel.org/stable/c/7c37c79510329cd951a4dedf3f7bf7e2b18dccec"
}
],
"title": "f2fs: fix to avoid updating zero-sized extent in extent cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68796",
"datePublished": "2026-01-13T15:29:06.892Z",
"dateReserved": "2025-12-24T10:30:51.042Z",
"dateUpdated": "2026-02-09T08:33:44.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40055 (GCVE-0-2025-40055)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
ocfs2: fix double free in user_cluster_connect()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix double free in user_cluster_connect()
user_cluster_disconnect() frees "conn->cc_private" which is "lc" but then
the error handling frees "lc" a second time. Set "lc" to NULL on this
path to avoid a double free.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 283333079d96c84baa91f0c62b5e0cbec246b7a2
(git)
Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < f992bc72f681c32a682d474a29c2135a64d4f4e5 (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 827c8efa0d1afe817b90f3618afff552e88348d2 (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < bfe011297ddd2d0cd64752978baaa0c04cd20573 (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 7e76fe9dfadbc00364d7523d5a109e9d3e4a7db2 (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 694d5b401036a614f8080085a9de6f86ff0742dc (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 892f41e12c8689130d552a9eb2b77bafd26484ab (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 8f45f089337d924db24397f55697cda0e6960516 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/stack_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "283333079d96c84baa91f0c62b5e0cbec246b7a2",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "f992bc72f681c32a682d474a29c2135a64d4f4e5",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "827c8efa0d1afe817b90f3618afff552e88348d2",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "bfe011297ddd2d0cd64752978baaa0c04cd20573",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "7e76fe9dfadbc00364d7523d5a109e9d3e4a7db2",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "694d5b401036a614f8080085a9de6f86ff0742dc",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "892f41e12c8689130d552a9eb2b77bafd26484ab",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "8f45f089337d924db24397f55697cda0e6960516",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/stack_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix double free in user_cluster_connect()\n\nuser_cluster_disconnect() frees \"conn-\u003ecc_private\" which is \"lc\" but then\nthe error handling frees \"lc\" a second time. Set \"lc\" to NULL on this\npath to avoid a double free."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:03.000Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/283333079d96c84baa91f0c62b5e0cbec246b7a2"
},
{
"url": "https://git.kernel.org/stable/c/f992bc72f681c32a682d474a29c2135a64d4f4e5"
},
{
"url": "https://git.kernel.org/stable/c/827c8efa0d1afe817b90f3618afff552e88348d2"
},
{
"url": "https://git.kernel.org/stable/c/bfe011297ddd2d0cd64752978baaa0c04cd20573"
},
{
"url": "https://git.kernel.org/stable/c/7e76fe9dfadbc00364d7523d5a109e9d3e4a7db2"
},
{
"url": "https://git.kernel.org/stable/c/694d5b401036a614f8080085a9de6f86ff0742dc"
},
{
"url": "https://git.kernel.org/stable/c/892f41e12c8689130d552a9eb2b77bafd26484ab"
},
{
"url": "https://git.kernel.org/stable/c/8f45f089337d924db24397f55697cda0e6960516"
}
],
"title": "ocfs2: fix double free in user_cluster_connect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40055",
"datePublished": "2025-10-28T11:48:29.665Z",
"dateReserved": "2025-04-16T07:20:57.157Z",
"dateUpdated": "2025-12-01T06:17:03.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68815 (GCVE-0-2025-68815)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
net/sched: ets: Remove drr class from the active list if it changes to strict
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: ets: Remove drr class from the active list if it changes to strict
Whenever a user issues an ets qdisc change command, transforming a
drr class into a strict one, the ets code isn't checking whether that
class was in the active list and removing it. This means that, if a
user changes a strict class (which was in the active list) back to a drr
one, that class will be added twice to the active list [1].
Doing so with the following commands:
tc qdisc add dev lo root handle 1: ets bands 2 strict 1
tc qdisc add dev lo parent 1:2 handle 20: \
tbf rate 8bit burst 100b latency 1s
tc filter add dev lo parent 1: basic classid 1:2
ping -c1 -W0.01 -s 56 127.0.0.1
tc qdisc change dev lo root handle 1: ets bands 2 strict 2
tc qdisc change dev lo root handle 1: ets bands 2 strict 1
ping -c1 -W0.01 -s 56 127.0.0.1
Will trigger the following splat with list debug turned on:
[ 59.279014][ T365] ------------[ cut here ]------------
[ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0.
[ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220
[ 59.280860][ T365] Modules linked in:
[ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary)
[ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220
[ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44
...
[ 59.288812][ T365] Call Trace:
[ 59.289056][ T365] <TASK>
[ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80
[ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0
[ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10
[ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240
[ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10
[ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.292313][ T365] ? trace_contention_end+0xc8/0x110
[ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0
Fix this by always checking and removing an ets class from the active list
when changing it to strict.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f517335a61ff8037b18ba1b0a002c1f82926a934 , < 58fdce6bc005e964f1dbc3ca716f5fe0f68839a2
(git)
Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < 02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87 (git) Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < 8067db5c95aab9461d23117679338cd8869831fa (git) Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < 2f125ebe47d6369e562f3cbd9b6227cff51eaf34 (git) Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < cca2ed931b734fe48139bc6f020e47367346630f (git) Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < 43d9a530c8c094d137159784e7c951c65f11ec6c (git) Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < b1e125ae425aba9b45252e933ca8df52a843ec70 (git) Affected: d05330672afe2e142ba97e63bd7c1faef76781bb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58fdce6bc005e964f1dbc3ca716f5fe0f68839a2",
"status": "affected",
"version": "f517335a61ff8037b18ba1b0a002c1f82926a934",
"versionType": "git"
},
{
"lessThan": "02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "8067db5c95aab9461d23117679338cd8869831fa",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "2f125ebe47d6369e562f3cbd9b6227cff51eaf34",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "cca2ed931b734fe48139bc6f020e47367346630f",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "43d9a530c8c094d137159784e7c951c65f11ec6c",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "b1e125ae425aba9b45252e933ca8df52a843ec70",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"status": "affected",
"version": "d05330672afe2e142ba97e63bd7c1faef76781bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: Remove drr class from the active list if it changes to strict\n\nWhenever a user issues an ets qdisc change command, transforming a\ndrr class into a strict one, the ets code isn\u0027t checking whether that\nclass was in the active list and removing it. This means that, if a\nuser changes a strict class (which was in the active list) back to a drr\none, that class will be added twice to the active list [1].\n\nDoing so with the following commands:\n\ntc qdisc add dev lo root handle 1: ets bands 2 strict 1\ntc qdisc add dev lo parent 1:2 handle 20: \\\n tbf rate 8bit burst 100b latency 1s\ntc filter add dev lo parent 1: basic classid 1:2\nping -c1 -W0.01 -s 56 127.0.0.1\ntc qdisc change dev lo root handle 1: ets bands 2 strict 2\ntc qdisc change dev lo root handle 1: ets bands 2 strict 1\nping -c1 -W0.01 -s 56 127.0.0.1\n\nWill trigger the following splat with list debug turned on:\n\n[ 59.279014][ T365] ------------[ cut here ]------------\n[ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0.\n[ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220\n[ 59.280860][ T365] Modules linked in:\n[ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary)\n[ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220\n[ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 \u003c0f\u003e 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44\n...\n[ 59.288812][ T365] Call Trace:\n[ 59.289056][ T365] \u003cTASK\u003e\n[ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80\n[ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0\n[ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10\n[ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240\n[ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10\n[ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.292313][ T365] ? trace_contention_end+0xc8/0x110\n[ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0\n\nFix this by always checking and removing an ets class from the active list\nwhen changing it to strict.\n\n[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:05.037Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58fdce6bc005e964f1dbc3ca716f5fe0f68839a2"
},
{
"url": "https://git.kernel.org/stable/c/02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87"
},
{
"url": "https://git.kernel.org/stable/c/8067db5c95aab9461d23117679338cd8869831fa"
},
{
"url": "https://git.kernel.org/stable/c/2f125ebe47d6369e562f3cbd9b6227cff51eaf34"
},
{
"url": "https://git.kernel.org/stable/c/cca2ed931b734fe48139bc6f020e47367346630f"
},
{
"url": "https://git.kernel.org/stable/c/43d9a530c8c094d137159784e7c951c65f11ec6c"
},
{
"url": "https://git.kernel.org/stable/c/b1e125ae425aba9b45252e933ca8df52a843ec70"
}
],
"title": "net/sched: ets: Remove drr class from the active list if it changes to strict",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68815",
"datePublished": "2026-01-13T15:29:19.789Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-02-09T08:34:05.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40126 (GCVE-0-2025-40126)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC
Summary
In the Linux kernel, the following vulnerability has been resolved:
sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC
The referenced commit introduced exception handlers on user-space memory
references in copy_from_user and copy_to_user. These handlers return from
the respective function and calculate the remaining bytes left to copy
using the current register contents. This commit fixes a couple of bad
calculations. This will fix the return value of copy_from_user and
copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada , < 0bf3dc3a2156f1c5ddaba4b85d09767874634114
(git)
Affected: cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada , < 41c18baee66134e6ef786eb075c1b6adb22432b0 (git) Affected: cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada , < 59424dc0d0e044b2eb007686a4724ddd91d57db5 (git) Affected: cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada , < 9b137f277cc3297044aabd950f589e505d30104c (git) Affected: cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada , < 674ff598148a28bae0b5372339de56f2abf0b1d1 (git) Affected: cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada , < 7de3a75bbc8465d816336c74d50109e73501efab (git) Affected: cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada , < 57c278500fce3cd4e1c540700c0b05426a958393 (git) Affected: cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada , < 4fba1713001195e59cfc001ff1f2837dab877efb (git) Affected: 1731d90d8a558ecb20cdee0c2c001ae8e15c251d (git) Affected: b0580eadc19ff3a617a7d07cfaf2a985153c114e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/sparc/lib/U1memcpy.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0bf3dc3a2156f1c5ddaba4b85d09767874634114",
"status": "affected",
"version": "cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada",
"versionType": "git"
},
{
"lessThan": "41c18baee66134e6ef786eb075c1b6adb22432b0",
"status": "affected",
"version": "cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada",
"versionType": "git"
},
{
"lessThan": "59424dc0d0e044b2eb007686a4724ddd91d57db5",
"status": "affected",
"version": "cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada",
"versionType": "git"
},
{
"lessThan": "9b137f277cc3297044aabd950f589e505d30104c",
"status": "affected",
"version": "cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada",
"versionType": "git"
},
{
"lessThan": "674ff598148a28bae0b5372339de56f2abf0b1d1",
"status": "affected",
"version": "cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada",
"versionType": "git"
},
{
"lessThan": "7de3a75bbc8465d816336c74d50109e73501efab",
"status": "affected",
"version": "cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada",
"versionType": "git"
},
{
"lessThan": "57c278500fce3cd4e1c540700c0b05426a958393",
"status": "affected",
"version": "cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada",
"versionType": "git"
},
{
"lessThan": "4fba1713001195e59cfc001ff1f2837dab877efb",
"status": "affected",
"version": "cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada",
"versionType": "git"
},
{
"status": "affected",
"version": "1731d90d8a558ecb20cdee0c2c001ae8e15c251d",
"versionType": "git"
},
{
"status": "affected",
"version": "b0580eadc19ff3a617a7d07cfaf2a985153c114e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/sparc/lib/U1memcpy.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.8.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC\n\nThe referenced commit introduced exception handlers on user-space memory\nreferences in copy_from_user and copy_to_user. These handlers return from\nthe respective function and calculate the remaining bytes left to copy\nusing the current register contents. This commit fixes a couple of bad\ncalculations. This will fix the return value of copy_from_user and\ncopy_to_user in the faulting case. The behaviour of memcpy stays unchanged."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:32.165Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0bf3dc3a2156f1c5ddaba4b85d09767874634114"
},
{
"url": "https://git.kernel.org/stable/c/41c18baee66134e6ef786eb075c1b6adb22432b0"
},
{
"url": "https://git.kernel.org/stable/c/59424dc0d0e044b2eb007686a4724ddd91d57db5"
},
{
"url": "https://git.kernel.org/stable/c/9b137f277cc3297044aabd950f589e505d30104c"
},
{
"url": "https://git.kernel.org/stable/c/674ff598148a28bae0b5372339de56f2abf0b1d1"
},
{
"url": "https://git.kernel.org/stable/c/7de3a75bbc8465d816336c74d50109e73501efab"
},
{
"url": "https://git.kernel.org/stable/c/57c278500fce3cd4e1c540700c0b05426a958393"
},
{
"url": "https://git.kernel.org/stable/c/4fba1713001195e59cfc001ff1f2837dab877efb"
}
],
"title": "sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40126",
"datePublished": "2025-11-12T10:23:20.460Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:32.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40092 (GCVE-0-2025-40092)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:47 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
usb: gadget: f_ncm: Refactor bind path to use __free()
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_ncm: Refactor bind path to use __free()
After an bind/unbind cycle, the ncm->notify_req is left stale. If a
subsequent bind fails, the unified error label attempts to free this
stale request, leading to a NULL pointer dereference when accessing
ep->ops->free_request.
Refactor the error handling in the bind path to use the __free()
automatic cleanup mechanism.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
Call trace:
usb_ep_free_request+0x2c/0xec
ncm_bind+0x39c/0x3dc
usb_add_function+0xcc/0x1f0
configfs_composite_bind+0x468/0x588
gadget_bind_driver+0x104/0x270
really_probe+0x190/0x374
__driver_probe_device+0xa0/0x12c
driver_probe_device+0x3c/0x218
__device_attach_driver+0x14c/0x188
bus_for_each_drv+0x10c/0x168
__device_attach+0xfc/0x198
device_initial_probe+0x14/0x24
bus_probe_device+0x94/0x11c
device_add+0x268/0x48c
usb_add_gadget+0x198/0x28c
dwc3_gadget_init+0x700/0x858
__dwc3_set_mode+0x3cc/0x664
process_scheduled_works+0x1d8/0x488
worker_thread+0x244/0x334
kthread+0x114/0x1bc
ret_from_fork+0x10/0x20
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9f6ce4240a2bf456402c15c06768059e5973f28c , < 185193a4714aa9c78437a7a1858fbe5771f0f45c
(git)
Affected: 9f6ce4240a2bf456402c15c06768059e5973f28c , < f37de8dec6a4c379b4b8486003a1de00ff8cff3b (git) Affected: 9f6ce4240a2bf456402c15c06768059e5973f28c , < 1cde4516295a030cb8ab4c93114ca3b6c3c6a1e2 (git) Affected: 9f6ce4240a2bf456402c15c06768059e5973f28c , < d3fe7143928d8dfa2ec7bac9f906b48bc75b98ee (git) Affected: 9f6ce4240a2bf456402c15c06768059e5973f28c , < ed78f4d6079d872432b1ed54f155ef61965d3137 (git) Affected: 9f6ce4240a2bf456402c15c06768059e5973f28c , < 75a5b8d4ddd4eb6b16cb0b475d14ff4ae64295ef (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_ncm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "185193a4714aa9c78437a7a1858fbe5771f0f45c",
"status": "affected",
"version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
"versionType": "git"
},
{
"lessThan": "f37de8dec6a4c379b4b8486003a1de00ff8cff3b",
"status": "affected",
"version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
"versionType": "git"
},
{
"lessThan": "1cde4516295a030cb8ab4c93114ca3b6c3c6a1e2",
"status": "affected",
"version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
"versionType": "git"
},
{
"lessThan": "d3fe7143928d8dfa2ec7bac9f906b48bc75b98ee",
"status": "affected",
"version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
"versionType": "git"
},
{
"lessThan": "ed78f4d6079d872432b1ed54f155ef61965d3137",
"status": "affected",
"version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
"versionType": "git"
},
{
"lessThan": "75a5b8d4ddd4eb6b16cb0b475d14ff4ae64295ef",
"status": "affected",
"version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_ncm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Refactor bind path to use __free()\n\nAfter an bind/unbind cycle, the ncm-\u003enotify_req is left stale. If a\nsubsequent bind fails, the unified error label attempts to free this\nstale request, leading to a NULL pointer dereference when accessing\nep-\u003eops-\u003efree_request.\n\nRefactor the error handling in the bind path to use the __free()\nautomatic cleanup mechanism.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000020\nCall trace:\n usb_ep_free_request+0x2c/0xec\n ncm_bind+0x39c/0x3dc\n usb_add_function+0xcc/0x1f0\n configfs_composite_bind+0x468/0x588\n gadget_bind_driver+0x104/0x270\n really_probe+0x190/0x374\n __driver_probe_device+0xa0/0x12c\n driver_probe_device+0x3c/0x218\n __device_attach_driver+0x14c/0x188\n bus_for_each_drv+0x10c/0x168\n __device_attach+0xfc/0x198\n device_initial_probe+0x14/0x24\n bus_probe_device+0x94/0x11c\n device_add+0x268/0x48c\n usb_add_gadget+0x198/0x28c\n dwc3_gadget_init+0x700/0x858\n __dwc3_set_mode+0x3cc/0x664\n process_scheduled_works+0x1d8/0x488\n worker_thread+0x244/0x334\n kthread+0x114/0x1bc\n ret_from_fork+0x10/0x20"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:51.389Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/185193a4714aa9c78437a7a1858fbe5771f0f45c"
},
{
"url": "https://git.kernel.org/stable/c/f37de8dec6a4c379b4b8486003a1de00ff8cff3b"
},
{
"url": "https://git.kernel.org/stable/c/1cde4516295a030cb8ab4c93114ca3b6c3c6a1e2"
},
{
"url": "https://git.kernel.org/stable/c/d3fe7143928d8dfa2ec7bac9f906b48bc75b98ee"
},
{
"url": "https://git.kernel.org/stable/c/ed78f4d6079d872432b1ed54f155ef61965d3137"
},
{
"url": "https://git.kernel.org/stable/c/75a5b8d4ddd4eb6b16cb0b475d14ff4ae64295ef"
}
],
"title": "usb: gadget: f_ncm: Refactor bind path to use __free()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40092",
"datePublished": "2025-10-30T09:47:59.910Z",
"dateReserved": "2025-04-16T07:20:57.163Z",
"dateUpdated": "2025-12-01T06:17:51.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40261 (GCVE-0-2025-40261)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:39
VLAI?
EPSS
Title
nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()
nvme_fc_delete_assocation() waits for pending I/O to complete before
returning, and an error can cause ->ioerr_work to be queued after
cancel_work_sync() had been called. Move the call to cancel_work_sync() to
be after nvme_fc_delete_association() to ensure ->ioerr_work is not running
when the nvme_fc_ctrl object is freed. Otherwise the following can occur:
[ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL
[ 1135.917705] ------------[ cut here ]------------
[ 1135.922336] kernel BUG at lib/list_debug.c:52!
[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)
[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025
[ 1135.950969] Workqueue: 0x0 (nvme-wq)
[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f
[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b
[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046
[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000
[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0
[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08
[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100
[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0
[ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000
[ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0
[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
[ 1136.055910] PKRU: 55555554
[ 1136.058623] Call Trace:
[ 1136.061074] <TASK>
[ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0
[ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0
[ 1136.071898] ? move_linked_works+0x4a/0xa0
[ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
[ 1136.081744] ? __die_body.cold+0x8/0x12
[ 1136.085584] ? die+0x2e/0x50
[ 1136.088469] ? do_trap+0xca/0x110
[ 1136.091789] ? do_error_trap+0x65/0x80
[ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
[ 1136.101289] ? exc_invalid_op+0x50/0x70
[ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
[ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20
[ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
[ 1136.120806] move_linked_works+0x4a/0xa0
[ 1136.124733] worker_thread+0x216/0x3a0
[ 1136.128485] ? __pfx_worker_thread+0x10/0x10
[ 1136.132758] kthread+0xfa/0x240
[ 1136.135904] ? __pfx_kthread+0x10/0x10
[ 1136.139657] ret_from_fork+0x31/0x50
[ 1136.143236] ? __pfx_kthread+0x10/0x10
[ 1136.146988] ret_from_fork_asm+0x1a/0x30
[ 1136.150915] </TASK>
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f1cd8c40936ff2b560e1f35159dd6a4602b558e5 , < 3d78e8e01251da032a5f7cbc9728e4ab1a5a5464
(git)
Affected: 19fce0470f05031e6af36e49ce222d0f0050d432 , < 60ba31330faf5677e2eebef7eac62ea9e42a200d (git) Affected: 19fce0470f05031e6af36e49ce222d0f0050d432 , < 3d81beae4753db3b3dc5b70dc300d4036e0d9cb8 (git) Affected: 19fce0470f05031e6af36e49ce222d0f0050d432 , < 33f64600a12055219bda38b55320c62cdeda9167 (git) Affected: 19fce0470f05031e6af36e49ce222d0f0050d432 , < 48ae433c6cc6985f647b1b37d8bb002972cf9bdb (git) Affected: 19fce0470f05031e6af36e49ce222d0f0050d432 , < fbd5741a556eaaa63d0908132ca79d335b58b1cd (git) Affected: 19fce0470f05031e6af36e49ce222d0f0050d432 , < 0a2c5495b6d1ecb0fa18ef6631450f391a888256 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d78e8e01251da032a5f7cbc9728e4ab1a5a5464",
"status": "affected",
"version": "f1cd8c40936ff2b560e1f35159dd6a4602b558e5",
"versionType": "git"
},
{
"lessThan": "60ba31330faf5677e2eebef7eac62ea9e42a200d",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
},
{
"lessThan": "3d81beae4753db3b3dc5b70dc300d4036e0d9cb8",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
},
{
"lessThan": "33f64600a12055219bda38b55320c62cdeda9167",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
},
{
"lessThan": "48ae433c6cc6985f647b1b37d8bb002972cf9bdb",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
},
{
"lessThan": "fbd5741a556eaaa63d0908132ca79d335b58b1cd",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
},
{
"lessThan": "0a2c5495b6d1ecb0fa18ef6631450f391a888256",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: nvme-fc: Ensure -\u003eioerr_work is cancelled in nvme_fc_delete_ctrl()\n\nnvme_fc_delete_assocation() waits for pending I/O to complete before\nreturning, and an error can cause -\u003eioerr_work to be queued after\ncancel_work_sync() had been called. Move the call to cancel_work_sync() to\nbe after nvme_fc_delete_association() to ensure -\u003eioerr_work is not running\nwhen the nvme_fc_ctrl object is freed. Otherwise the following can occur:\n\n[ 1135.911754] list_del corruption, ff2d24c8093f31f8-\u003enext is NULL\n[ 1135.917705] ------------[ cut here ]------------\n[ 1135.922336] kernel BUG at lib/list_debug.c:52!\n[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)\n[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025\n[ 1135.950969] Workqueue: 0x0 (nvme-wq)\n[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff \u003c0f\u003e 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b\n[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046\n[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000\n[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0\n[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08\n[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100\n[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0\n[ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000\n[ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0\n[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 1136.055910] PKRU: 55555554\n[ 1136.058623] Call Trace:\n[ 1136.061074] \u003cTASK\u003e\n[ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 1136.071898] ? move_linked_works+0x4a/0xa0\n[ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.081744] ? __die_body.cold+0x8/0x12\n[ 1136.085584] ? die+0x2e/0x50\n[ 1136.088469] ? do_trap+0xca/0x110\n[ 1136.091789] ? do_error_trap+0x65/0x80\n[ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.101289] ? exc_invalid_op+0x50/0x70\n[ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20\n[ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.120806] move_linked_works+0x4a/0xa0\n[ 1136.124733] worker_thread+0x216/0x3a0\n[ 1136.128485] ? __pfx_worker_thread+0x10/0x10\n[ 1136.132758] kthread+0xfa/0x240\n[ 1136.135904] ? __pfx_kthread+0x10/0x10\n[ 1136.139657] ret_from_fork+0x31/0x50\n[ 1136.143236] ? __pfx_kthread+0x10/0x10\n[ 1136.146988] ret_from_fork_asm+0x1a/0x30\n[ 1136.150915] \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:39:00.900Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d78e8e01251da032a5f7cbc9728e4ab1a5a5464"
},
{
"url": "https://git.kernel.org/stable/c/60ba31330faf5677e2eebef7eac62ea9e42a200d"
},
{
"url": "https://git.kernel.org/stable/c/3d81beae4753db3b3dc5b70dc300d4036e0d9cb8"
},
{
"url": "https://git.kernel.org/stable/c/33f64600a12055219bda38b55320c62cdeda9167"
},
{
"url": "https://git.kernel.org/stable/c/48ae433c6cc6985f647b1b37d8bb002972cf9bdb"
},
{
"url": "https://git.kernel.org/stable/c/fbd5741a556eaaa63d0908132ca79d335b58b1cd"
},
{
"url": "https://git.kernel.org/stable/c/0a2c5495b6d1ecb0fa18ef6631450f391a888256"
}
],
"title": "nvme: nvme-fc: Ensure -\u003eioerr_work is cancelled in nvme_fc_delete_ctrl()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40261",
"datePublished": "2025-12-04T16:08:21.345Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2025-12-06T21:39:00.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68752 (GCVE-0-2025-68752)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
iavf: Implement settime64 with -EOPNOTSUPP
Summary
In the Linux kernel, the following vulnerability has been resolved:
iavf: Implement settime64 with -EOPNOTSUPP
ptp_clock_settime() assumes every ptp_clock has implemented settime64().
Stub it with -EOPNOTSUPP to prevent a NULL dereference.
The fix is similar to commit 329d050bbe63 ("gve: Implement settime64
with -EOPNOTSUPP").
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d734223b2f0dc4f5826204ee628ad6273148223d , < 9e3dbc3bb2e2aa728b49422b2e5344488f93f690
(git)
Affected: d734223b2f0dc4f5826204ee628ad6273148223d , < 6d080f810ffd6b8e002ce5bee8b9c551ca2535c2 (git) Affected: d734223b2f0dc4f5826204ee628ad6273148223d , < 1e43ebcd5152b3e681a334cc6542fb21770c3a2e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9e3dbc3bb2e2aa728b49422b2e5344488f93f690",
"status": "affected",
"version": "d734223b2f0dc4f5826204ee628ad6273148223d",
"versionType": "git"
},
{
"lessThan": "6d080f810ffd6b8e002ce5bee8b9c551ca2535c2",
"status": "affected",
"version": "d734223b2f0dc4f5826204ee628ad6273148223d",
"versionType": "git"
},
{
"lessThan": "1e43ebcd5152b3e681a334cc6542fb21770c3a2e",
"status": "affected",
"version": "d734223b2f0dc4f5826204ee628ad6273148223d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Implement settime64 with -EOPNOTSUPP\n\nptp_clock_settime() assumes every ptp_clock has implemented settime64().\nStub it with -EOPNOTSUPP to prevent a NULL dereference.\n\nThe fix is similar to commit 329d050bbe63 (\"gve: Implement settime64\nwith -EOPNOTSUPP\")."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:56.334Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9e3dbc3bb2e2aa728b49422b2e5344488f93f690"
},
{
"url": "https://git.kernel.org/stable/c/6d080f810ffd6b8e002ce5bee8b9c551ca2535c2"
},
{
"url": "https://git.kernel.org/stable/c/1e43ebcd5152b3e681a334cc6542fb21770c3a2e"
}
],
"title": "iavf: Implement settime64 with -EOPNOTSUPP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68752",
"datePublished": "2026-01-05T09:32:26.308Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-02-09T08:32:56.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68765 (GCVE-0-2025-68765)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:44 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()
In mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the
subsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function
returns an error without freeing sskb, leading to a memory leak.
Fix this by calling dev_kfree_skb() on sskb in the error handling path
to ensure it is properly released.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
99c457d902cf90bdc0df5d57e6156ec108711068 , < d6c91fc732698642f70c688324c98551b97b412c
(git)
Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 594ff8bb69e239678a8baa461827ce4bb90eff8f (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 1c3c234af9407256ed670c8752923a672eea4225 (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 278bfed4529a0c9c9119f5a52ddafe69db61a75c (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < fb905e69941b44e03fe1a24e95328d45442b6d6d (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49 (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 53d1548612670aa8b5d89745116cc33d9d172863 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7615/mcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6c91fc732698642f70c688324c98551b97b412c",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "594ff8bb69e239678a8baa461827ce4bb90eff8f",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "1c3c234af9407256ed670c8752923a672eea4225",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "278bfed4529a0c9c9119f5a52ddafe69db61a75c",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "fb905e69941b44e03fe1a24e95328d45442b6d6d",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "53d1548612670aa8b5d89745116cc33d9d172863",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7615/mcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()\n\nIn mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the\nsubsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function\nreturns an error without freeing sskb, leading to a memory leak.\n\nFix this by calling dev_kfree_skb() on sskb in the error handling path\nto ensure it is properly released."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:10.066Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6c91fc732698642f70c688324c98551b97b412c"
},
{
"url": "https://git.kernel.org/stable/c/594ff8bb69e239678a8baa461827ce4bb90eff8f"
},
{
"url": "https://git.kernel.org/stable/c/1c3c234af9407256ed670c8752923a672eea4225"
},
{
"url": "https://git.kernel.org/stable/c/278bfed4529a0c9c9119f5a52ddafe69db61a75c"
},
{
"url": "https://git.kernel.org/stable/c/fb905e69941b44e03fe1a24e95328d45442b6d6d"
},
{
"url": "https://git.kernel.org/stable/c/4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49"
},
{
"url": "https://git.kernel.org/stable/c/53d1548612670aa8b5d89745116cc33d9d172863"
}
],
"title": "mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68765",
"datePublished": "2026-01-05T09:44:13.242Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-02-09T08:33:10.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68818 (GCVE-0-2025-68818)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.
The commit being reverted added code to __qla2x00_abort_all_cmds() to
call sp->done() without holding a spinlock. But unlike the older code
below it, this new code failed to check sp->cmd_type and just assumed
TYPE_SRB, which results in a jump to an invalid pointer in target-mode
with TYPE_TGT_CMD:
qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success
0000000009f7a79b
qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h
mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.
qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer
qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event
0x8002 occurred
qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -
ha=0000000058183fda.
BUG: kernel NULL pointer dereference, address: 0000000000000000
PF: supervisor instruction fetch in kernel mode
PF: error_code(0x0010) - not-present page
PGD 0 P4D 0
Oops: 0010 [#1] SMP
CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1
Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206
RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000
RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0
RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045
R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40
R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400
FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __die+0x4d/0x8b
? page_fault_oops+0x91/0x180
? trace_buffer_unlock_commit_regs+0x38/0x1a0
? exc_page_fault+0x391/0x5e0
? asm_exc_page_fault+0x22/0x30
__qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]
qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]
qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]
qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]
qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]
kthread+0xa8/0xd0
</TASK>
Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within
lock") added the spinlock back, because not having the lock caused a
race and a crash. But qla2x00_abort_srb() in the switch below already
checks for qla2x00_chip_is_down() and handles it the same way, so the
code above the switch is now redundant and still buggy in target-mode.
Remove it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
231cfa78ec5badd84a1a2b09465bfad1a926aba1 , < b04b3733fff7e94566386b962e4795550fbdfd3d
(git)
Affected: d6f7377528d2abf338e504126e44439541be8f7d , < 50b097d92c99f718831b8b349722bc79f718ba1b (git) Affected: cd0a1804ac5bab2545ac700c8d0fe9ae9284c567 , < c5c37a821bd1708f26a9522b4a6f47b9f7a20003 (git) Affected: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 , < e9e601b7df58ba0c667baf30263331df2c02ffe1 (git) Affected: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 , < b10ebbfd59a535c8d22f4ede6e8389622ce98dc0 (git) Affected: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 , < 1c728951bc769b795d377852eae1abddad88635d (git) Affected: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 , < b57fbc88715b6d18f379463f48a15b560b087ffe (git) Affected: 9189f20b4c5307c0998682bb522e481b4567a8b8 (git) Affected: 415d614344a4f1bbddf55d724fc7eb9ef4b39aad (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b04b3733fff7e94566386b962e4795550fbdfd3d",
"status": "affected",
"version": "231cfa78ec5badd84a1a2b09465bfad1a926aba1",
"versionType": "git"
},
{
"lessThan": "50b097d92c99f718831b8b349722bc79f718ba1b",
"status": "affected",
"version": "d6f7377528d2abf338e504126e44439541be8f7d",
"versionType": "git"
},
{
"lessThan": "c5c37a821bd1708f26a9522b4a6f47b9f7a20003",
"status": "affected",
"version": "cd0a1804ac5bab2545ac700c8d0fe9ae9284c567",
"versionType": "git"
},
{
"lessThan": "e9e601b7df58ba0c667baf30263331df2c02ffe1",
"status": "affected",
"version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"versionType": "git"
},
{
"lessThan": "b10ebbfd59a535c8d22f4ede6e8389622ce98dc0",
"status": "affected",
"version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"versionType": "git"
},
{
"lessThan": "1c728951bc769b795d377852eae1abddad88635d",
"status": "affected",
"version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"versionType": "git"
},
{
"lessThan": "b57fbc88715b6d18f379463f48a15b560b087ffe",
"status": "affected",
"version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"versionType": "git"
},
{
"status": "affected",
"version": "9189f20b4c5307c0998682bb522e481b4567a8b8",
"versionType": "git"
},
{
"status": "affected",
"version": "415d614344a4f1bbddf55d724fc7eb9ef4b39aad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.177",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.240",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: qla2xxx: Perform lockless command completion in abort path\"\n\nThis reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.\n\nThe commit being reverted added code to __qla2x00_abort_all_cmds() to\ncall sp-\u003edone() without holding a spinlock. But unlike the older code\nbelow it, this new code failed to check sp-\u003ecmd_type and just assumed\nTYPE_SRB, which results in a jump to an invalid pointer in target-mode\nwith TYPE_TGT_CMD:\n\nqla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success\n 0000000009f7a79b\nqla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h\n mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.\nqla2xxx [0000:65:00.0]-d01e:8: -\u003e fwdump no buffer\nqla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event\n 0x8002 occurred\nqla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -\n ha=0000000058183fda.\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPF: supervisor instruction fetch in kernel mode\nPF: error_code(0x0010) - not-present page\nPGD 0 P4D 0\nOops: 0010 [#1] SMP\nCPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1\nHardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at 0xffffffffffffffd6.\nRSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206\nRAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000\nRDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0\nRBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045\nR10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40\nR13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400\nFS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x4d/0x8b\n ? page_fault_oops+0x91/0x180\n ? trace_buffer_unlock_commit_regs+0x38/0x1a0\n ? exc_page_fault+0x391/0x5e0\n ? asm_exc_page_fault+0x22/0x30\n __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]\n qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]\n qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]\n qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]\n qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]\n kthread+0xa8/0xd0\n \u003c/TASK\u003e\n\nThen commit 4475afa2646d (\"scsi: qla2xxx: Complete command early within\nlock\") added the spinlock back, because not having the lock caused a\nrace and a crash. But qla2x00_abort_srb() in the switch below already\nchecks for qla2x00_chip_is_down() and handles it the same way, so the\ncode above the switch is now redundant and still buggy in target-mode.\nRemove it."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:08.239Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b04b3733fff7e94566386b962e4795550fbdfd3d"
},
{
"url": "https://git.kernel.org/stable/c/50b097d92c99f718831b8b349722bc79f718ba1b"
},
{
"url": "https://git.kernel.org/stable/c/c5c37a821bd1708f26a9522b4a6f47b9f7a20003"
},
{
"url": "https://git.kernel.org/stable/c/e9e601b7df58ba0c667baf30263331df2c02ffe1"
},
{
"url": "https://git.kernel.org/stable/c/b10ebbfd59a535c8d22f4ede6e8389622ce98dc0"
},
{
"url": "https://git.kernel.org/stable/c/1c728951bc769b795d377852eae1abddad88635d"
},
{
"url": "https://git.kernel.org/stable/c/b57fbc88715b6d18f379463f48a15b560b087ffe"
}
],
"title": "scsi: Revert \"scsi: qla2xxx: Perform lockless command completion in abort path\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68818",
"datePublished": "2026-01-13T15:29:22.018Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-02-09T08:34:08.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71096 (GCVE-0-2025-71096)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a
LS_NLA_TYPE_DGID attribute, it is invalid if it does not.
Use the nl parsing logic properly and call nla_parse_deprecated() to fill
the nlattrs array and then directly index that array to get the data for
the DGID. Just fail if it is NULL.
Remove the for loop searching for the nla, and squash the validation and
parsing into one function.
Fixes an uninitialized read from the stack triggered by userspace if it
does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE
query.
BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]
BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
hex_byte_pack include/linux/hex.h:13 [inline]
ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509
ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633
pointer+0xc09/0x1bd0 lib/vsprintf.c:2542
vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930
vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279
vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426
vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465
vprintk+0x36/0x50 kernel/printk/printk_safe.c:82
_printk+0x17e/0x1b0 kernel/printk/printk.c:2475
ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]
ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141
rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]
rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x333/0x3d0 net/socket.c:729
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617
___sys_sendmsg+0x271/0x3b0 net/socket.c:2671
__sys_sendmsg+0x1aa/0x300 net/socket.c:2703
__compat_sys_sendmsg net/compat.c:346 [inline]
__do_compat_sys_sendmsg net/compat.c:353 [inline]
__se_compat_sys_sendmsg net/compat.c:350 [inline]
__ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350
ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306
do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ae43f8286730d1f2d241c34601df59f6d2286ac4 , < 376f46c8983458ead26cac83aa897a0b78491831
(git)
Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < bfe10318fc23e0b3f1d0a18dad387d29473a624d (git) Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < 45532638de5da24c201aa2a9b3dd4b054064de7b (git) Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < 9d85524789c2f17c0e87de8d596bcccc3683a1fc (git) Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec (git) Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < 0b948afc1ded88b3562c893114387f34389eeb94 (git) Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < a7b8e876e0ef0232b8076972c57ce9a7286b47ca (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/addr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "376f46c8983458ead26cac83aa897a0b78491831",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "bfe10318fc23e0b3f1d0a18dad387d29473a624d",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "45532638de5da24c201aa2a9b3dd4b054064de7b",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "9d85524789c2f17c0e87de8d596bcccc3683a1fc",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "0b948afc1ded88b3562c893114387f34389eeb94",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "a7b8e876e0ef0232b8076972c57ce9a7286b47ca",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/addr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly\n\nThe netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a\nLS_NLA_TYPE_DGID attribute, it is invalid if it does not.\n\nUse the nl parsing logic properly and call nla_parse_deprecated() to fill\nthe nlattrs array and then directly index that array to get the data for\nthe DGID. Just fail if it is NULL.\n\nRemove the for loop searching for the nla, and squash the validation and\nparsing into one function.\n\nFixes an uninitialized read from the stack triggered by userspace if it\ndoes not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE\nquery.\n\n BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]\n BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490\n hex_byte_pack include/linux/hex.h:13 [inline]\n ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490\n ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509\n ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633\n pointer+0xc09/0x1bd0 lib/vsprintf.c:2542\n vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930\n vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279\n vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426\n vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465\n vprintk+0x36/0x50 kernel/printk/printk_safe.c:82\n _printk+0x17e/0x1b0 kernel/printk/printk.c:2475\n ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]\n ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141\n rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]\n rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x333/0x3d0 net/socket.c:729\n ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671\n __sys_sendmsg+0x1aa/0x300 net/socket.c:2703\n __compat_sys_sendmsg net/compat.c:346 [inline]\n __do_compat_sys_sendmsg net/compat.c:353 [inline]\n __se_compat_sys_sendmsg net/compat.c:350 [inline]\n __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350\n ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306\n do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:48.888Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/376f46c8983458ead26cac83aa897a0b78491831"
},
{
"url": "https://git.kernel.org/stable/c/bfe10318fc23e0b3f1d0a18dad387d29473a624d"
},
{
"url": "https://git.kernel.org/stable/c/45532638de5da24c201aa2a9b3dd4b054064de7b"
},
{
"url": "https://git.kernel.org/stable/c/9d85524789c2f17c0e87de8d596bcccc3683a1fc"
},
{
"url": "https://git.kernel.org/stable/c/acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec"
},
{
"url": "https://git.kernel.org/stable/c/0b948afc1ded88b3562c893114387f34389eeb94"
},
{
"url": "https://git.kernel.org/stable/c/a7b8e876e0ef0232b8076972c57ce9a7286b47ca"
}
],
"title": "RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71096",
"datePublished": "2026-01-13T15:34:56.118Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-02-09T08:34:48.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39970 (GCVE-0-2025-39970)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:55 – Updated: 2025-10-15 07:55
VLAI?
EPSS
Title
i40e: fix input validation logic for action_meta
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix input validation logic for action_meta
Fix condition to check 'greater or equal' to prevent OOB dereference.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e284fc280473bed23f2e1ed324e102a48f7d17e1 , < a88c1b2746eccf00e2094b187945f0f1e990b400
(git)
Affected: e284fc280473bed23f2e1ed324e102a48f7d17e1 , < 28465770ca3b694286ff9ed6dfd558413f57d98f (git) Affected: e284fc280473bed23f2e1ed324e102a48f7d17e1 , < f8c8e11825b24661596fa8db2f0981ba17ed0817 (git) Affected: e284fc280473bed23f2e1ed324e102a48f7d17e1 , < 461e0917eedcd159d87f3ea846754a1e07d7e78a (git) Affected: e284fc280473bed23f2e1ed324e102a48f7d17e1 , < 3883e9702b6a4945e93b16c070f338a9f5b496f9 (git) Affected: e284fc280473bed23f2e1ed324e102a48f7d17e1 , < 3118f41d8fa57b005f53ec3db2ba5eab1d7ba12b (git) Affected: e284fc280473bed23f2e1ed324e102a48f7d17e1 , < 560e1683410585fbd5df847f43433c4296f0d222 (git) Affected: e284fc280473bed23f2e1ed324e102a48f7d17e1 , < 9739d5830497812b0bdeaee356ddefbe60830b88 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a88c1b2746eccf00e2094b187945f0f1e990b400",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "28465770ca3b694286ff9ed6dfd558413f57d98f",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "f8c8e11825b24661596fa8db2f0981ba17ed0817",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "461e0917eedcd159d87f3ea846754a1e07d7e78a",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "3883e9702b6a4945e93b16c070f338a9f5b496f9",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "3118f41d8fa57b005f53ec3db2ba5eab1d7ba12b",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "560e1683410585fbd5df847f43433c4296f0d222",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "9739d5830497812b0bdeaee356ddefbe60830b88",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix input validation logic for action_meta\n\nFix condition to check \u0027greater or equal\u0027 to prevent OOB dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:53.610Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a88c1b2746eccf00e2094b187945f0f1e990b400"
},
{
"url": "https://git.kernel.org/stable/c/28465770ca3b694286ff9ed6dfd558413f57d98f"
},
{
"url": "https://git.kernel.org/stable/c/f8c8e11825b24661596fa8db2f0981ba17ed0817"
},
{
"url": "https://git.kernel.org/stable/c/461e0917eedcd159d87f3ea846754a1e07d7e78a"
},
{
"url": "https://git.kernel.org/stable/c/3883e9702b6a4945e93b16c070f338a9f5b496f9"
},
{
"url": "https://git.kernel.org/stable/c/3118f41d8fa57b005f53ec3db2ba5eab1d7ba12b"
},
{
"url": "https://git.kernel.org/stable/c/560e1683410585fbd5df847f43433c4296f0d222"
},
{
"url": "https://git.kernel.org/stable/c/9739d5830497812b0bdeaee356ddefbe60830b88"
}
],
"title": "i40e: fix input validation logic for action_meta",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39970",
"datePublished": "2025-10-15T07:55:53.610Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:53.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68354 (GCVE-0-2025-68354)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
regulator_supply_alias_list was accessed without any locking in
regulator_supply_alias(), regulator_register_supply_alias(), and
regulator_unregister_supply_alias(). Concurrent registration,
unregistration and lookups can race, leading to:
1 use-after-free if an alias entry is removed while being read,
2 duplicate entries when two threads register the same alias,
3 inconsistent alias mappings observed by consumers.
Protect all traversals, insertions and deletions on
regulator_supply_alias_list with the existing regulator_list_mutex.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a06ccd9c3785fa5550917ae036944f4e080b5749 , < e1587064137028e7edcca14fb766b68d27bec94b
(git)
Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 9d041a7ba13f21adfac052eb3fda1df62f2166c1 (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61 (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 09811a83b214cc15521e0d818e43ae9043e9a28d (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < a9864d42ebcdd394ebb864643b961b36e7b515be (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 431a1d44ad4866362cc28fc1cc4ca93d84989239 (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1587064137028e7edcca14fb766b68d27bec94b",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "9d041a7ba13f21adfac052eb3fda1df62f2166c1",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "09811a83b214cc15521e0d818e43ae9043e9a28d",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "a9864d42ebcdd394ebb864643b961b36e7b515be",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "431a1d44ad4866362cc28fc1cc4ca93d84989239",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: Protect regulator_supply_alias_list with regulator_list_mutex\n\nregulator_supply_alias_list was accessed without any locking in\nregulator_supply_alias(), regulator_register_supply_alias(), and\nregulator_unregister_supply_alias(). Concurrent registration,\nunregistration and lookups can race, leading to:\n\n1 use-after-free if an alias entry is removed while being read,\n2 duplicate entries when two threads register the same alias,\n3 inconsistent alias mappings observed by consumers.\n\nProtect all traversals, insertions and deletions on\nregulator_supply_alias_list with the existing regulator_list_mutex."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:49.898Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1587064137028e7edcca14fb766b68d27bec94b"
},
{
"url": "https://git.kernel.org/stable/c/9d041a7ba13f21adfac052eb3fda1df62f2166c1"
},
{
"url": "https://git.kernel.org/stable/c/a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61"
},
{
"url": "https://git.kernel.org/stable/c/09811a83b214cc15521e0d818e43ae9043e9a28d"
},
{
"url": "https://git.kernel.org/stable/c/a9864d42ebcdd394ebb864643b961b36e7b515be"
},
{
"url": "https://git.kernel.org/stable/c/431a1d44ad4866362cc28fc1cc4ca93d84989239"
},
{
"url": "https://git.kernel.org/stable/c/64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf"
},
{
"url": "https://git.kernel.org/stable/c/0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d"
}
],
"title": "regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68354",
"datePublished": "2025-12-24T10:32:44.840Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2026-02-09T08:31:49.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22124 (GCVE-0-2025-22124)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2025-09-09 17:05
VLAI?
EPSS
Title
md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb
In clustermd, separate write-intent-bitmaps are used for each cluster
node:
0 4k 8k 12k
-------------------------------------------------------------------
| idle | md super | bm super [0] + bits |
| bm bits[0, contd] | bm super[1] + bits | bm bits[1, contd] |
| bm super[2] + bits | bm bits [2, contd] | bm super[3] + bits |
| bm bits [3, contd] | | |
So in node 1, pg_index in __write_sb_page() could equal to
bitmap->storage.file_pages. Then bitmap_limit will be calculated to
0. md_super_write() will be called with 0 size.
That means the first 4k sb area of node 1 will never be updated
through filemap_write_page().
This bug causes hang of mdadm/clustermd_tests/01r1_Grow_resize.
Here use (pg_index % bitmap->storage.file_pages) to make calculation
of bitmap_limit correct.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ab99a87542f194f28e2364a42afbf9fb48b1c724 , < 60196f92bbc7901eb5cfa5d456651b87ea50a4a3
(git)
Affected: ab99a87542f194f28e2364a42afbf9fb48b1c724 , < bc3a9788961631359527763d7e1fcf26554c7cb1 (git) Affected: ab99a87542f194f28e2364a42afbf9fb48b1c724 , < 6130825f34d41718c98a9b1504a79a23e379701e (git) Affected: 655cc01889fa9b65441922565cddee64af49e6d6 (git) Affected: 5600d6013c634c2b6b6c6c55c8ecb50c3a6211f2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md-bitmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60196f92bbc7901eb5cfa5d456651b87ea50a4a3",
"status": "affected",
"version": "ab99a87542f194f28e2364a42afbf9fb48b1c724",
"versionType": "git"
},
{
"lessThan": "bc3a9788961631359527763d7e1fcf26554c7cb1",
"status": "affected",
"version": "ab99a87542f194f28e2364a42afbf9fb48b1c724",
"versionType": "git"
},
{
"lessThan": "6130825f34d41718c98a9b1504a79a23e379701e",
"status": "affected",
"version": "ab99a87542f194f28e2364a42afbf9fb48b1c724",
"versionType": "git"
},
{
"status": "affected",
"version": "655cc01889fa9b65441922565cddee64af49e6d6",
"versionType": "git"
},
{
"status": "affected",
"version": "5600d6013c634c2b6b6c6c55c8ecb50c3a6211f2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md-bitmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/md-bitmap: fix wrong bitmap_limit for clustermd when write sb\n\nIn clustermd, separate write-intent-bitmaps are used for each cluster\nnode:\n\n0 4k 8k 12k\n-------------------------------------------------------------------\n| idle | md super | bm super [0] + bits |\n| bm bits[0, contd] | bm super[1] + bits | bm bits[1, contd] |\n| bm super[2] + bits | bm bits [2, contd] | bm super[3] + bits |\n| bm bits [3, contd] | | |\n\nSo in node 1, pg_index in __write_sb_page() could equal to\nbitmap-\u003estorage.file_pages. Then bitmap_limit will be calculated to\n0. md_super_write() will be called with 0 size.\nThat means the first 4k sb area of node 1 will never be updated\nthrough filemap_write_page().\nThis bug causes hang of mdadm/clustermd_tests/01r1_Grow_resize.\n\nHere use (pg_index % bitmap-\u003estorage.file_pages) to make calculation\nof bitmap_limit correct."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T17:05:52.349Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60196f92bbc7901eb5cfa5d456651b87ea50a4a3"
},
{
"url": "https://git.kernel.org/stable/c/bc3a9788961631359527763d7e1fcf26554c7cb1"
},
{
"url": "https://git.kernel.org/stable/c/6130825f34d41718c98a9b1504a79a23e379701e"
}
],
"title": "md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22124",
"datePublished": "2025-04-16T14:13:08.134Z",
"dateReserved": "2024-12-29T08:45:45.823Z",
"dateUpdated": "2025-09-09T17:05:52.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40093 (GCVE-0-2025-40093)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
usb: gadget: f_ecm: Refactor bind path to use __free()
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_ecm: Refactor bind path to use __free()
After an bind/unbind cycle, the ecm->notify_req is left stale. If a
subsequent bind fails, the unified error label attempts to free this
stale request, leading to a NULL pointer dereference when accessing
ep->ops->free_request.
Refactor the error handling in the bind path to use the __free()
automatic cleanup mechanism.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
da741b8c56d612b5dd26ffa31341911a5fea23ee , < d3745aaef19198d0c81637a7dd50ef53c4f879b7
(git)
Affected: da741b8c56d612b5dd26ffa31341911a5fea23ee , < 070f341d86cf2c098d63e484a86c7c1d2696a868 (git) Affected: da741b8c56d612b5dd26ffa31341911a5fea23ee , < 15b9faf53ba8719700596e7ef78879ce200e8c2e (git) Affected: da741b8c56d612b5dd26ffa31341911a5fea23ee , < 4630c68bade82f087eaaab22e9a361da2f18d139 (git) Affected: da741b8c56d612b5dd26ffa31341911a5fea23ee , < 42988380ac67c76bb9dff8f77d7ef3eefd50b7b5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_ecm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d3745aaef19198d0c81637a7dd50ef53c4f879b7",
"status": "affected",
"version": "da741b8c56d612b5dd26ffa31341911a5fea23ee",
"versionType": "git"
},
{
"lessThan": "070f341d86cf2c098d63e484a86c7c1d2696a868",
"status": "affected",
"version": "da741b8c56d612b5dd26ffa31341911a5fea23ee",
"versionType": "git"
},
{
"lessThan": "15b9faf53ba8719700596e7ef78879ce200e8c2e",
"status": "affected",
"version": "da741b8c56d612b5dd26ffa31341911a5fea23ee",
"versionType": "git"
},
{
"lessThan": "4630c68bade82f087eaaab22e9a361da2f18d139",
"status": "affected",
"version": "da741b8c56d612b5dd26ffa31341911a5fea23ee",
"versionType": "git"
},
{
"lessThan": "42988380ac67c76bb9dff8f77d7ef3eefd50b7b5",
"status": "affected",
"version": "da741b8c56d612b5dd26ffa31341911a5fea23ee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_ecm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ecm: Refactor bind path to use __free()\n\nAfter an bind/unbind cycle, the ecm-\u003enotify_req is left stale. If a\nsubsequent bind fails, the unified error label attempts to free this\nstale request, leading to a NULL pointer dereference when accessing\nep-\u003eops-\u003efree_request.\n\nRefactor the error handling in the bind path to use the __free()\nautomatic cleanup mechanism."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:52.614Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d3745aaef19198d0c81637a7dd50ef53c4f879b7"
},
{
"url": "https://git.kernel.org/stable/c/070f341d86cf2c098d63e484a86c7c1d2696a868"
},
{
"url": "https://git.kernel.org/stable/c/15b9faf53ba8719700596e7ef78879ce200e8c2e"
},
{
"url": "https://git.kernel.org/stable/c/4630c68bade82f087eaaab22e9a361da2f18d139"
},
{
"url": "https://git.kernel.org/stable/c/42988380ac67c76bb9dff8f77d7ef3eefd50b7b5"
}
],
"title": "usb: gadget: f_ecm: Refactor bind path to use __free()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40093",
"datePublished": "2025-10-30T09:48:00.807Z",
"dateReserved": "2025-04-16T07:20:57.163Z",
"dateUpdated": "2025-12-01T06:17:52.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21780 (GCVE-0-2025-21780)
Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2025-11-03 20:59
VLAI?
EPSS
Title
drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()
It malicious user provides a small pptable through sysfs and then
a bigger pptable, it may cause buffer overflow attack in function
smu_sys_set_pp_table().
Severity ?
7.8 (High)
CWE
- CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
137d63abbf6a0859e79b662e81d21170ecb75e59 , < 3484ea33157bc7334f57e64826ec5a4bf992151a
(git)
Affected: 137d63abbf6a0859e79b662e81d21170ecb75e59 , < e43a8b9c4d700ffec819c5043a48769b3e7d9cab (git) Affected: 137d63abbf6a0859e79b662e81d21170ecb75e59 , < 2498d2db1d35e88a2060ea191ae75dce853dd084 (git) Affected: 137d63abbf6a0859e79b662e81d21170ecb75e59 , < 231075c5a8ea54f34b7c4794687baa980814e6de (git) Affected: 137d63abbf6a0859e79b662e81d21170ecb75e59 , < 1abb2648698bf10783d2236a6b4a7ca5e8021699 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21780",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:30:25.628048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:40.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:26.137Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3484ea33157bc7334f57e64826ec5a4bf992151a",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
},
{
"lessThan": "e43a8b9c4d700ffec819c5043a48769b3e7d9cab",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
},
{
"lessThan": "2498d2db1d35e88a2060ea191ae75dce853dd084",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
},
{
"lessThan": "231075c5a8ea54f34b7c4794687baa980814e6de",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
},
{
"lessThan": "1abb2648698bf10783d2236a6b4a7ca5e8021699",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()\n\nIt malicious user provides a small pptable through sysfs and then\na bigger pptable, it may cause buffer overflow attack in function\nsmu_sys_set_pp_table()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:06.464Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3484ea33157bc7334f57e64826ec5a4bf992151a"
},
{
"url": "https://git.kernel.org/stable/c/e43a8b9c4d700ffec819c5043a48769b3e7d9cab"
},
{
"url": "https://git.kernel.org/stable/c/2498d2db1d35e88a2060ea191ae75dce853dd084"
},
{
"url": "https://git.kernel.org/stable/c/231075c5a8ea54f34b7c4794687baa980814e6de"
},
{
"url": "https://git.kernel.org/stable/c/1abb2648698bf10783d2236a6b4a7ca5e8021699"
}
],
"title": "drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21780",
"datePublished": "2025-02-27T02:18:23.543Z",
"dateReserved": "2024-12-29T08:45:45.764Z",
"dateUpdated": "2025-11-03T20:59:26.137Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40101 (GCVE-0-2025-40101)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:48 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST
At the end of btrfs_load_block_group_zone_info() the first thing we do
is to ensure that if the mapping type is not a SINGLE one and there is
no RAID stripe tree, then we return early with an error.
Doing that, though, prevents the code from running the last calls from
this function which are about freeing memory allocated during its
run. Hence, in this case, instead of returning early, we set the ret
value and fall through the rest of the cleanup code.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5906333cc4af7b3fdb8cfff1cb3e8e579bd13174 , < 187333e6d484c6630286bfdd07c79d6815a63887
(git)
Affected: 5906333cc4af7b3fdb8cfff1cb3e8e579bd13174 , < 602701d00439e113331ee9c1283e95afdcb8849d (git) Affected: 5906333cc4af7b3fdb8cfff1cb3e8e579bd13174 , < fec9b9d3ced39f16be8d7afdf81f4dd2653da319 (git) Affected: 6ffeca99bf6e84800133d21afd41c79d2f002db7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/zoned.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "187333e6d484c6630286bfdd07c79d6815a63887",
"status": "affected",
"version": "5906333cc4af7b3fdb8cfff1cb3e8e579bd13174",
"versionType": "git"
},
{
"lessThan": "602701d00439e113331ee9c1283e95afdcb8849d",
"status": "affected",
"version": "5906333cc4af7b3fdb8cfff1cb3e8e579bd13174",
"versionType": "git"
},
{
"lessThan": "fec9b9d3ced39f16be8d7afdf81f4dd2653da319",
"status": "affected",
"version": "5906333cc4af7b3fdb8cfff1cb3e8e579bd13174",
"versionType": "git"
},
{
"status": "affected",
"version": "6ffeca99bf6e84800133d21afd41c79d2f002db7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/zoned.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST\n\nAt the end of btrfs_load_block_group_zone_info() the first thing we do\nis to ensure that if the mapping type is not a SINGLE one and there is\nno RAID stripe tree, then we return early with an error.\n\nDoing that, though, prevents the code from running the last calls from\nthis function which are about freeing memory allocated during its\nrun. Hence, in this case, instead of returning early, we set the ret\nvalue and fall through the rest of the cleanup code."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:03.420Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/187333e6d484c6630286bfdd07c79d6815a63887"
},
{
"url": "https://git.kernel.org/stable/c/602701d00439e113331ee9c1283e95afdcb8849d"
},
{
"url": "https://git.kernel.org/stable/c/fec9b9d3ced39f16be8d7afdf81f4dd2653da319"
}
],
"title": "btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40101",
"datePublished": "2025-10-30T09:48:07.155Z",
"dateReserved": "2025-04-16T07:20:57.164Z",
"dateUpdated": "2025-12-01T06:18:03.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39805 (GCVE-0-2025-39805)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
net: macb: fix unregister_netdev call order in macb_remove()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: macb: fix unregister_netdev call order in macb_remove()
When removing a macb device, the driver calls phy_exit() before
unregister_netdev(). This leads to a WARN from kernfs:
------------[ cut here ]------------
kernfs: can not remove 'attached_dev', no directory
WARNING: CPU: 1 PID: 27146 at fs/kernfs/dir.c:1683
Call trace:
kernfs_remove_by_name_ns+0xd8/0xf0
sysfs_remove_link+0x24/0x58
phy_detach+0x5c/0x168
phy_disconnect+0x4c/0x70
phylink_disconnect_phy+0x6c/0xc0 [phylink]
macb_close+0x6c/0x170 [macb]
...
macb_remove+0x60/0x168 [macb]
platform_remove+0x5c/0x80
...
The warning happens because the PHY is being exited while the netdev
is still registered. The correct order is to unregister the netdev
before shutting down the PHY and cleaning up the MDIO bus.
Fix this by moving unregister_netdev() ahead of phy_exit() in
macb_remove().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8b73fa3ae02b2401960de41b0454c0321377b203 , < 7351782f2fc8ac31ced52e3d4e6fa120f819a7ab
(git)
Affected: 8b73fa3ae02b2401960de41b0454c0321377b203 , < 2b9719ccad38dffad7dbdd2f39896f723f9b9011 (git) Affected: 8b73fa3ae02b2401960de41b0454c0321377b203 , < ff0d3bad32108b57265e5b48f15327549af771d3 (git) Affected: 8b73fa3ae02b2401960de41b0454c0321377b203 , < 775fe690fd4a3337ad2115de2adb41b227d4dae7 (git) Affected: 8b73fa3ae02b2401960de41b0454c0321377b203 , < 01b9128c5db1b470575d07b05b67ffa3cb02ebf1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7351782f2fc8ac31ced52e3d4e6fa120f819a7ab",
"status": "affected",
"version": "8b73fa3ae02b2401960de41b0454c0321377b203",
"versionType": "git"
},
{
"lessThan": "2b9719ccad38dffad7dbdd2f39896f723f9b9011",
"status": "affected",
"version": "8b73fa3ae02b2401960de41b0454c0321377b203",
"versionType": "git"
},
{
"lessThan": "ff0d3bad32108b57265e5b48f15327549af771d3",
"status": "affected",
"version": "8b73fa3ae02b2401960de41b0454c0321377b203",
"versionType": "git"
},
{
"lessThan": "775fe690fd4a3337ad2115de2adb41b227d4dae7",
"status": "affected",
"version": "8b73fa3ae02b2401960de41b0454c0321377b203",
"versionType": "git"
},
{
"lessThan": "01b9128c5db1b470575d07b05b67ffa3cb02ebf1",
"status": "affected",
"version": "8b73fa3ae02b2401960de41b0454c0321377b203",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: fix unregister_netdev call order in macb_remove()\n\nWhen removing a macb device, the driver calls phy_exit() before\nunregister_netdev(). This leads to a WARN from kernfs:\n\n ------------[ cut here ]------------\n kernfs: can not remove \u0027attached_dev\u0027, no directory\n WARNING: CPU: 1 PID: 27146 at fs/kernfs/dir.c:1683\n Call trace:\n kernfs_remove_by_name_ns+0xd8/0xf0\n sysfs_remove_link+0x24/0x58\n phy_detach+0x5c/0x168\n phy_disconnect+0x4c/0x70\n phylink_disconnect_phy+0x6c/0xc0 [phylink]\n macb_close+0x6c/0x170 [macb]\n ...\n macb_remove+0x60/0x168 [macb]\n platform_remove+0x5c/0x80\n ...\n\nThe warning happens because the PHY is being exited while the netdev\nis still registered. The correct order is to unregister the netdev\nbefore shutting down the PHY and cleaning up the MDIO bus.\n\nFix this by moving unregister_netdev() ahead of phy_exit() in\nmacb_remove()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:34.541Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7351782f2fc8ac31ced52e3d4e6fa120f819a7ab"
},
{
"url": "https://git.kernel.org/stable/c/2b9719ccad38dffad7dbdd2f39896f723f9b9011"
},
{
"url": "https://git.kernel.org/stable/c/ff0d3bad32108b57265e5b48f15327549af771d3"
},
{
"url": "https://git.kernel.org/stable/c/775fe690fd4a3337ad2115de2adb41b227d4dae7"
},
{
"url": "https://git.kernel.org/stable/c/01b9128c5db1b470575d07b05b67ffa3cb02ebf1"
}
],
"title": "net: macb: fix unregister_netdev call order in macb_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39805",
"datePublished": "2025-09-16T13:00:06.731Z",
"dateReserved": "2025-04-16T07:20:57.136Z",
"dateUpdated": "2025-12-06T21:38:34.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40204 (GCVE-0-2025-40204)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:20
VLAI?
EPSS
Title
sctp: Fix MAC comparison to be constant-time
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: Fix MAC comparison to be constant-time
To prevent timing attacks, MACs need to be compared in constant time.
Use the appropriate helper function for this.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b93fa8dc521d00d2d44bf034fb90e0d79b036617
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0e8b8c326c2a6de4d837b1bb034ea704f4690d77 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9c05d44ec24126fc283835b68f82dba3ae985209 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ed3044b9c810c5c24eb2830053fbfe5fd134c5d4 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8019b3699289fce3f10b63f98601db97b8d105b0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0b32ff285ff6f6f1ac1d9495787ccce8837d6405 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dd91c79e4f58fbe2898dac84858033700e0e99fb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_make_chunk.c",
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b93fa8dc521d00d2d44bf034fb90e0d79b036617",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0e8b8c326c2a6de4d837b1bb034ea704f4690d77",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9c05d44ec24126fc283835b68f82dba3ae985209",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ed3044b9c810c5c24eb2830053fbfe5fd134c5d4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8019b3699289fce3f10b63f98601db97b8d105b0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0b32ff285ff6f6f1ac1d9495787ccce8837d6405",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dd91c79e4f58fbe2898dac84858033700e0e99fb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_make_chunk.c",
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant time.\nUse the appropriate helper function for this."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:07.600Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b93fa8dc521d00d2d44bf034fb90e0d79b036617"
},
{
"url": "https://git.kernel.org/stable/c/0e8b8c326c2a6de4d837b1bb034ea704f4690d77"
},
{
"url": "https://git.kernel.org/stable/c/1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c"
},
{
"url": "https://git.kernel.org/stable/c/9c05d44ec24126fc283835b68f82dba3ae985209"
},
{
"url": "https://git.kernel.org/stable/c/ed3044b9c810c5c24eb2830053fbfe5fd134c5d4"
},
{
"url": "https://git.kernel.org/stable/c/8019b3699289fce3f10b63f98601db97b8d105b0"
},
{
"url": "https://git.kernel.org/stable/c/0b32ff285ff6f6f1ac1d9495787ccce8837d6405"
},
{
"url": "https://git.kernel.org/stable/c/dd91c79e4f58fbe2898dac84858033700e0e99fb"
}
],
"title": "sctp: Fix MAC comparison to be constant-time",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40204",
"datePublished": "2025-11-12T21:56:35.110Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-01T06:20:07.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40001 (GCVE-0-2025-40001)
Vulnerability from cvelistv5 – Published: 2025-10-18 08:03 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
scsi: mvsas: Fix use-after-free bugs in mvs_work_queue
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mvsas: Fix use-after-free bugs in mvs_work_queue
During the detaching of Marvell's SAS/SATA controller, the original code
calls cancel_delayed_work() in mvs_free() to cancel the delayed work
item mwq->work_q. However, if mwq->work_q is already running, the
cancel_delayed_work() may fail to cancel it. This can lead to
use-after-free scenarios where mvs_free() frees the mvs_info while
mvs_work_queue() is still executing and attempts to access the
already-freed mvs_info.
A typical race condition is illustrated below:
CPU 0 (remove) | CPU 1 (delayed work callback)
mvs_pci_remove() |
mvs_free() | mvs_work_queue()
cancel_delayed_work() |
kfree(mvi) |
| mvi-> // UAF
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the delayed work item is properly canceled and any executing
delayed work item completes before the mvs_info is deallocated.
This bug was found by static analysis.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
20b09c2992fefbe78f8cede7b404fb143a413c52 , < a6f68f219d4d4b92d7c781708d4afc4cc42961ec
(git)
Affected: 20b09c2992fefbe78f8cede7b404fb143a413c52 , < aacd1777d4a795c387a20b9ca776e2c1225d05d7 (git) Affected: 20b09c2992fefbe78f8cede7b404fb143a413c52 , < 6ba7e73cafd155a5d3abf560d315f0bab2b9d89f (git) Affected: 20b09c2992fefbe78f8cede7b404fb143a413c52 , < c2c35cb2a31844f84f21ab364b38b4309d756d42 (git) Affected: 20b09c2992fefbe78f8cede7b404fb143a413c52 , < 3c90f583d679c81a5a607a6ae0051251b6dee35b (git) Affected: 20b09c2992fefbe78f8cede7b404fb143a413c52 , < 00d3af40b158ebf7c7db2b3bbb1598a54bf28127 (git) Affected: 20b09c2992fefbe78f8cede7b404fb143a413c52 , < feb946d2fc9dc754bf3d594d42cd228860ff8647 (git) Affected: 20b09c2992fefbe78f8cede7b404fb143a413c52 , < 60cd16a3b7439ccb699d0bf533799eeb894fd217 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mvsas/mv_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6f68f219d4d4b92d7c781708d4afc4cc42961ec",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "aacd1777d4a795c387a20b9ca776e2c1225d05d7",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "6ba7e73cafd155a5d3abf560d315f0bab2b9d89f",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "c2c35cb2a31844f84f21ab364b38b4309d756d42",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "3c90f583d679c81a5a607a6ae0051251b6dee35b",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "00d3af40b158ebf7c7db2b3bbb1598a54bf28127",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "feb946d2fc9dc754bf3d594d42cd228860ff8647",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "60cd16a3b7439ccb699d0bf533799eeb894fd217",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mvsas/mv_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mvsas: Fix use-after-free bugs in mvs_work_queue\n\nDuring the detaching of Marvell\u0027s SAS/SATA controller, the original code\ncalls cancel_delayed_work() in mvs_free() to cancel the delayed work\nitem mwq-\u003ework_q. However, if mwq-\u003ework_q is already running, the\ncancel_delayed_work() may fail to cancel it. This can lead to\nuse-after-free scenarios where mvs_free() frees the mvs_info while\nmvs_work_queue() is still executing and attempts to access the\nalready-freed mvs_info.\n\nA typical race condition is illustrated below:\n\nCPU 0 (remove) | CPU 1 (delayed work callback)\nmvs_pci_remove() |\n mvs_free() | mvs_work_queue()\n cancel_delayed_work() |\n kfree(mvi) |\n | mvi-\u003e // UAF\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the delayed work item is properly canceled and any executing\ndelayed work item completes before the mvs_info is deallocated.\n\nThis bug was found by static analysis."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:13.749Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6f68f219d4d4b92d7c781708d4afc4cc42961ec"
},
{
"url": "https://git.kernel.org/stable/c/aacd1777d4a795c387a20b9ca776e2c1225d05d7"
},
{
"url": "https://git.kernel.org/stable/c/6ba7e73cafd155a5d3abf560d315f0bab2b9d89f"
},
{
"url": "https://git.kernel.org/stable/c/c2c35cb2a31844f84f21ab364b38b4309d756d42"
},
{
"url": "https://git.kernel.org/stable/c/3c90f583d679c81a5a607a6ae0051251b6dee35b"
},
{
"url": "https://git.kernel.org/stable/c/00d3af40b158ebf7c7db2b3bbb1598a54bf28127"
},
{
"url": "https://git.kernel.org/stable/c/feb946d2fc9dc754bf3d594d42cd228860ff8647"
},
{
"url": "https://git.kernel.org/stable/c/60cd16a3b7439ccb699d0bf533799eeb894fd217"
}
],
"title": "scsi: mvsas: Fix use-after-free bugs in mvs_work_queue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40001",
"datePublished": "2025-10-18T08:03:21.935Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-12-01T06:16:13.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40290 (GCVE-0-2025-40290)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:09 – Updated: 2025-12-08 00:09
VLAI?
EPSS
Title
xsk: avoid data corruption on cq descriptor number
Summary
In the Linux kernel, the following vulnerability has been resolved:
xsk: avoid data corruption on cq descriptor number
Since commit 30f241fcf52a ("xsk: Fix immature cq descriptor
production"), the descriptor number is stored in skb control block and
xsk_cq_submit_addr_locked() relies on it to put the umem addrs onto
pool's completion queue.
skb control block shouldn't be used for this purpose as after transmit
xsk doesn't have control over it and other subsystems could use it. This
leads to the following kernel panic due to a NULL pointer dereference.
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 2 UID: 1 PID: 927 Comm: p4xsk.bin Not tainted 6.16.12+deb14-cloud-amd64 #1 PREEMPT(lazy) Debian 6.16.12-1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:xsk_destruct_skb+0xd0/0x180
[...]
Call Trace:
<IRQ>
? napi_complete_done+0x7a/0x1a0
ip_rcv_core+0x1bb/0x340
ip_rcv+0x30/0x1f0
__netif_receive_skb_one_core+0x85/0xa0
process_backlog+0x87/0x130
__napi_poll+0x28/0x180
net_rx_action+0x339/0x420
handle_softirqs+0xdc/0x320
? handle_edge_irq+0x90/0x1e0
do_softirq.part.0+0x3b/0x60
</IRQ>
<TASK>
__local_bh_enable_ip+0x60/0x70
__dev_direct_xmit+0x14e/0x1f0
__xsk_generic_xmit+0x482/0xb70
? __remove_hrtimer+0x41/0xa0
? __xsk_generic_xmit+0x51/0xb70
? _raw_spin_unlock_irqrestore+0xe/0x40
xsk_sendmsg+0xda/0x1c0
__sys_sendto+0x1ee/0x200
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x84/0x2f0
? __pfx_pollwake+0x10/0x10
? __rseq_handle_notify_resume+0xad/0x4c0
? restore_fpregs_from_fpstate+0x3c/0x90
? switch_fpu_return+0x5b/0xe0
? do_syscall_64+0x204/0x2f0
? do_syscall_64+0x204/0x2f0
? do_syscall_64+0x204/0x2f0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
[...]
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0x1c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
Instead use the skb destructor_arg pointer along with pointer tagging.
As pointers are always aligned to 8B, use the bottom bit to indicate
whether this a single address or an allocated struct containing several
addresses.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xdp/xsk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c5ea2e50b5c9aa80c5b53526257540f0c26cd66d",
"status": "affected",
"version": "30f241fcf52aaaef7ac16e66530faa11be78a865",
"versionType": "git"
},
{
"lessThan": "0ebc27a4c67d44e5ce88d21cdad8201862b78837",
"status": "affected",
"version": "30f241fcf52aaaef7ac16e66530faa11be78a865",
"versionType": "git"
},
{
"status": "affected",
"version": "932cb57e675a62982d4719e4b04e9f09a15a5baf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xdp/xsk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: avoid data corruption on cq descriptor number\n\nSince commit 30f241fcf52a (\"xsk: Fix immature cq descriptor\nproduction\"), the descriptor number is stored in skb control block and\nxsk_cq_submit_addr_locked() relies on it to put the umem addrs onto\npool\u0027s completion queue.\n\nskb control block shouldn\u0027t be used for this purpose as after transmit\nxsk doesn\u0027t have control over it and other subsystems could use it. This\nleads to the following kernel panic due to a NULL pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 2 UID: 1 PID: 927 Comm: p4xsk.bin Not tainted 6.16.12+deb14-cloud-amd64 #1 PREEMPT(lazy) Debian 6.16.12-1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n RIP: 0010:xsk_destruct_skb+0xd0/0x180\n [...]\n Call Trace:\n \u003cIRQ\u003e\n ? napi_complete_done+0x7a/0x1a0\n ip_rcv_core+0x1bb/0x340\n ip_rcv+0x30/0x1f0\n __netif_receive_skb_one_core+0x85/0xa0\n process_backlog+0x87/0x130\n __napi_poll+0x28/0x180\n net_rx_action+0x339/0x420\n handle_softirqs+0xdc/0x320\n ? handle_edge_irq+0x90/0x1e0\n do_softirq.part.0+0x3b/0x60\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip+0x60/0x70\n __dev_direct_xmit+0x14e/0x1f0\n __xsk_generic_xmit+0x482/0xb70\n ? __remove_hrtimer+0x41/0xa0\n ? __xsk_generic_xmit+0x51/0xb70\n ? _raw_spin_unlock_irqrestore+0xe/0x40\n xsk_sendmsg+0xda/0x1c0\n __sys_sendto+0x1ee/0x200\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x84/0x2f0\n ? __pfx_pollwake+0x10/0x10\n ? __rseq_handle_notify_resume+0xad/0x4c0\n ? restore_fpregs_from_fpstate+0x3c/0x90\n ? switch_fpu_return+0x5b/0xe0\n ? do_syscall_64+0x204/0x2f0\n ? do_syscall_64+0x204/0x2f0\n ? do_syscall_64+0x204/0x2f0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n [...]\n Kernel panic - not syncing: Fatal exception in interrupt\n Kernel Offset: 0x1c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n\nInstead use the skb destructor_arg pointer along with pointer tagging.\nAs pointers are always aligned to 8B, use the bottom bit to indicate\nwhether this a single address or an allocated struct containing several\naddresses."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:09:08.370Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c5ea2e50b5c9aa80c5b53526257540f0c26cd66d"
},
{
"url": "https://git.kernel.org/stable/c/0ebc27a4c67d44e5ce88d21cdad8201862b78837"
},
{
"url": "https://bugs.debian.org/1118437"
}
],
"title": "xsk: avoid data corruption on cq descriptor number",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40290",
"datePublished": "2025-12-08T00:09:08.370Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-08T00:09:08.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39853 (GCVE-0-2025-39853)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
i40e: Fix potential invalid access when MAC list is empty
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: Fix potential invalid access when MAC list is empty
list_first_entry() never returns NULL - if the list is empty, it still
returns a pointer to an invalid object, leading to potential invalid
memory access when dereferenced.
Fix this by using list_first_entry_or_null instead of list_first_entry.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e3219ce6a775468368fb270fae3eb82a6787b436 , < 971feafe157afac443027acdc235badc6838560b
(git)
Affected: e3219ce6a775468368fb270fae3eb82a6787b436 , < 3c6fb929afa313d9d11f780451d113f73922fe5d (git) Affected: e3219ce6a775468368fb270fae3eb82a6787b436 , < 1eadabcf5623f1237a539b16586b4ed8ac8dffcd (git) Affected: e3219ce6a775468368fb270fae3eb82a6787b436 , < e2a5e74879f9b494bbd66fa93f355feacde450c7 (git) Affected: e3219ce6a775468368fb270fae3eb82a6787b436 , < fb216d980fae6561c7c70af8ef826faf059c6515 (git) Affected: e3219ce6a775468368fb270fae3eb82a6787b436 , < 66e7cdbda74ee823ec2bf7b830ebd235c54f5ddf (git) Affected: e3219ce6a775468368fb270fae3eb82a6787b436 , < 9c21fc4cebd44dd21016c61261a683af390343f8 (git) Affected: e3219ce6a775468368fb270fae3eb82a6787b436 , < a556f06338e1d5a85af0e32ecb46e365547f92b9 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:09.789Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "971feafe157afac443027acdc235badc6838560b",
"status": "affected",
"version": "e3219ce6a775468368fb270fae3eb82a6787b436",
"versionType": "git"
},
{
"lessThan": "3c6fb929afa313d9d11f780451d113f73922fe5d",
"status": "affected",
"version": "e3219ce6a775468368fb270fae3eb82a6787b436",
"versionType": "git"
},
{
"lessThan": "1eadabcf5623f1237a539b16586b4ed8ac8dffcd",
"status": "affected",
"version": "e3219ce6a775468368fb270fae3eb82a6787b436",
"versionType": "git"
},
{
"lessThan": "e2a5e74879f9b494bbd66fa93f355feacde450c7",
"status": "affected",
"version": "e3219ce6a775468368fb270fae3eb82a6787b436",
"versionType": "git"
},
{
"lessThan": "fb216d980fae6561c7c70af8ef826faf059c6515",
"status": "affected",
"version": "e3219ce6a775468368fb270fae3eb82a6787b436",
"versionType": "git"
},
{
"lessThan": "66e7cdbda74ee823ec2bf7b830ebd235c54f5ddf",
"status": "affected",
"version": "e3219ce6a775468368fb270fae3eb82a6787b436",
"versionType": "git"
},
{
"lessThan": "9c21fc4cebd44dd21016c61261a683af390343f8",
"status": "affected",
"version": "e3219ce6a775468368fb270fae3eb82a6787b436",
"versionType": "git"
},
{
"lessThan": "a556f06338e1d5a85af0e32ecb46e365547f92b9",
"status": "affected",
"version": "e3219ce6a775468368fb270fae3eb82a6787b436",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix potential invalid access when MAC list is empty\n\nlist_first_entry() never returns NULL - if the list is empty, it still\nreturns a pointer to an invalid object, leading to potential invalid\nmemory access when dereferenced.\n\nFix this by using list_first_entry_or_null instead of list_first_entry."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:05.844Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/971feafe157afac443027acdc235badc6838560b"
},
{
"url": "https://git.kernel.org/stable/c/3c6fb929afa313d9d11f780451d113f73922fe5d"
},
{
"url": "https://git.kernel.org/stable/c/1eadabcf5623f1237a539b16586b4ed8ac8dffcd"
},
{
"url": "https://git.kernel.org/stable/c/e2a5e74879f9b494bbd66fa93f355feacde450c7"
},
{
"url": "https://git.kernel.org/stable/c/fb216d980fae6561c7c70af8ef826faf059c6515"
},
{
"url": "https://git.kernel.org/stable/c/66e7cdbda74ee823ec2bf7b830ebd235c54f5ddf"
},
{
"url": "https://git.kernel.org/stable/c/9c21fc4cebd44dd21016c61261a683af390343f8"
},
{
"url": "https://git.kernel.org/stable/c/a556f06338e1d5a85af0e32ecb46e365547f92b9"
}
],
"title": "i40e: Fix potential invalid access when MAC list is empty",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39853",
"datePublished": "2025-09-19T15:26:25.101Z",
"dateReserved": "2025-04-16T07:20:57.142Z",
"dateUpdated": "2025-11-03T17:44:09.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39929 (GCVE-0-2025-39929)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:30 – Updated: 2025-10-04 07:30
VLAI?
EPSS
Title
smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path
During tests of another unrelated patch I was able to trigger this
error: Objects remaining on __kmem_cache_shutdown()
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f198186aa9bbd60fae7a2061f4feec614d880299 , < 3d7c075c878ac844e33c43e506c2fa27ac7e9689
(git)
Affected: f198186aa9bbd60fae7a2061f4feec614d880299 , < e7b7a93879558e77d950f1ff9a6f3daa385b33df (git) Affected: f198186aa9bbd60fae7a2061f4feec614d880299 , < 922338efaad63cfe30d459dfc59f9d69ff93ded4 (git) Affected: f198186aa9bbd60fae7a2061f4feec614d880299 , < 0991418bf98f191d0c320bd25245fcffa1998c7e (git) Affected: f198186aa9bbd60fae7a2061f4feec614d880299 , < daac51c7032036a0ca5f1aa419ad1b0471d1c6e0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smbdirect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d7c075c878ac844e33c43e506c2fa27ac7e9689",
"status": "affected",
"version": "f198186aa9bbd60fae7a2061f4feec614d880299",
"versionType": "git"
},
{
"lessThan": "e7b7a93879558e77d950f1ff9a6f3daa385b33df",
"status": "affected",
"version": "f198186aa9bbd60fae7a2061f4feec614d880299",
"versionType": "git"
},
{
"lessThan": "922338efaad63cfe30d459dfc59f9d69ff93ded4",
"status": "affected",
"version": "f198186aa9bbd60fae7a2061f4feec614d880299",
"versionType": "git"
},
{
"lessThan": "0991418bf98f191d0c320bd25245fcffa1998c7e",
"status": "affected",
"version": "f198186aa9bbd60fae7a2061f4feec614d880299",
"versionType": "git"
},
{
"lessThan": "daac51c7032036a0ca5f1aa419ad1b0471d1c6e0",
"status": "affected",
"version": "f198186aa9bbd60fae7a2061f4feec614d880299",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smbdirect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path\n\nDuring tests of another unrelated patch I was able to trigger this\nerror: Objects remaining on __kmem_cache_shutdown()"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:30:55.153Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d7c075c878ac844e33c43e506c2fa27ac7e9689"
},
{
"url": "https://git.kernel.org/stable/c/e7b7a93879558e77d950f1ff9a6f3daa385b33df"
},
{
"url": "https://git.kernel.org/stable/c/922338efaad63cfe30d459dfc59f9d69ff93ded4"
},
{
"url": "https://git.kernel.org/stable/c/0991418bf98f191d0c320bd25245fcffa1998c7e"
},
{
"url": "https://git.kernel.org/stable/c/daac51c7032036a0ca5f1aa419ad1b0471d1c6e0"
}
],
"title": "smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39929",
"datePublished": "2025-10-04T07:30:55.153Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-04T07:30:55.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40324 (GCVE-0-2025-40324)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
NFSD: Fix crash in nfsd4_read_release()
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Fix crash in nfsd4_read_release()
When tracing is enabled, the trace_nfsd_read_done trace point
crashes during the pynfs read.testNoFh test.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
65a33135e91e6dd661ecdf1194b9d90c49ae3570 , < 930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1
(git)
Affected: b11d8162c24af4a351d21e2c804d25ca493305e3 , < 375fdd8993cecc48afa359728a6e70b280dde1c8 (git) Affected: b623a8e5d38a69a3ef8644acb1030dd7c7bc28b3 , < 2ac46606b2cc49e78d8e3d8f2685e79e9ba73020 (git) Affected: 15a8b55dbb1ba154d82627547c5761cac884d810 , < 03524ccff698d4a77d096ed529073d91f5edee5d (git) Affected: 15a8b55dbb1ba154d82627547c5761cac884d810 , < a4948875ed0599c037dc438c11891c9012721b1d (git) Affected: 15a8b55dbb1ba154d82627547c5761cac884d810 , < 8f244b773c63fa480c9a3bd1ae04f5272f285e89 (git) Affected: 15a8b55dbb1ba154d82627547c5761cac884d810 , < abb1f08a2121dd270193746e43b2a9373db9ad84 (git) Affected: 3d0dcada384af22dec764c8374a2997870ec86ae (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1",
"status": "affected",
"version": "65a33135e91e6dd661ecdf1194b9d90c49ae3570",
"versionType": "git"
},
{
"lessThan": "375fdd8993cecc48afa359728a6e70b280dde1c8",
"status": "affected",
"version": "b11d8162c24af4a351d21e2c804d25ca493305e3",
"versionType": "git"
},
{
"lessThan": "2ac46606b2cc49e78d8e3d8f2685e79e9ba73020",
"status": "affected",
"version": "b623a8e5d38a69a3ef8644acb1030dd7c7bc28b3",
"versionType": "git"
},
{
"lessThan": "03524ccff698d4a77d096ed529073d91f5edee5d",
"status": "affected",
"version": "15a8b55dbb1ba154d82627547c5761cac884d810",
"versionType": "git"
},
{
"lessThan": "a4948875ed0599c037dc438c11891c9012721b1d",
"status": "affected",
"version": "15a8b55dbb1ba154d82627547c5761cac884d810",
"versionType": "git"
},
{
"lessThan": "8f244b773c63fa480c9a3bd1ae04f5272f285e89",
"status": "affected",
"version": "15a8b55dbb1ba154d82627547c5761cac884d810",
"versionType": "git"
},
{
"lessThan": "abb1f08a2121dd270193746e43b2a9373db9ad84",
"status": "affected",
"version": "15a8b55dbb1ba154d82627547c5761cac884d810",
"versionType": "git"
},
{
"status": "affected",
"version": "3d0dcada384af22dec764c8374a2997870ec86ae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.220",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix crash in nfsd4_read_release()\n\nWhen tracing is enabled, the trace_nfsd_read_done trace point\ncrashes during the pynfs read.testNoFh test."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:51.912Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1"
},
{
"url": "https://git.kernel.org/stable/c/375fdd8993cecc48afa359728a6e70b280dde1c8"
},
{
"url": "https://git.kernel.org/stable/c/2ac46606b2cc49e78d8e3d8f2685e79e9ba73020"
},
{
"url": "https://git.kernel.org/stable/c/03524ccff698d4a77d096ed529073d91f5edee5d"
},
{
"url": "https://git.kernel.org/stable/c/a4948875ed0599c037dc438c11891c9012721b1d"
},
{
"url": "https://git.kernel.org/stable/c/8f244b773c63fa480c9a3bd1ae04f5272f285e89"
},
{
"url": "https://git.kernel.org/stable/c/abb1f08a2121dd270193746e43b2a9373db9ad84"
}
],
"title": "NFSD: Fix crash in nfsd4_read_release()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40324",
"datePublished": "2025-12-08T00:46:51.912Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:51.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40328 (GCVE-0-2025-40328)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-09 04:09
VLAI?
EPSS
Title
smb: client: fix potential UAF in smb2_close_cached_fid()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix potential UAF in smb2_close_cached_fid()
find_or_create_cached_dir() could grab a new reference after kref_put()
had seen the refcount drop to zero but before cfid_list_lock is acquired
in smb2_close_cached_fid(), leading to use-after-free.
Switch to kref_put_lock() so cfid_release() is called with
cfid_list_lock held, closing that gap.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ebe98f1447bbccf8228335c62d86af02a0ed23f7 , < cb52d9c86d70298de0ab7c7953653898cbc0efd6
(git)
Affected: ebe98f1447bbccf8228335c62d86af02a0ed23f7 , < 065bd62412271a2d734810dd50336cae88c54427 (git) Affected: ebe98f1447bbccf8228335c62d86af02a0ed23f7 , < bdb596ceb4b7c3f28786a33840263728217fbcf5 (git) Affected: ebe98f1447bbccf8228335c62d86af02a0ed23f7 , < 734e99623c5b65bf2c03e35978a0b980ebc3c2f8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cached_dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb52d9c86d70298de0ab7c7953653898cbc0efd6",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
},
{
"lessThan": "065bd62412271a2d734810dd50336cae88c54427",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
},
{
"lessThan": "bdb596ceb4b7c3f28786a33840263728217fbcf5",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
},
{
"lessThan": "734e99623c5b65bf2c03e35978a0b980ebc3c2f8",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cached_dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_close_cached_fid()\n\nfind_or_create_cached_dir() could grab a new reference after kref_put()\nhad seen the refcount drop to zero but before cfid_list_lock is acquired\nin smb2_close_cached_fid(), leading to use-after-free.\n\nSwitch to kref_put_lock() so cfid_release() is called with\ncfid_list_lock held, closing that gap."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T04:09:44.876Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb52d9c86d70298de0ab7c7953653898cbc0efd6"
},
{
"url": "https://git.kernel.org/stable/c/065bd62412271a2d734810dd50336cae88c54427"
},
{
"url": "https://git.kernel.org/stable/c/bdb596ceb4b7c3f28786a33840263728217fbcf5"
},
{
"url": "https://git.kernel.org/stable/c/734e99623c5b65bf2c03e35978a0b980ebc3c2f8"
}
],
"title": "smb: client: fix potential UAF in smb2_close_cached_fid()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40328",
"datePublished": "2025-12-09T04:09:44.876Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-09T04:09:44.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40105 (GCVE-0-2025-40105)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:48 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
vfs: Don't leak disconnected dentries on umount
Summary
In the Linux kernel, the following vulnerability has been resolved:
vfs: Don't leak disconnected dentries on umount
When user calls open_by_handle_at() on some inode that is not cached, we
will create disconnected dentry for it. If such dentry is a directory,
exportfs_decode_fh_raw() will then try to connect this dentry to the
dentry tree through reconnect_path(). It may happen for various reasons
(such as corrupted fs or race with rename) that the call to
lookup_one_unlocked() in reconnect_one() will fail to find the dentry we
are trying to reconnect and instead create a new dentry under the
parent. Now this dentry will not be marked as disconnected although the
parent still may well be disconnected (at least in case this
inconsistency happened because the fs is corrupted and .. doesn't point
to the real parent directory). This creates inconsistency in
disconnected flags but AFAICS it was mostly harmless. At least until
commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon")
which removed adding of most disconnected dentries to sb->s_anon list.
Thus after this commit cleanup of disconnected dentries implicitely
relies on the fact that dput() will immediately reclaim such dentries.
However when some leaf dentry isn't marked as disconnected, as in the
scenario described above, the reclaim doesn't happen and the dentries
are "leaked". Memory reclaim can eventually reclaim them but otherwise
they stay in memory and if umount comes first, we hit infamous "Busy
inodes after unmount" bug. Make sure all dentries created under a
disconnected parent are marked as disconnected as well.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f1ee616214cb22410e939d963bbb2349c2570f02 , < b5abafd0aa8d7bcb935c8f91e4cfc2f2820759e4
(git)
Affected: f1ee616214cb22410e939d963bbb2349c2570f02 , < 20863bb7fbb016379f8227122edfabc5c799bc79 (git) Affected: f1ee616214cb22410e939d963bbb2349c2570f02 , < 8004d4b8cbf1bd68a23c160d57287e177c82cc69 (git) Affected: f1ee616214cb22410e939d963bbb2349c2570f02 , < 7e0c8aaf4e28918abded547a5147c7d52c4af7d2 (git) Affected: f1ee616214cb22410e939d963bbb2349c2570f02 , < cebfbf40056a4d858b2a3ca59a69936d599bd209 (git) Affected: f1ee616214cb22410e939d963bbb2349c2570f02 , < 620f3b0ede9c5cb4976cd0457d0b04ad551e5d6b (git) Affected: f1ee616214cb22410e939d963bbb2349c2570f02 , < eadc49999fa994d6fbd70c332bd5d5051cc42261 (git) Affected: f1ee616214cb22410e939d963bbb2349c2570f02 , < 56094ad3eaa21e6621396cc33811d8f72847a834 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/dcache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b5abafd0aa8d7bcb935c8f91e4cfc2f2820759e4",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "20863bb7fbb016379f8227122edfabc5c799bc79",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "8004d4b8cbf1bd68a23c160d57287e177c82cc69",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "7e0c8aaf4e28918abded547a5147c7d52c4af7d2",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "cebfbf40056a4d858b2a3ca59a69936d599bd209",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "620f3b0ede9c5cb4976cd0457d0b04ad551e5d6b",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "eadc49999fa994d6fbd70c332bd5d5051cc42261",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "56094ad3eaa21e6621396cc33811d8f72847a834",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/dcache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfs: Don\u0027t leak disconnected dentries on umount\n\nWhen user calls open_by_handle_at() on some inode that is not cached, we\nwill create disconnected dentry for it. If such dentry is a directory,\nexportfs_decode_fh_raw() will then try to connect this dentry to the\ndentry tree through reconnect_path(). It may happen for various reasons\n(such as corrupted fs or race with rename) that the call to\nlookup_one_unlocked() in reconnect_one() will fail to find the dentry we\nare trying to reconnect and instead create a new dentry under the\nparent. Now this dentry will not be marked as disconnected although the\nparent still may well be disconnected (at least in case this\ninconsistency happened because the fs is corrupted and .. doesn\u0027t point\nto the real parent directory). This creates inconsistency in\ndisconnected flags but AFAICS it was mostly harmless. At least until\ncommit f1ee616214cb (\"VFS: don\u0027t keep disconnected dentries on d_anon\")\nwhich removed adding of most disconnected dentries to sb-\u003es_anon list.\nThus after this commit cleanup of disconnected dentries implicitely\nrelies on the fact that dput() will immediately reclaim such dentries.\nHowever when some leaf dentry isn\u0027t marked as disconnected, as in the\nscenario described above, the reclaim doesn\u0027t happen and the dentries\nare \"leaked\". Memory reclaim can eventually reclaim them but otherwise\nthey stay in memory and if umount comes first, we hit infamous \"Busy\ninodes after unmount\" bug. Make sure all dentries created under a\ndisconnected parent are marked as disconnected as well."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:08.529Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b5abafd0aa8d7bcb935c8f91e4cfc2f2820759e4"
},
{
"url": "https://git.kernel.org/stable/c/20863bb7fbb016379f8227122edfabc5c799bc79"
},
{
"url": "https://git.kernel.org/stable/c/8004d4b8cbf1bd68a23c160d57287e177c82cc69"
},
{
"url": "https://git.kernel.org/stable/c/7e0c8aaf4e28918abded547a5147c7d52c4af7d2"
},
{
"url": "https://git.kernel.org/stable/c/cebfbf40056a4d858b2a3ca59a69936d599bd209"
},
{
"url": "https://git.kernel.org/stable/c/620f3b0ede9c5cb4976cd0457d0b04ad551e5d6b"
},
{
"url": "https://git.kernel.org/stable/c/eadc49999fa994d6fbd70c332bd5d5051cc42261"
},
{
"url": "https://git.kernel.org/stable/c/56094ad3eaa21e6621396cc33811d8f72847a834"
}
],
"title": "vfs: Don\u0027t leak disconnected dentries on umount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40105",
"datePublished": "2025-10-30T09:48:09.674Z",
"dateReserved": "2025-04-16T07:20:57.165Z",
"dateUpdated": "2025-12-01T06:18:08.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39697 (GCVE-0-2025-39697)
Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2025-11-03 17:42
VLAI?
EPSS
Title
NFS: Fix a race when updating an existing write
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFS: Fix a race when updating an existing write
After nfs_lock_and_join_requests() tests for whether the request is
still attached to the mapping, nothing prevents a call to
nfs_inode_remove_request() from succeeding until we actually lock the
page group.
The reason is that whoever called nfs_inode_remove_request() doesn't
necessarily have a lock on the page group head.
So in order to avoid races, let's take the page group lock earlier in
nfs_lock_and_join_requests(), and hold it across the removal of the
request in nfs_inode_remove_request().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bd37d6fce184836bd5e7cd90ce40116a4fadaf2a , < 0ff42a32784e0f2cb46a46da8e9f473538c13e1b
(git)
Affected: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a , < f230d40147cc37eb3aef4d50e2e2c06ea73d9a77 (git) Affected: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a , < c32e3c71aaa1c1ba05da88605e2ddd493c58794f (git) Affected: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a , < 181feb41f0b268e6288bf9a7b984624d7fe2031d (git) Affected: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a , < 92278ae36935a54e65fef9f8ea8efe7e80481ace (git) Affected: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a , < 202a3432d21ac060629a760fff3b0a39859da3ea (git) Affected: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a , < 76d2e3890fb169168c73f2e4f8375c7cc24a765e (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:28.746Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/pagelist.c",
"fs/nfs/write.c",
"include/linux/nfs_page.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0ff42a32784e0f2cb46a46da8e9f473538c13e1b",
"status": "affected",
"version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
"versionType": "git"
},
{
"lessThan": "f230d40147cc37eb3aef4d50e2e2c06ea73d9a77",
"status": "affected",
"version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
"versionType": "git"
},
{
"lessThan": "c32e3c71aaa1c1ba05da88605e2ddd493c58794f",
"status": "affected",
"version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
"versionType": "git"
},
{
"lessThan": "181feb41f0b268e6288bf9a7b984624d7fe2031d",
"status": "affected",
"version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
"versionType": "git"
},
{
"lessThan": "92278ae36935a54e65fef9f8ea8efe7e80481ace",
"status": "affected",
"version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
"versionType": "git"
},
{
"lessThan": "202a3432d21ac060629a760fff3b0a39859da3ea",
"status": "affected",
"version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
"versionType": "git"
},
{
"lessThan": "76d2e3890fb169168c73f2e4f8375c7cc24a765e",
"status": "affected",
"version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/pagelist.c",
"fs/nfs/write.c",
"include/linux/nfs_page.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix a race when updating an existing write\n\nAfter nfs_lock_and_join_requests() tests for whether the request is\nstill attached to the mapping, nothing prevents a call to\nnfs_inode_remove_request() from succeeding until we actually lock the\npage group.\nThe reason is that whoever called nfs_inode_remove_request() doesn\u0027t\nnecessarily have a lock on the page group head.\n\nSo in order to avoid races, let\u0027s take the page group lock earlier in\nnfs_lock_and_join_requests(), and hold it across the removal of the\nrequest in nfs_inode_remove_request()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:37.628Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0ff42a32784e0f2cb46a46da8e9f473538c13e1b"
},
{
"url": "https://git.kernel.org/stable/c/f230d40147cc37eb3aef4d50e2e2c06ea73d9a77"
},
{
"url": "https://git.kernel.org/stable/c/c32e3c71aaa1c1ba05da88605e2ddd493c58794f"
},
{
"url": "https://git.kernel.org/stable/c/181feb41f0b268e6288bf9a7b984624d7fe2031d"
},
{
"url": "https://git.kernel.org/stable/c/92278ae36935a54e65fef9f8ea8efe7e80481ace"
},
{
"url": "https://git.kernel.org/stable/c/202a3432d21ac060629a760fff3b0a39859da3ea"
},
{
"url": "https://git.kernel.org/stable/c/76d2e3890fb169168c73f2e4f8375c7cc24a765e"
}
],
"title": "NFS: Fix a race when updating an existing write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39697",
"datePublished": "2025-09-05T17:21:03.178Z",
"dateReserved": "2025-04-16T07:20:57.115Z",
"dateUpdated": "2025-11-03T17:42:28.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68748 (GCVE-0-2025-68748)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
drm/panthor: Fix UAF race between device unplug and FW event processing
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/panthor: Fix UAF race between device unplug and FW event processing
The function panthor_fw_unplug() will free the FW memory sections.
The problem is that there could still be pending FW events which are yet
not handled at this point. process_fw_events_work() can in this case try
to access said freed memory.
Simply call disable_work_sync() to both drain and prevent future
invocation of process_fw_events_work().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
de85488138247d034eb3241840424a54d660926b , < 31db188355a49337e3e8ec98b99377e482eab22c
(git)
Affected: de85488138247d034eb3241840424a54d660926b , < 5e3ff56d4cb591daea70786d07dc21d06dc34108 (git) Affected: de85488138247d034eb3241840424a54d660926b , < 6c1da9ae2c123a9ffda5375e64cc81f9ed3cc04a (git) Affected: de85488138247d034eb3241840424a54d660926b , < 7051f6ba968fa69918d72cc26de4d6cf7ea05b90 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panthor/panthor_sched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31db188355a49337e3e8ec98b99377e482eab22c",
"status": "affected",
"version": "de85488138247d034eb3241840424a54d660926b",
"versionType": "git"
},
{
"lessThan": "5e3ff56d4cb591daea70786d07dc21d06dc34108",
"status": "affected",
"version": "de85488138247d034eb3241840424a54d660926b",
"versionType": "git"
},
{
"lessThan": "6c1da9ae2c123a9ffda5375e64cc81f9ed3cc04a",
"status": "affected",
"version": "de85488138247d034eb3241840424a54d660926b",
"versionType": "git"
},
{
"lessThan": "7051f6ba968fa69918d72cc26de4d6cf7ea05b90",
"status": "affected",
"version": "de85488138247d034eb3241840424a54d660926b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panthor/panthor_sched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Fix UAF race between device unplug and FW event processing\n\nThe function panthor_fw_unplug() will free the FW memory sections.\nThe problem is that there could still be pending FW events which are yet\nnot handled at this point. process_fw_events_work() can in this case try\nto access said freed memory.\n\nSimply call disable_work_sync() to both drain and prevent future\ninvocation of process_fw_events_work()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:53.110Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31db188355a49337e3e8ec98b99377e482eab22c"
},
{
"url": "https://git.kernel.org/stable/c/5e3ff56d4cb591daea70786d07dc21d06dc34108"
},
{
"url": "https://git.kernel.org/stable/c/6c1da9ae2c123a9ffda5375e64cc81f9ed3cc04a"
},
{
"url": "https://git.kernel.org/stable/c/7051f6ba968fa69918d72cc26de4d6cf7ea05b90"
}
],
"title": "drm/panthor: Fix UAF race between device unplug and FW event processing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68748",
"datePublished": "2025-12-24T12:09:43.620Z",
"dateReserved": "2025-12-24T10:30:51.032Z",
"dateUpdated": "2026-02-09T08:32:53.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40011 (GCVE-0-2025-40011)
Vulnerability from cvelistv5 – Published: 2025-10-20 15:26 – Updated: 2025-10-20 15:26
VLAI?
EPSS
Title
drm/gma500: Fix null dereference in hdmi teardown
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/gma500: Fix null dereference in hdmi teardown
pci_set_drvdata sets the value of pdev->driver_data to NULL,
after which the driver_data obtained from the same dev is
dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is
extracted from it. To prevent this, swap these calls.
Found by Linux Verification Center (linuxtesting.org) with Svacer.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1b082ccf5901108d3acd860a73d8c0442556c0bb , < 70b0c11483d3b90b2d0f416026e475e084a77e62
(git)
Affected: 1b082ccf5901108d3acd860a73d8c0442556c0bb , < 4bbfd1b290857b9d14ea9d91562bde55ff2bc85e (git) Affected: 1b082ccf5901108d3acd860a73d8c0442556c0bb , < e15de80737d444ed743b1c60ced4a3a97913169b (git) Affected: 1b082ccf5901108d3acd860a73d8c0442556c0bb , < 02e4ff4941efb9bbb40d8d5b61efa1a4119b1ba7 (git) Affected: 1b082ccf5901108d3acd860a73d8c0442556c0bb , < 6ffa6b5bc861a3ea9dfcdc007f002b4a347c24ba (git) Affected: 1b082ccf5901108d3acd860a73d8c0442556c0bb , < f800f7054d2cf28b51296c7c575da27c29e3859b (git) Affected: 1b082ccf5901108d3acd860a73d8c0442556c0bb , < 0fc650fa475b50c1da8236c5e900b9460c7027bc (git) Affected: 1b082ccf5901108d3acd860a73d8c0442556c0bb , < 352e66900cde63f3dadb142364d3c35170bbaaff (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/gma500/oaktrail_hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70b0c11483d3b90b2d0f416026e475e084a77e62",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "4bbfd1b290857b9d14ea9d91562bde55ff2bc85e",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "e15de80737d444ed743b1c60ced4a3a97913169b",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "02e4ff4941efb9bbb40d8d5b61efa1a4119b1ba7",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "6ffa6b5bc861a3ea9dfcdc007f002b4a347c24ba",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "f800f7054d2cf28b51296c7c575da27c29e3859b",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "0fc650fa475b50c1da8236c5e900b9460c7027bc",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "352e66900cde63f3dadb142364d3c35170bbaaff",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/gma500/oaktrail_hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: Fix null dereference in hdmi teardown\n\npci_set_drvdata sets the value of pdev-\u003edriver_data to NULL,\nafter which the driver_data obtained from the same dev is\ndereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is\nextracted from it. To prevent this, swap these calls.\n\nFound by Linux Verification Center (linuxtesting.org) with Svacer."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:26:56.558Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70b0c11483d3b90b2d0f416026e475e084a77e62"
},
{
"url": "https://git.kernel.org/stable/c/4bbfd1b290857b9d14ea9d91562bde55ff2bc85e"
},
{
"url": "https://git.kernel.org/stable/c/e15de80737d444ed743b1c60ced4a3a97913169b"
},
{
"url": "https://git.kernel.org/stable/c/02e4ff4941efb9bbb40d8d5b61efa1a4119b1ba7"
},
{
"url": "https://git.kernel.org/stable/c/6ffa6b5bc861a3ea9dfcdc007f002b4a347c24ba"
},
{
"url": "https://git.kernel.org/stable/c/f800f7054d2cf28b51296c7c575da27c29e3859b"
},
{
"url": "https://git.kernel.org/stable/c/0fc650fa475b50c1da8236c5e900b9460c7027bc"
},
{
"url": "https://git.kernel.org/stable/c/352e66900cde63f3dadb142364d3c35170bbaaff"
}
],
"title": "drm/gma500: Fix null dereference in hdmi teardown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40011",
"datePublished": "2025-10-20T15:26:56.558Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-20T15:26:56.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68296 (GCVE-0-2025-68296)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup
Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB
access in fbcon_remap_all(). Without holding the console lock the call
races with switching outputs.
VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon
function uses struct fb_info.node, which is set by register_framebuffer().
As the fb-helper code currently sets up VGA switcheroo before registering
the framebuffer, the value of node is -1 and therefore not a legal value.
For example, fbcon uses the value within set_con2fb_map() [1] as an index
into an array.
Moving vga_switcheroo_client_fb_set() after register_framebuffer() can
result in VGA switching that does not switch fbcon correctly.
Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(),
which already holds the console lock. Fbdev calls fbcon_fb_registered()
from within register_framebuffer(). Serializes the helper with VGA
switcheroo's call to fbcon_remap_all().
Although vga_switcheroo_client_fb_set() takes an instance of struct fb_info
as parameter, it really only needs the contained fbcon state. Moving the
call to fbcon initialization is therefore cleaner than before. Only amdgpu,
i915, nouveau and radeon support vga_switcheroo. For all other drivers,
this change does nothing.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6a9ee8af344e3bd7dbd61e67037096cdf7f83289 , < 482330f8261b4bea8146d9bd69c1199e5dfcbb5c
(git)
Affected: 6a9ee8af344e3bd7dbd61e67037096cdf7f83289 , < 05814c389b53d2f3a0b9eeb90ba7a05ba77c4c2a (git) Affected: 6a9ee8af344e3bd7dbd61e67037096cdf7f83289 , < eb76d0f5553575599561010f24c277cc5b31d003 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_fb_helper.c",
"drivers/video/fbdev/core/fbcon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "482330f8261b4bea8146d9bd69c1199e5dfcbb5c",
"status": "affected",
"version": "6a9ee8af344e3bd7dbd61e67037096cdf7f83289",
"versionType": "git"
},
{
"lessThan": "05814c389b53d2f3a0b9eeb90ba7a05ba77c4c2a",
"status": "affected",
"version": "6a9ee8af344e3bd7dbd61e67037096cdf7f83289",
"versionType": "git"
},
{
"lessThan": "eb76d0f5553575599561010f24c277cc5b31d003",
"status": "affected",
"version": "6a9ee8af344e3bd7dbd61e67037096cdf7f83289",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_fb_helper.c",
"drivers/video/fbdev/core/fbcon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup\n\nProtect vga_switcheroo_client_fb_set() with console lock. Avoids OOB\naccess in fbcon_remap_all(). Without holding the console lock the call\nraces with switching outputs.\n\nVGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon\nfunction uses struct fb_info.node, which is set by register_framebuffer().\nAs the fb-helper code currently sets up VGA switcheroo before registering\nthe framebuffer, the value of node is -1 and therefore not a legal value.\nFor example, fbcon uses the value within set_con2fb_map() [1] as an index\ninto an array.\n\nMoving vga_switcheroo_client_fb_set() after register_framebuffer() can\nresult in VGA switching that does not switch fbcon correctly.\n\nTherefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(),\nwhich already holds the console lock. Fbdev calls fbcon_fb_registered()\nfrom within register_framebuffer(). Serializes the helper with VGA\nswitcheroo\u0027s call to fbcon_remap_all().\n\nAlthough vga_switcheroo_client_fb_set() takes an instance of struct fb_info\nas parameter, it really only needs the contained fbcon state. Moving the\ncall to fbcon initialization is therefore cleaner than before. Only amdgpu,\ni915, nouveau and radeon support vga_switcheroo. For all other drivers,\nthis change does nothing."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:15.797Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/482330f8261b4bea8146d9bd69c1199e5dfcbb5c"
},
{
"url": "https://git.kernel.org/stable/c/05814c389b53d2f3a0b9eeb90ba7a05ba77c4c2a"
},
{
"url": "https://git.kernel.org/stable/c/eb76d0f5553575599561010f24c277cc5b31d003"
}
],
"title": "drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68296",
"datePublished": "2025-12-16T15:06:15.797Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:15.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68343 (GCVE-0-2025-68343)
Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58
VLAI?
EPSS
Title
can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header
The driver expects to receive a struct gs_host_frame in
gs_usb_receive_bulk_callback().
Use struct_group to describe the header of the struct gs_host_frame and
check that we have at least received the header before accessing any
members of it.
To resubmit the URB, do not dereference the pointer chain
"dev->parent->hf_size_rx" but use "parent->hf_size_rx" instead. Since
"urb->context" contains "parent", it is always defined, while "dev" is not
defined if the URB it too short.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d08e973a77d128b25e01a08c34d89593fdf222da , < 18cbce43363c9f84b90a92d57df341155eee0697
(git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 3433680b759646efcacc64fe36aa2e51ae34b8f0 (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 616eee3e895b8ca0028163fcb1dce5e3e9dea322 (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < f31693dc3a584c0ad3937e857b59dbc1a7ed2b87 (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 6fe9f3279f7d2518439a7962c5870c6e9ecbadcf (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18cbce43363c9f84b90a92d57df341155eee0697",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "3433680b759646efcacc64fe36aa2e51ae34b8f0",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "616eee3e895b8ca0028163fcb1dce5e3e9dea322",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "f31693dc3a584c0ad3937e857b59dbc1a7ed2b87",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "6fe9f3279f7d2518439a7962c5870c6e9ecbadcf",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header\n\nThe driver expects to receive a struct gs_host_frame in\ngs_usb_receive_bulk_callback().\n\nUse struct_group to describe the header of the struct gs_host_frame and\ncheck that we have at least received the header before accessing any\nmembers of it.\n\nTo resubmit the URB, do not dereference the pointer chain\n\"dev-\u003eparent-\u003ehf_size_rx\" but use \"parent-\u003ehf_size_rx\" instead. Since\n\"urb-\u003econtext\" contains \"parent\", it is always defined, while \"dev\" is not\ndefined if the URB it too short."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:58:28.411Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18cbce43363c9f84b90a92d57df341155eee0697"
},
{
"url": "https://git.kernel.org/stable/c/3433680b759646efcacc64fe36aa2e51ae34b8f0"
},
{
"url": "https://git.kernel.org/stable/c/616eee3e895b8ca0028163fcb1dce5e3e9dea322"
},
{
"url": "https://git.kernel.org/stable/c/f31693dc3a584c0ad3937e857b59dbc1a7ed2b87"
},
{
"url": "https://git.kernel.org/stable/c/6fe9f3279f7d2518439a7962c5870c6e9ecbadcf"
}
],
"title": "can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68343",
"datePublished": "2025-12-23T13:58:28.411Z",
"dateReserved": "2025-12-16T14:48:05.298Z",
"dateUpdated": "2025-12-23T13:58:28.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39880 (GCVE-0-2025-39880)
Vulnerability from cvelistv5 – Published: 2025-09-23 06:00 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
libceph: fix invalid accesses to ceph_connection_v1_info
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: fix invalid accesses to ceph_connection_v1_info
There is a place where generic code in messenger.c is reading and
another place where it is writing to con->v1 union member without
checking that the union member is active (i.e. msgr1 is in use).
On 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter,
so such a read is almost guaranteed to return a bogus value instead of
0 when msgr2 is in use. This ends up being fairly benign because the
side effect is just the invalidation of the authorizer and successive
fetching of new tickets.
con->v1.connect_seq overlaps with con->v2.conn_bufs and the fact that
it's being written to can cause more serious consequences, but luckily
it's not something that happens often.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cd1a677cad994021b19665ed476aea63f5d54f31 , < ea12ab684f8ae8a6da11a22c78d94a79e2163096
(git)
Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 591ea9c30737663a471b2bb07b27ddde86b020d5 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 23538cfbeed87159a5ac6c61e7a6de3d8d4486a8 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 35dbbc3dbf8bccb2d77c68444f42c1e6d2d27983 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 6bd8b56899be0b514945f639a89ccafb8f8dfaef (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < cdbc9836c7afadad68f374791738f118263c5371 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:22.996Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea12ab684f8ae8a6da11a22c78d94a79e2163096",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "591ea9c30737663a471b2bb07b27ddde86b020d5",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "23538cfbeed87159a5ac6c61e7a6de3d8d4486a8",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "35dbbc3dbf8bccb2d77c68444f42c1e6d2d27983",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "6bd8b56899be0b514945f639a89ccafb8f8dfaef",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "cdbc9836c7afadad68f374791738f118263c5371",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix invalid accesses to ceph_connection_v1_info\n\nThere is a place where generic code in messenger.c is reading and\nanother place where it is writing to con-\u003ev1 union member without\nchecking that the union member is active (i.e. msgr1 is in use).\n\nOn 64-bit systems, con-\u003ev1.auth_retry overlaps with con-\u003ev2.out_iter,\nso such a read is almost guaranteed to return a bogus value instead of\n0 when msgr2 is in use. This ends up being fairly benign because the\nside effect is just the invalidation of the authorizer and successive\nfetching of new tickets.\n\ncon-\u003ev1.connect_seq overlaps with con-\u003ev2.conn_bufs and the fact that\nit\u0027s being written to can cause more serious consequences, but luckily\nit\u0027s not something that happens often."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:21.835Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea12ab684f8ae8a6da11a22c78d94a79e2163096"
},
{
"url": "https://git.kernel.org/stable/c/591ea9c30737663a471b2bb07b27ddde86b020d5"
},
{
"url": "https://git.kernel.org/stable/c/23538cfbeed87159a5ac6c61e7a6de3d8d4486a8"
},
{
"url": "https://git.kernel.org/stable/c/35dbbc3dbf8bccb2d77c68444f42c1e6d2d27983"
},
{
"url": "https://git.kernel.org/stable/c/6bd8b56899be0b514945f639a89ccafb8f8dfaef"
},
{
"url": "https://git.kernel.org/stable/c/cdbc9836c7afadad68f374791738f118263c5371"
}
],
"title": "libceph: fix invalid accesses to ceph_connection_v1_info",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39880",
"datePublished": "2025-09-23T06:00:49.897Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-11-03T17:44:22.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39812 (GCVE-0-2025-39812)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
sctp: initialize more fields in sctp_v6_from_sk()
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: initialize more fields in sctp_v6_from_sk()
syzbot found that sin6_scope_id was not properly initialized,
leading to undefined behavior.
Clear sin6_scope_id and sin6_flowinfo.
BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649
__sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649
sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983
sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390
sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452
sctp_get_port net/sctp/socket.c:8523 [inline]
sctp_listen_start net/sctp/socket.c:8567 [inline]
sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636
__sys_listen_socket net/socket.c:1912 [inline]
__sys_listen net/socket.c:1927 [inline]
__do_sys_listen net/socket.c:1932 [inline]
__se_sys_listen net/socket.c:1930 [inline]
__x64_sys_listen+0x343/0x4c0 net/socket.c:1930
x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Local variable addr.i.i created at:
sctp_get_port net/sctp/socket.c:8515 [inline]
sctp_listen_start net/sctp/socket.c:8567 [inline]
sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636
__sys_listen_socket net/socket.c:1912 [inline]
__sys_listen net/socket.c:1927 [inline]
__do_sys_listen net/socket.c:1932 [inline]
__se_sys_listen net/socket.c:1930 [inline]
__x64_sys_listen+0x343/0x4c0 net/socket.c:1930
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 45e4b36593edffb7bbee5828ae820bc10a9fa0f3
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9546934c2054bba1bd605c44e936619159a34027 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 17d6c7747045e9b802c2f5dfaba260d309d831ae (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 65b4693d8bab5370cfcb44a275b4d8dcb06e56bf (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 463aa96fca6209bb205f49f7deea3817d7ddaa3a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1bbc0c02aea1f1c405bd1271466889c25a1fe01b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f6c2cc99fc2387ba6499facd6108f6543382792d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2e8750469242cad8f01f320131fd5a6f540dbb99 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:36.526Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "45e4b36593edffb7bbee5828ae820bc10a9fa0f3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9546934c2054bba1bd605c44e936619159a34027",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "17d6c7747045e9b802c2f5dfaba260d309d831ae",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "65b4693d8bab5370cfcb44a275b4d8dcb06e56bf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "463aa96fca6209bb205f49f7deea3817d7ddaa3a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1bbc0c02aea1f1c405bd1271466889c25a1fe01b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f6c2cc99fc2387ba6499facd6108f6543382792d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2e8750469242cad8f01f320131fd5a6f540dbb99",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.298",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: initialize more fields in sctp_v6_from_sk()\n\nsyzbot found that sin6_scope_id was not properly initialized,\nleading to undefined behavior.\n\nClear sin6_scope_id and sin6_flowinfo.\n\nBUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649\n __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649\n sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983\n sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390\n sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452\n sctp_get_port net/sctp/socket.c:8523 [inline]\n sctp_listen_start net/sctp/socket.c:8567 [inline]\n sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636\n __sys_listen_socket net/socket.c:1912 [inline]\n __sys_listen net/socket.c:1927 [inline]\n __do_sys_listen net/socket.c:1932 [inline]\n __se_sys_listen net/socket.c:1930 [inline]\n __x64_sys_listen+0x343/0x4c0 net/socket.c:1930\n x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable addr.i.i created at:\n sctp_get_port net/sctp/socket.c:8515 [inline]\n sctp_listen_start net/sctp/socket.c:8567 [inline]\n sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636\n __sys_listen_socket net/socket.c:1912 [inline]\n __sys_listen net/socket.c:1927 [inline]\n __do_sys_listen net/socket.c:1932 [inline]\n __se_sys_listen net/socket.c:1930 [inline]\n __x64_sys_listen+0x343/0x4c0 net/socket.c:1930"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:56.151Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/45e4b36593edffb7bbee5828ae820bc10a9fa0f3"
},
{
"url": "https://git.kernel.org/stable/c/9546934c2054bba1bd605c44e936619159a34027"
},
{
"url": "https://git.kernel.org/stable/c/17d6c7747045e9b802c2f5dfaba260d309d831ae"
},
{
"url": "https://git.kernel.org/stable/c/65b4693d8bab5370cfcb44a275b4d8dcb06e56bf"
},
{
"url": "https://git.kernel.org/stable/c/463aa96fca6209bb205f49f7deea3817d7ddaa3a"
},
{
"url": "https://git.kernel.org/stable/c/1bbc0c02aea1f1c405bd1271466889c25a1fe01b"
},
{
"url": "https://git.kernel.org/stable/c/f6c2cc99fc2387ba6499facd6108f6543382792d"
},
{
"url": "https://git.kernel.org/stable/c/2e8750469242cad8f01f320131fd5a6f540dbb99"
}
],
"title": "sctp: initialize more fields in sctp_v6_from_sk()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39812",
"datePublished": "2025-09-16T13:00:14.103Z",
"dateReserved": "2025-04-16T07:20:57.137Z",
"dateUpdated": "2025-11-03T17:43:36.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40319 (GCVE-0-2025-40319)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
bpf: Sync pending IRQ work before freeing ring buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Sync pending IRQ work before freeing ring buffer
Fix a race where irq_work can be queued in bpf_ringbuf_commit()
but the ring buffer is freed before the work executes.
In the syzbot reproducer, a BPF program attached to sched_switch
triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer
is freed before this work executes, the irq_work thread may accesses
freed memory.
Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work
complete before freeing the buffer.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
457f44363a8894135c85b7a9afd2bd8196db24ab , < 47626748a2a00068dbbd5836d19076637b4e235b
(git)
Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < de2ce6b14bc3e565708a39bdba3ef9162aeffc72 (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < e1828c7a8d8135e21ff6adaaa9458c32aae13b11 (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 6451141103547f4efd774e912418a3b4318046c6 (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 10ca3b2eec384628bc9f5d8190aed9427ad2dde6 (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 430e15544f11f8de26b2b5109c7152f71b78295e (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 4e9077638301816a7d73fa1e1b4c1db4a7e3b59c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/ringbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47626748a2a00068dbbd5836d19076637b4e235b",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "de2ce6b14bc3e565708a39bdba3ef9162aeffc72",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "e1828c7a8d8135e21ff6adaaa9458c32aae13b11",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "6451141103547f4efd774e912418a3b4318046c6",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "10ca3b2eec384628bc9f5d8190aed9427ad2dde6",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "430e15544f11f8de26b2b5109c7152f71b78295e",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "4e9077638301816a7d73fa1e1b4c1db4a7e3b59c",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/ringbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Sync pending IRQ work before freeing ring buffer\n\nFix a race where irq_work can be queued in bpf_ringbuf_commit()\nbut the ring buffer is freed before the work executes.\nIn the syzbot reproducer, a BPF program attached to sched_switch\ntriggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer\nis freed before this work executes, the irq_work thread may accesses\nfreed memory.\nCalling `irq_work_sync(\u0026rb-\u003ework)` ensures that all pending irq_work\ncomplete before freeing the buffer."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:46.448Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47626748a2a00068dbbd5836d19076637b4e235b"
},
{
"url": "https://git.kernel.org/stable/c/de2ce6b14bc3e565708a39bdba3ef9162aeffc72"
},
{
"url": "https://git.kernel.org/stable/c/e1828c7a8d8135e21ff6adaaa9458c32aae13b11"
},
{
"url": "https://git.kernel.org/stable/c/6451141103547f4efd774e912418a3b4318046c6"
},
{
"url": "https://git.kernel.org/stable/c/10ca3b2eec384628bc9f5d8190aed9427ad2dde6"
},
{
"url": "https://git.kernel.org/stable/c/430e15544f11f8de26b2b5109c7152f71b78295e"
},
{
"url": "https://git.kernel.org/stable/c/4e9077638301816a7d73fa1e1b4c1db4a7e3b59c"
}
],
"title": "bpf: Sync pending IRQ work before freeing ring buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40319",
"datePublished": "2025-12-08T00:46:46.448Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:46.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22125 (GCVE-0-2025-22125)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2025-09-09 17:05
VLAI?
EPSS
Title
md/raid1,raid10: don't ignore IO flags
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid1,raid10: don't ignore IO flags
If blk-wbt is enabled by default, it's found that raid write performance
is quite bad because all IO are throttled by wbt of underlying disks,
due to flag REQ_IDLE is ignored. And turns out this behaviour exist since
blk-wbt is introduced.
Other than REQ_IDLE, other flags should not be ignored as well, for
example REQ_META can be set for filesystems, clearing it can cause priority
reverse problems; And REQ_NOWAIT should not be cleared as well, because
io will wait instead of failing directly in underlying disks.
Fix those problems by keep IO flags from master bio.
Fises: f51d46d0e7cb ("md: add support for REQ_NOWAIT")
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5404bc7a87b9949cf61e0174b21f80e73239ab25 , < 73506e581c0b1814cdfd2229d589f30751d7de26
(git)
Affected: 5404bc7a87b9949cf61e0174b21f80e73239ab25 , < 8a0adf3d778c4a0893c6d34a9e1b0082a6f1c495 (git) Affected: 5404bc7a87b9949cf61e0174b21f80e73239ab25 , < e879a0d9cb086c8e52ce6c04e5bfa63825a6213c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid1.c",
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "73506e581c0b1814cdfd2229d589f30751d7de26",
"status": "affected",
"version": "5404bc7a87b9949cf61e0174b21f80e73239ab25",
"versionType": "git"
},
{
"lessThan": "8a0adf3d778c4a0893c6d34a9e1b0082a6f1c495",
"status": "affected",
"version": "5404bc7a87b9949cf61e0174b21f80e73239ab25",
"versionType": "git"
},
{
"lessThan": "e879a0d9cb086c8e52ce6c04e5bfa63825a6213c",
"status": "affected",
"version": "5404bc7a87b9949cf61e0174b21f80e73239ab25",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid1.c",
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid1,raid10: don\u0027t ignore IO flags\n\nIf blk-wbt is enabled by default, it\u0027s found that raid write performance\nis quite bad because all IO are throttled by wbt of underlying disks,\ndue to flag REQ_IDLE is ignored. And turns out this behaviour exist since\nblk-wbt is introduced.\n\nOther than REQ_IDLE, other flags should not be ignored as well, for\nexample REQ_META can be set for filesystems, clearing it can cause priority\nreverse problems; And REQ_NOWAIT should not be cleared as well, because\nio will wait instead of failing directly in underlying disks.\n\nFix those problems by keep IO flags from master bio.\n\nFises: f51d46d0e7cb (\"md: add support for REQ_NOWAIT\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T17:05:53.880Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/73506e581c0b1814cdfd2229d589f30751d7de26"
},
{
"url": "https://git.kernel.org/stable/c/8a0adf3d778c4a0893c6d34a9e1b0082a6f1c495"
},
{
"url": "https://git.kernel.org/stable/c/e879a0d9cb086c8e52ce6c04e5bfa63825a6213c"
}
],
"title": "md/raid1,raid10: don\u0027t ignore IO flags",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22125",
"datePublished": "2025-04-16T14:13:08.779Z",
"dateReserved": "2024-12-29T08:45:45.823Z",
"dateUpdated": "2025-09-09T17:05:53.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40167 (GCVE-0-2025-40167)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:26 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
ext4: detect invalid INLINE_DATA + EXTENTS flag combination
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: detect invalid INLINE_DATA + EXTENTS flag combination
syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity
file on a corrupted ext4 filesystem mounted without a journal.
The issue is that the filesystem has an inode with both the INLINE_DATA
and EXTENTS flags set:
EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:
comm syz.0.17: corrupted extent tree: lblk 0 < prev 66
Investigation revealed that the inode has both flags set:
DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1
This is an invalid combination since an inode should have either:
- INLINE_DATA: data stored directly in the inode
- EXTENTS: data stored in extent-mapped blocks
Having both flags causes ext4_has_inline_data() to return true, skipping
extent tree validation in __ext4_iget(). The unvalidated out-of-order
extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer
underflow when calculating hole sizes.
Fix this by detecting this invalid flag combination early in ext4_iget()
and rejecting the corrupted inode.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 4954d297c91d292630ab43ba4d195dc371ce65d3
(git)
Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < f061f7c331fc16250fc82aa68964f35821687217 (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 2e9e10657b04152ed0d6ecae8d0c02a3405e28f5 (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 1437c95ab2a28b138d4521653583729f61ccb48b (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < cb6039b68efa547b676a8a10fc4618d9d1865c23 (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < de985264eef64be8a90595908f2e6a87946dad34 (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 1f5ccd22ff482639133f2a0fe08f6d19d0e68717 (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 1d3ad183943b38eec2acf72a0ae98e635dc8456b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4954d297c91d292630ab43ba4d195dc371ce65d3",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "f061f7c331fc16250fc82aa68964f35821687217",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "2e9e10657b04152ed0d6ecae8d0c02a3405e28f5",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "1437c95ab2a28b138d4521653583729f61ccb48b",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "cb6039b68efa547b676a8a10fc4618d9d1865c23",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "de985264eef64be8a90595908f2e6a87946dad34",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "1f5ccd22ff482639133f2a0fe08f6d19d0e68717",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "1d3ad183943b38eec2acf72a0ae98e635dc8456b",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: detect invalid INLINE_DATA + EXTENTS flag combination\n\nsyzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity\nfile on a corrupted ext4 filesystem mounted without a journal.\n\nThe issue is that the filesystem has an inode with both the INLINE_DATA\nand EXTENTS flags set:\n\n EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:\n comm syz.0.17: corrupted extent tree: lblk 0 \u003c prev 66\n\nInvestigation revealed that the inode has both flags set:\n DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1\n\nThis is an invalid combination since an inode should have either:\n- INLINE_DATA: data stored directly in the inode\n- EXTENTS: data stored in extent-mapped blocks\n\nHaving both flags causes ext4_has_inline_data() to return true, skipping\nextent tree validation in __ext4_iget(). The unvalidated out-of-order\nextents then trigger a BUG_ON in ext4_es_cache_extent() due to integer\nunderflow when calculating hole sizes.\n\nFix this by detecting this invalid flag combination early in ext4_iget()\nand rejecting the corrupted inode."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:06.804Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4954d297c91d292630ab43ba4d195dc371ce65d3"
},
{
"url": "https://git.kernel.org/stable/c/f061f7c331fc16250fc82aa68964f35821687217"
},
{
"url": "https://git.kernel.org/stable/c/2e9e10657b04152ed0d6ecae8d0c02a3405e28f5"
},
{
"url": "https://git.kernel.org/stable/c/1437c95ab2a28b138d4521653583729f61ccb48b"
},
{
"url": "https://git.kernel.org/stable/c/cb6039b68efa547b676a8a10fc4618d9d1865c23"
},
{
"url": "https://git.kernel.org/stable/c/de985264eef64be8a90595908f2e6a87946dad34"
},
{
"url": "https://git.kernel.org/stable/c/1f5ccd22ff482639133f2a0fe08f6d19d0e68717"
},
{
"url": "https://git.kernel.org/stable/c/1d3ad183943b38eec2acf72a0ae98e635dc8456b"
}
],
"title": "ext4: detect invalid INLINE_DATA + EXTENTS flag combination",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40167",
"datePublished": "2025-11-12T10:26:24.498Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2026-01-02T15:33:06.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68771 (GCVE-0-2025-68771)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
ocfs2: fix kernel BUG in ocfs2_find_victim_chain
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix kernel BUG in ocfs2_find_victim_chain
syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the
`cl_next_free_rec` field of the allocation chain list (next free slot in
the chain list) is 0, triggring the BUG_ON(!cl->cl_next_free_rec)
condition in ocfs2_find_victim_chain() and panicking the kernel.
To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(),
just before calling ocfs2_find_victim_chain(), the code block in it being
executed when either of the following conditions is true:
1. `cl_next_free_rec` is equal to 0, indicating that there are no free
chains in the allocation chain list
2. `cl_next_free_rec` is greater than `cl_count` (the total number of
chains in the allocation chain list)
Either of them being true is indicative of the fact that there are no
chains left for usage.
This is addressed using ocfs2_error(), which prints
the error log for debugging purposes, rather than panicking the kernel.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < 1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7
(git)
Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < d0fd1f732ea8063cecd07a3879b7d815c7ee71ed (git) Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < b08a33d5f80efe6979a6e8f905c1a898910c21dd (git) Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < 96f1b074c98c20f55a3b23d2ab44d9fb0f619869 (git) Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < e24aedae71652d4119049f1fbef6532ccbe3966d (git) Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < 7acc0390e0dd7474c4451d05465a677d55ad4268 (git) Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < 039bef30e320827bac8990c9f29d2a68cd8adb5f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/suballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "d0fd1f732ea8063cecd07a3879b7d815c7ee71ed",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "b08a33d5f80efe6979a6e8f905c1a898910c21dd",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "96f1b074c98c20f55a3b23d2ab44d9fb0f619869",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "e24aedae71652d4119049f1fbef6532ccbe3966d",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "7acc0390e0dd7474c4451d05465a677d55ad4268",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "039bef30e320827bac8990c9f29d2a68cd8adb5f",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/suballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix kernel BUG in ocfs2_find_victim_chain\n\nsyzbot reported a kernel BUG in ocfs2_find_victim_chain() because the\n`cl_next_free_rec` field of the allocation chain list (next free slot in\nthe chain list) is 0, triggring the BUG_ON(!cl-\u003ecl_next_free_rec)\ncondition in ocfs2_find_victim_chain() and panicking the kernel.\n\nTo fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(),\njust before calling ocfs2_find_victim_chain(), the code block in it being\nexecuted when either of the following conditions is true:\n\n1. `cl_next_free_rec` is equal to 0, indicating that there are no free\nchains in the allocation chain list\n2. `cl_next_free_rec` is greater than `cl_count` (the total number of\nchains in the allocation chain list)\n\nEither of them being true is indicative of the fact that there are no\nchains left for usage.\n\nThis is addressed using ocfs2_error(), which prints\nthe error log for debugging purposes, rather than panicking the kernel."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:16.465Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7"
},
{
"url": "https://git.kernel.org/stable/c/d0fd1f732ea8063cecd07a3879b7d815c7ee71ed"
},
{
"url": "https://git.kernel.org/stable/c/b08a33d5f80efe6979a6e8f905c1a898910c21dd"
},
{
"url": "https://git.kernel.org/stable/c/96f1b074c98c20f55a3b23d2ab44d9fb0f619869"
},
{
"url": "https://git.kernel.org/stable/c/e24aedae71652d4119049f1fbef6532ccbe3966d"
},
{
"url": "https://git.kernel.org/stable/c/7acc0390e0dd7474c4451d05465a677d55ad4268"
},
{
"url": "https://git.kernel.org/stable/c/039bef30e320827bac8990c9f29d2a68cd8adb5f"
}
],
"title": "ocfs2: fix kernel BUG in ocfs2_find_victim_chain",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68771",
"datePublished": "2026-01-13T15:28:49.272Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-02-09T08:33:16.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40058 (GCVE-0-2025-40058)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
iommu/vt-d: Disallow dirty tracking if incoherent page walk
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Disallow dirty tracking if incoherent page walk
Dirty page tracking relies on the IOMMU atomically updating the dirty bit
in the paging-structure entry. For this operation to succeed, the paging-
structure memory must be coherent between the IOMMU and the CPU. In
another word, if the iommu page walk is incoherent, dirty page tracking
doesn't work.
The Intel VT-d specification, Section 3.10 "Snoop Behavior" states:
"Remapping hardware encountering the need to atomically update A/EA/D bits
in a paging-structure entry that is not snooped will result in a non-
recoverable fault."
To prevent an IOMMU from being incorrectly configured for dirty page
tracking when it is operating in an incoherent mode, mark SSADS as
supported only when both ecap_slads and ecap_smpwc are supported.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f35f22cc760eb2c7034bf53251399685d611e03f , < ebe16d245a00626bb87163862a1b07daf5475a3e
(git)
Affected: f35f22cc760eb2c7034bf53251399685d611e03f , < 8d096ce0e87bdc361f0b25d7943543bc53aa0b9e (git) Affected: f35f22cc760eb2c7034bf53251399685d611e03f , < 57f55048e564dedd8a4546d018e29d6bbfff0a7e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/intel/iommu.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ebe16d245a00626bb87163862a1b07daf5475a3e",
"status": "affected",
"version": "f35f22cc760eb2c7034bf53251399685d611e03f",
"versionType": "git"
},
{
"lessThan": "8d096ce0e87bdc361f0b25d7943543bc53aa0b9e",
"status": "affected",
"version": "f35f22cc760eb2c7034bf53251399685d611e03f",
"versionType": "git"
},
{
"lessThan": "57f55048e564dedd8a4546d018e29d6bbfff0a7e",
"status": "affected",
"version": "f35f22cc760eb2c7034bf53251399685d611e03f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/intel/iommu.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Disallow dirty tracking if incoherent page walk\n\nDirty page tracking relies on the IOMMU atomically updating the dirty bit\nin the paging-structure entry. For this operation to succeed, the paging-\nstructure memory must be coherent between the IOMMU and the CPU. In\nanother word, if the iommu page walk is incoherent, dirty page tracking\ndoesn\u0027t work.\n\nThe Intel VT-d specification, Section 3.10 \"Snoop Behavior\" states:\n\n\"Remapping hardware encountering the need to atomically update A/EA/D bits\n in a paging-structure entry that is not snooped will result in a non-\n recoverable fault.\"\n\nTo prevent an IOMMU from being incorrectly configured for dirty page\ntracking when it is operating in an incoherent mode, mark SSADS as\nsupported only when both ecap_slads and ecap_smpwc are supported."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:07.103Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ebe16d245a00626bb87163862a1b07daf5475a3e"
},
{
"url": "https://git.kernel.org/stable/c/8d096ce0e87bdc361f0b25d7943543bc53aa0b9e"
},
{
"url": "https://git.kernel.org/stable/c/57f55048e564dedd8a4546d018e29d6bbfff0a7e"
}
],
"title": "iommu/vt-d: Disallow dirty tracking if incoherent page walk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40058",
"datePublished": "2025-10-28T11:48:31.567Z",
"dateReserved": "2025-04-16T07:20:57.158Z",
"dateUpdated": "2025-12-01T06:17:07.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68201 (GCVE-0-2025-68201)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
drm/amdgpu: remove two invalid BUG_ON()s
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: remove two invalid BUG_ON()s
Those can be triggered trivially by userspace.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3d879e81f0f9ed5d33b5eda0fe5226c884bb8073 , < eaf12bffd7f79f4d46ec028706f9d1a2d90f46fd
(git)
Affected: 3d879e81f0f9ed5d33b5eda0fe5226c884bb8073 , < a41bdba05899c7f455cd960ef0713acc335370dc (git) Affected: 3d879e81f0f9ed5d33b5eda0fe5226c884bb8073 , < 5d55ed19d4190d2c210ac05ac7a53f800a8c6fe5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c",
"drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eaf12bffd7f79f4d46ec028706f9d1a2d90f46fd",
"status": "affected",
"version": "3d879e81f0f9ed5d33b5eda0fe5226c884bb8073",
"versionType": "git"
},
{
"lessThan": "a41bdba05899c7f455cd960ef0713acc335370dc",
"status": "affected",
"version": "3d879e81f0f9ed5d33b5eda0fe5226c884bb8073",
"versionType": "git"
},
{
"lessThan": "5d55ed19d4190d2c210ac05ac7a53f800a8c6fe5",
"status": "affected",
"version": "3d879e81f0f9ed5d33b5eda0fe5226c884bb8073",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c",
"drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: remove two invalid BUG_ON()s\n\nThose can be triggered trivially by userspace."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:24.423Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eaf12bffd7f79f4d46ec028706f9d1a2d90f46fd"
},
{
"url": "https://git.kernel.org/stable/c/a41bdba05899c7f455cd960ef0713acc335370dc"
},
{
"url": "https://git.kernel.org/stable/c/5d55ed19d4190d2c210ac05ac7a53f800a8c6fe5"
}
],
"title": "drm/amdgpu: remove two invalid BUG_ON()s",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68201",
"datePublished": "2025-12-16T13:48:29.708Z",
"dateReserved": "2025-12-16T13:41:40.254Z",
"dateUpdated": "2026-01-02T15:34:24.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40084 (GCVE-0-2025-40084)
Vulnerability from cvelistv5 – Published: 2025-10-29 13:37 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
ksmbd: transport_ipc: validate payload size before reading handle
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: transport_ipc: validate payload size before reading handle
handle_response() dereferences the payload as a 4-byte handle without
verifying that the declared payload size is at least 4 bytes. A malformed
or truncated message from ksmbd.mountd can lead to a 4-byte read past the
declared payload size. Validate the size before dereferencing.
This is a minimal fix to guard the initial handle read.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0626e6641f6b467447c81dd7678a69c66f7746cf , < a02e432d5130da4c723aabe1205bac805889fdb2
(git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 2dc125f5da134c0915a840b62565c60a595673dd (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 898d527ed94c19980a4d848f10057f1fed578ffb (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 867ffd9d67285612da3f0498ca618297f8e41f01 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a02e432d5130da4c723aabe1205bac805889fdb2",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "2dc125f5da134c0915a840b62565c60a595673dd",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "898d527ed94c19980a4d848f10057f1fed578ffb",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "867ffd9d67285612da3f0498ca618297f8e41f01",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: transport_ipc: validate payload size before reading handle\n\nhandle_response() dereferences the payload as a 4-byte handle without\nverifying that the declared payload size is at least 4 bytes. A malformed\nor truncated message from ksmbd.mountd can lead to a 4-byte read past the\ndeclared payload size. Validate the size before dereferencing.\n\nThis is a minimal fix to guard the initial handle read."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:41.201Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a02e432d5130da4c723aabe1205bac805889fdb2"
},
{
"url": "https://git.kernel.org/stable/c/2dc125f5da134c0915a840b62565c60a595673dd"
},
{
"url": "https://git.kernel.org/stable/c/898d527ed94c19980a4d848f10057f1fed578ffb"
},
{
"url": "https://git.kernel.org/stable/c/867ffd9d67285612da3f0498ca618297f8e41f01"
},
{
"url": "https://git.kernel.org/stable/c/6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0"
}
],
"title": "ksmbd: transport_ipc: validate payload size before reading handle",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40084",
"datePublished": "2025-10-29T13:37:03.185Z",
"dateReserved": "2025-04-16T07:20:57.161Z",
"dateUpdated": "2025-12-01T06:17:41.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68295 (GCVE-0-2025-68295)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
smb: client: fix memory leak in cifs_construct_tcon()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix memory leak in cifs_construct_tcon()
When having a multiuser mount with domain= specified and using
cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname,
so it needs to be freed before leaving cifs_construct_tcon().
This fixes the following memory leak reported by kmemleak:
mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,...
su - testuser
cifscreds add -d ZELDA -u testuser
...
ls /mnt/1
...
umount /mnt
echo scan > /sys/kernel/debug/kmemleak
cat /sys/kernel/debug/kmemleak
unreferenced object 0xffff8881203c3f08 (size 8):
comm "ls", pid 5060, jiffies 4307222943
hex dump (first 8 bytes):
5a 45 4c 44 41 00 cc cc ZELDA...
backtrace (crc d109a8cf):
__kmalloc_node_track_caller_noprof+0x572/0x710
kstrdup+0x3a/0x70
cifs_sb_tlink+0x1209/0x1770 [cifs]
cifs_get_fattr+0xe1/0xf50 [cifs]
cifs_get_inode_info+0xb5/0x240 [cifs]
cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs]
cifs_getattr+0x28e/0x450 [cifs]
vfs_getattr_nosec+0x126/0x180
vfs_statx+0xf6/0x220
do_statx+0xab/0x110
__x64_sys_statx+0xd5/0x130
do_syscall_64+0xbb/0x380
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f2aee329a68f5a907bcff11a109dfe17c0b41aeb , < ff8f9bd1c46ee02d5558293915d42e82646d5ee9
(git)
Affected: f2aee329a68f5a907bcff11a109dfe17c0b41aeb , < d146e96fef876492979658dce644305de35878d4 (git) Affected: f2aee329a68f5a907bcff11a109dfe17c0b41aeb , < 3dd546e867e94c2f954bca45a961b6104ba708b6 (git) Affected: f2aee329a68f5a907bcff11a109dfe17c0b41aeb , < f62ffdfb431bdfa4b6d24233b7fd830eca0b801e (git) Affected: f2aee329a68f5a907bcff11a109dfe17c0b41aeb , < f15288c137d960836277d0e3ecc62de68e52f00f (git) Affected: f2aee329a68f5a907bcff11a109dfe17c0b41aeb , < a67e91d5f446e455dd9201cdd6e865f7078d251d (git) Affected: f2aee329a68f5a907bcff11a109dfe17c0b41aeb , < 3184b6a5a24ec9ee74087b2a550476f386df7dc2 (git) Affected: 1456d3cea31114137fabf1110d20a2e2c6d6060f (git) Affected: 16764d7486d02b1699ae16e91d7a577602398b17 (git) Affected: 904847402bd74a28164bd4d8da082d1eace7c190 (git) Affected: 325fa2a6729b74b2806b31725940cb54658515e5 (git) Affected: 8db988a982908b7bff76e095000adabf9c29698b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/connect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ff8f9bd1c46ee02d5558293915d42e82646d5ee9",
"status": "affected",
"version": "f2aee329a68f5a907bcff11a109dfe17c0b41aeb",
"versionType": "git"
},
{
"lessThan": "d146e96fef876492979658dce644305de35878d4",
"status": "affected",
"version": "f2aee329a68f5a907bcff11a109dfe17c0b41aeb",
"versionType": "git"
},
{
"lessThan": "3dd546e867e94c2f954bca45a961b6104ba708b6",
"status": "affected",
"version": "f2aee329a68f5a907bcff11a109dfe17c0b41aeb",
"versionType": "git"
},
{
"lessThan": "f62ffdfb431bdfa4b6d24233b7fd830eca0b801e",
"status": "affected",
"version": "f2aee329a68f5a907bcff11a109dfe17c0b41aeb",
"versionType": "git"
},
{
"lessThan": "f15288c137d960836277d0e3ecc62de68e52f00f",
"status": "affected",
"version": "f2aee329a68f5a907bcff11a109dfe17c0b41aeb",
"versionType": "git"
},
{
"lessThan": "a67e91d5f446e455dd9201cdd6e865f7078d251d",
"status": "affected",
"version": "f2aee329a68f5a907bcff11a109dfe17c0b41aeb",
"versionType": "git"
},
{
"lessThan": "3184b6a5a24ec9ee74087b2a550476f386df7dc2",
"status": "affected",
"version": "f2aee329a68f5a907bcff11a109dfe17c0b41aeb",
"versionType": "git"
},
{
"status": "affected",
"version": "1456d3cea31114137fabf1110d20a2e2c6d6060f",
"versionType": "git"
},
{
"status": "affected",
"version": "16764d7486d02b1699ae16e91d7a577602398b17",
"versionType": "git"
},
{
"status": "affected",
"version": "904847402bd74a28164bd4d8da082d1eace7c190",
"versionType": "git"
},
{
"status": "affected",
"version": "325fa2a6729b74b2806b31725940cb54658515e5",
"versionType": "git"
},
{
"status": "affected",
"version": "8db988a982908b7bff76e095000adabf9c29698b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/connect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.2.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix memory leak in cifs_construct_tcon()\n\nWhen having a multiuser mount with domain= specified and using\ncifscreds, cifs_set_cifscreds() will end up setting @ctx-\u003edomainname,\nso it needs to be freed before leaving cifs_construct_tcon().\n\nThis fixes the following memory leak reported by kmemleak:\n\n mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,...\n su - testuser\n cifscreds add -d ZELDA -u testuser\n ...\n ls /mnt/1\n ...\n umount /mnt\n echo scan \u003e /sys/kernel/debug/kmemleak\n cat /sys/kernel/debug/kmemleak\n unreferenced object 0xffff8881203c3f08 (size 8):\n comm \"ls\", pid 5060, jiffies 4307222943\n hex dump (first 8 bytes):\n 5a 45 4c 44 41 00 cc cc ZELDA...\n backtrace (crc d109a8cf):\n __kmalloc_node_track_caller_noprof+0x572/0x710\n kstrdup+0x3a/0x70\n cifs_sb_tlink+0x1209/0x1770 [cifs]\n cifs_get_fattr+0xe1/0xf50 [cifs]\n cifs_get_inode_info+0xb5/0x240 [cifs]\n cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs]\n cifs_getattr+0x28e/0x450 [cifs]\n vfs_getattr_nosec+0x126/0x180\n vfs_statx+0xf6/0x220\n do_statx+0xab/0x110\n __x64_sys_statx+0xd5/0x130\n do_syscall_64+0xbb/0x380\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:14.977Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ff8f9bd1c46ee02d5558293915d42e82646d5ee9"
},
{
"url": "https://git.kernel.org/stable/c/d146e96fef876492979658dce644305de35878d4"
},
{
"url": "https://git.kernel.org/stable/c/3dd546e867e94c2f954bca45a961b6104ba708b6"
},
{
"url": "https://git.kernel.org/stable/c/f62ffdfb431bdfa4b6d24233b7fd830eca0b801e"
},
{
"url": "https://git.kernel.org/stable/c/f15288c137d960836277d0e3ecc62de68e52f00f"
},
{
"url": "https://git.kernel.org/stable/c/a67e91d5f446e455dd9201cdd6e865f7078d251d"
},
{
"url": "https://git.kernel.org/stable/c/3184b6a5a24ec9ee74087b2a550476f386df7dc2"
}
],
"title": "smb: client: fix memory leak in cifs_construct_tcon()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68295",
"datePublished": "2025-12-16T15:06:14.977Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:14.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68380 (GCVE-0-2025-68380)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
wifi: ath11k: fix peer HE MCS assignment
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix peer HE MCS assignment
In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to
firmware as receive MCS while peer's receive MCS sent as transmit MCS,
which goes against firmwire's definition.
While connecting to a misbehaved AP that advertises 0xffff (meaning not
supported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff
is assigned to he_mcs->rx_mcs_set field.
Ext Tag: HE Capabilities
[...]
Supported HE-MCS and NSS Set
[...]
Rx and Tx MCS Maps 160 MHz
[...]
Tx HE-MCS Map 160 MHz: 0xffff
Swap the assignment to fix this issue.
As the HE rate control mask is meant to limit our own transmit MCS, it
needs to go via he_mcs->rx_mcs_set field. With the aforementioned swapping
done, change is needed as well to apply it to the peer's receive MCS.
Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
61fe43e7216df6e9a912d831aafc7142fa20f280 , < 92791290e4f6a1de25d35af792ab8918a70737f6
(git)
Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 4304bd7a334e981f189b9973056a58f84cc2b482 (git) Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 097c870b91817779e5a312c6539099a884b1fe2b (git) Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 381096a417b7019896e93e86f4c585c592bf98e2 (git) Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 6b1a0da75932353f66e710976ca85a7131f647ff (git) Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 4a013ca2d490c73c40588d62712ffaa432046a04 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c",
"drivers/net/wireless/ath/ath11k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92791290e4f6a1de25d35af792ab8918a70737f6",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "4304bd7a334e981f189b9973056a58f84cc2b482",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "097c870b91817779e5a312c6539099a884b1fe2b",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "381096a417b7019896e93e86f4c585c592bf98e2",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "6b1a0da75932353f66e710976ca85a7131f647ff",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "4a013ca2d490c73c40588d62712ffaa432046a04",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c",
"drivers/net/wireless/ath/ath11k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix peer HE MCS assignment\n\nIn ath11k_wmi_send_peer_assoc_cmd(), peer\u0027s transmit MCS is sent to\nfirmware as receive MCS while peer\u0027s receive MCS sent as transmit MCS,\nwhich goes against firmwire\u0027s definition.\n\nWhile connecting to a misbehaved AP that advertises 0xffff (meaning not\nsupported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff\nis assigned to he_mcs-\u003erx_mcs_set field.\n\n\tExt Tag: HE Capabilities\n\t [...]\n\t Supported HE-MCS and NSS Set\n\t\t[...]\n\t Rx and Tx MCS Maps 160 MHz\n\t\t [...]\n\t Tx HE-MCS Map 160 MHz: 0xffff\n\nSwap the assignment to fix this issue.\n\nAs the HE rate control mask is meant to limit our own transmit MCS, it\nneeds to go via he_mcs-\u003erx_mcs_set field. With the aforementioned swapping\ndone, change is needed as well to apply it to the peer\u0027s receive MCS.\n\nTested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:18.882Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92791290e4f6a1de25d35af792ab8918a70737f6"
},
{
"url": "https://git.kernel.org/stable/c/4304bd7a334e981f189b9973056a58f84cc2b482"
},
{
"url": "https://git.kernel.org/stable/c/097c870b91817779e5a312c6539099a884b1fe2b"
},
{
"url": "https://git.kernel.org/stable/c/381096a417b7019896e93e86f4c585c592bf98e2"
},
{
"url": "https://git.kernel.org/stable/c/6b1a0da75932353f66e710976ca85a7131f647ff"
},
{
"url": "https://git.kernel.org/stable/c/4a013ca2d490c73c40588d62712ffaa432046a04"
}
],
"title": "wifi: ath11k: fix peer HE MCS assignment",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68380",
"datePublished": "2025-12-24T10:33:08.266Z",
"dateReserved": "2025-12-16T14:48:05.311Z",
"dateUpdated": "2026-02-09T08:32:18.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39849 (GCVE-0-2025-39849)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()
If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would
lead to memory corruption so add some bounds checking.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
dd43f8f90206054e7da7593de0a334fb2cd0ea88 , < 8e751d46336205abc259ed3990e850a9843fb649
(git)
Affected: c38c701851011c94ce3be1ccb3593678d2933fd8 , < e472f59d02c82b511bc43a3f96d62ed08bf4537f (git) Affected: c38c701851011c94ce3be1ccb3593678d2933fd8 , < 31229145e6ba5ace3e9391113376fa05b7831ede (git) Affected: c38c701851011c94ce3be1ccb3593678d2933fd8 , < 5cb7cab7adf9b1e6a99e2081b0e30e9e59d07523 (git) Affected: c38c701851011c94ce3be1ccb3593678d2933fd8 , < 62b635dcd69c4fde7ce1de4992d71420a37e51e3 (git) Affected: bf3c348c5fdcf00a7eeed04a1b83e454d2dca2e5 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:07.905Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/sme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e751d46336205abc259ed3990e850a9843fb649",
"status": "affected",
"version": "dd43f8f90206054e7da7593de0a334fb2cd0ea88",
"versionType": "git"
},
{
"lessThan": "e472f59d02c82b511bc43a3f96d62ed08bf4537f",
"status": "affected",
"version": "c38c701851011c94ce3be1ccb3593678d2933fd8",
"versionType": "git"
},
{
"lessThan": "31229145e6ba5ace3e9391113376fa05b7831ede",
"status": "affected",
"version": "c38c701851011c94ce3be1ccb3593678d2933fd8",
"versionType": "git"
},
{
"lessThan": "5cb7cab7adf9b1e6a99e2081b0e30e9e59d07523",
"status": "affected",
"version": "c38c701851011c94ce3be1ccb3593678d2933fd8",
"versionType": "git"
},
{
"lessThan": "62b635dcd69c4fde7ce1de4992d71420a37e51e3",
"status": "affected",
"version": "c38c701851011c94ce3be1ccb3593678d2933fd8",
"versionType": "git"
},
{
"status": "affected",
"version": "bf3c348c5fdcf00a7eeed04a1b83e454d2dca2e5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/sme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()\n\nIf the ssid-\u003edatalen is more than IEEE80211_MAX_SSID_LEN (32) it would\nlead to memory corruption so add some bounds checking."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:59.902Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e751d46336205abc259ed3990e850a9843fb649"
},
{
"url": "https://git.kernel.org/stable/c/e472f59d02c82b511bc43a3f96d62ed08bf4537f"
},
{
"url": "https://git.kernel.org/stable/c/31229145e6ba5ace3e9391113376fa05b7831ede"
},
{
"url": "https://git.kernel.org/stable/c/5cb7cab7adf9b1e6a99e2081b0e30e9e59d07523"
},
{
"url": "https://git.kernel.org/stable/c/62b635dcd69c4fde7ce1de4992d71420a37e51e3"
}
],
"title": "wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39849",
"datePublished": "2025-09-19T15:26:22.073Z",
"dateReserved": "2025-04-16T07:20:57.142Z",
"dateUpdated": "2025-11-03T17:44:07.905Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68334 (GCVE-0-2025-68334)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2026-01-02 15:35
VLAI?
EPSS
Title
platform/x86/amd/pmc: Add support for Van Gogh SoC
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86/amd/pmc: Add support for Van Gogh SoC
The ROG Xbox Ally (non-X) SoC features a similar architecture to the
Steam Deck. While the Steam Deck supports S3 (s2idle causes a crash),
this support was dropped by the Xbox Ally which only S0ix suspend.
Since the handler is missing here, this causes the device to not suspend
and the AMD GPU driver to crash while trying to resume afterwards due to
a power hang.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/amd/pmc/pmc.c",
"drivers/platform/x86/amd/pmc/pmc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9654c56b111cd1415aca7e77f0c63c109453c409",
"status": "affected",
"version": "83cbaf14275a30f14cf558b09389a1664b173858",
"versionType": "git"
},
{
"lessThan": "db4a3f0fbedb0398f77b9047e8b8bb2b49f355bb",
"status": "affected",
"version": "83cbaf14275a30f14cf558b09389a1664b173858",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/amd/pmc/pmc.c",
"drivers/platform/x86/amd/pmc/pmc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd/pmc: Add support for Van Gogh SoC\n\nThe ROG Xbox Ally (non-X) SoC features a similar architecture to the\nSteam Deck. While the Steam Deck supports S3 (s2idle causes a crash),\nthis support was dropped by the Xbox Ally which only S0ix suspend.\n\nSince the handler is missing here, this causes the device to not suspend\nand the AMD GPU driver to crash while trying to resume afterwards due to\na power hang."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:35:12.698Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9654c56b111cd1415aca7e77f0c63c109453c409"
},
{
"url": "https://git.kernel.org/stable/c/db4a3f0fbedb0398f77b9047e8b8bb2b49f355bb"
}
],
"title": "platform/x86/amd/pmc: Add support for Van Gogh SoC",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68334",
"datePublished": "2025-12-22T16:14:11.815Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-01-02T15:35:12.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40269 (GCVE-0-2025-40269)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
ALSA: usb-audio: Fix potential overflow of PCM transfer buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix potential overflow of PCM transfer buffer
The PCM stream data in USB-audio driver is transferred over USB URB
packet buffers, and each packet size is determined dynamically. The
packet sizes are limited by some factors such as wMaxPacketSize USB
descriptor. OTOH, in the current code, the actually used packet sizes
are determined only by the rate and the PPS, which may be bigger than
the size limit above. This results in a buffer overflow, as reported
by syzbot.
Basically when the limit is smaller than the calculated packet size,
it implies that something is wrong, most likely a weird USB
descriptor. So the best option would be just to return an error at
the parameter setup time before doing any further operations.
This patch introduces such a sanity check, and returns -EINVAL when
the packet size is greater than maxpacksize. The comparison with
ep->packsize[1] alone should suffice since it's always equal or
greater than ep->packsize[0].
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
02c56650f3c118d3752122996d96173d26bb13aa , < 480a1490c595a242f27493a4544b3efb21b29f6a
(git)
Affected: 5ef30e443e6d3654cccecec99cf481a69a0a6d3b , < ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41 (git) Affected: 99703c921864a318e3e8aae74fde071b1ff35bea , < 282aba56713bbc58155716b55ca7222b2d9cf3c8 (git) Affected: 2d50acd7dbd0682a56968ad9551341d7fc5b6eaf , < c4dc012b027c9eb101583011089dea14d744e314 (git) Affected: aba41867dd66939d336fdf604e4d73b805d8039f , < e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360 (git) Affected: d288dc74f8cf95cb7ae0aaf245b7128627a49bf3 , < d67dde02049e632ba58d3c44a164a74b6a737154 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 6a5da3fa80affc948923f20a4e086177f505e86e (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 217d47255a2ec8b246f2725f5db9ac3f1d4109d7 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < ef592bf2232a2daa9fffa8881881fc9957ea56e9 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < ece3b981bb6620e47fac826a2156c090b1a936a0 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 98e9d5e33bda8db875cc1a4fe99c192658e45ab6 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < d2c04f20ccc6c0d219e6d3038bab45bc66a178ad (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/endpoint.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "480a1490c595a242f27493a4544b3efb21b29f6a",
"status": "affected",
"version": "02c56650f3c118d3752122996d96173d26bb13aa",
"versionType": "git"
},
{
"lessThan": "ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41",
"status": "affected",
"version": "5ef30e443e6d3654cccecec99cf481a69a0a6d3b",
"versionType": "git"
},
{
"lessThan": "282aba56713bbc58155716b55ca7222b2d9cf3c8",
"status": "affected",
"version": "99703c921864a318e3e8aae74fde071b1ff35bea",
"versionType": "git"
},
{
"lessThan": "c4dc012b027c9eb101583011089dea14d744e314",
"status": "affected",
"version": "2d50acd7dbd0682a56968ad9551341d7fc5b6eaf",
"versionType": "git"
},
{
"lessThan": "e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360",
"status": "affected",
"version": "aba41867dd66939d336fdf604e4d73b805d8039f",
"versionType": "git"
},
{
"lessThan": "d67dde02049e632ba58d3c44a164a74b6a737154",
"status": "affected",
"version": "d288dc74f8cf95cb7ae0aaf245b7128627a49bf3",
"versionType": "git"
},
{
"lessThan": "6a5da3fa80affc948923f20a4e086177f505e86e",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "217d47255a2ec8b246f2725f5db9ac3f1d4109d7",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "ef592bf2232a2daa9fffa8881881fc9957ea56e9",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "ece3b981bb6620e47fac826a2156c090b1a936a0",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "98e9d5e33bda8db875cc1a4fe99c192658e45ab6",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "d2c04f20ccc6c0d219e6d3038bab45bc66a178ad",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/endpoint.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.4.*",
"status": "unaffected",
"version": "4.4.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.7.*",
"status": "unaffected",
"version": "5.7.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.230",
"versionStartIncluding": "4.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.230",
"versionStartIncluding": "4.9.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.188",
"versionStartIncluding": "4.14.186",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.132",
"versionStartIncluding": "4.19.130",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.51",
"versionStartIncluding": "5.4.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.7.8",
"versionStartIncluding": "5.7.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix potential overflow of PCM transfer buffer\n\nThe PCM stream data in USB-audio driver is transferred over USB URB\npacket buffers, and each packet size is determined dynamically. The\npacket sizes are limited by some factors such as wMaxPacketSize USB\ndescriptor. OTOH, in the current code, the actually used packet sizes\nare determined only by the rate and the PPS, which may be bigger than\nthe size limit above. This results in a buffer overflow, as reported\nby syzbot.\n\nBasically when the limit is smaller than the calculated packet size,\nit implies that something is wrong, most likely a weird USB\ndescriptor. So the best option would be just to return an error at\nthe parameter setup time before doing any further operations.\n\nThis patch introduces such a sanity check, and returns -EINVAL when\nthe packet size is greater than maxpacksize. The comparison with\nep-\u003epacksize[1] alone should suffice since it\u0027s always equal or\ngreater than ep-\u003epacksize[0]."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:20.414Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/480a1490c595a242f27493a4544b3efb21b29f6a"
},
{
"url": "https://git.kernel.org/stable/c/ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41"
},
{
"url": "https://git.kernel.org/stable/c/282aba56713bbc58155716b55ca7222b2d9cf3c8"
},
{
"url": "https://git.kernel.org/stable/c/c4dc012b027c9eb101583011089dea14d744e314"
},
{
"url": "https://git.kernel.org/stable/c/e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360"
},
{
"url": "https://git.kernel.org/stable/c/d67dde02049e632ba58d3c44a164a74b6a737154"
},
{
"url": "https://git.kernel.org/stable/c/6a5da3fa80affc948923f20a4e086177f505e86e"
},
{
"url": "https://git.kernel.org/stable/c/217d47255a2ec8b246f2725f5db9ac3f1d4109d7"
},
{
"url": "https://git.kernel.org/stable/c/ef592bf2232a2daa9fffa8881881fc9957ea56e9"
},
{
"url": "https://git.kernel.org/stable/c/ece3b981bb6620e47fac826a2156c090b1a936a0"
},
{
"url": "https://git.kernel.org/stable/c/98e9d5e33bda8db875cc1a4fe99c192658e45ab6"
},
{
"url": "https://git.kernel.org/stable/c/d2c04f20ccc6c0d219e6d3038bab45bc66a178ad"
},
{
"url": "https://git.kernel.org/stable/c/05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf"
}
],
"title": "ALSA: usb-audio: Fix potential overflow of PCM transfer buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40269",
"datePublished": "2025-12-06T21:50:50.229Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2026-01-02T15:33:20.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40030 (GCVE-0-2025-40030)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2026-01-02 15:32
VLAI?
EPSS
Title
pinctrl: check the return value of pinmux_ops::get_function_name()
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: check the return value of pinmux_ops::get_function_name()
While the API contract in docs doesn't specify it explicitly, the
generic implementation of the get_function_name() callback from struct
pinmux_ops - pinmux_generic_get_function_name() - can fail and return
NULL. This is already checked in pinmux_check_ops() so add a similar
check in pinmux_func_name_to_selector() instead of passing the returned
pointer right down to strcmp() where the NULL can get dereferenced. This
is normal operation when adding new pinfunctions.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f913cfce4ee49a3382a9ff95696f49a46e56e974 , < 1a7fc8fed2bb2e113604fde7a45432ace2056b97
(git)
Affected: f913cfce4ee49a3382a9ff95696f49a46e56e974 , < e7265dc4c670b89611bcf5fe33acf99bc0aa294f (git) Affected: f913cfce4ee49a3382a9ff95696f49a46e56e974 , < d77ef2f621cd1d605372c4c6ce667c496f6990c3 (git) Affected: f913cfce4ee49a3382a9ff95696f49a46e56e974 , < ba7f7c2b2b3261e7def67018c38c69b626e0e66e (git) Affected: f913cfce4ee49a3382a9ff95696f49a46e56e974 , < 1a2ea887a5cd7d47bab599f733d89444df018b1a (git) Affected: f913cfce4ee49a3382a9ff95696f49a46e56e974 , < 688c688e0bf55824f4a38f8c2180046f089a3e3b (git) Affected: f913cfce4ee49a3382a9ff95696f49a46e56e974 , < b7e0535060a60cc99eafc19cc665d979714cd73a (git) Affected: f913cfce4ee49a3382a9ff95696f49a46e56e974 , < 4002ee98c022d671ecc1e4a84029e9ae7d8a5603 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinmux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1a7fc8fed2bb2e113604fde7a45432ace2056b97",
"status": "affected",
"version": "f913cfce4ee49a3382a9ff95696f49a46e56e974",
"versionType": "git"
},
{
"lessThan": "e7265dc4c670b89611bcf5fe33acf99bc0aa294f",
"status": "affected",
"version": "f913cfce4ee49a3382a9ff95696f49a46e56e974",
"versionType": "git"
},
{
"lessThan": "d77ef2f621cd1d605372c4c6ce667c496f6990c3",
"status": "affected",
"version": "f913cfce4ee49a3382a9ff95696f49a46e56e974",
"versionType": "git"
},
{
"lessThan": "ba7f7c2b2b3261e7def67018c38c69b626e0e66e",
"status": "affected",
"version": "f913cfce4ee49a3382a9ff95696f49a46e56e974",
"versionType": "git"
},
{
"lessThan": "1a2ea887a5cd7d47bab599f733d89444df018b1a",
"status": "affected",
"version": "f913cfce4ee49a3382a9ff95696f49a46e56e974",
"versionType": "git"
},
{
"lessThan": "688c688e0bf55824f4a38f8c2180046f089a3e3b",
"status": "affected",
"version": "f913cfce4ee49a3382a9ff95696f49a46e56e974",
"versionType": "git"
},
{
"lessThan": "b7e0535060a60cc99eafc19cc665d979714cd73a",
"status": "affected",
"version": "f913cfce4ee49a3382a9ff95696f49a46e56e974",
"versionType": "git"
},
{
"lessThan": "4002ee98c022d671ecc1e4a84029e9ae7d8a5603",
"status": "affected",
"version": "f913cfce4ee49a3382a9ff95696f49a46e56e974",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinmux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: check the return value of pinmux_ops::get_function_name()\n\nWhile the API contract in docs doesn\u0027t specify it explicitly, the\ngeneric implementation of the get_function_name() callback from struct\npinmux_ops - pinmux_generic_get_function_name() - can fail and return\nNULL. This is already checked in pinmux_check_ops() so add a similar\ncheck in pinmux_func_name_to_selector() instead of passing the returned\npointer right down to strcmp() where the NULL can get dereferenced. This\nis normal operation when adding new pinfunctions."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:56.253Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a7fc8fed2bb2e113604fde7a45432ace2056b97"
},
{
"url": "https://git.kernel.org/stable/c/e7265dc4c670b89611bcf5fe33acf99bc0aa294f"
},
{
"url": "https://git.kernel.org/stable/c/d77ef2f621cd1d605372c4c6ce667c496f6990c3"
},
{
"url": "https://git.kernel.org/stable/c/ba7f7c2b2b3261e7def67018c38c69b626e0e66e"
},
{
"url": "https://git.kernel.org/stable/c/1a2ea887a5cd7d47bab599f733d89444df018b1a"
},
{
"url": "https://git.kernel.org/stable/c/688c688e0bf55824f4a38f8c2180046f089a3e3b"
},
{
"url": "https://git.kernel.org/stable/c/b7e0535060a60cc99eafc19cc665d979714cd73a"
},
{
"url": "https://git.kernel.org/stable/c/4002ee98c022d671ecc1e4a84029e9ae7d8a5603"
}
],
"title": "pinctrl: check the return value of pinmux_ops::get_function_name()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40030",
"datePublished": "2025-10-28T11:48:01.608Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2026-01-02T15:32:56.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39886 (GCVE-0-2025-39886)
Vulnerability from cvelistv5 – Published: 2025-09-23 06:00 – Updated: 2026-01-14 19:33
VLAI?
EPSS
Title
bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()
Currently, calling bpf_map_kmalloc_node() from __bpf_async_init() can
cause various locking issues; see the following stack trace (edited for
style) as one example:
...
[10.011566] do_raw_spin_lock.cold
[10.011570] try_to_wake_up (5) double-acquiring the same
[10.011575] kick_pool rq_lock, causing a hardlockup
[10.011579] __queue_work
[10.011582] queue_work_on
[10.011585] kernfs_notify
[10.011589] cgroup_file_notify
[10.011593] try_charge_memcg (4) memcg accounting raises an
[10.011597] obj_cgroup_charge_pages MEMCG_MAX event
[10.011599] obj_cgroup_charge_account
[10.011600] __memcg_slab_post_alloc_hook
[10.011603] __kmalloc_node_noprof
...
[10.011611] bpf_map_kmalloc_node
[10.011612] __bpf_async_init
[10.011615] bpf_timer_init (3) BPF calls bpf_timer_init()
[10.011617] bpf_prog_xxxxxxxxxxxxxxxx_fcg_runnable
[10.011619] bpf__sched_ext_ops_runnable
[10.011620] enqueue_task_scx (2) BPF runs with rq_lock held
[10.011622] enqueue_task
[10.011626] ttwu_do_activate
[10.011629] sched_ttwu_pending (1) grabs rq_lock
...
The above was reproduced on bpf-next (b338cf849ec8) by modifying
./tools/sched_ext/scx_flatcg.bpf.c to call bpf_timer_init() during
ops.runnable(), and hacking the memcg accounting code a bit to make
a bpf_timer_init() call more likely to raise an MEMCG_MAX event.
We have also run into other similar variants (both internally and on
bpf-next), including double-acquiring cgroup_file_kn_lock, the same
worker_pool::lock, etc.
As suggested by Shakeel, fix this by using __GFP_HIGH instead of
GFP_ATOMIC in __bpf_async_init(), so that e.g. if try_charge_memcg()
raises an MEMCG_MAX event, we call __memcg_memory_event() with
@allow_spinning=false and avoid calling cgroup_file_notify() there.
Depends on mm patch
"memcg: skip cgroup_file_notify if spinning is not allowed":
https://lore.kernel.org/bpf/20250905201606.66198-1-shakeel.butt@linux.dev/
v0 approach s/bpf_map_kmalloc_node/bpf_mem_alloc/
https://lore.kernel.org/bpf/20250905061919.439648-1-yepeilin@google.com/
v1 approach:
https://lore.kernel.org/bpf/20250905234547.862249-1-yepeilin@google.com/
Severity ?
5.5 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b00628b1c7d595ae5b544e059c27b1f5828314b4 , < 449682e76f32601f211816d3e2100bed87e67a4c
(git)
Affected: b00628b1c7d595ae5b544e059c27b1f5828314b4 , < cd1fd26bb13473c1734e3026b2b97025a0a4087b (git) Affected: b00628b1c7d595ae5b544e059c27b1f5828314b4 , < ac70cd446f83ccb25532b343919ab86eacdcd06a (git) Affected: b00628b1c7d595ae5b544e059c27b1f5828314b4 , < 6d78b4473cdb08b74662355a9e8510bde09c511e (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39886",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:26:19.815693Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:33:12.924Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/helpers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "449682e76f32601f211816d3e2100bed87e67a4c",
"status": "affected",
"version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
"versionType": "git"
},
{
"lessThan": "cd1fd26bb13473c1734e3026b2b97025a0a4087b",
"status": "affected",
"version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
"versionType": "git"
},
{
"lessThan": "ac70cd446f83ccb25532b343919ab86eacdcd06a",
"status": "affected",
"version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
"versionType": "git"
},
{
"lessThan": "6d78b4473cdb08b74662355a9e8510bde09c511e",
"status": "affected",
"version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/helpers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()\n\nCurrently, calling bpf_map_kmalloc_node() from __bpf_async_init() can\ncause various locking issues; see the following stack trace (edited for\nstyle) as one example:\n\n...\n [10.011566] do_raw_spin_lock.cold\n [10.011570] try_to_wake_up (5) double-acquiring the same\n [10.011575] kick_pool rq_lock, causing a hardlockup\n [10.011579] __queue_work\n [10.011582] queue_work_on\n [10.011585] kernfs_notify\n [10.011589] cgroup_file_notify\n [10.011593] try_charge_memcg (4) memcg accounting raises an\n [10.011597] obj_cgroup_charge_pages MEMCG_MAX event\n [10.011599] obj_cgroup_charge_account\n [10.011600] __memcg_slab_post_alloc_hook\n [10.011603] __kmalloc_node_noprof\n...\n [10.011611] bpf_map_kmalloc_node\n [10.011612] __bpf_async_init\n [10.011615] bpf_timer_init (3) BPF calls bpf_timer_init()\n [10.011617] bpf_prog_xxxxxxxxxxxxxxxx_fcg_runnable\n [10.011619] bpf__sched_ext_ops_runnable\n [10.011620] enqueue_task_scx (2) BPF runs with rq_lock held\n [10.011622] enqueue_task\n [10.011626] ttwu_do_activate\n [10.011629] sched_ttwu_pending (1) grabs rq_lock\n...\n\nThe above was reproduced on bpf-next (b338cf849ec8) by modifying\n./tools/sched_ext/scx_flatcg.bpf.c to call bpf_timer_init() during\nops.runnable(), and hacking the memcg accounting code a bit to make\na bpf_timer_init() call more likely to raise an MEMCG_MAX event.\n\nWe have also run into other similar variants (both internally and on\nbpf-next), including double-acquiring cgroup_file_kn_lock, the same\nworker_pool::lock, etc.\n\nAs suggested by Shakeel, fix this by using __GFP_HIGH instead of\nGFP_ATOMIC in __bpf_async_init(), so that e.g. if try_charge_memcg()\nraises an MEMCG_MAX event, we call __memcg_memory_event() with\n@allow_spinning=false and avoid calling cgroup_file_notify() there.\n\nDepends on mm patch\n\"memcg: skip cgroup_file_notify if spinning is not allowed\":\nhttps://lore.kernel.org/bpf/20250905201606.66198-1-shakeel.butt@linux.dev/\n\nv0 approach s/bpf_map_kmalloc_node/bpf_mem_alloc/\nhttps://lore.kernel.org/bpf/20250905061919.439648-1-yepeilin@google.com/\nv1 approach:\nhttps://lore.kernel.org/bpf/20250905234547.862249-1-yepeilin@google.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:47.185Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/449682e76f32601f211816d3e2100bed87e67a4c"
},
{
"url": "https://git.kernel.org/stable/c/cd1fd26bb13473c1734e3026b2b97025a0a4087b"
},
{
"url": "https://git.kernel.org/stable/c/ac70cd446f83ccb25532b343919ab86eacdcd06a"
},
{
"url": "https://git.kernel.org/stable/c/6d78b4473cdb08b74662355a9e8510bde09c511e"
}
],
"title": "bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39886",
"datePublished": "2025-09-23T06:00:53.120Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2026-01-14T19:33:12.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40260 (GCVE-0-2025-40260)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-04 16:08
VLAI?
EPSS
Title
sched_ext: Fix scx_enable() crash on helper kthread creation failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Fix scx_enable() crash on helper kthread creation failure
A crash was observed when the sched_ext selftests runner was
terminated with Ctrl+\ while test 15 was running:
NIP [c00000000028fa58] scx_enable.constprop.0+0x358/0x12b0
LR [c00000000028fa2c] scx_enable.constprop.0+0x32c/0x12b0
Call Trace:
scx_enable.constprop.0+0x32c/0x12b0 (unreliable)
bpf_struct_ops_link_create+0x18c/0x22c
__sys_bpf+0x23f8/0x3044
sys_bpf+0x2c/0x6c
system_call_exception+0x124/0x320
system_call_vectored_common+0x15c/0x2ec
kthread_run_worker() returns an ERR_PTR() on failure rather than NULL,
but the current code in scx_alloc_and_add_sched() only checks for a NULL
helper. Incase of failure on SIGQUIT, the error is not handled in
scx_alloc_and_add_sched() and scx_enable() ends up dereferencing an
error pointer.
Error handling is fixed in scx_alloc_and_add_sched() to propagate
PTR_ERR() into ret, so that scx_enable() jumps to the existing error
path, avoiding random dereference on failure.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "625e173e2a59b6cf6cbfb51c0a6bea47f3861eab",
"status": "affected",
"version": "bff3b5aec1b727b620adc7c47085592802390125",
"versionType": "git"
},
{
"lessThan": "7b6216baae751369195fa3c83d434d23bcda406a",
"status": "affected",
"version": "bff3b5aec1b727b620adc7c47085592802390125",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix scx_enable() crash on helper kthread creation failure\n\nA crash was observed when the sched_ext selftests runner was\nterminated with Ctrl+\\ while test 15 was running:\n\nNIP [c00000000028fa58] scx_enable.constprop.0+0x358/0x12b0\nLR [c00000000028fa2c] scx_enable.constprop.0+0x32c/0x12b0\nCall Trace:\nscx_enable.constprop.0+0x32c/0x12b0 (unreliable)\nbpf_struct_ops_link_create+0x18c/0x22c\n__sys_bpf+0x23f8/0x3044\nsys_bpf+0x2c/0x6c\nsystem_call_exception+0x124/0x320\nsystem_call_vectored_common+0x15c/0x2ec\n\nkthread_run_worker() returns an ERR_PTR() on failure rather than NULL,\nbut the current code in scx_alloc_and_add_sched() only checks for a NULL\nhelper. Incase of failure on SIGQUIT, the error is not handled in\nscx_alloc_and_add_sched() and scx_enable() ends up dereferencing an\nerror pointer.\n\nError handling is fixed in scx_alloc_and_add_sched() to propagate\nPTR_ERR() into ret, so that scx_enable() jumps to the existing error\npath, avoiding random dereference on failure."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T16:08:20.590Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/625e173e2a59b6cf6cbfb51c0a6bea47f3861eab"
},
{
"url": "https://git.kernel.org/stable/c/7b6216baae751369195fa3c83d434d23bcda406a"
}
],
"title": "sched_ext: Fix scx_enable() crash on helper kthread creation failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40260",
"datePublished": "2025-12-04T16:08:20.590Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2025-12-04T16:08:20.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68331 (GCVE-0-2025-68331)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2025-12-22 16:14
VLAI?
EPSS
Title
usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer
When a UAS device is unplugged during data transfer, there is
a probability of a system panic occurring. The root cause is
an access to an invalid memory address during URB callback handling.
Specifically, this happens when the dma_direct_unmap_sg() function
is called within the usb_hcd_unmap_urb_for_dma() interface, but the
sg->dma_address field is 0 and the sg data structure has already been
freed.
The SCSI driver sends transfer commands by invoking uas_queuecommand_lck()
in uas.c, using the uas_submit_urbs() function to submit requests to USB.
Within the uas_submit_urbs() implementation, three URBs (sense_urb,
data_urb, and cmd_urb) are sequentially submitted. Device removal may
occur at any point during uas_submit_urbs execution, which may result
in URB submission failure. However, some URBs might have been successfully
submitted before the failure, and uas_submit_urbs will return the -ENODEV
error code in this case. The current error handling directly calls
scsi_done(). In the SCSI driver, this eventually triggers scsi_complete()
to invoke scsi_end_request() for releasing the sgtable. The successfully
submitted URBs, when being unlinked to giveback, call
usb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg
unmapping operations since the sg data structure has already been freed.
This patch modifies the error condition check in the uas_submit_urbs()
function. When a UAS device is removed but one or more URBs have already
been successfully submitted to USB, it avoids immediately invoking
scsi_done() and save the cmnd to devinfo->cmnd array. If the successfully
submitted URBs is completed before devinfo->resetting being set, then
the scsi_done() function will be called within uas_try_complete() after
all pending URB operations are finalized. Otherwise, the scsi_done()
function will be called within uas_zap_pending(), which is executed after
usb_kill_anchored_urbs().
The error handling only takes effect when uas_queuecommand_lck() calls
uas_submit_urbs() and returns the error value -ENODEV . In this case,
the device is disconnected, and the flow proceeds to uas_disconnect(),
where uas_zap_pending() is invoked to call uas_try_complete().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 6289fc489e94c9beb6be2b502ccc263663733d72
(git)
Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17 (git) Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 75f8e2643085db4f7e136fc6b368eb114dd80a64 (git) Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < e3a55221f4de080cb7a91ba10f01c4f708603f8d (git) Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 2b90a8131c83f6f2be69397d2b7d14d217d95d2f (git) Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 426edbfc88b22601ea34a441a469092e7b301c52 (git) Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 26d56a9fcb2014b99e654127960aa0a48a391e3c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/uas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6289fc489e94c9beb6be2b502ccc263663733d72",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "75f8e2643085db4f7e136fc6b368eb114dd80a64",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "e3a55221f4de080cb7a91ba10f01c4f708603f8d",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "2b90a8131c83f6f2be69397d2b7d14d217d95d2f",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "426edbfc88b22601ea34a441a469092e7b301c52",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "26d56a9fcb2014b99e654127960aa0a48a391e3c",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/uas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer\n\nWhen a UAS device is unplugged during data transfer, there is\na probability of a system panic occurring. The root cause is\nan access to an invalid memory address during URB callback handling.\nSpecifically, this happens when the dma_direct_unmap_sg() function\nis called within the usb_hcd_unmap_urb_for_dma() interface, but the\nsg-\u003edma_address field is 0 and the sg data structure has already been\nfreed.\n\nThe SCSI driver sends transfer commands by invoking uas_queuecommand_lck()\nin uas.c, using the uas_submit_urbs() function to submit requests to USB.\nWithin the uas_submit_urbs() implementation, three URBs (sense_urb,\ndata_urb, and cmd_urb) are sequentially submitted. Device removal may\noccur at any point during uas_submit_urbs execution, which may result\nin URB submission failure. However, some URBs might have been successfully\nsubmitted before the failure, and uas_submit_urbs will return the -ENODEV\nerror code in this case. The current error handling directly calls\nscsi_done(). In the SCSI driver, this eventually triggers scsi_complete()\nto invoke scsi_end_request() for releasing the sgtable. The successfully\nsubmitted URBs, when being unlinked to giveback, call\nusb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg\nunmapping operations since the sg data structure has already been freed.\n\nThis patch modifies the error condition check in the uas_submit_urbs()\nfunction. When a UAS device is removed but one or more URBs have already\nbeen successfully submitted to USB, it avoids immediately invoking\nscsi_done() and save the cmnd to devinfo-\u003ecmnd array. If the successfully\nsubmitted URBs is completed before devinfo-\u003eresetting being set, then\nthe scsi_done() function will be called within uas_try_complete() after\nall pending URB operations are finalized. Otherwise, the scsi_done()\nfunction will be called within uas_zap_pending(), which is executed after\nusb_kill_anchored_urbs().\n\nThe error handling only takes effect when uas_queuecommand_lck() calls\nuas_submit_urbs() and returns the error value -ENODEV . In this case,\nthe device is disconnected, and the flow proceeds to uas_disconnect(),\nwhere uas_zap_pending() is invoked to call uas_try_complete()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:09.243Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6289fc489e94c9beb6be2b502ccc263663733d72"
},
{
"url": "https://git.kernel.org/stable/c/66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17"
},
{
"url": "https://git.kernel.org/stable/c/75f8e2643085db4f7e136fc6b368eb114dd80a64"
},
{
"url": "https://git.kernel.org/stable/c/e3a55221f4de080cb7a91ba10f01c4f708603f8d"
},
{
"url": "https://git.kernel.org/stable/c/2b90a8131c83f6f2be69397d2b7d14d217d95d2f"
},
{
"url": "https://git.kernel.org/stable/c/426edbfc88b22601ea34a441a469092e7b301c52"
},
{
"url": "https://git.kernel.org/stable/c/26d56a9fcb2014b99e654127960aa0a48a391e3c"
}
],
"title": "usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68331",
"datePublished": "2025-12-22T16:12:24.607Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-22T16:14:09.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40035 (GCVE-0-2025-40035)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
Struct ff_effect_compat is embedded twice inside
uinput_ff_upload_compat, contains internal padding. In particular, there
is a hole after struct ff_replay to satisfy alignment requirements for
the following union member. Without clearing the structure,
copy_to_user() may leak stack data to userspace.
Initialize ff_up_compat to zero before filling valid fields.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2d56f3a32c0e62f99c043d2579840f9731fe5855 , < 1b317796013f666ae5040edbf0f230ec61496d42
(git)
Affected: 2d56f3a32c0e62f99c043d2579840f9731fe5855 , < 877172b97786ed1678640dff0b2d35abb328844c (git) Affected: 2d56f3a32c0e62f99c043d2579840f9731fe5855 , < e63aade22a33e77b93c98c9f02db504d897a76b4 (git) Affected: 2d56f3a32c0e62f99c043d2579840f9731fe5855 , < 933b87c4590b42500299f00ff55f555903056803 (git) Affected: 2d56f3a32c0e62f99c043d2579840f9731fe5855 , < fd8a23ecbc602d00e47b27f20b07350867d0ebe5 (git) Affected: 2d56f3a32c0e62f99c043d2579840f9731fe5855 , < 48c96b7e9e03516936d6deba54b5553097eae817 (git) Affected: 2d56f3a32c0e62f99c043d2579840f9731fe5855 , < f5e1f3b85aadce74268c46676772c3e9fa79897e (git) Affected: 2d56f3a32c0e62f99c043d2579840f9731fe5855 , < d3366a04770eea807f2826cbdb96934dd8c9bf79 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/misc/uinput.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b317796013f666ae5040edbf0f230ec61496d42",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "877172b97786ed1678640dff0b2d35abb328844c",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "e63aade22a33e77b93c98c9f02db504d897a76b4",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "933b87c4590b42500299f00ff55f555903056803",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "fd8a23ecbc602d00e47b27f20b07350867d0ebe5",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "48c96b7e9e03516936d6deba54b5553097eae817",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "f5e1f3b85aadce74268c46676772c3e9fa79897e",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "d3366a04770eea807f2826cbdb96934dd8c9bf79",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/misc/uinput.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak\n\nStruct ff_effect_compat is embedded twice inside\nuinput_ff_upload_compat, contains internal padding. In particular, there\nis a hole after struct ff_replay to satisfy alignment requirements for\nthe following union member. Without clearing the structure,\ncopy_to_user() may leak stack data to userspace.\n\nInitialize ff_up_compat to zero before filling valid fields."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:38.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b317796013f666ae5040edbf0f230ec61496d42"
},
{
"url": "https://git.kernel.org/stable/c/877172b97786ed1678640dff0b2d35abb328844c"
},
{
"url": "https://git.kernel.org/stable/c/e63aade22a33e77b93c98c9f02db504d897a76b4"
},
{
"url": "https://git.kernel.org/stable/c/933b87c4590b42500299f00ff55f555903056803"
},
{
"url": "https://git.kernel.org/stable/c/fd8a23ecbc602d00e47b27f20b07350867d0ebe5"
},
{
"url": "https://git.kernel.org/stable/c/48c96b7e9e03516936d6deba54b5553097eae817"
},
{
"url": "https://git.kernel.org/stable/c/f5e1f3b85aadce74268c46676772c3e9fa79897e"
},
{
"url": "https://git.kernel.org/stable/c/d3366a04770eea807f2826cbdb96934dd8c9bf79"
}
],
"title": "Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40035",
"datePublished": "2025-10-28T11:48:17.030Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-12-01T06:16:38.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40245 (GCVE-0-2025-40245)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
nios2: ensure that memblock.current_limit is set when setting pfn limits
Summary
In the Linux kernel, the following vulnerability has been resolved:
nios2: ensure that memblock.current_limit is set when setting pfn limits
On nios2, with CONFIG_FLATMEM set, the kernel relies on
memblock_get_current_limit() to determine the limits of mem_map, in
particular for max_low_pfn.
Unfortunately, memblock.current_limit is only default initialized to
MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading
to situations where max_low_pfn can erroneously exceed the value of
max_pfn and, thus, the valid range of available DRAM.
This can in turn cause kernel-level paging failures, e.g.:
[ 76.900000] Unable to handle kernel paging request at virtual address 20303000
[ 76.900000] ea = c0080890, ra = c000462c, cause = 14
[ 76.900000] Kernel panic - not syncing: Oops
[ 76.900000] ---[ end Kernel panic - not syncing: Oops ]---
This patch fixes this by pre-calculating memblock.current_limit
based on the upper limits of the available memory ranges via
adjust_lowmem_bounds, a simplified version of the equivalent
implementation within the arm architecture.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae , < 25f09699edd360b534ccae16bc276c3b52c471f3
(git)
Affected: 7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae , < 5c3e38a367822f036227dd52bac82dc4a05157e2 (git) Affected: 7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae , < b1ec9faef7e36269ca3ec890972a78effbaeb975 (git) Affected: 7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae , < 90f5f715550e07cd6a51f80fc3f062d832c8c997 (git) Affected: 7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae , < 8912814f14e298b83df072fecc1f7ed1b63b1b2c (git) Affected: 7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae , < a20b83cf45be2057f3d073506779e52c7fa17f94 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/nios2/kernel/setup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25f09699edd360b534ccae16bc276c3b52c471f3",
"status": "affected",
"version": "7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae",
"versionType": "git"
},
{
"lessThan": "5c3e38a367822f036227dd52bac82dc4a05157e2",
"status": "affected",
"version": "7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae",
"versionType": "git"
},
{
"lessThan": "b1ec9faef7e36269ca3ec890972a78effbaeb975",
"status": "affected",
"version": "7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae",
"versionType": "git"
},
{
"lessThan": "90f5f715550e07cd6a51f80fc3f062d832c8c997",
"status": "affected",
"version": "7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae",
"versionType": "git"
},
{
"lessThan": "8912814f14e298b83df072fecc1f7ed1b63b1b2c",
"status": "affected",
"version": "7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae",
"versionType": "git"
},
{
"lessThan": "a20b83cf45be2057f3d073506779e52c7fa17f94",
"status": "affected",
"version": "7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/nios2/kernel/setup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnios2: ensure that memblock.current_limit is set when setting pfn limits\n\nOn nios2, with CONFIG_FLATMEM set, the kernel relies on\nmemblock_get_current_limit() to determine the limits of mem_map, in\nparticular for max_low_pfn.\nUnfortunately, memblock.current_limit is only default initialized to\nMEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading\nto situations where max_low_pfn can erroneously exceed the value of\nmax_pfn and, thus, the valid range of available DRAM.\n\nThis can in turn cause kernel-level paging failures, e.g.:\n\n[ 76.900000] Unable to handle kernel paging request at virtual address 20303000\n[ 76.900000] ea = c0080890, ra = c000462c, cause = 14\n[ 76.900000] Kernel panic - not syncing: Oops\n[ 76.900000] ---[ end Kernel panic - not syncing: Oops ]---\n\nThis patch fixes this by pre-calculating memblock.current_limit\nbased on the upper limits of the available memory ranges via\nadjust_lowmem_bounds, a simplified version of the equivalent\nimplementation within the arm architecture."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:15.808Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25f09699edd360b534ccae16bc276c3b52c471f3"
},
{
"url": "https://git.kernel.org/stable/c/5c3e38a367822f036227dd52bac82dc4a05157e2"
},
{
"url": "https://git.kernel.org/stable/c/b1ec9faef7e36269ca3ec890972a78effbaeb975"
},
{
"url": "https://git.kernel.org/stable/c/90f5f715550e07cd6a51f80fc3f062d832c8c997"
},
{
"url": "https://git.kernel.org/stable/c/8912814f14e298b83df072fecc1f7ed1b63b1b2c"
},
{
"url": "https://git.kernel.org/stable/c/a20b83cf45be2057f3d073506779e52c7fa17f94"
}
],
"title": "nios2: ensure that memblock.current_limit is set when setting pfn limits",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40245",
"datePublished": "2025-12-04T15:31:34.142Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2026-01-02T15:33:15.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68337 (GCVE-0-2025-68337)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2026-02-09 08:31
VLAI?
EPSS
Title
jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
Summary
In the Linux kernel, the following vulnerability has been resolved:
jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
There's issue when file system corrupted:
------------[ cut here ]------------
kernel BUG at fs/jbd2/transaction.c:1289!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next
RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0
RSP: 0018:ffff888117aafa30 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534
RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010
RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028
R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0
Call Trace:
<TASK>
__ext4_journal_get_create_access+0x42/0x170
ext4_getblk+0x319/0x6f0
ext4_bread+0x11/0x100
ext4_append+0x1e6/0x4a0
ext4_init_new_dir+0x145/0x1d0
ext4_mkdir+0x326/0x920
vfs_mkdir+0x45c/0x740
do_mkdirat+0x234/0x2f0
__x64_sys_mkdir+0xd6/0x120
do_syscall_64+0x5f/0xfa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The above issue occurs with us in errors=continue mode when accompanied by
storage failures. There have been many inconsistencies in the file system
data.
In the case of file system data inconsistency, for example, if the block
bitmap of a referenced block is not set, it can lead to the situation where
a block being committed is allocated and used again. As a result, the
following condition will not be satisfied then trigger BUG_ON. Of course,
it is entirely possible to construct a problematic image that can trigger
this BUG_ON through specific operations. In fact, I have constructed such
an image and easily reproduced this issue.
Therefore, J_ASSERT() holds true only under ideal conditions, but it may
not necessarily be satisfied in exceptional scenarios. Using J_ASSERT()
directly in abnormal situations would cause the system to crash, which is
clearly not what we want. So here we directly trigger a JBD abort instead
of immediately invoking BUG_ON.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
470decc613ab2048b619a01028072d932d9086ee , < 71bbe06c40fc59b5b15661eca8ff307f4176d7f9
(git)
Affected: 470decc613ab2048b619a01028072d932d9086ee , < ed62fd8c15d41c4127ad16b8219b63124f5962bc (git) Affected: 470decc613ab2048b619a01028072d932d9086ee , < 3faac6531d4818cd6be45e5bbf32937bbbc795c0 (git) Affected: 470decc613ab2048b619a01028072d932d9086ee , < b4f8eabf6d991bd41fabcdf9302c4b3eab590cf4 (git) Affected: 470decc613ab2048b619a01028072d932d9086ee , < a2a7f854d154a3e9232fec80782dad951655f52f (git) Affected: 470decc613ab2048b619a01028072d932d9086ee , < bf34c72337e40c4670cceeb79b353356933a254b (git) Affected: 470decc613ab2048b619a01028072d932d9086ee , < aa1703f3f706ea0867fb1991dcac709c9ec94cfb (git) Affected: 470decc613ab2048b619a01028072d932d9086ee , < 986835bf4d11032bba4ab8414d18fce038c61bb4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jbd2/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71bbe06c40fc59b5b15661eca8ff307f4176d7f9",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "ed62fd8c15d41c4127ad16b8219b63124f5962bc",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "3faac6531d4818cd6be45e5bbf32937bbbc795c0",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "b4f8eabf6d991bd41fabcdf9302c4b3eab590cf4",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "a2a7f854d154a3e9232fec80782dad951655f52f",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "bf34c72337e40c4670cceeb79b353356933a254b",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "aa1703f3f706ea0867fb1991dcac709c9ec94cfb",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "986835bf4d11032bba4ab8414d18fce038c61bb4",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jbd2/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted\n\nThere\u0027s issue when file system corrupted:\n------------[ cut here ]------------\nkernel BUG at fs/jbd2/transaction.c:1289!\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next\nRIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0\nRSP: 0018:ffff888117aafa30 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534\nRDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010\nRBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028\nR10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n __ext4_journal_get_create_access+0x42/0x170\n ext4_getblk+0x319/0x6f0\n ext4_bread+0x11/0x100\n ext4_append+0x1e6/0x4a0\n ext4_init_new_dir+0x145/0x1d0\n ext4_mkdir+0x326/0x920\n vfs_mkdir+0x45c/0x740\n do_mkdirat+0x234/0x2f0\n __x64_sys_mkdir+0xd6/0x120\n do_syscall_64+0x5f/0xfa0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe above issue occurs with us in errors=continue mode when accompanied by\nstorage failures. There have been many inconsistencies in the file system\ndata.\nIn the case of file system data inconsistency, for example, if the block\nbitmap of a referenced block is not set, it can lead to the situation where\na block being committed is allocated and used again. As a result, the\nfollowing condition will not be satisfied then trigger BUG_ON. Of course,\nit is entirely possible to construct a problematic image that can trigger\nthis BUG_ON through specific operations. In fact, I have constructed such\nan image and easily reproduced this issue.\nTherefore, J_ASSERT() holds true only under ideal conditions, but it may\nnot necessarily be satisfied in exceptional scenarios. Using J_ASSERT()\ndirectly in abnormal situations would cause the system to crash, which is\nclearly not what we want. So here we directly trigger a JBD abort instead\nof immediately invoking BUG_ON."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:31.824Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71bbe06c40fc59b5b15661eca8ff307f4176d7f9"
},
{
"url": "https://git.kernel.org/stable/c/ed62fd8c15d41c4127ad16b8219b63124f5962bc"
},
{
"url": "https://git.kernel.org/stable/c/3faac6531d4818cd6be45e5bbf32937bbbc795c0"
},
{
"url": "https://git.kernel.org/stable/c/b4f8eabf6d991bd41fabcdf9302c4b3eab590cf4"
},
{
"url": "https://git.kernel.org/stable/c/a2a7f854d154a3e9232fec80782dad951655f52f"
},
{
"url": "https://git.kernel.org/stable/c/bf34c72337e40c4670cceeb79b353356933a254b"
},
{
"url": "https://git.kernel.org/stable/c/aa1703f3f706ea0867fb1991dcac709c9ec94cfb"
},
{
"url": "https://git.kernel.org/stable/c/986835bf4d11032bba4ab8414d18fce038c61bb4"
}
],
"title": "jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68337",
"datePublished": "2025-12-22T16:14:14.145Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-02-09T08:31:31.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40321 (GCVE-0-2025-40321)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode
Currently, whenever there is a need to transmit an Action frame,
the brcmfmac driver always uses the P2P vif to send the "actframe" IOVAR to
firmware. The P2P interfaces were available when wpa_supplicant is managing
the wlan interface.
However, the P2P interfaces are not created/initialized when only hostapd
is managing the wlan interface. And if hostapd receives an ANQP Query REQ
Action frame even from an un-associated STA, the brcmfmac driver tries
to use an uninitialized P2P vif pointer for sending the IOVAR to firmware.
This NULL pointer dereferencing triggers a driver crash.
[ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual
address 0000000000000000
[...]
[ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)
[...]
[ 1417.075653] Call trace:
[ 1417.075662] brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]
[ 1417.075738] brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]
[ 1417.075810] cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]
[ 1417.076067] nl80211_tx_mgmt+0x238/0x388 [cfg80211]
[ 1417.076281] genl_family_rcv_msg_doit+0xe0/0x158
[ 1417.076302] genl_rcv_msg+0x220/0x2a0
[ 1417.076317] netlink_rcv_skb+0x68/0x140
[ 1417.076330] genl_rcv+0x40/0x60
[ 1417.076343] netlink_unicast+0x330/0x3b8
[ 1417.076357] netlink_sendmsg+0x19c/0x3f8
[ 1417.076370] __sock_sendmsg+0x64/0xc0
[ 1417.076391] ____sys_sendmsg+0x268/0x2a0
[ 1417.076408] ___sys_sendmsg+0xb8/0x118
[ 1417.076427] __sys_sendmsg+0x90/0xf8
[ 1417.076445] __arm64_sys_sendmsg+0x2c/0x40
[ 1417.076465] invoke_syscall+0x50/0x120
[ 1417.076486] el0_svc_common.constprop.0+0x48/0xf0
[ 1417.076506] do_el0_svc+0x24/0x38
[ 1417.076525] el0_svc+0x30/0x100
[ 1417.076548] el0t_64_sync_handler+0x100/0x130
[ 1417.076569] el0t_64_sync+0x190/0x198
[ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)
Fix this, by always using the vif corresponding to the wdev on which the
Action frame Transmission request was initiated by the userspace. This way,
even if P2P vif is not available, the IOVAR is sent to firmware on AP vif
and the ANQP Query RESP Action frame is transmitted without crashing the
driver.
Move init_completion() for "send_af_done" from brcmf_p2p_create_p2pdev()
to brcmf_p2p_attach(). Because the former function would not get executed
when only hostapd is managing wlan interface, and it is not safe to do
reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior
init_completion().
And in the brcmf_p2p_tx_action_frame() function, the condition check for
P2P Presence response frame is not needed, since the wpa_supplicant is
properly sending the P2P Presense Response frame on the P2P-GO vif instead
of the P2P-Device vif.
[Cc stable]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < c863b9c7b4e9af0b7931cb791ec91971a50f1a25
(git)
Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < e1fc9afcce9139791260f962541282d47fbb508d (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < 55f60a72a178909ece4e32987e4c642ba57e1cf4 (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < c2b0f8d3e7358c33d90f0e62765d474f25f26a45 (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < 64e3175d1c8a3bea02032e7c9d1befd5f43786fa (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < a6eed58249e7d60f856900e682992300f770f64b (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < dbc7357b6aae686d9404e1dd7e2e6cf92c3a1b5a (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < 3776c685ebe5f43e9060af06872661de55e80b9a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c",
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c",
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c863b9c7b4e9af0b7931cb791ec91971a50f1a25",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "e1fc9afcce9139791260f962541282d47fbb508d",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "55f60a72a178909ece4e32987e4c642ba57e1cf4",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "c2b0f8d3e7358c33d90f0e62765d474f25f26a45",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "64e3175d1c8a3bea02032e7c9d1befd5f43786fa",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "a6eed58249e7d60f856900e682992300f770f64b",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "dbc7357b6aae686d9404e1dd7e2e6cf92c3a1b5a",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "3776c685ebe5f43e9060af06872661de55e80b9a",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c",
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c",
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode\n\nCurrently, whenever there is a need to transmit an Action frame,\nthe brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to\nfirmware. The P2P interfaces were available when wpa_supplicant is managing\nthe wlan interface.\n\nHowever, the P2P interfaces are not created/initialized when only hostapd\nis managing the wlan interface. And if hostapd receives an ANQP Query REQ\nAction frame even from an un-associated STA, the brcmfmac driver tries\nto use an uninitialized P2P vif pointer for sending the IOVAR to firmware.\nThis NULL pointer dereferencing triggers a driver crash.\n\n [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual\n address 0000000000000000\n [...]\n [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)\n [...]\n [ 1417.075653] Call trace:\n [ 1417.075662] brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]\n [ 1417.075738] brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]\n [ 1417.075810] cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]\n [ 1417.076067] nl80211_tx_mgmt+0x238/0x388 [cfg80211]\n [ 1417.076281] genl_family_rcv_msg_doit+0xe0/0x158\n [ 1417.076302] genl_rcv_msg+0x220/0x2a0\n [ 1417.076317] netlink_rcv_skb+0x68/0x140\n [ 1417.076330] genl_rcv+0x40/0x60\n [ 1417.076343] netlink_unicast+0x330/0x3b8\n [ 1417.076357] netlink_sendmsg+0x19c/0x3f8\n [ 1417.076370] __sock_sendmsg+0x64/0xc0\n [ 1417.076391] ____sys_sendmsg+0x268/0x2a0\n [ 1417.076408] ___sys_sendmsg+0xb8/0x118\n [ 1417.076427] __sys_sendmsg+0x90/0xf8\n [ 1417.076445] __arm64_sys_sendmsg+0x2c/0x40\n [ 1417.076465] invoke_syscall+0x50/0x120\n [ 1417.076486] el0_svc_common.constprop.0+0x48/0xf0\n [ 1417.076506] do_el0_svc+0x24/0x38\n [ 1417.076525] el0_svc+0x30/0x100\n [ 1417.076548] el0t_64_sync_handler+0x100/0x130\n [ 1417.076569] el0t_64_sync+0x190/0x198\n [ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)\n\nFix this, by always using the vif corresponding to the wdev on which the\nAction frame Transmission request was initiated by the userspace. This way,\neven if P2P vif is not available, the IOVAR is sent to firmware on AP vif\nand the ANQP Query RESP Action frame is transmitted without crashing the\ndriver.\n\nMove init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev()\nto brcmf_p2p_attach(). Because the former function would not get executed\nwhen only hostapd is managing wlan interface, and it is not safe to do\nreinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior\ninit_completion().\n\nAnd in the brcmf_p2p_tx_action_frame() function, the condition check for\nP2P Presence response frame is not needed, since the wpa_supplicant is\nproperly sending the P2P Presense Response frame on the P2P-GO vif instead\nof the P2P-Device vif.\n\n[Cc stable]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:48.724Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c863b9c7b4e9af0b7931cb791ec91971a50f1a25"
},
{
"url": "https://git.kernel.org/stable/c/e1fc9afcce9139791260f962541282d47fbb508d"
},
{
"url": "https://git.kernel.org/stable/c/55f60a72a178909ece4e32987e4c642ba57e1cf4"
},
{
"url": "https://git.kernel.org/stable/c/c2b0f8d3e7358c33d90f0e62765d474f25f26a45"
},
{
"url": "https://git.kernel.org/stable/c/64e3175d1c8a3bea02032e7c9d1befd5f43786fa"
},
{
"url": "https://git.kernel.org/stable/c/a6eed58249e7d60f856900e682992300f770f64b"
},
{
"url": "https://git.kernel.org/stable/c/dbc7357b6aae686d9404e1dd7e2e6cf92c3a1b5a"
},
{
"url": "https://git.kernel.org/stable/c/3776c685ebe5f43e9060af06872661de55e80b9a"
}
],
"title": "wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40321",
"datePublished": "2025-12-08T00:46:48.724Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:48.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68369 (GCVE-0-2025-68369)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-02-09 08:32
VLAI?
EPSS
Title
ntfs3: init run lock for extend inode
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: init run lock for extend inode
After setting the inode mode of $Extend to a regular file, executing the
truncate system call will enter the do_truncate() routine, causing the
run_lock uninitialized error reported by syzbot.
Prior to patch 4e8011ffec79, if the inode mode of $Extend was not set to
a regular file, the do_truncate() routine would not be entered.
Add the run_lock initialization when loading $Extend.
syzbot reported:
INFO: trying to register non-static key.
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984
register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299
__lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590
ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860
ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387
ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
63eb6730ce0604d3eacf036c2f68ea70b068317c , < 79c8a77b1782e2ace96d063be3c41ba540d1e20a
(git)
Affected: 78d46f5276ed3589aaaa435580068c5b62efc921 , < 433d1f7c628c3cbdd7efce064d6c7acd072cf6c4 (git) Affected: 17249b2a65274f73ed68bcd1604e08a60fd8a278 , < 907bf69c6b6ce5d038eec7a599d67b45b62624bc (git) Affected: 37f65e68ba9852dc51c78dbb54a9881c3f0fe4f7 , < 6e17555728bc469d484c59db4a0abc65c19bc315 (git) Affected: 57534db1bbc4ca772393bb7d92e69d5e7b9051cf , < 19164d8228317f3f1fe2662a9ba587cfe3b2d29e (git) Affected: 4e8011ffec79717e5fdac43a7e79faf811a384b7 , < ab5e8ebeee1caa4fcf8be7d8d62c0a7165469076 (git) Affected: 4e8011ffec79717e5fdac43a7e79faf811a384b7 , < be99c62ac7e7af514e4b13f83c891a3cccefaa48 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "79c8a77b1782e2ace96d063be3c41ba540d1e20a",
"status": "affected",
"version": "63eb6730ce0604d3eacf036c2f68ea70b068317c",
"versionType": "git"
},
{
"lessThan": "433d1f7c628c3cbdd7efce064d6c7acd072cf6c4",
"status": "affected",
"version": "78d46f5276ed3589aaaa435580068c5b62efc921",
"versionType": "git"
},
{
"lessThan": "907bf69c6b6ce5d038eec7a599d67b45b62624bc",
"status": "affected",
"version": "17249b2a65274f73ed68bcd1604e08a60fd8a278",
"versionType": "git"
},
{
"lessThan": "6e17555728bc469d484c59db4a0abc65c19bc315",
"status": "affected",
"version": "37f65e68ba9852dc51c78dbb54a9881c3f0fe4f7",
"versionType": "git"
},
{
"lessThan": "19164d8228317f3f1fe2662a9ba587cfe3b2d29e",
"status": "affected",
"version": "57534db1bbc4ca772393bb7d92e69d5e7b9051cf",
"versionType": "git"
},
{
"lessThan": "ab5e8ebeee1caa4fcf8be7d8d62c0a7165469076",
"status": "affected",
"version": "4e8011ffec79717e5fdac43a7e79faf811a384b7",
"versionType": "git"
},
{
"lessThan": "be99c62ac7e7af514e4b13f83c891a3cccefaa48",
"status": "affected",
"version": "4e8011ffec79717e5fdac43a7e79faf811a384b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.159",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.12.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: init run lock for extend inode\n\nAfter setting the inode mode of $Extend to a regular file, executing the\ntruncate system call will enter the do_truncate() routine, causing the\nrun_lock uninitialized error reported by syzbot.\n\nPrior to patch 4e8011ffec79, if the inode mode of $Extend was not set to\na regular file, the do_truncate() routine would not be entered.\n\nAdd the run_lock initialization when loading $Extend.\n\nsyzbot reported:\nINFO: trying to register non-static key.\nCall Trace:\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984\n register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299\n __lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112\n lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868\n down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590\n ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860\n ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387\n ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:06.264Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/79c8a77b1782e2ace96d063be3c41ba540d1e20a"
},
{
"url": "https://git.kernel.org/stable/c/433d1f7c628c3cbdd7efce064d6c7acd072cf6c4"
},
{
"url": "https://git.kernel.org/stable/c/907bf69c6b6ce5d038eec7a599d67b45b62624bc"
},
{
"url": "https://git.kernel.org/stable/c/6e17555728bc469d484c59db4a0abc65c19bc315"
},
{
"url": "https://git.kernel.org/stable/c/19164d8228317f3f1fe2662a9ba587cfe3b2d29e"
},
{
"url": "https://git.kernel.org/stable/c/ab5e8ebeee1caa4fcf8be7d8d62c0a7165469076"
},
{
"url": "https://git.kernel.org/stable/c/be99c62ac7e7af514e4b13f83c891a3cccefaa48"
}
],
"title": "ntfs3: init run lock for extend inode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68369",
"datePublished": "2025-12-24T10:32:55.440Z",
"dateReserved": "2025-12-16T14:48:05.309Z",
"dateUpdated": "2026-02-09T08:32:06.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40341 (GCVE-0-2025-40341)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
futex: Don't leak robust_list pointer on exec race
Summary
In the Linux kernel, the following vulnerability has been resolved:
futex: Don't leak robust_list pointer on exec race
sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access()
to check if the calling task is allowed to access another task's
robust_list pointer. This check is racy against a concurrent exec() in the
target process.
During exec(), a task may transition from a non-privileged binary to a
privileged one (e.g., setuid binary) and its credentials/memory mappings
may change. If get_robust_list() performs ptrace_may_access() before
this transition, it may erroneously allow access to sensitive information
after the target becomes privileged.
A racy access allows an attacker to exploit a window during which
ptrace_may_access() passes before a target process transitions to a
privileged state via exec().
For example, consider a non-privileged task T that is about to execute a
setuid-root binary. An attacker task A calls get_robust_list(T) while T
is still unprivileged. Since ptrace_may_access() checks permissions
based on current credentials, it succeeds. However, if T begins exec
immediately afterwards, it becomes privileged and may change its memory
mappings. Because get_robust_list() proceeds to access T->robust_list
without synchronizing with exec() it may read user-space pointers from a
now-privileged process.
This violates the intended post-exec access restrictions and could
expose sensitive memory addresses or be used as a primitive in a larger
exploit chain. Consequently, the race can lead to unauthorized
disclosure of information across privilege boundaries and poses a
potential security risk.
Take a read lock on signal->exec_update_lock prior to invoking
ptrace_may_access() and accessing the robust_list/compat_robust_list.
This ensures that the target task's exec state remains stable during the
check, allowing for consistent and synchronized validation of
credentials.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0771dfefc9e538f077d0b43b6dec19a5a67d0e70 , < 6511984d1aa1360181bcafb1ca75df7f291ef237
(git)
Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70 , < 4aced32596ead1820b7dbd8e40d30b30dc1f3ad4 (git) Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70 , < 3b4222494489f6d4b8705a496dab03384b7ca998 (git) Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70 , < b524455a51feb6013df3a5dba3160487b2e8e22a (git) Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70 , < 6b54082c3ed4dc9821cdf0edb17302355cc5bb45 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/futex/syscalls.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6511984d1aa1360181bcafb1ca75df7f291ef237",
"status": "affected",
"version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
"versionType": "git"
},
{
"lessThan": "4aced32596ead1820b7dbd8e40d30b30dc1f3ad4",
"status": "affected",
"version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
"versionType": "git"
},
{
"lessThan": "3b4222494489f6d4b8705a496dab03384b7ca998",
"status": "affected",
"version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
"versionType": "git"
},
{
"lessThan": "b524455a51feb6013df3a5dba3160487b2e8e22a",
"status": "affected",
"version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
"versionType": "git"
},
{
"lessThan": "6b54082c3ed4dc9821cdf0edb17302355cc5bb45",
"status": "affected",
"version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/futex/syscalls.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Don\u0027t leak robust_list pointer on exec race\n\nsys_get_robust_list() and compat_get_robust_list() use ptrace_may_access()\nto check if the calling task is allowed to access another task\u0027s\nrobust_list pointer. This check is racy against a concurrent exec() in the\ntarget process.\n\nDuring exec(), a task may transition from a non-privileged binary to a\nprivileged one (e.g., setuid binary) and its credentials/memory mappings\nmay change. If get_robust_list() performs ptrace_may_access() before\nthis transition, it may erroneously allow access to sensitive information\nafter the target becomes privileged.\n\nA racy access allows an attacker to exploit a window during which\nptrace_may_access() passes before a target process transitions to a\nprivileged state via exec().\n\nFor example, consider a non-privileged task T that is about to execute a\nsetuid-root binary. An attacker task A calls get_robust_list(T) while T\nis still unprivileged. Since ptrace_may_access() checks permissions\nbased on current credentials, it succeeds. However, if T begins exec\nimmediately afterwards, it becomes privileged and may change its memory\nmappings. Because get_robust_list() proceeds to access T-\u003erobust_list\nwithout synchronizing with exec() it may read user-space pointers from a\nnow-privileged process.\n\nThis violates the intended post-exec access restrictions and could\nexpose sensitive memory addresses or be used as a primitive in a larger\nexploit chain. Consequently, the race can lead to unauthorized\ndisclosure of information across privilege boundaries and poses a\npotential security risk.\n\nTake a read lock on signal-\u003eexec_update_lock prior to invoking\nptrace_may_access() and accessing the robust_list/compat_robust_list.\nThis ensures that the target task\u0027s exec state remains stable during the\ncheck, allowing for consistent and synchronized validation of\ncredentials."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:41.800Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6511984d1aa1360181bcafb1ca75df7f291ef237"
},
{
"url": "https://git.kernel.org/stable/c/4aced32596ead1820b7dbd8e40d30b30dc1f3ad4"
},
{
"url": "https://git.kernel.org/stable/c/3b4222494489f6d4b8705a496dab03384b7ca998"
},
{
"url": "https://git.kernel.org/stable/c/b524455a51feb6013df3a5dba3160487b2e8e22a"
},
{
"url": "https://git.kernel.org/stable/c/6b54082c3ed4dc9821cdf0edb17302355cc5bb45"
}
],
"title": "futex: Don\u0027t leak robust_list pointer on exec race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40341",
"datePublished": "2025-12-09T04:09:58.392Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-01-02T15:33:41.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22980 (GCVE-0-2026-22980)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
nfsd: provide locking for v4_end_grace
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: provide locking for v4_end_grace
Writing to v4_end_grace can race with server shutdown and result in
memory being accessed after it was freed - reclaim_str_hashtbl in
particularly.
We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is
held while client_tracking_op->init() is called and that can wait for
an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a
deadlock.
nfsd4_end_grace() is also called by the landromat work queue and this
doesn't require locking as server shutdown will stop the work and wait
for it before freeing anything that nfsd4_end_grace() might access.
However, we must be sure that writing to v4_end_grace doesn't restart
the work item after shutdown has already waited for it. For this we
add a new flag protected with nn->client_lock. It is set only while it
is safe to make client tracking calls, and v4_end_grace only schedules
work while the flag is set with the spinlock held.
So this patch adds a nfsd_net field "client_tracking_active" which is
set as described. Another field "grace_end_forced", is set when
v4_end_grace is written. After this is set, and providing
client_tracking_active is set, the laundromat is scheduled.
This "grace_end_forced" field bypasses other checks for whether the
grace period has finished.
This resolves a race which can result in use-after-free.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < ca97360860eb02e3ae4ba42c19b439a0fcecbf06
(git)
Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < e8bfa2401d4c51eca6e48e9b33c798828ca9df61 (git) Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < 34eb22836e0cdba093baac66599d68c4cd245a9d (git) Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < 06600719d0f7a723811c45e4d51f5b742f345309 (git) Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < ba4811c8b433bfa681729ca42cc62b6034f223b0 (git) Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < 53f07d095e7e680c5e4569a55a019f2c0348cdc6 (git) Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < 2857bd59feb63fcf40fe4baf55401baea6b4feb4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/netns.h",
"fs/nfsd/nfs4state.c",
"fs/nfsd/nfsctl.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca97360860eb02e3ae4ba42c19b439a0fcecbf06",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "e8bfa2401d4c51eca6e48e9b33c798828ca9df61",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "34eb22836e0cdba093baac66599d68c4cd245a9d",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "06600719d0f7a723811c45e4d51f5b742f345309",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "ba4811c8b433bfa681729ca42cc62b6034f223b0",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "53f07d095e7e680c5e4569a55a019f2c0348cdc6",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "2857bd59feb63fcf40fe4baf55401baea6b4feb4",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/netns.h",
"fs/nfsd/nfs4state.c",
"fs/nfsd/nfsctl.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: provide locking for v4_end_grace\n\nWriting to v4_end_grace can race with server shutdown and result in\nmemory being accessed after it was freed - reclaim_str_hashtbl in\nparticularly.\n\nWe cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is\nheld while client_tracking_op-\u003einit() is called and that can wait for\nan upcall to nfsdcltrack which can write to v4_end_grace, resulting in a\ndeadlock.\n\nnfsd4_end_grace() is also called by the landromat work queue and this\ndoesn\u0027t require locking as server shutdown will stop the work and wait\nfor it before freeing anything that nfsd4_end_grace() might access.\n\nHowever, we must be sure that writing to v4_end_grace doesn\u0027t restart\nthe work item after shutdown has already waited for it. For this we\nadd a new flag protected with nn-\u003eclient_lock. It is set only while it\nis safe to make client tracking calls, and v4_end_grace only schedules\nwork while the flag is set with the spinlock held.\n\nSo this patch adds a nfsd_net field \"client_tracking_active\" which is\nset as described. Another field \"grace_end_forced\", is set when\nv4_end_grace is written. After this is set, and providing\nclient_tracking_active is set, the laundromat is scheduled.\nThis \"grace_end_forced\" field bypasses other checks for whether the\ngrace period has finished.\n\nThis resolves a race which can result in use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:30.307Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca97360860eb02e3ae4ba42c19b439a0fcecbf06"
},
{
"url": "https://git.kernel.org/stable/c/e8bfa2401d4c51eca6e48e9b33c798828ca9df61"
},
{
"url": "https://git.kernel.org/stable/c/34eb22836e0cdba093baac66599d68c4cd245a9d"
},
{
"url": "https://git.kernel.org/stable/c/06600719d0f7a723811c45e4d51f5b742f345309"
},
{
"url": "https://git.kernel.org/stable/c/ba4811c8b433bfa681729ca42cc62b6034f223b0"
},
{
"url": "https://git.kernel.org/stable/c/53f07d095e7e680c5e4569a55a019f2c0348cdc6"
},
{
"url": "https://git.kernel.org/stable/c/2857bd59feb63fcf40fe4baf55401baea6b4feb4"
}
],
"title": "nfsd: provide locking for v4_end_grace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22980",
"datePublished": "2026-01-23T15:24:02.924Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-02-09T08:36:30.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68285 (GCVE-0-2025-68285)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
libceph: fix potential use-after-free in have_mon_and_osd_map()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: fix potential use-after-free in have_mon_and_osd_map()
The wait loop in __ceph_open_session() can race with the client
receiving a new monmap or osdmap shortly after the initial map is
received. Both ceph_monc_handle_map() and handle_one_map() install
a new map immediately after freeing the old one
kfree(monc->monmap);
monc->monmap = monmap;
ceph_osdmap_destroy(osdc->osdmap);
osdc->osdmap = newmap;
under client->monc.mutex and client->osdc.lock respectively, but
because neither is taken in have_mon_and_osd_map() it's possible for
client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in
client->monc.monmap && client->monc.monmap->epoch &&
client->osdc.osdmap && client->osdc.osdmap->epoch;
condition to dereference an already freed map. This happens to be
reproducible with generic/395 and generic/397 with KASAN enabled:
BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70
Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305
CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266
...
Call Trace:
<TASK>
have_mon_and_osd_map+0x56/0x70
ceph_open_session+0x182/0x290
ceph_get_tree+0x333/0x680
vfs_get_tree+0x49/0x180
do_new_mount+0x1a3/0x2d0
path_mount+0x6dd/0x730
do_mount+0x99/0xe0
__do_sys_mount+0x141/0x180
do_syscall_64+0x9f/0x100
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
Allocated by task 13305:
ceph_osdmap_alloc+0x16/0x130
ceph_osdc_init+0x27a/0x4c0
ceph_create_client+0x153/0x190
create_fs_client+0x50/0x2a0
ceph_get_tree+0xff/0x680
vfs_get_tree+0x49/0x180
do_new_mount+0x1a3/0x2d0
path_mount+0x6dd/0x730
do_mount+0x99/0xe0
__do_sys_mount+0x141/0x180
do_syscall_64+0x9f/0x100
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 9475:
kfree+0x212/0x290
handle_one_map+0x23c/0x3b0
ceph_osdc_handle_map+0x3c9/0x590
mon_dispatch+0x655/0x6f0
ceph_con_process_message+0xc3/0xe0
ceph_con_v1_try_read+0x614/0x760
ceph_con_workfn+0x2de/0x650
process_one_work+0x486/0x7c0
process_scheduled_works+0x73/0x90
worker_thread+0x1c8/0x2a0
kthread+0x2ec/0x300
ret_from_fork+0x24/0x40
ret_from_fork_asm+0x1a/0x30
Rewrite the wait loop to check the above condition directly with
client->monc.mutex and client->osdc.lock taken as appropriate. While
at it, improve the timeout handling (previously mount_timeout could be
exceeded in case wait_event_interruptible_timeout() slept more than
once) and access client->auth_err under client->monc.mutex to match
how it's set in finish_auth().
monmap_show() and osdmap_show() now take the respective lock before
accessing the map as well.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < bb4910c5fd436701faf367e1b5476a5a6d2aff1c
(git)
Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 05ec43e9a9de67132dc8cd3b22afef001574947f (git) Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 7c8ccdc1714d9fabecd26e1be7db1771061acc6e (git) Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 183ad6e3b651e8fb0b66d6a2678f4b80bfbba092 (git) Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < e08021b3b56b2407f37b5fe47b654be80cc665fb (git) Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 3fc43120b22a3d4f1fbeff56a35ce2105b6a5683 (git) Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 076381c261374c587700b3accf410bdd2dba334e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/ceph_common.c",
"net/ceph/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb4910c5fd436701faf367e1b5476a5a6d2aff1c",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "05ec43e9a9de67132dc8cd3b22afef001574947f",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "7c8ccdc1714d9fabecd26e1be7db1771061acc6e",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "183ad6e3b651e8fb0b66d6a2678f4b80bfbba092",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "e08021b3b56b2407f37b5fe47b654be80cc665fb",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "3fc43120b22a3d4f1fbeff56a35ce2105b6a5683",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "076381c261374c587700b3accf410bdd2dba334e",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/ceph_common.c",
"net/ceph/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix potential use-after-free in have_mon_and_osd_map()\n\nThe wait loop in __ceph_open_session() can race with the client\nreceiving a new monmap or osdmap shortly after the initial map is\nreceived. Both ceph_monc_handle_map() and handle_one_map() install\na new map immediately after freeing the old one\n\n kfree(monc-\u003emonmap);\n monc-\u003emonmap = monmap;\n\n ceph_osdmap_destroy(osdc-\u003eosdmap);\n osdc-\u003eosdmap = newmap;\n\nunder client-\u003emonc.mutex and client-\u003eosdc.lock respectively, but\nbecause neither is taken in have_mon_and_osd_map() it\u0027s possible for\nclient-\u003emonc.monmap-\u003eepoch and client-\u003eosdc.osdmap-\u003eepoch arms in\n\n client-\u003emonc.monmap \u0026\u0026 client-\u003emonc.monmap-\u003eepoch \u0026\u0026\n client-\u003eosdc.osdmap \u0026\u0026 client-\u003eosdc.osdmap-\u003eepoch;\n\ncondition to dereference an already freed map. This happens to be\nreproducible with generic/395 and generic/397 with KASAN enabled:\n\n BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70\n Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305\n CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266\n ...\n Call Trace:\n \u003cTASK\u003e\n have_mon_and_osd_map+0x56/0x70\n ceph_open_session+0x182/0x290\n ceph_get_tree+0x333/0x680\n vfs_get_tree+0x49/0x180\n do_new_mount+0x1a3/0x2d0\n path_mount+0x6dd/0x730\n do_mount+0x99/0xe0\n __do_sys_mount+0x141/0x180\n do_syscall_64+0x9f/0x100\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\n Allocated by task 13305:\n ceph_osdmap_alloc+0x16/0x130\n ceph_osdc_init+0x27a/0x4c0\n ceph_create_client+0x153/0x190\n create_fs_client+0x50/0x2a0\n ceph_get_tree+0xff/0x680\n vfs_get_tree+0x49/0x180\n do_new_mount+0x1a3/0x2d0\n path_mount+0x6dd/0x730\n do_mount+0x99/0xe0\n __do_sys_mount+0x141/0x180\n do_syscall_64+0x9f/0x100\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n Freed by task 9475:\n kfree+0x212/0x290\n handle_one_map+0x23c/0x3b0\n ceph_osdc_handle_map+0x3c9/0x590\n mon_dispatch+0x655/0x6f0\n ceph_con_process_message+0xc3/0xe0\n ceph_con_v1_try_read+0x614/0x760\n ceph_con_workfn+0x2de/0x650\n process_one_work+0x486/0x7c0\n process_scheduled_works+0x73/0x90\n worker_thread+0x1c8/0x2a0\n kthread+0x2ec/0x300\n ret_from_fork+0x24/0x40\n ret_from_fork_asm+0x1a/0x30\n\nRewrite the wait loop to check the above condition directly with\nclient-\u003emonc.mutex and client-\u003eosdc.lock taken as appropriate. While\nat it, improve the timeout handling (previously mount_timeout could be\nexceeded in case wait_event_interruptible_timeout() slept more than\nonce) and access client-\u003eauth_err under client-\u003emonc.mutex to match\nhow it\u0027s set in finish_auth().\n\nmonmap_show() and osdmap_show() now take the respective lock before\naccessing the map as well."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:50.454Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb4910c5fd436701faf367e1b5476a5a6d2aff1c"
},
{
"url": "https://git.kernel.org/stable/c/05ec43e9a9de67132dc8cd3b22afef001574947f"
},
{
"url": "https://git.kernel.org/stable/c/7c8ccdc1714d9fabecd26e1be7db1771061acc6e"
},
{
"url": "https://git.kernel.org/stable/c/183ad6e3b651e8fb0b66d6a2678f4b80bfbba092"
},
{
"url": "https://git.kernel.org/stable/c/e08021b3b56b2407f37b5fe47b654be80cc665fb"
},
{
"url": "https://git.kernel.org/stable/c/3fc43120b22a3d4f1fbeff56a35ce2105b6a5683"
},
{
"url": "https://git.kernel.org/stable/c/076381c261374c587700b3accf410bdd2dba334e"
}
],
"title": "libceph: fix potential use-after-free in have_mon_and_osd_map()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68285",
"datePublished": "2025-12-16T15:06:07.078Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2026-01-02T15:34:50.454Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39950 (GCVE-0-2025-39950)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:31 – Updated: 2025-10-04 07:31
VLAI?
EPSS
Title
net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR
A NULL pointer dereference can occur in tcp_ao_finish_connect() during a
connect() system call on a socket with a TCP-AO key added and TCP_REPAIR
enabled.
The function is called with skb being NULL and attempts to dereference it
on tcp_hdr(skb)->seq without a prior skb validation.
Fix this by checking if skb is NULL before dereferencing it.
The commentary is taken from bpf_skops_established(), which is also called
in the same flow. Unlike the function being patched,
bpf_skops_established() validates the skb before dereferencing it.
int main(void){
struct sockaddr_in sockaddr;
struct tcp_ao_add tcp_ao;
int sk;
int one = 1;
memset(&sockaddr,'\0',sizeof(sockaddr));
memset(&tcp_ao,'\0',sizeof(tcp_ao));
sk = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
sockaddr.sin_family = AF_INET;
memcpy(tcp_ao.alg_name,"cmac(aes128)",12);
memcpy(tcp_ao.key,"ABCDEFGHABCDEFGH",16);
tcp_ao.keylen = 16;
memcpy(&tcp_ao.addr,&sockaddr,sizeof(sockaddr));
setsockopt(sk, IPPROTO_TCP, TCP_AO_ADD_KEY, &tcp_ao,
sizeof(tcp_ao));
setsockopt(sk, IPPROTO_TCP, TCP_REPAIR, &one, sizeof(one));
sockaddr.sin_family = AF_INET;
sockaddr.sin_port = htobe16(123);
inet_aton("127.0.0.1", &sockaddr.sin_addr);
connect(sk,(struct sockaddr *)&sockaddr,sizeof(sockaddr));
return 0;
}
$ gcc tcp-ao-nullptr.c -o tcp-ao-nullptr -Wall
$ unshare -Urn
BUG: kernel NULL pointer dereference, address: 00000000000000b6
PGD 1f648d067 P4D 1f648d067 PUD 1982e8067 PMD 0
Oops: Oops: 0000 [#1] SMP NOPTI
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop
Reference Platform, BIOS 6.00 11/12/2020
RIP: 0010:tcp_ao_finish_connect (net/ipv4/tcp_ao.c:1182)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7c2ffaf21bd67f73d21560995ce17eaf5fc1d37f , < 5f445eb259906b61a518487a790e11d07d31738c
(git)
Affected: 7c2ffaf21bd67f73d21560995ce17eaf5fc1d37f , < 993b734d31ab804747ac961b1ee664b023c3b5fa (git) Affected: 7c2ffaf21bd67f73d21560995ce17eaf5fc1d37f , < 2e7bba08923ebc675b1f0e0e0959e68e53047838 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_ao.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f445eb259906b61a518487a790e11d07d31738c",
"status": "affected",
"version": "7c2ffaf21bd67f73d21560995ce17eaf5fc1d37f",
"versionType": "git"
},
{
"lessThan": "993b734d31ab804747ac961b1ee664b023c3b5fa",
"status": "affected",
"version": "7c2ffaf21bd67f73d21560995ce17eaf5fc1d37f",
"versionType": "git"
},
{
"lessThan": "2e7bba08923ebc675b1f0e0e0959e68e53047838",
"status": "affected",
"version": "7c2ffaf21bd67f73d21560995ce17eaf5fc1d37f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_ao.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR\n\nA NULL pointer dereference can occur in tcp_ao_finish_connect() during a\nconnect() system call on a socket with a TCP-AO key added and TCP_REPAIR\nenabled.\n\nThe function is called with skb being NULL and attempts to dereference it\non tcp_hdr(skb)-\u003eseq without a prior skb validation.\n\nFix this by checking if skb is NULL before dereferencing it.\n\nThe commentary is taken from bpf_skops_established(), which is also called\nin the same flow. Unlike the function being patched,\nbpf_skops_established() validates the skb before dereferencing it.\n\nint main(void){\n\tstruct sockaddr_in sockaddr;\n\tstruct tcp_ao_add tcp_ao;\n\tint sk;\n\tint one = 1;\n\n\tmemset(\u0026sockaddr,\u0027\\0\u0027,sizeof(sockaddr));\n\tmemset(\u0026tcp_ao,\u0027\\0\u0027,sizeof(tcp_ao));\n\n\tsk = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\n\n\tsockaddr.sin_family = AF_INET;\n\n\tmemcpy(tcp_ao.alg_name,\"cmac(aes128)\",12);\n\tmemcpy(tcp_ao.key,\"ABCDEFGHABCDEFGH\",16);\n\ttcp_ao.keylen = 16;\n\n\tmemcpy(\u0026tcp_ao.addr,\u0026sockaddr,sizeof(sockaddr));\n\n\tsetsockopt(sk, IPPROTO_TCP, TCP_AO_ADD_KEY, \u0026tcp_ao,\n\tsizeof(tcp_ao));\n\tsetsockopt(sk, IPPROTO_TCP, TCP_REPAIR, \u0026one, sizeof(one));\n\n\tsockaddr.sin_family = AF_INET;\n\tsockaddr.sin_port = htobe16(123);\n\n\tinet_aton(\"127.0.0.1\", \u0026sockaddr.sin_addr);\n\n\tconnect(sk,(struct sockaddr *)\u0026sockaddr,sizeof(sockaddr));\n\nreturn 0;\n}\n\n$ gcc tcp-ao-nullptr.c -o tcp-ao-nullptr -Wall\n$ unshare -Urn\n\nBUG: kernel NULL pointer dereference, address: 00000000000000b6\nPGD 1f648d067 P4D 1f648d067 PUD 1982e8067 PMD 0\nOops: Oops: 0000 [#1] SMP NOPTI\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop\nReference Platform, BIOS 6.00 11/12/2020\nRIP: 0010:tcp_ao_finish_connect (net/ipv4/tcp_ao.c:1182)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:31:10.926Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f445eb259906b61a518487a790e11d07d31738c"
},
{
"url": "https://git.kernel.org/stable/c/993b734d31ab804747ac961b1ee664b023c3b5fa"
},
{
"url": "https://git.kernel.org/stable/c/2e7bba08923ebc675b1f0e0e0959e68e53047838"
}
],
"title": "net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39950",
"datePublished": "2025-10-04T07:31:10.926Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:31:10.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39931 (GCVE-0-2025-39931)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:30 – Updated: 2025-10-04 07:30
VLAI?
EPSS
Title
crypto: af_alg - Set merge to zero early in af_alg_sendmsg
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: af_alg - Set merge to zero early in af_alg_sendmsg
If an error causes af_alg_sendmsg to abort, ctx->merge may contain
a garbage value from the previous loop. This may then trigger a
crash on the next entry into af_alg_sendmsg when it attempts to do
a merge that can't be done.
Fix this by setting ctx->merge to zero near the start of the loop.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8ff590903d5fc7f5a0a988c38267a3d08e6393a2 , < 6241b9e2809b12da9130894cf5beddf088dc1b8a
(git)
Affected: 8ff590903d5fc7f5a0a988c38267a3d08e6393a2 , < 2374c11189ef704a3e4863646369f1b8e6a27d71 (git) Affected: 8ff590903d5fc7f5a0a988c38267a3d08e6393a2 , < 24c1106504c625fabd3b7229611af617b4c27ac7 (git) Affected: 8ff590903d5fc7f5a0a988c38267a3d08e6393a2 , < 045ee26aa3920a47ec46d7fcb302420bf01fd753 (git) Affected: 8ff590903d5fc7f5a0a988c38267a3d08e6393a2 , < 9574b2330dbd2b5459b74d3b5e9619d39299fc6f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6241b9e2809b12da9130894cf5beddf088dc1b8a",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "2374c11189ef704a3e4863646369f1b8e6a27d71",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "24c1106504c625fabd3b7229611af617b4c27ac7",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "045ee26aa3920a47ec46d7fcb302420bf01fd753",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "9574b2330dbd2b5459b74d3b5e9619d39299fc6f",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - Set merge to zero early in af_alg_sendmsg\n\nIf an error causes af_alg_sendmsg to abort, ctx-\u003emerge may contain\na garbage value from the previous loop. This may then trigger a\ncrash on the next entry into af_alg_sendmsg when it attempts to do\na merge that can\u0027t be done.\n\nFix this by setting ctx-\u003emerge to zero near the start of the loop."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:30:55.964Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6241b9e2809b12da9130894cf5beddf088dc1b8a"
},
{
"url": "https://git.kernel.org/stable/c/2374c11189ef704a3e4863646369f1b8e6a27d71"
},
{
"url": "https://git.kernel.org/stable/c/24c1106504c625fabd3b7229611af617b4c27ac7"
},
{
"url": "https://git.kernel.org/stable/c/045ee26aa3920a47ec46d7fcb302420bf01fd753"
},
{
"url": "https://git.kernel.org/stable/c/9574b2330dbd2b5459b74d3b5e9619d39299fc6f"
}
],
"title": "crypto: af_alg - Set merge to zero early in af_alg_sendmsg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39931",
"datePublished": "2025-10-04T07:30:55.964Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-04T07:30:55.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68171 (GCVE-0-2025-68171)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2025-12-16 13:42
VLAI?
EPSS
Title
x86/fpu: Ensure XFD state on signal delivery
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/fpu: Ensure XFD state on signal delivery
Sean reported [1] the following splat when running KVM tests:
WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70
Call Trace:
<TASK>
fpu__clear_user_states+0x9c/0x100
arch_do_signal_or_restart+0x142/0x210
exit_to_user_mode_loop+0x55/0x100
do_syscall_64+0x205/0x2c0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Chao further identified [2] a reproducible scenario involving signal
delivery: a non-AMX task is preempted by an AMX-enabled task which
modifies the XFD MSR.
When the non-AMX task resumes and reloads XSTATE with init values,
a warning is triggered due to a mismatch between fpstate::xfd and the
CPU's current XFD state. fpu__clear_user_states() does not currently
re-synchronize the XFD state after such preemption.
Invoke xfd_update_state() which detects and corrects the mismatch if
there is a dynamic feature.
This also benefits the sigreturn path, as fpu__restore_sig() may call
fpu__clear_user_states() when the sigframe is inaccessible.
[ dhansen: minor changelog munging ]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
672365477ae8afca5a1cca98c1deb733235e4525 , < eefbfb722042fc9210d2e0ac2b063fd1abf51895
(git)
Affected: 672365477ae8afca5a1cca98c1deb733235e4525 , < 1811c610653c0cd21cc9add14595b7cffaeca511 (git) Affected: 672365477ae8afca5a1cca98c1deb733235e4525 , < 5b2619b488f1d08b960c43c6468dd0759e8b3035 (git) Affected: 672365477ae8afca5a1cca98c1deb733235e4525 , < 3f735419c4b43cde42e6d408db39137b82474e31 (git) Affected: 672365477ae8afca5a1cca98c1deb733235e4525 , < 388eff894d6bc5f921e9bfff0e4b0ab2684a96e9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/fpu/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eefbfb722042fc9210d2e0ac2b063fd1abf51895",
"status": "affected",
"version": "672365477ae8afca5a1cca98c1deb733235e4525",
"versionType": "git"
},
{
"lessThan": "1811c610653c0cd21cc9add14595b7cffaeca511",
"status": "affected",
"version": "672365477ae8afca5a1cca98c1deb733235e4525",
"versionType": "git"
},
{
"lessThan": "5b2619b488f1d08b960c43c6468dd0759e8b3035",
"status": "affected",
"version": "672365477ae8afca5a1cca98c1deb733235e4525",
"versionType": "git"
},
{
"lessThan": "3f735419c4b43cde42e6d408db39137b82474e31",
"status": "affected",
"version": "672365477ae8afca5a1cca98c1deb733235e4525",
"versionType": "git"
},
{
"lessThan": "388eff894d6bc5f921e9bfff0e4b0ab2684a96e9",
"status": "affected",
"version": "672365477ae8afca5a1cca98c1deb733235e4525",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/fpu/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Ensure XFD state on signal delivery\n\nSean reported [1] the following splat when running KVM tests:\n\n WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70\n Call Trace:\n \u003cTASK\u003e\n fpu__clear_user_states+0x9c/0x100\n arch_do_signal_or_restart+0x142/0x210\n exit_to_user_mode_loop+0x55/0x100\n do_syscall_64+0x205/0x2c0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nChao further identified [2] a reproducible scenario involving signal\ndelivery: a non-AMX task is preempted by an AMX-enabled task which\nmodifies the XFD MSR.\n\nWhen the non-AMX task resumes and reloads XSTATE with init values,\na warning is triggered due to a mismatch between fpstate::xfd and the\nCPU\u0027s current XFD state. fpu__clear_user_states() does not currently\nre-synchronize the XFD state after such preemption.\n\nInvoke xfd_update_state() which detects and corrects the mismatch if\nthere is a dynamic feature.\n\nThis also benefits the sigreturn path, as fpu__restore_sig() may call\nfpu__clear_user_states() when the sigframe is inaccessible.\n\n[ dhansen: minor changelog munging ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:42:51.121Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eefbfb722042fc9210d2e0ac2b063fd1abf51895"
},
{
"url": "https://git.kernel.org/stable/c/1811c610653c0cd21cc9add14595b7cffaeca511"
},
{
"url": "https://git.kernel.org/stable/c/5b2619b488f1d08b960c43c6468dd0759e8b3035"
},
{
"url": "https://git.kernel.org/stable/c/3f735419c4b43cde42e6d408db39137b82474e31"
},
{
"url": "https://git.kernel.org/stable/c/388eff894d6bc5f921e9bfff0e4b0ab2684a96e9"
}
],
"title": "x86/fpu: Ensure XFD state on signal delivery",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68171",
"datePublished": "2025-12-16T13:42:51.121Z",
"dateReserved": "2025-12-16T13:41:40.251Z",
"dateUpdated": "2025-12-16T13:42:51.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39897 (GCVE-0-2025-39897)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:42 – Updated: 2026-01-14 19:33
VLAI?
EPSS
Title
net: xilinx: axienet: Add error handling for RX metadata pointer retrieval
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: xilinx: axienet: Add error handling for RX metadata pointer retrieval
Add proper error checking for dmaengine_desc_get_metadata_ptr() which
can return an error pointer and lead to potential crashes or undefined
behaviour if the pointer retrieval fails.
Properly handle the error by unmapping DMA buffer, freeing the skb and
returning early to prevent further processing with invalid data.
Severity ?
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6a91b846af85a24241decd686269e8e038eb13d1 , < d0ecda6fdd840b406df6617b003b036f65dd8926
(git)
Affected: 6a91b846af85a24241decd686269e8e038eb13d1 , < 92e2fc92bc4eb2bc0e84404316fbc02ddd0a3196 (git) Affected: 6a91b846af85a24241decd686269e8e038eb13d1 , < 8bbceba7dc5090c00105e006ce28d1292cfda8dd (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39897",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:28:46.346333Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:33:13.992Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/xilinx/xilinx_axienet_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0ecda6fdd840b406df6617b003b036f65dd8926",
"status": "affected",
"version": "6a91b846af85a24241decd686269e8e038eb13d1",
"versionType": "git"
},
{
"lessThan": "92e2fc92bc4eb2bc0e84404316fbc02ddd0a3196",
"status": "affected",
"version": "6a91b846af85a24241decd686269e8e038eb13d1",
"versionType": "git"
},
{
"lessThan": "8bbceba7dc5090c00105e006ce28d1292cfda8dd",
"status": "affected",
"version": "6a91b846af85a24241decd686269e8e038eb13d1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/xilinx/xilinx_axienet_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: xilinx: axienet: Add error handling for RX metadata pointer retrieval\n\nAdd proper error checking for dmaengine_desc_get_metadata_ptr() which\ncan return an error pointer and lead to potential crashes or undefined\nbehaviour if the pointer retrieval fails.\n\nProperly handle the error by unmapping DMA buffer, freeing the skb and\nreturning early to prevent further processing with invalid data."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:45.593Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0ecda6fdd840b406df6617b003b036f65dd8926"
},
{
"url": "https://git.kernel.org/stable/c/92e2fc92bc4eb2bc0e84404316fbc02ddd0a3196"
},
{
"url": "https://git.kernel.org/stable/c/8bbceba7dc5090c00105e006ce28d1292cfda8dd"
}
],
"title": "net: xilinx: axienet: Add error handling for RX metadata pointer retrieval",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39897",
"datePublished": "2025-10-01T07:42:45.593Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2026-01-14T19:33:13.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39850 (GCVE-0-2025-39850)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2026-01-14 19:23
VLAI?
EPSS
Title
vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
Summary
In the Linux kernel, the following vulnerability has been resolved:
vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
When the "proxy" option is enabled on a VXLAN device, the device will
suppress ARP requests and IPv6 Neighbor Solicitation messages if it is
able to reply on behalf of the remote host. That is, if a matching and
valid neighbor entry is configured on the VXLAN device whose MAC address
is not behind the "any" remote (0.0.0.0 / ::).
The code currently assumes that the FDB entry for the neighbor's MAC
address points to a valid remote destination, but this is incorrect if
the entry is associated with an FDB nexthop group. This can result in a
NPD [1][3] which can be reproduced using [2][4].
Fix by checking that the remote destination exists before dereferencing
it.
[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
CPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
RIP: 0010:vxlan_xmit+0xb58/0x15f0
[...]
Call Trace:
<TASK>
dev_hard_start_xmit+0x5d/0x1c0
__dev_queue_xmit+0x246/0xfd0
packet_sendmsg+0x113a/0x1850
__sock_sendmsg+0x38/0x70
__sys_sendto+0x126/0x180
__x64_sys_sendto+0x24/0x30
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[2]
#!/bin/bash
ip address add 192.0.2.1/32 dev lo
ip nexthop add id 1 via 192.0.2.2 fdb
ip nexthop add id 10 group 1 fdb
ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy
ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0
bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10
arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3
[3]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
CPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1v996), BIOS 1.17.0-4.fc41 04/01/2x014
RIP: 0010:vxlan_xmit+0x803/0x1600
[...]
Call Trace:
<TASK>
dev_hard_start_xmit+0x5d/0x1c0
__dev_queue_xmit+0x246/0xfd0
ip6_finish_output2+0x210/0x6c0
ip6_finish_output+0x1af/0x2b0
ip6_mr_output+0x92/0x3e0
ip6_send_skb+0x30/0x90
rawv6_sendmsg+0xe6e/0x12e0
__sock_sendmsg+0x38/0x70
__sys_sendto+0x126/0x180
__x64_sys_sendto+0x24/0x30
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f383422ec77
[4]
#!/bin/bash
ip address add 2001:db8:1::1/128 dev lo
ip nexthop add id 1 via 2001:db8:1::1 fdb
ip nexthop add id 10 group 1 fdb
ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy
ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0
bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10
ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0
Severity ?
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1274e1cc42264d4e629841e4f182795cb0becfd2 , < e211e3f4199ac829bd493632efcd131d337cba9d
(git)
Affected: 1274e1cc42264d4e629841e4f182795cb0becfd2 , < 8cfa0f076842f9b3b4eb52ae0e41d16e25cbf8fa (git) Affected: 1274e1cc42264d4e629841e4f182795cb0becfd2 , < 1f5d2fd1ca04a23c18b1bde9a43ce2fa2ffa1bce (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39850",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:20:51.126279Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:23:12.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e211e3f4199ac829bd493632efcd131d337cba9d",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "8cfa0f076842f9b3b4eb52ae0e41d16e25cbf8fa",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "1f5d2fd1ca04a23c18b1bde9a43ce2fa2ffa1bce",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects\n\nWhen the \"proxy\" option is enabled on a VXLAN device, the device will\nsuppress ARP requests and IPv6 Neighbor Solicitation messages if it is\nable to reply on behalf of the remote host. That is, if a matching and\nvalid neighbor entry is configured on the VXLAN device whose MAC address\nis not behind the \"any\" remote (0.0.0.0 / ::).\n\nThe code currently assumes that the FDB entry for the neighbor\u0027s MAC\naddress points to a valid remote destination, but this is incorrect if\nthe entry is associated with an FDB nexthop group. This can result in a\nNPD [1][3] which can be reproduced using [2][4].\n\nFix by checking that the remote destination exists before dereferencing\nit.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nCPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014\nRIP: 0010:vxlan_xmit+0xb58/0x15f0\n[...]\nCall Trace:\n \u003cTASK\u003e\n dev_hard_start_xmit+0x5d/0x1c0\n __dev_queue_xmit+0x246/0xfd0\n packet_sendmsg+0x113a/0x1850\n __sock_sendmsg+0x38/0x70\n __sys_sendto+0x126/0x180\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[2]\n #!/bin/bash\n\n ip address add 192.0.2.1/32 dev lo\n\n ip nexthop add id 1 via 192.0.2.2 fdb\n ip nexthop add id 10 group 1 fdb\n\n ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy\n\n ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0\n\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10\n\n arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3\n\n[3]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nCPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1v996), BIOS 1.17.0-4.fc41 04/01/2x014\nRIP: 0010:vxlan_xmit+0x803/0x1600\n[...]\nCall Trace:\n \u003cTASK\u003e\n dev_hard_start_xmit+0x5d/0x1c0\n __dev_queue_xmit+0x246/0xfd0\n ip6_finish_output2+0x210/0x6c0\n ip6_finish_output+0x1af/0x2b0\n ip6_mr_output+0x92/0x3e0\n ip6_send_skb+0x30/0x90\n rawv6_sendmsg+0xe6e/0x12e0\n __sock_sendmsg+0x38/0x70\n __sys_sendto+0x126/0x180\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7f383422ec77\n\n[4]\n #!/bin/bash\n\n ip address add 2001:db8:1::1/128 dev lo\n\n ip nexthop add id 1 via 2001:db8:1::1 fdb\n ip nexthop add id 10 group 1 fdb\n\n ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy\n\n ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0\n\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10\n\n ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:01.501Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e211e3f4199ac829bd493632efcd131d337cba9d"
},
{
"url": "https://git.kernel.org/stable/c/8cfa0f076842f9b3b4eb52ae0e41d16e25cbf8fa"
},
{
"url": "https://git.kernel.org/stable/c/1f5d2fd1ca04a23c18b1bde9a43ce2fa2ffa1bce"
}
],
"title": "vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39850",
"datePublished": "2025-09-19T15:26:22.803Z",
"dateReserved": "2025-04-16T07:20:57.142Z",
"dateUpdated": "2026-01-14T19:23:12.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-46830 (GCVE-0-2024-46830)
Vulnerability from cvelistv5 – Published: 2024-09-27 12:39 – Updated: 2026-01-19 12:17
VLAI?
EPSS
Title
KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS
Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly
leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX
reads guest memory.
Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN
via sync_regs(), which already holds SRCU. I.e. trying to precisely use
kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause
problems. Acquiring SRCU isn't all that expensive, so for simplicity,
grab it unconditionally for KVM_SET_VCPU_EVENTS.
=============================
WARNING: suspicious RCU usage
6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted
-----------------------------
include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by repro/1071:
#0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm]
stack backtrace:
CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
<TASK>
dump_stack_lvl+0x7f/0x90
lockdep_rcu_suspicious+0x13f/0x1a0
kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm]
kvm_vcpu_read_guest+0x3e/0x90 [kvm]
nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel]
load_vmcs12_host_state+0x432/0xb40 [kvm_intel]
vmx_leave_nested+0x30/0x40 [kvm_intel]
kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm]
kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm]
? mark_held_locks+0x49/0x70
? kvm_vcpu_ioctl+0x7d/0x970 [kvm]
? kvm_vcpu_ioctl+0x497/0x970 [kvm]
kvm_vcpu_ioctl+0x497/0x970 [kvm]
? lock_acquire+0xba/0x2d0
? find_held_lock+0x2b/0x80
? do_user_addr_fault+0x40c/0x6f0
? lock_release+0xb7/0x270
__x64_sys_ioctl+0x82/0xb0
do_syscall_64+0x6c/0x170
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7ff11eb1b539
</TASK>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e302786233e6bc512986d007c96458ccf5ca21c7 , < 5f35099fa3d59caf10bda88b033538e90086684e
(git)
Affected: f7e570780efc5cec9b2ed1e0472a7da14e864fdb , < fa297c33faefe51e10244e8a378837fca4963228 (git) Affected: f7e570780efc5cec9b2ed1e0472a7da14e864fdb , < 939375737b5a0b1bf9b1e75129054e11bc9ca65e (git) Affected: f7e570780efc5cec9b2ed1e0472a7da14e864fdb , < ecdbe8ac86fb5538ccc623a41f88ec96c7168ab9 (git) Affected: f7e570780efc5cec9b2ed1e0472a7da14e864fdb , < 4bcdd831d9d01e0fb64faea50732b59b2ee88da1 (git) Affected: 080dbe7e9b86a0392d8dffc00d9971792afc121f (git) Affected: b4c0d89c92e957ecccce12e66b63875d0cc7af7e (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46830",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-29T14:12:09.375859Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-29T14:12:18.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:19:21.236Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f35099fa3d59caf10bda88b033538e90086684e",
"status": "affected",
"version": "e302786233e6bc512986d007c96458ccf5ca21c7",
"versionType": "git"
},
{
"lessThan": "fa297c33faefe51e10244e8a378837fca4963228",
"status": "affected",
"version": "f7e570780efc5cec9b2ed1e0472a7da14e864fdb",
"versionType": "git"
},
{
"lessThan": "939375737b5a0b1bf9b1e75129054e11bc9ca65e",
"status": "affected",
"version": "f7e570780efc5cec9b2ed1e0472a7da14e864fdb",
"versionType": "git"
},
{
"lessThan": "ecdbe8ac86fb5538ccc623a41f88ec96c7168ab9",
"status": "affected",
"version": "f7e570780efc5cec9b2ed1e0472a7da14e864fdb",
"versionType": "git"
},
{
"lessThan": "4bcdd831d9d01e0fb64faea50732b59b2ee88da1",
"status": "affected",
"version": "f7e570780efc5cec9b2ed1e0472a7da14e864fdb",
"versionType": "git"
},
{
"status": "affected",
"version": "080dbe7e9b86a0392d8dffc00d9971792afc121f",
"versionType": "git"
},
{
"status": "affected",
"version": "b4c0d89c92e957ecccce12e66b63875d0cc7af7e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.110",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.51",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.10",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Acquire kvm-\u003esrcu when handling KVM_SET_VCPU_EVENTS\n\nGrab kvm-\u003esrcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly\nleave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX\nreads guest memory.\n\nNote, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN\nvia sync_regs(), which already holds SRCU. I.e. trying to precisely use\nkvm_vcpu_srcu_read_lock() around the problematic SMM code would cause\nproblems. Acquiring SRCU isn\u0027t all that expensive, so for simplicity,\ngrab it unconditionally for KVM_SET_VCPU_EVENTS.\n\n =============================\n WARNING: suspicious RCU usage\n 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted\n -----------------------------\n include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage!\n\n other info that might help us debug this:\n\n rcu_scheduler_active = 2, debug_locks = 1\n 1 lock held by repro/1071:\n #0: ffff88811e424430 (\u0026vcpu-\u003emutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm]\n\n stack backtrace:\n CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x7f/0x90\n lockdep_rcu_suspicious+0x13f/0x1a0\n kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm]\n kvm_vcpu_read_guest+0x3e/0x90 [kvm]\n nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel]\n load_vmcs12_host_state+0x432/0xb40 [kvm_intel]\n vmx_leave_nested+0x30/0x40 [kvm_intel]\n kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm]\n kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm]\n ? mark_held_locks+0x49/0x70\n ? kvm_vcpu_ioctl+0x7d/0x970 [kvm]\n ? kvm_vcpu_ioctl+0x497/0x970 [kvm]\n kvm_vcpu_ioctl+0x497/0x970 [kvm]\n ? lock_acquire+0xba/0x2d0\n ? find_held_lock+0x2b/0x80\n ? do_user_addr_fault+0x40c/0x6f0\n ? lock_release+0xb7/0x270\n __x64_sys_ioctl+0x82/0xb0\n do_syscall_64+0x6c/0x170\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7ff11eb1b539\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:50.664Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f35099fa3d59caf10bda88b033538e90086684e"
},
{
"url": "https://git.kernel.org/stable/c/fa297c33faefe51e10244e8a378837fca4963228"
},
{
"url": "https://git.kernel.org/stable/c/939375737b5a0b1bf9b1e75129054e11bc9ca65e"
},
{
"url": "https://git.kernel.org/stable/c/ecdbe8ac86fb5538ccc623a41f88ec96c7168ab9"
},
{
"url": "https://git.kernel.org/stable/c/4bcdd831d9d01e0fb64faea50732b59b2ee88da1"
}
],
"title": "KVM: x86: Acquire kvm-\u003esrcu when handling KVM_SET_VCPU_EVENTS",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-46830",
"datePublished": "2024-09-27T12:39:28.396Z",
"dateReserved": "2024-09-11T15:12:18.286Z",
"dateUpdated": "2026-01-19T12:17:50.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68795 (GCVE-0-2025-68795)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
ethtool: Avoid overflowing userspace buffer on stats query
Summary
In the Linux kernel, the following vulnerability has been resolved:
ethtool: Avoid overflowing userspace buffer on stats query
The ethtool -S command operates across three ioctl calls:
ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and
ETHTOOL_GSTATS for the values.
If the number of stats changes between these calls (e.g., due to device
reconfiguration), userspace's buffer allocation will be incorrect,
potentially leading to buffer overflow.
Drivers are generally expected to maintain stable stat counts, but some
drivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making
this scenario possible.
Some drivers try to handle this internally:
- bnad_get_ethtool_stats() returns early in case stats.n_stats is not
equal to the driver's stats count.
- micrel/ksz884x also makes sure not to write anything beyond
stats.n_stats and overflow the buffer.
However, both use stats.n_stats which is already assigned with the value
returned from get_sset_count(), hence won't solve the issue described
here.
Change ethtool_get_strings(), ethtool_get_stats(),
ethtool_get_phy_stats() to not return anything in case of a mismatch
between userspace's size and get_sset_size(), to prevent buffer
overflow.
The returned n_stats value will be equal to zero, to reflect that
nothing has been returned.
This could result in one of two cases when using upstream ethtool,
depending on when the size change is detected:
1. When detected in ethtool_get_strings():
# ethtool -S eth2
no stats available
2. When detected in get stats, all stats will be reported as zero.
Both cases are presumably transient, and a subsequent ethtool call
should succeed.
Other than the overflow avoidance, these two cases are very evident (no
output/cleared stats), which is arguably better than presenting
incorrect/shifted stats.
I also considered returning an error instead of a "silent" response, but
that seems more destructive towards userspace apps.
Notes:
- This patch does not claim to fix the inherent race, it only makes sure
that we do not overflow the userspace buffer, and makes for a more
predictable behavior.
- RTNL lock is held during each ioctl, the race window exists between
the separate ioctl calls when the lock is released.
- Userspace ethtool always fills stats.n_stats, but it is likely that
these stats ioctls are implemented in other userspace applications
which might not fill it. The added code checks that it's not zero,
to prevent any regressions.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3df375a1e75483b7d973c3cc2e46aa374db8428b
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f9dc0f45d2cd0189ce666288a29d2cc32c2e44d5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4afcb985355210e1688560dc47e64b94dad35d71 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ca9983bc3a1189bd72f9ae449d925a66b2616326 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7bea09f60f2ad5d232e2db8f1c14e850fd3fd416 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4066b5b546293f44cd6d0e84ece6e3ee7ff27093 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7b07be1ff1cb6c49869910518650e8d0abc7d25f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ethtool/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3df375a1e75483b7d973c3cc2e46aa374db8428b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f9dc0f45d2cd0189ce666288a29d2cc32c2e44d5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4afcb985355210e1688560dc47e64b94dad35d71",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ca9983bc3a1189bd72f9ae449d925a66b2616326",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7bea09f60f2ad5d232e2db8f1c14e850fd3fd416",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4066b5b546293f44cd6d0e84ece6e3ee7ff27093",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7b07be1ff1cb6c49869910518650e8d0abc7d25f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ethtool/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: Avoid overflowing userspace buffer on stats query\n\nThe ethtool -S command operates across three ioctl calls:\nETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and\nETHTOOL_GSTATS for the values.\n\nIf the number of stats changes between these calls (e.g., due to device\nreconfiguration), userspace\u0027s buffer allocation will be incorrect,\npotentially leading to buffer overflow.\n\nDrivers are generally expected to maintain stable stat counts, but some\ndrivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making\nthis scenario possible.\n\nSome drivers try to handle this internally:\n- bnad_get_ethtool_stats() returns early in case stats.n_stats is not\n equal to the driver\u0027s stats count.\n- micrel/ksz884x also makes sure not to write anything beyond\n stats.n_stats and overflow the buffer.\n\nHowever, both use stats.n_stats which is already assigned with the value\nreturned from get_sset_count(), hence won\u0027t solve the issue described\nhere.\n\nChange ethtool_get_strings(), ethtool_get_stats(),\nethtool_get_phy_stats() to not return anything in case of a mismatch\nbetween userspace\u0027s size and get_sset_size(), to prevent buffer\noverflow.\nThe returned n_stats value will be equal to zero, to reflect that\nnothing has been returned.\n\nThis could result in one of two cases when using upstream ethtool,\ndepending on when the size change is detected:\n1. When detected in ethtool_get_strings():\n # ethtool -S eth2\n no stats available\n\n2. When detected in get stats, all stats will be reported as zero.\n\nBoth cases are presumably transient, and a subsequent ethtool call\nshould succeed.\n\nOther than the overflow avoidance, these two cases are very evident (no\noutput/cleared stats), which is arguably better than presenting\nincorrect/shifted stats.\nI also considered returning an error instead of a \"silent\" response, but\nthat seems more destructive towards userspace apps.\n\nNotes:\n- This patch does not claim to fix the inherent race, it only makes sure\n that we do not overflow the userspace buffer, and makes for a more\n predictable behavior.\n\n- RTNL lock is held during each ioctl, the race window exists between\n the separate ioctl calls when the lock is released.\n\n- Userspace ethtool always fills stats.n_stats, but it is likely that\n these stats ioctls are implemented in other userspace applications\n which might not fill it. The added code checks that it\u0027s not zero,\n to prevent any regressions."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:42.945Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3df375a1e75483b7d973c3cc2e46aa374db8428b"
},
{
"url": "https://git.kernel.org/stable/c/f9dc0f45d2cd0189ce666288a29d2cc32c2e44d5"
},
{
"url": "https://git.kernel.org/stable/c/4afcb985355210e1688560dc47e64b94dad35d71"
},
{
"url": "https://git.kernel.org/stable/c/ca9983bc3a1189bd72f9ae449d925a66b2616326"
},
{
"url": "https://git.kernel.org/stable/c/7bea09f60f2ad5d232e2db8f1c14e850fd3fd416"
},
{
"url": "https://git.kernel.org/stable/c/4066b5b546293f44cd6d0e84ece6e3ee7ff27093"
},
{
"url": "https://git.kernel.org/stable/c/7b07be1ff1cb6c49869910518650e8d0abc7d25f"
}
],
"title": "ethtool: Avoid overflowing userspace buffer on stats query",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68795",
"datePublished": "2026-01-13T15:29:06.217Z",
"dateReserved": "2025-12-24T10:30:51.041Z",
"dateUpdated": "2026-02-09T08:33:42.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68315 (GCVE-0-2025-68315)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
f2fs: fix to detect potential corrupted nid in free_nid_list
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to detect potential corrupted nid in free_nid_list
As reported, on-disk footer.ino and footer.nid is the same and
out-of-range, let's add sanity check on f2fs_alloc_nid() to detect
any potential corruption in free_nid_list.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 6b9525596a83cd5b7bbc2c7bd5f9ad9cf5ad60fa
(git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < adbcb34f03abb89e681a5907c4c3ce4bf224991d (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 8fc6056dcf79937c46c97fa4996cda65956437a9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/node.c",
"include/linux/f2fs_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6b9525596a83cd5b7bbc2c7bd5f9ad9cf5ad60fa",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "adbcb34f03abb89e681a5907c4c3ce4bf224991d",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "8fc6056dcf79937c46c97fa4996cda65956437a9",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/node.c",
"include/linux/f2fs_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to detect potential corrupted nid in free_nid_list\n\nAs reported, on-disk footer.ino and footer.nid is the same and\nout-of-range, let\u0027s add sanity check on f2fs_alloc_nid() to detect\nany potential corruption in free_nid_list."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:21.439Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6b9525596a83cd5b7bbc2c7bd5f9ad9cf5ad60fa"
},
{
"url": "https://git.kernel.org/stable/c/adbcb34f03abb89e681a5907c4c3ce4bf224991d"
},
{
"url": "https://git.kernel.org/stable/c/8fc6056dcf79937c46c97fa4996cda65956437a9"
}
],
"title": "f2fs: fix to detect potential corrupted nid in free_nid_list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68315",
"datePublished": "2025-12-16T15:39:45.716Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-20T08:52:21.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68342 (GCVE-0-2025-68342)
Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58
VLAI?
EPSS
Title
can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data
The URB received in gs_usb_receive_bulk_callback() contains a struct
gs_host_frame. The length of the data after the header depends on the
gs_host_frame hf::flags and the active device features (e.g. time
stamping).
Introduce a new function gs_usb_get_minimum_length() and check that we have
at least received the required amount of data before accessing it. Only
copy the data to that skb that has actually been received.
[mkl: rename gs_usb_get_minimum_length() -> +gs_usb_get_minimum_rx_length()]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d08e973a77d128b25e01a08c34d89593fdf222da , < 4ffac725154cf6a253f5e6aa0c8946232b6a0af5
(git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < ad55004a3cb5b41ef78aa6c09e7bc5a489ba652b (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < fb0c7c77a7ae3a2c3404b7d0173b8739a754b513 (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 395d988f93861101ec89d0dd9e3b876ae9392a5b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ffac725154cf6a253f5e6aa0c8946232b6a0af5",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "ad55004a3cb5b41ef78aa6c09e7bc5a489ba652b",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "fb0c7c77a7ae3a2c3404b7d0173b8739a754b513",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "395d988f93861101ec89d0dd9e3b876ae9392a5b",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data\n\nThe URB received in gs_usb_receive_bulk_callback() contains a struct\ngs_host_frame. The length of the data after the header depends on the\ngs_host_frame hf::flags and the active device features (e.g. time\nstamping).\n\nIntroduce a new function gs_usb_get_minimum_length() and check that we have\nat least received the required amount of data before accessing it. Only\ncopy the data to that skb that has actually been received.\n\n[mkl: rename gs_usb_get_minimum_length() -\u003e +gs_usb_get_minimum_rx_length()]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:58:27.579Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ffac725154cf6a253f5e6aa0c8946232b6a0af5"
},
{
"url": "https://git.kernel.org/stable/c/ad55004a3cb5b41ef78aa6c09e7bc5a489ba652b"
},
{
"url": "https://git.kernel.org/stable/c/fb0c7c77a7ae3a2c3404b7d0173b8739a754b513"
},
{
"url": "https://git.kernel.org/stable/c/395d988f93861101ec89d0dd9e3b876ae9392a5b"
}
],
"title": "can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68342",
"datePublished": "2025-12-23T13:58:27.579Z",
"dateReserved": "2025-12-16T14:48:05.298Z",
"dateUpdated": "2025-12-23T13:58:27.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39808 (GCVE-0-2025-39808)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()
in ntrig_report_version(), hdev parameter passed from hid_probe().
sending descriptor to /dev/uhid can make hdev->dev.parent->parent to null
if hdev->dev.parent->parent is null, usb_dev has
invalid address(0xffffffffffffff58) that hid_to_usb_dev(hdev) returned
when usb_rcvctrlpipe() use usb_dev,it trigger
page fault error for address(0xffffffffffffff58)
add null check logic to ntrig_report_version()
before calling hid_to_usb_dev()
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0277873c05158c5efc97c23d52e6aec6250bde0f , < 22ddb5eca4af5e69dffe2b54551d2487424448f1
(git)
Affected: 0277873c05158c5efc97c23d52e6aec6250bde0f , < 019c34ca11372de891c06644846eb41fca7c890c (git) Affected: 0277873c05158c5efc97c23d52e6aec6250bde0f , < 4338b0f6544c3ff042bfbaf40bc9afe531fb08c7 (git) Affected: 0277873c05158c5efc97c23d52e6aec6250bde0f , < 6070123d5344d0950f10ef6a5fdc3f076abb7ad2 (git) Affected: 0277873c05158c5efc97c23d52e6aec6250bde0f , < e422370e6ab28478872b914cee5d49a9bdfae0c6 (git) Affected: 0277873c05158c5efc97c23d52e6aec6250bde0f , < 98520a9a3d69a530dd1ee280cbe0abc232a35bff (git) Affected: 0277873c05158c5efc97c23d52e6aec6250bde0f , < 183def8e4d786e50165e5d992df6a3083e45e16c (git) Affected: 0277873c05158c5efc97c23d52e6aec6250bde0f , < 185c926283da67a72df20a63a5046b3b4631b7d9 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:34.626Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-ntrig.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "22ddb5eca4af5e69dffe2b54551d2487424448f1",
"status": "affected",
"version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
"versionType": "git"
},
{
"lessThan": "019c34ca11372de891c06644846eb41fca7c890c",
"status": "affected",
"version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
"versionType": "git"
},
{
"lessThan": "4338b0f6544c3ff042bfbaf40bc9afe531fb08c7",
"status": "affected",
"version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
"versionType": "git"
},
{
"lessThan": "6070123d5344d0950f10ef6a5fdc3f076abb7ad2",
"status": "affected",
"version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
"versionType": "git"
},
{
"lessThan": "e422370e6ab28478872b914cee5d49a9bdfae0c6",
"status": "affected",
"version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
"versionType": "git"
},
{
"lessThan": "98520a9a3d69a530dd1ee280cbe0abc232a35bff",
"status": "affected",
"version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
"versionType": "git"
},
{
"lessThan": "183def8e4d786e50165e5d992df6a3083e45e16c",
"status": "affected",
"version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
"versionType": "git"
},
{
"lessThan": "185c926283da67a72df20a63a5046b3b4631b7d9",
"status": "affected",
"version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-ntrig.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.298",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()\n\nin ntrig_report_version(), hdev parameter passed from hid_probe().\nsending descriptor to /dev/uhid can make hdev-\u003edev.parent-\u003eparent to null\nif hdev-\u003edev.parent-\u003eparent is null, usb_dev has\ninvalid address(0xffffffffffffff58) that hid_to_usb_dev(hdev) returned\nwhen usb_rcvctrlpipe() use usb_dev,it trigger\npage fault error for address(0xffffffffffffff58)\n\nadd null check logic to ntrig_report_version()\nbefore calling hid_to_usb_dev()"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:46.005Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/22ddb5eca4af5e69dffe2b54551d2487424448f1"
},
{
"url": "https://git.kernel.org/stable/c/019c34ca11372de891c06644846eb41fca7c890c"
},
{
"url": "https://git.kernel.org/stable/c/4338b0f6544c3ff042bfbaf40bc9afe531fb08c7"
},
{
"url": "https://git.kernel.org/stable/c/6070123d5344d0950f10ef6a5fdc3f076abb7ad2"
},
{
"url": "https://git.kernel.org/stable/c/e422370e6ab28478872b914cee5d49a9bdfae0c6"
},
{
"url": "https://git.kernel.org/stable/c/98520a9a3d69a530dd1ee280cbe0abc232a35bff"
},
{
"url": "https://git.kernel.org/stable/c/183def8e4d786e50165e5d992df6a3083e45e16c"
},
{
"url": "https://git.kernel.org/stable/c/185c926283da67a72df20a63a5046b3b4631b7d9"
}
],
"title": "HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39808",
"datePublished": "2025-09-16T13:00:11.242Z",
"dateReserved": "2025-04-16T07:20:57.137Z",
"dateUpdated": "2025-11-03T17:43:34.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68184 (GCVE-0-2025-68184)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2025-12-16 13:43
VLAI?
EPSS
Title
drm/mediatek: Disable AFBC support on Mediatek DRM driver
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: Disable AFBC support on Mediatek DRM driver
Commit c410fa9b07c3 ("drm/mediatek: Add AFBC support to Mediatek DRM
driver") added AFBC support to Mediatek DRM and enabled the
32x8/split/sparse modifier.
However, this is currently broken on Mediatek MT8188 (Genio 700 EVK
platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by
default since Mesa v25.0.
Kernel trace reports vblank timeouts constantly, and the render is garbled:
```
[CRTC:62:crtc-0] vblank wait timed out
WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c
[...]
Hardware name: MediaTek Genio-700 EVK (DT)
Workqueue: events_unbound commit_work
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c
lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c
sp : ffff80008337bca0
x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000
x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000
x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80
x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a
x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000
x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b
x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70
x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70
x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480
Call trace:
drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)
drm_atomic_helper_commit_tail_rpm+0x64/0x80
commit_tail+0xa4/0x1a4
commit_work+0x14/0x20
process_one_work+0x150/0x290
worker_thread+0x2d0/0x3ec
kthread+0x12c/0x210
ret_from_fork+0x10/0x20
---[ end trace 0000000000000000 ]---
```
Until this gets fixed upstream, disable AFBC support on this platform, as
it's currently broken with upstream Mesa.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c410fa9b07c32cc69968ec83a148366d16c76dc4 , < df1ad5de2197ea1b527d13ae7b699e9ee7d724d4
(git)
Affected: c410fa9b07c32cc69968ec83a148366d16c76dc4 , < 0eaa0a3dfe218c4cf1a0782ccbbc9e3931718f17 (git) Affected: c410fa9b07c32cc69968ec83a148366d16c76dc4 , < 72223700b620885d556a4c52a63f5294316176c6 (git) Affected: c410fa9b07c32cc69968ec83a148366d16c76dc4 , < 9882a40640036d5bbc590426a78981526d4f2345 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df1ad5de2197ea1b527d13ae7b699e9ee7d724d4",
"status": "affected",
"version": "c410fa9b07c32cc69968ec83a148366d16c76dc4",
"versionType": "git"
},
{
"lessThan": "0eaa0a3dfe218c4cf1a0782ccbbc9e3931718f17",
"status": "affected",
"version": "c410fa9b07c32cc69968ec83a148366d16c76dc4",
"versionType": "git"
},
{
"lessThan": "72223700b620885d556a4c52a63f5294316176c6",
"status": "affected",
"version": "c410fa9b07c32cc69968ec83a148366d16c76dc4",
"versionType": "git"
},
{
"lessThan": "9882a40640036d5bbc590426a78981526d4f2345",
"status": "affected",
"version": "c410fa9b07c32cc69968ec83a148366d16c76dc4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Disable AFBC support on Mediatek DRM driver\n\nCommit c410fa9b07c3 (\"drm/mediatek: Add AFBC support to Mediatek DRM\ndriver\") added AFBC support to Mediatek DRM and enabled the\n32x8/split/sparse modifier.\n\nHowever, this is currently broken on Mediatek MT8188 (Genio 700 EVK\nplatform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by\ndefault since Mesa v25.0.\n\nKernel trace reports vblank timeouts constantly, and the render is garbled:\n\n```\n[CRTC:62:crtc-0] vblank wait timed out\nWARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c\n[...]\nHardware name: MediaTek Genio-700 EVK (DT)\nWorkqueue: events_unbound commit_work\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c\nlr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c\nsp : ffff80008337bca0\nx29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000\nx26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000\nx23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80\nx20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a\nx17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000\nx14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b\nx11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70\nx8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70\nx5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480\nCall trace:\n drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)\n drm_atomic_helper_commit_tail_rpm+0x64/0x80\n commit_tail+0xa4/0x1a4\n commit_work+0x14/0x20\n process_one_work+0x150/0x290\n worker_thread+0x2d0/0x3ec\n kthread+0x12c/0x210\n ret_from_fork+0x10/0x20\n---[ end trace 0000000000000000 ]---\n```\n\nUntil this gets fixed upstream, disable AFBC support on this platform, as\nit\u0027s currently broken with upstream Mesa."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:43:02.010Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df1ad5de2197ea1b527d13ae7b699e9ee7d724d4"
},
{
"url": "https://git.kernel.org/stable/c/0eaa0a3dfe218c4cf1a0782ccbbc9e3931718f17"
},
{
"url": "https://git.kernel.org/stable/c/72223700b620885d556a4c52a63f5294316176c6"
},
{
"url": "https://git.kernel.org/stable/c/9882a40640036d5bbc590426a78981526d4f2345"
}
],
"title": "drm/mediatek: Disable AFBC support on Mediatek DRM driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68184",
"datePublished": "2025-12-16T13:43:02.010Z",
"dateReserved": "2025-12-16T13:41:40.252Z",
"dateUpdated": "2025-12-16T13:43:02.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…