Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0522
Vulnerability from certfr_avis - Published: 2026-04-30 - Updated: 2026-04-30
De multiples vulnérabilités ont été découvertes dans le noyau Linux d'Ubuntu. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ubuntu 20.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 24.04 LTS",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-71075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71075"
},
{
"name": "CVE-2025-71086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71086"
},
{
"name": "CVE-2025-71065",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71065"
},
{
"name": "CVE-2025-68374",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68374"
},
{
"name": "CVE-2025-71094",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71094"
},
{
"name": "CVE-2025-68788",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68788"
},
{
"name": "CVE-2025-68778",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68778"
},
{
"name": "CVE-2025-71064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71064"
},
{
"name": "CVE-2025-68741",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68741"
},
{
"name": "CVE-2025-68795",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68795"
},
{
"name": "CVE-2025-68349",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68349"
},
{
"name": "CVE-2025-68380",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68380"
},
{
"name": "CVE-2026-23269",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23269"
},
{
"name": "CVE-2021-47599",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47599"
},
{
"name": "CVE-2025-71071",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71071"
},
{
"name": "CVE-2025-68728",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68728"
},
{
"name": "CVE-2025-68364",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68364"
},
{
"name": "CVE-2025-71087",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71087"
},
{
"name": "CVE-2025-40019",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40019"
},
{
"name": "CVE-2025-71135",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71135"
},
{
"name": "CVE-2025-68773",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68773"
},
{
"name": "CVE-2025-71133",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71133"
},
{
"name": "CVE-2025-68796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68796"
},
{
"name": "CVE-2025-68804",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68804"
},
{
"name": "CVE-2025-68769",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68769"
},
{
"name": "CVE-2025-68794",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68794"
},
{
"name": "CVE-2025-71088",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71088"
},
{
"name": "CVE-2025-68806",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68806"
},
{
"name": "CVE-2025-71098",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71098"
},
{
"name": "CVE-2025-71078",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71078"
},
{
"name": "CVE-2025-71083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71083"
},
{
"name": "CVE-2025-68813",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68813"
},
{
"name": "CVE-2025-68265",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68265"
},
{
"name": "CVE-2025-71085",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71085"
},
{
"name": "CVE-2026-23268",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23268"
},
{
"name": "CVE-2025-68344",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68344"
},
{
"name": "CVE-2025-71154",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71154"
},
{
"name": "CVE-2022-49046",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49046"
},
{
"name": "CVE-2025-68257",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68257"
},
{
"name": "CVE-2024-46816",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46816"
},
{
"name": "CVE-2025-71084",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71084"
},
{
"name": "CVE-2025-68347",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68347"
},
{
"name": "CVE-2025-68770",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68770"
},
{
"name": "CVE-2025-68814",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68814"
},
{
"name": "CVE-2025-68780",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68780"
},
{
"name": "CVE-2025-71081",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71081"
},
{
"name": "CVE-2026-23407",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23407"
},
{
"name": "CVE-2025-71121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71121"
},
{
"name": "CVE-2025-38022",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38022"
},
{
"name": "CVE-2026-23209",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23209"
},
{
"name": "CVE-2025-71136",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71136"
},
{
"name": "CVE-2025-68354",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68354"
},
{
"name": "CVE-2025-68801",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68801"
},
{
"name": "CVE-2025-68258",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68258"
},
{
"name": "CVE-2025-71138",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71138"
},
{
"name": "CVE-2025-68291",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68291"
},
{
"name": "CVE-2025-71122",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71122"
},
{
"name": "CVE-2025-68763",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68763"
},
{
"name": "CVE-2025-71144",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71144"
},
{
"name": "CVE-2025-38234",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38234"
},
{
"name": "CVE-2025-68255",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68255"
},
{
"name": "CVE-2022-49698",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49698"
},
{
"name": "CVE-2026-23406",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23406"
},
{
"name": "CVE-2025-71093",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71093"
},
{
"name": "CVE-2025-71102",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71102"
},
{
"name": "CVE-2025-68759",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68759"
},
{
"name": "CVE-2025-68733",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68733"
},
{
"name": "CVE-2025-68335",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68335"
},
{
"name": "CVE-2025-71079",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71079"
},
{
"name": "CVE-2025-71153",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71153"
},
{
"name": "CVE-2025-68772",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68772"
},
{
"name": "CVE-2024-57795",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57795"
},
{
"name": "CVE-2025-21780",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21780"
},
{
"name": "CVE-2025-71143",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71143"
},
{
"name": "CVE-2025-68785",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68785"
},
{
"name": "CVE-2025-71130",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71130"
},
{
"name": "CVE-2025-68808",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68808"
},
{
"name": "CVE-2025-68783",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68783"
},
{
"name": "CVE-2025-71147",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71147"
},
{
"name": "CVE-2025-68724",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68724"
},
{
"name": "CVE-2022-48875",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48875"
},
{
"name": "CVE-2026-23074",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23074"
},
{
"name": "CVE-2025-71126",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71126"
},
{
"name": "CVE-2025-68786",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68786"
},
{
"name": "CVE-2025-68797",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68797"
},
{
"name": "CVE-2025-68259",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68259"
},
{
"name": "CVE-2025-71125",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71125"
},
{
"name": "CVE-2025-71108",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71108"
},
{
"name": "CVE-2025-71069",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71069"
},
{
"name": "CVE-2025-68774",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68774"
},
{
"name": "CVE-2025-71082",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71082"
},
{
"name": "CVE-2025-68765",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68765"
},
{
"name": "CVE-2025-71132",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71132"
},
{
"name": "CVE-2025-71077",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71077"
},
{
"name": "CVE-2025-71140",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71140"
},
{
"name": "CVE-2025-22111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22111"
},
{
"name": "CVE-2025-71114",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71114"
},
{
"name": "CVE-2025-71067",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71067"
},
{
"name": "CVE-2025-68744",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68744"
},
{
"name": "CVE-2025-71151",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71151"
},
{
"name": "CVE-2025-68821",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68821"
},
{
"name": "CVE-2025-68325",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68325"
},
{
"name": "CVE-2025-71089",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71089"
},
{
"name": "CVE-2025-68332",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68332"
},
{
"name": "CVE-2025-71104",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71104"
},
{
"name": "CVE-2025-68378",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68378"
},
{
"name": "CVE-2025-71141",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71141"
},
{
"name": "CVE-2026-23410",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23410"
},
{
"name": "CVE-2025-71101",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71101"
},
{
"name": "CVE-2025-68367",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68367"
},
{
"name": "CVE-2025-68820",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68820"
},
{
"name": "CVE-2025-68756",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68756"
},
{
"name": "CVE-2025-68740",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68740"
},
{
"name": "CVE-2025-68742",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68742"
},
{
"name": "CVE-2025-68816",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68816"
},
{
"name": "CVE-2025-68379",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68379"
},
{
"name": "CVE-2025-68256",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68256"
},
{
"name": "CVE-2025-68777",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68777"
},
{
"name": "CVE-2025-68254",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68254"
},
{
"name": "CVE-2025-71109",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71109"
},
{
"name": "CVE-2025-71118",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71118"
},
{
"name": "CVE-2025-71150",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71150"
},
{
"name": "CVE-2025-68776",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68776"
},
{
"name": "CVE-2025-71066",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71066"
},
{
"name": "CVE-2025-68799",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68799"
},
{
"name": "CVE-2025-68345",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68345"
},
{
"name": "CVE-2025-71097",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71097"
},
{
"name": "CVE-2025-71107",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71107"
},
{
"name": "CVE-2025-71111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71111"
},
{
"name": "CVE-2025-68811",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68811"
},
{
"name": "CVE-2025-68337",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68337"
},
{
"name": "CVE-2026-23405",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23405"
},
{
"name": "CVE-2025-71131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71131"
},
{
"name": "CVE-2025-21726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21726"
},
{
"name": "CVE-2026-23403",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23403"
},
{
"name": "CVE-2025-40164",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40164"
},
{
"name": "CVE-2025-71116",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71116"
},
{
"name": "CVE-2025-68362",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68362"
},
{
"name": "CVE-2025-68753",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68753"
},
{
"name": "CVE-2025-68369",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68369"
},
{
"name": "CVE-2025-68775",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68775"
},
{
"name": "CVE-2025-71112",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71112"
},
{
"name": "CVE-2025-22022",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22022"
},
{
"name": "CVE-2025-68818",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68818"
},
{
"name": "CVE-2025-71148",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71148"
},
{
"name": "CVE-2025-68366",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68366"
},
{
"name": "CVE-2024-36347",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36347"
},
{
"name": "CVE-2025-68815",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68815"
},
{
"name": "CVE-2025-40215",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40215"
},
{
"name": "CVE-2025-68346",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68346"
},
{
"name": "CVE-2025-71096",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71096"
},
{
"name": "CVE-2025-71095",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71095"
},
{
"name": "CVE-2025-71105",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71105"
},
{
"name": "CVE-2025-68266",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68266"
},
{
"name": "CVE-2025-68771",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68771"
},
{
"name": "CVE-2025-68363",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68363"
},
{
"name": "CVE-2026-23411",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23411"
},
{
"name": "CVE-2024-49927",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49927"
},
{
"name": "CVE-2025-68757",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68757"
},
{
"name": "CVE-2025-71068",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71068"
},
{
"name": "CVE-2026-23409",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23409"
},
{
"name": "CVE-2025-68766",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68766"
},
{
"name": "CVE-2025-71123",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71123"
},
{
"name": "CVE-2025-68206",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68206"
},
{
"name": "CVE-2025-68372",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68372"
},
{
"name": "CVE-2026-23404",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23404"
},
{
"name": "CVE-2025-71137",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71137"
},
{
"name": "CVE-2025-68809",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68809"
},
{
"name": "CVE-2025-71120",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71120"
},
{
"name": "CVE-2026-23060",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23060"
},
{
"name": "CVE-2025-68817",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68817"
},
{
"name": "CVE-2025-71119",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71119"
},
{
"name": "CVE-2025-68787",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68787"
},
{
"name": "CVE-2025-68782",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68782"
},
{
"name": "CVE-2025-68758",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68758"
},
{
"name": "CVE-2025-71113",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71113"
},
{
"name": "CVE-2025-71127",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71127"
},
{
"name": "CVE-2025-40325",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40325"
},
{
"name": "CVE-2025-68798",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68798"
},
{
"name": "CVE-2025-68336",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68336"
},
{
"name": "CVE-2025-68810",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68810"
},
{
"name": "CVE-2025-68819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68819"
},
{
"name": "CVE-2025-71072",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71072"
},
{
"name": "CVE-2025-68732",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68732"
},
{
"name": "CVE-2025-37849",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37849"
},
{
"name": "CVE-2024-56640",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56640"
},
{
"name": "CVE-2025-68371",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68371"
},
{
"name": "CVE-2025-71091",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71091"
},
{
"name": "CVE-2025-68263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68263"
},
{
"name": "CVE-2025-68800",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68800"
},
{
"name": "CVE-2025-68261",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68261"
},
{
"name": "CVE-2025-68755",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68755"
},
{
"name": "CVE-2025-71149",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71149"
},
{
"name": "CVE-2025-68767",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68767"
},
{
"name": "CVE-2025-68727",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68727"
},
{
"name": "CVE-2025-68264",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68264"
},
{
"name": "CVE-2025-68764",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68764"
}
],
"initial_release_date": "2026-04-30T00:00:00",
"last_revision_date": "2026-04-30T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0522",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-04-30T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux d\u0027Ubuntu. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux d\u0027Ubuntu",
"vendor_advisories": [
{
"published_at": "2026-04-28",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8185-2",
"url": "https://ubuntu.com/security/notices/USN-8185-2"
},
{
"published_at": "2026-04-29",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8224-1",
"url": "https://ubuntu.com/security/notices/USN-8224-1"
}
]
}
CVE-2025-21780 (GCVE-0-2025-21780)
Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2026-05-11 21:06
VLAI
EPSS
Title
drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()
It malicious user provides a small pptable through sysfs and then
a bigger pptable, it may cause buffer overflow attack in function
smu_sys_set_pp_table().
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
137d63abbf6a0859e79b662e81d21170ecb75e59 , < 3484ea33157bc7334f57e64826ec5a4bf992151a
(git)
Affected: 137d63abbf6a0859e79b662e81d21170ecb75e59 , < e43a8b9c4d700ffec819c5043a48769b3e7d9cab (git) Affected: 137d63abbf6a0859e79b662e81d21170ecb75e59 , < 2498d2db1d35e88a2060ea191ae75dce853dd084 (git) Affected: 137d63abbf6a0859e79b662e81d21170ecb75e59 , < 231075c5a8ea54f34b7c4794687baa980814e6de (git) Affected: 137d63abbf6a0859e79b662e81d21170ecb75e59 , < 1abb2648698bf10783d2236a6b4a7ca5e8021699 (git) |
|
| Linux | Linux |
Affected:
5.2
Unaffected: 0 , < 5.2 (semver) Unaffected: 6.1.129 , ≤ 6.1.* (semver) Unaffected: 6.6.79 , ≤ 6.6.* (semver) Unaffected: 6.12.16 , ≤ 6.12.* (semver) Unaffected: 6.13.4 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21780",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:30:25.628048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:40.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:26.137Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3484ea33157bc7334f57e64826ec5a4bf992151a",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
},
{
"lessThan": "e43a8b9c4d700ffec819c5043a48769b3e7d9cab",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
},
{
"lessThan": "2498d2db1d35e88a2060ea191ae75dce853dd084",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
},
{
"lessThan": "231075c5a8ea54f34b7c4794687baa980814e6de",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
},
{
"lessThan": "1abb2648698bf10783d2236a6b4a7ca5e8021699",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()\n\nIt malicious user provides a small pptable through sysfs and then\na bigger pptable, it may cause buffer overflow attack in function\nsmu_sys_set_pp_table()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:06:17.275Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3484ea33157bc7334f57e64826ec5a4bf992151a"
},
{
"url": "https://git.kernel.org/stable/c/e43a8b9c4d700ffec819c5043a48769b3e7d9cab"
},
{
"url": "https://git.kernel.org/stable/c/2498d2db1d35e88a2060ea191ae75dce853dd084"
},
{
"url": "https://git.kernel.org/stable/c/231075c5a8ea54f34b7c4794687baa980814e6de"
},
{
"url": "https://git.kernel.org/stable/c/1abb2648698bf10783d2236a6b4a7ca5e8021699"
}
],
"title": "drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21780",
"datePublished": "2025-02-27T02:18:23.543Z",
"dateReserved": "2024-12-29T08:45:45.764Z",
"dateUpdated": "2026-05-11T21:06:17.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22022 (GCVE-0-2025-22022)
Vulnerability from cvelistv5 – Published: 2025-04-16 10:23 – Updated: 2026-05-23 15:57
VLAI
EPSS
Title
usb: xhci: Apply the link chain quirk on NEC isoc endpoints
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Apply the link chain quirk on NEC isoc endpoints
Two clearly different specimens of NEC uPD720200 (one with start/stop
bug, one without) were seen to cause IOMMU faults after some Missed
Service Errors. Faulting address is immediately after a transfer ring
segment and patched dynamic debug messages revealed that the MSE was
received when waiting for a TD near the end of that segment:
[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0
[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]
[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]
It gets even funnier if the next page is a ring segment accessible to
the HC. Below, it reports MSE in segment at ff1e8000, plows through a
zero-filled page at ff1e9000 and starts reporting events for TRBs in
page at ff1ea000 every microframe, instead of jumping to seg ff1e6000.
[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0
[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0
[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag.
[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31
[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31
[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
At some point completion events change from Isoch Buffer Overrun to
Short Packet and the HC finally finds cycle bit mismatch in ff1ec000.
[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13
[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13
[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2
It's possible that data from the isochronous device were written to
random buffers of pending TDs on other endpoints (either IN or OUT),
other devices or even other HCs in the same IOMMU domain.
Lastly, an error from a different USB device on another HC. Was it
caused by the above? I don't know, but it may have been. The disk
was working without any other issues and generated PCIe traffic to
starve the NEC of upstream BW and trigger those MSEs. The two HCs
shared one x1 slot by means of a commercial "PCIe splitter" board.
[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd
[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s
[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00
[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0
Fortunately, it appears that this ridiculous bug is avoided by setting
the chain bit of Link TRBs on isochronous rings. Other ancient HCs are
known which also expect the bit to be set and they ignore Link TRBs if
it's not. Reportedly, 0.95 spec guaranteed that the bit is set.
The bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports
tens of MSEs per second and runs into the bug within seconds. Chaining
Link TRBs allows the same workload to run for many minutes, many times.
No ne
---truncated---
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
7e393a834b41001174a8fb3ae3bc23a749467760 , < abf2df229b6a9172cc1827749c1a446d28e00a2e
(git)
Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < 8b586de6f03c850ff48d42e539b4708d1f3f8f1a (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < 1143f790a6316201dc8f067eba4c94ea97ecb6ca (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < dbf427663ce272070d3004b5fca63a4a537d781c (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < a4931d9fb99eb5462f3eaa231999d279c40afb21 (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < 43a18225150ce874d23b37761c302a5dffee1595 (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < 061a1683bae6ef56ab8fa392725ba7495515cd1d (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < bb0ba4cb1065e87f9cc75db1fa454e56d0894d01 (git) Affected: 5c7a6982e976b381595c9d4ee8e8c94564a40aec (git) Affected: f12ea4a8ca7009fa2d54794c3fcb8e638453bcff (git) Affected: 3.0.9 , < 3.1 (semver) Affected: 3.1.1 , < 3.2 (semver) |
|
| Linux | Linux |
Affected:
3.2
Unaffected: 0 , < 3.2 (semver) Unaffected: 5.10.248 , ≤ 5.10.* (semver) Unaffected: 5.15.198 , ≤ 5.15.* (semver) Unaffected: 6.1.160 , ≤ 6.1.* (semver) Unaffected: 6.6.120 , ≤ 6.6.* (semver) Unaffected: 6.12.22 , ≤ 6.12.* (semver) Unaffected: 6.13.10 , ≤ 6.13.* (semver) Unaffected: 6.14.1 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "abf2df229b6a9172cc1827749c1a446d28e00a2e",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "8b586de6f03c850ff48d42e539b4708d1f3f8f1a",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "1143f790a6316201dc8f067eba4c94ea97ecb6ca",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "dbf427663ce272070d3004b5fca63a4a537d781c",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "a4931d9fb99eb5462f3eaa231999d279c40afb21",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "43a18225150ce874d23b37761c302a5dffee1595",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "061a1683bae6ef56ab8fa392725ba7495515cd1d",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "bb0ba4cb1065e87f9cc75db1fa454e56d0894d01",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"status": "affected",
"version": "5c7a6982e976b381595c9d4ee8e8c94564a40aec",
"versionType": "git"
},
{
"status": "affected",
"version": "f12ea4a8ca7009fa2d54794c3fcb8e638453bcff",
"versionType": "git"
},
{
"lessThan": "3.1",
"status": "affected",
"version": "3.0.9",
"versionType": "semver"
},
{
"lessThan": "3.2",
"status": "affected",
"version": "3.1.1",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.22",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.10",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.1",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.1.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Apply the link chain quirk on NEC isoc endpoints\n\nTwo clearly different specimens of NEC uPD720200 (one with start/stop\nbug, one without) were seen to cause IOMMU faults after some Missed\nService Errors. Faulting address is immediately after a transfer ring\nsegment and patched dynamic debug messages revealed that the MSE was\nreceived when waiting for a TD near the end of that segment:\n\n[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0\n[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]\n[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]\n\nIt gets even funnier if the next page is a ring segment accessible to\nthe HC. Below, it reports MSE in segment at ff1e8000, plows through a\nzero-filled page at ff1e9000 and starts reporting events for TRBs in\npage at ff1ea000 every microframe, instead of jumping to seg ff1e6000.\n\n[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag.\n[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n\nAt some point completion events change from Isoch Buffer Overrun to\nShort Packet and the HC finally finds cycle bit mismatch in ff1ec000.\n\n[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2\n\nIt\u0027s possible that data from the isochronous device were written to\nrandom buffers of pending TDs on other endpoints (either IN or OUT),\nother devices or even other HCs in the same IOMMU domain.\n\nLastly, an error from a different USB device on another HC. Was it\ncaused by the above? I don\u0027t know, but it may have been. The disk\nwas working without any other issues and generated PCIe traffic to\nstarve the NEC of upstream BW and trigger those MSEs. The two HCs\nshared one x1 slot by means of a commercial \"PCIe splitter\" board.\n\n[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd\n[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s\n[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00\n[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0\n\nFortunately, it appears that this ridiculous bug is avoided by setting\nthe chain bit of Link TRBs on isochronous rings. Other ancient HCs are\nknown which also expect the bit to be set and they ignore Link TRBs if\nit\u0027s not. Reportedly, 0.95 spec guaranteed that the bit is set.\n\nThe bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports\ntens of MSEs per second and runs into the bug within seconds. Chaining\nLink TRBs allows the same workload to run for many minutes, many times.\n\nNo ne\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:57:36.993Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/abf2df229b6a9172cc1827749c1a446d28e00a2e"
},
{
"url": "https://git.kernel.org/stable/c/8b586de6f03c850ff48d42e539b4708d1f3f8f1a"
},
{
"url": "https://git.kernel.org/stable/c/1143f790a6316201dc8f067eba4c94ea97ecb6ca"
},
{
"url": "https://git.kernel.org/stable/c/dbf427663ce272070d3004b5fca63a4a537d781c"
},
{
"url": "https://git.kernel.org/stable/c/a4931d9fb99eb5462f3eaa231999d279c40afb21"
},
{
"url": "https://git.kernel.org/stable/c/43a18225150ce874d23b37761c302a5dffee1595"
},
{
"url": "https://git.kernel.org/stable/c/061a1683bae6ef56ab8fa392725ba7495515cd1d"
},
{
"url": "https://git.kernel.org/stable/c/bb0ba4cb1065e87f9cc75db1fa454e56d0894d01"
}
],
"title": "usb: xhci: Apply the link chain quirk on NEC isoc endpoints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22022",
"datePublished": "2025-04-16T10:23:27.423Z",
"dateReserved": "2024-12-29T08:45:45.807Z",
"dateUpdated": "2026-05-23T15:57:36.993Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22111 (GCVE-0-2025-22111)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:13
VLAI
EPSS
Title
net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.
SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to
br_ioctl_call(), which causes unnecessary RTNL dance and the splat
below [0] under RTNL pressure.
Let's say Thread A is trying to detach a device from a bridge and
Thread B is trying to remove the bridge.
In dev_ioctl(), Thread A bumps the bridge device's refcnt by
netdev_hold() and releases RTNL because the following br_ioctl_call()
also re-acquires RTNL.
In the race window, Thread B could acquire RTNL and try to remove
the bridge device. Then, rtnl_unlock() by Thread B will release RTNL
and wait for netdev_put() by Thread A.
Thread A, however, must hold RTNL after the unlock in dev_ifsioc(),
which may take long under RTNL pressure, resulting in the splat by
Thread B.
Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR)
---------------------- ----------------------
sock_ioctl sock_ioctl
`- sock_do_ioctl `- br_ioctl_call
`- dev_ioctl `- br_ioctl_stub
|- rtnl_lock |
|- dev_ifsioc '
' |- dev = __dev_get_by_name(...)
|- netdev_hold(dev, ...) .
/ |- rtnl_unlock ------. |
| |- br_ioctl_call `---> |- rtnl_lock
Race | | `- br_ioctl_stub |- br_del_bridge
Window | | | |- dev = __dev_get_by_name(...)
| | | May take long | `- br_dev_delete(dev, ...)
| | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...)
| | | | `- rtnl_unlock
\ | |- rtnl_lock <-' `- netdev_run_todo
| |- ... `- netdev_run_todo
| `- rtnl_unlock |- __rtnl_unlock
| |- netdev_wait_allrefs_any
|- netdev_put(dev, ...) <----------------'
Wait refcnt decrement
and log splat below
To avoid blocking SIOCBRDELBR unnecessarily, let's not call
dev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.
In the dev_ioctl() path, we do the following:
1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()
2. Check CAP_NET_ADMIN in dev_ioctl()
3. Call dev_load() in dev_ioctl()
4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()
3. can be done by request_module() in br_ioctl_call(), so we move
1., 2., and 4. to br_ioctl_stub().
Note that 2. is also checked later in add_del_if(), but it's better
performed before RTNL.
SIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since
the pre-git era, and there seems to be no specific reason to process
them there.
[0]:
unregister_netdevice: waiting for wpan3 to become free. Usage count = 2
ref_tracker: wpan3@ffff8880662d8608 has 1/1 users at
__netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]
netdev_hold include/linux/netdevice.h:4311 [inline]
dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624
dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826
sock_do_ioctl+0x1ca/0x260 net/socket.c:1213
sock_ioctl+0x23a/0x6c0 net/socket.c:1318
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
893b195875340cb44b54c9db99e708145f1210e8 , < f51e471cb1577d510c3096e126678e1ea20d2efd
(git)
Affected: 893b195875340cb44b54c9db99e708145f1210e8 , < 338a0f3c66aef4ee13052880d02200aae8f2d8a8 (git) Affected: 893b195875340cb44b54c9db99e708145f1210e8 , < d767ce15045df510f55cdd2af5df0eee71f928d0 (git) Affected: 893b195875340cb44b54c9db99e708145f1210e8 , < 4888e1dcc341e9a132ef7b8516234b3c3296de56 (git) Affected: 893b195875340cb44b54c9db99e708145f1210e8 , < 00fe0ac64efd1f5373b3dd9f1f84b19235371e39 (git) Affected: 893b195875340cb44b54c9db99e708145f1210e8 , < ed3ba9b6e280e14cc3148c1b226ba453f02fa76c (git) |
|
| Linux | Linux |
Affected:
5.15
Unaffected: 0 , < 5.15 (semver) Unaffected: 5.15.198 , ≤ 5.15.* (semver) Unaffected: 6.1.160 , ≤ 6.1.* (semver) Unaffected: 6.6.120 , ≤ 6.6.* (semver) Unaffected: 6.12.65 , ≤ 6.12.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/if_bridge.h",
"net/bridge/br_ioctl.c",
"net/bridge/br_private.h",
"net/core/dev_ioctl.c",
"net/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f51e471cb1577d510c3096e126678e1ea20d2efd",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "338a0f3c66aef4ee13052880d02200aae8f2d8a8",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "d767ce15045df510f55cdd2af5df0eee71f928d0",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "4888e1dcc341e9a132ef7b8516234b3c3296de56",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "00fe0ac64efd1f5373b3dd9f1f84b19235371e39",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "ed3ba9b6e280e14cc3148c1b226ba453f02fa76c",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/if_bridge.h",
"net/bridge/br_ioctl.c",
"net/bridge/br_private.h",
"net/core/dev_ioctl.c",
"net/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.65",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.\n\nSIOCBRDELIF is passed to dev_ioctl() first and later forwarded to\nbr_ioctl_call(), which causes unnecessary RTNL dance and the splat\nbelow [0] under RTNL pressure.\n\nLet\u0027s say Thread A is trying to detach a device from a bridge and\nThread B is trying to remove the bridge.\n\nIn dev_ioctl(), Thread A bumps the bridge device\u0027s refcnt by\nnetdev_hold() and releases RTNL because the following br_ioctl_call()\nalso re-acquires RTNL.\n\nIn the race window, Thread B could acquire RTNL and try to remove\nthe bridge device. Then, rtnl_unlock() by Thread B will release RTNL\nand wait for netdev_put() by Thread A.\n\nThread A, however, must hold RTNL after the unlock in dev_ifsioc(),\nwhich may take long under RTNL pressure, resulting in the splat by\nThread B.\n\n Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR)\n ---------------------- ----------------------\n sock_ioctl sock_ioctl\n `- sock_do_ioctl `- br_ioctl_call\n `- dev_ioctl `- br_ioctl_stub\n |- rtnl_lock |\n |- dev_ifsioc \u0027\n \u0027 |- dev = __dev_get_by_name(...)\n |- netdev_hold(dev, ...) .\n / |- rtnl_unlock ------. |\n | |- br_ioctl_call `---\u003e |- rtnl_lock\n Race | | `- br_ioctl_stub |- br_del_bridge\n Window | | | |- dev = __dev_get_by_name(...)\n | | | May take long | `- br_dev_delete(dev, ...)\n | | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...)\n | | | | `- rtnl_unlock\n \\ | |- rtnl_lock \u003c-\u0027 `- netdev_run_todo\n | |- ... `- netdev_run_todo\n | `- rtnl_unlock |- __rtnl_unlock\n | |- netdev_wait_allrefs_any\n |- netdev_put(dev, ...) \u003c----------------\u0027\n Wait refcnt decrement\n and log splat below\n\nTo avoid blocking SIOCBRDELBR unnecessarily, let\u0027s not call\ndev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.\n\nIn the dev_ioctl() path, we do the following:\n\n 1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()\n 2. Check CAP_NET_ADMIN in dev_ioctl()\n 3. Call dev_load() in dev_ioctl()\n 4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()\n\n3. can be done by request_module() in br_ioctl_call(), so we move\n1., 2., and 4. to br_ioctl_stub().\n\nNote that 2. is also checked later in add_del_if(), but it\u0027s better\nperformed before RTNL.\n\nSIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since\nthe pre-git era, and there seems to be no specific reason to process\nthem there.\n\n[0]:\nunregister_netdevice: waiting for wpan3 to become free. Usage count = 2\nref_tracker: wpan3@ffff8880662d8608 has 1/1 users at\n __netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]\n netdev_hold include/linux/netdevice.h:4311 [inline]\n dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624\n dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826\n sock_do_ioctl+0x1ca/0x260 net/socket.c:1213\n sock_ioctl+0x23a/0x6c0 net/socket.c:1318\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:13:10.941Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f51e471cb1577d510c3096e126678e1ea20d2efd"
},
{
"url": "https://git.kernel.org/stable/c/338a0f3c66aef4ee13052880d02200aae8f2d8a8"
},
{
"url": "https://git.kernel.org/stable/c/d767ce15045df510f55cdd2af5df0eee71f928d0"
},
{
"url": "https://git.kernel.org/stable/c/4888e1dcc341e9a132ef7b8516234b3c3296de56"
},
{
"url": "https://git.kernel.org/stable/c/00fe0ac64efd1f5373b3dd9f1f84b19235371e39"
},
{
"url": "https://git.kernel.org/stable/c/ed3ba9b6e280e14cc3148c1b226ba453f02fa76c"
}
],
"title": "net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22111",
"datePublished": "2025-04-16T14:12:57.719Z",
"dateReserved": "2024-12-29T08:45:45.820Z",
"dateUpdated": "2026-05-11T21:13:10.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37849 (GCVE-0-2025-37849)
Vulnerability from cvelistv5 – Published: 2025-05-09 06:41 – Updated: 2026-05-11 21:16
VLAI
EPSS
Title
KVM: arm64: Tear down vGIC on failed vCPU creation
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Tear down vGIC on failed vCPU creation
If kvm_arch_vcpu_create() fails to share the vCPU page with the
hypervisor, we propagate the error back to the ioctl but leave the
vGIC vCPU data initialised. Note only does this leak the corresponding
memory when the vCPU is destroyed but it can also lead to use-after-free
if the redistributor device handling tries to walk into the vCPU.
Add the missing cleanup to kvm_arch_vcpu_create(), ensuring that the
vGIC vCPU structures are destroyed on error.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
6211753fdfd05af9e08f54c8d0ba3ee516034878 , < 07476e0d932afc53c05468076393ac35d0b4999e
(git)
Affected: 6211753fdfd05af9e08f54c8d0ba3ee516034878 , < 5085e02362b9948f82fceca979b8f8e12acb1cc5 (git) Affected: 6211753fdfd05af9e08f54c8d0ba3ee516034878 , < c322789613407647a05ff5c451a7bf545fb34e73 (git) Affected: 6211753fdfd05af9e08f54c8d0ba3ee516034878 , < 2480326eba8ae9ccc5e4c3c2dc8d407db68e3c52 (git) Affected: 6211753fdfd05af9e08f54c8d0ba3ee516034878 , < f1e9087abaeedec9bf2894a282ee4f0d8383f299 (git) Affected: 6211753fdfd05af9e08f54c8d0ba3ee516034878 , < 250f25367b58d8c65a1b060a2dda037eea09a672 (git) |
|
| Linux | Linux |
Affected:
3.11
Unaffected: 0 , < 3.11 (semver) Unaffected: 6.1.135 , ≤ 6.1.* (semver) Unaffected: 6.6.88 , ≤ 6.6.* (semver) Unaffected: 6.12.24 , ≤ 6.12.* (semver) Unaffected: 6.13.12 , ≤ 6.13.* (semver) Unaffected: 6.14.3 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:56:22.007Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/arm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07476e0d932afc53c05468076393ac35d0b4999e",
"status": "affected",
"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
"versionType": "git"
},
{
"lessThan": "5085e02362b9948f82fceca979b8f8e12acb1cc5",
"status": "affected",
"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
"versionType": "git"
},
{
"lessThan": "c322789613407647a05ff5c451a7bf545fb34e73",
"status": "affected",
"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
"versionType": "git"
},
{
"lessThan": "2480326eba8ae9ccc5e4c3c2dc8d407db68e3c52",
"status": "affected",
"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
"versionType": "git"
},
{
"lessThan": "f1e9087abaeedec9bf2894a282ee4f0d8383f299",
"status": "affected",
"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
"versionType": "git"
},
{
"lessThan": "250f25367b58d8c65a1b060a2dda037eea09a672",
"status": "affected",
"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/arm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.135",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.88",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.24",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.12",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.3",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Tear down vGIC on failed vCPU creation\n\nIf kvm_arch_vcpu_create() fails to share the vCPU page with the\nhypervisor, we propagate the error back to the ioctl but leave the\nvGIC vCPU data initialised. Note only does this leak the corresponding\nmemory when the vCPU is destroyed but it can also lead to use-after-free\nif the redistributor device handling tries to walk into the vCPU.\n\nAdd the missing cleanup to kvm_arch_vcpu_create(), ensuring that the\nvGIC vCPU structures are destroyed on error."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:16:17.878Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07476e0d932afc53c05468076393ac35d0b4999e"
},
{
"url": "https://git.kernel.org/stable/c/5085e02362b9948f82fceca979b8f8e12acb1cc5"
},
{
"url": "https://git.kernel.org/stable/c/c322789613407647a05ff5c451a7bf545fb34e73"
},
{
"url": "https://git.kernel.org/stable/c/2480326eba8ae9ccc5e4c3c2dc8d407db68e3c52"
},
{
"url": "https://git.kernel.org/stable/c/f1e9087abaeedec9bf2894a282ee4f0d8383f299"
},
{
"url": "https://git.kernel.org/stable/c/250f25367b58d8c65a1b060a2dda037eea09a672"
}
],
"title": "KVM: arm64: Tear down vGIC on failed vCPU creation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37849",
"datePublished": "2025-05-09T06:41:56.874Z",
"dateReserved": "2025-04-16T04:51:23.954Z",
"dateUpdated": "2026-05-11T21:16:17.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38022 (GCVE-0-2025-38022)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:28 – Updated: 2026-06-11 17:53
VLAI
EPSS
Title
RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
strlen+0x93/0xa0 lib/string.c:420
__fortify_strlen include/linux/fortify-string.h:268 [inline]
get_kobj_path_length lib/kobject.c:118 [inline]
kobject_get_path+0x3f/0x2a0 lib/kobject.c:158
kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545
ib_register_device drivers/infiniband/core/device.c:1472 [inline]
ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393
rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552
rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550
rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225
nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796
rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195
rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450
netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339
netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg net/socket.c:727 [inline]
____sys_sendmsg+0xa95/0xc70 net/socket.c:2566
___sys_sendmsg+0x134/0x1d0 net/socket.c:2620
__sys_sendmsg+0x16d/0x220 net/socket.c:2652
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
This problem is similar to the problem that the
commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name")
fixes.
The root cause is: the function ib_device_rename() renames the name with
lock. But in the function kobject_uevent(), this name is accessed without
lock protection at the same time.
The solution is to add the lock protection when this name is accessed in
the function kobject_uevent().
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
53e9a5a692f839780084ad81dbd461ec917f74f7 , < ba467b6870ea2a73590478d9612d6ea1dcdd68b7
(git)
Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < 5629064f92f0de6d6b3572055cd35361c3ad953c (git) Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < 312dae3499106ec8cb7442ada12be080aa9fbc3b (git) Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < 17d3103325e891e10994e7aa28d12bea04dc2c60 (git) Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < 10c7f1c647da3b77ef8827d974a97b6530b64df0 (git) Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < 03df57ad4b0ff9c5a93ff981aba0b42578ad1571 (git) Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < d0706bfd3ee40923c001c6827b786a309e2a8713 (git) Affected: 9b54e31fd08f8d8db507d021c88e760d5f8e4640 (git) Affected: 5.10.4 , < 5.10.248 (semver) Affected: 5.4.86 , < 5.5 (semver) |
|
| Linux | Linux |
Affected:
5.11
Unaffected: 0 , < 5.11 (semver) Unaffected: 5.10.248 , ≤ 5.10.* (semver) Unaffected: 5.15.198 , ≤ 5.15.* (semver) Unaffected: 6.1.160 , ≤ 6.1.* (semver) Unaffected: 6.6.120 , ≤ 6.6.* (semver) Unaffected: 6.12.30 , ≤ 6.12.* (semver) Unaffected: 6.14.8 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-38022",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:23.842559Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T17:53:38.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba467b6870ea2a73590478d9612d6ea1dcdd68b7",
"status": "affected",
"version": "53e9a5a692f839780084ad81dbd461ec917f74f7",
"versionType": "git"
},
{
"lessThan": "5629064f92f0de6d6b3572055cd35361c3ad953c",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "312dae3499106ec8cb7442ada12be080aa9fbc3b",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "17d3103325e891e10994e7aa28d12bea04dc2c60",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "10c7f1c647da3b77ef8827d974a97b6530b64df0",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "03df57ad4b0ff9c5a93ff981aba0b42578ad1571",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "d0706bfd3ee40923c001c6827b786a309e2a8713",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"status": "affected",
"version": "9b54e31fd08f8d8db507d021c88e760d5f8e4640",
"versionType": "git"
},
{
"lessThan": "5.10.248",
"status": "affected",
"version": "5.10.4",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.86",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.30",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.8",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.86",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem\n\nCall Trace:\n\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n strlen+0x93/0xa0 lib/string.c:420\n __fortify_strlen include/linux/fortify-string.h:268 [inline]\n get_kobj_path_length lib/kobject.c:118 [inline]\n kobject_get_path+0x3f/0x2a0 lib/kobject.c:158\n kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545\n ib_register_device drivers/infiniband/core/device.c:1472 [inline]\n ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393\n rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552\n rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550\n rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225\n nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796\n rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195\n rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450\n netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339\n netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg net/socket.c:727 [inline]\n ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620\n __sys_sendmsg+0x16d/0x220 net/socket.c:2652\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis problem is similar to the problem that the\ncommit 1d6a9e7449e2 (\"RDMA/core: Fix use-after-free when rename device name\")\nfixes.\n\nThe root cause is: the function ib_device_rename() renames the name with\nlock. But in the function kobject_uevent(), this name is accessed without\nlock protection at the same time.\n\nThe solution is to add the lock protection when this name is accessed in\nthe function kobject_uevent()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:58:50.665Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba467b6870ea2a73590478d9612d6ea1dcdd68b7"
},
{
"url": "https://git.kernel.org/stable/c/5629064f92f0de6d6b3572055cd35361c3ad953c"
},
{
"url": "https://git.kernel.org/stable/c/312dae3499106ec8cb7442ada12be080aa9fbc3b"
},
{
"url": "https://git.kernel.org/stable/c/17d3103325e891e10994e7aa28d12bea04dc2c60"
},
{
"url": "https://git.kernel.org/stable/c/10c7f1c647da3b77ef8827d974a97b6530b64df0"
},
{
"url": "https://git.kernel.org/stable/c/03df57ad4b0ff9c5a93ff981aba0b42578ad1571"
},
{
"url": "https://git.kernel.org/stable/c/d0706bfd3ee40923c001c6827b786a309e2a8713"
}
],
"title": "RDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38022",
"datePublished": "2025-06-18T09:28:29.218Z",
"dateReserved": "2025-04-16T04:51:23.977Z",
"dateUpdated": "2026-06-11T17:53:38.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38234 (GCVE-0-2025-38234)
Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-11 21:23
VLAI
EPSS
Title
sched/rt: Fix race in push_rt_task
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/rt: Fix race in push_rt_task
Overview
========
When a CPU chooses to call push_rt_task and picks a task to push to
another CPU's runqueue then it will call find_lock_lowest_rq method
which would take a double lock on both CPUs' runqueues. If one of the
locks aren't readily available, it may lead to dropping the current
runqueue lock and reacquiring both the locks at once. During this window
it is possible that the task is already migrated and is running on some
other CPU. These cases are already handled. However, if the task is
migrated and has already been executed and another CPU is now trying to
wake it up (ttwu) such that it is queued again on the runqeue
(on_rq is 1) and also if the task was run by the same CPU, then the
current checks will pass even though the task was migrated out and is no
longer in the pushable tasks list.
Crashes
=======
This bug resulted in quite a few flavors of crashes triggering kernel
panics with various crash signatures such as assert failures, page
faults, null pointer dereferences, and queue corruption errors all
coming from scheduler itself.
Some of the crashes:
-> kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx >= MAX_RT_PRIO)
Call Trace:
? __die_body+0x1a/0x60
? die+0x2a/0x50
? do_trap+0x85/0x100
? pick_next_task_rt+0x6e/0x1d0
? do_error_trap+0x64/0xa0
? pick_next_task_rt+0x6e/0x1d0
? exc_invalid_op+0x4c/0x60
? pick_next_task_rt+0x6e/0x1d0
? asm_exc_invalid_op+0x12/0x20
? pick_next_task_rt+0x6e/0x1d0
__schedule+0x5cb/0x790
? update_ts_time_stats+0x55/0x70
schedule_idle+0x1e/0x40
do_idle+0x15e/0x200
cpu_startup_entry+0x19/0x20
start_secondary+0x117/0x160
secondary_startup_64_no_verify+0xb0/0xbb
-> BUG: kernel NULL pointer dereference, address: 00000000000000c0
Call Trace:
? __die_body+0x1a/0x60
? no_context+0x183/0x350
? __warn+0x8a/0xe0
? exc_page_fault+0x3d6/0x520
? asm_exc_page_fault+0x1e/0x30
? pick_next_task_rt+0xb5/0x1d0
? pick_next_task_rt+0x8c/0x1d0
__schedule+0x583/0x7e0
? update_ts_time_stats+0x55/0x70
schedule_idle+0x1e/0x40
do_idle+0x15e/0x200
cpu_startup_entry+0x19/0x20
start_secondary+0x117/0x160
secondary_startup_64_no_verify+0xb0/0xbb
-> BUG: unable to handle page fault for address: ffff9464daea5900
kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq->cpu != task_cpu(p))
-> kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq->nr_running)
Call Trace:
? __die_body+0x1a/0x60
? die+0x2a/0x50
? do_trap+0x85/0x100
? dequeue_top_rt_rq+0xa2/0xb0
? do_error_trap+0x64/0xa0
? dequeue_top_rt_rq+0xa2/0xb0
? exc_invalid_op+0x4c/0x60
? dequeue_top_rt_rq+0xa2/0xb0
? asm_exc_invalid_op+0x12/0x20
? dequeue_top_rt_rq+0xa2/0xb0
dequeue_rt_entity+0x1f/0x70
dequeue_task_rt+0x2d/0x70
__schedule+0x1a8/0x7e0
? blk_finish_plug+0x25/0x40
schedule+0x3c/0xb0
futex_wait_queue_me+0xb6/0x120
futex_wait+0xd9/0x240
do_futex+0x344/0xa90
? get_mm_exe_file+0x30/0x60
? audit_exe_compare+0x58/0x70
? audit_filter_rules.constprop.26+0x65e/0x1220
__x64_sys_futex+0x148/0x1f0
do_syscall_64+0x30/0x80
entry_SYSCALL_64_after_hwframe+0x62/0xc7
-> BUG: unable to handle page fault for address: ffff8cf3608bc2c0
Call Trace:
? __die_body+0x1a/0x60
? no_context+0x183/0x350
? spurious_kernel_fault+0x171/0x1c0
? exc_page_fault+0x3b6/0x520
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? asm_exc_page_fault+0x1e/0x30
? _cond_resched+0x15/0x30
? futex_wait_queue_me+0xc8/0x120
? futex_wait+0xd9/0x240
? try_to_wake_up+0x1b8/0x490
? futex_wake+0x78/0x160
? do_futex+0xcd/0xa90
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? plist_del+0x6a/0xd0
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? dequeue_pushable_task+0x20/0x70
? __schedule+0x382/0x7e0
? asm_sysvec_reschedule_i
---truncated---
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e8fa136262e1121288bb93befe2295928ffd240d , < 9f6022b2573ae068793810db719e131df3ded405
(git)
Affected: e8fa136262e1121288bb93befe2295928ffd240d , < debfbc047196df1f6bfd52f2d028c21dce67f0de (git) Affected: e8fa136262e1121288bb93befe2295928ffd240d , < 07ecabfbca64f4f0b6071cf96e49d162fa9d138d (git) Affected: e8fa136262e1121288bb93befe2295928ffd240d , < 690e47d1403e90b7f2366f03b52ed3304194c793 (git) |
|
| Linux | Linux |
Affected:
2.6.25
Unaffected: 0 , < 2.6.25 (semver) Unaffected: 6.6.124 , ≤ 6.6.* (semver) Unaffected: 6.12.64 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/rt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9f6022b2573ae068793810db719e131df3ded405",
"status": "affected",
"version": "e8fa136262e1121288bb93befe2295928ffd240d",
"versionType": "git"
},
{
"lessThan": "debfbc047196df1f6bfd52f2d028c21dce67f0de",
"status": "affected",
"version": "e8fa136262e1121288bb93befe2295928ffd240d",
"versionType": "git"
},
{
"lessThan": "07ecabfbca64f4f0b6071cf96e49d162fa9d138d",
"status": "affected",
"version": "e8fa136262e1121288bb93befe2295928ffd240d",
"versionType": "git"
},
{
"lessThan": "690e47d1403e90b7f2366f03b52ed3304194c793",
"status": "affected",
"version": "e8fa136262e1121288bb93befe2295928ffd240d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/rt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/rt: Fix race in push_rt_task\n\nOverview\n========\nWhen a CPU chooses to call push_rt_task and picks a task to push to\nanother CPU\u0027s runqueue then it will call find_lock_lowest_rq method\nwhich would take a double lock on both CPUs\u0027 runqueues. If one of the\nlocks aren\u0027t readily available, it may lead to dropping the current\nrunqueue lock and reacquiring both the locks at once. During this window\nit is possible that the task is already migrated and is running on some\nother CPU. These cases are already handled. However, if the task is\nmigrated and has already been executed and another CPU is now trying to\nwake it up (ttwu) such that it is queued again on the runqeue\n(on_rq is 1) and also if the task was run by the same CPU, then the\ncurrent checks will pass even though the task was migrated out and is no\nlonger in the pushable tasks list.\n\nCrashes\n=======\nThis bug resulted in quite a few flavors of crashes triggering kernel\npanics with various crash signatures such as assert failures, page\nfaults, null pointer dereferences, and queue corruption errors all\ncoming from scheduler itself.\n\nSome of the crashes:\n-\u003e kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx \u003e= MAX_RT_PRIO)\n Call Trace:\n ? __die_body+0x1a/0x60\n ? die+0x2a/0x50\n ? do_trap+0x85/0x100\n ? pick_next_task_rt+0x6e/0x1d0\n ? do_error_trap+0x64/0xa0\n ? pick_next_task_rt+0x6e/0x1d0\n ? exc_invalid_op+0x4c/0x60\n ? pick_next_task_rt+0x6e/0x1d0\n ? asm_exc_invalid_op+0x12/0x20\n ? pick_next_task_rt+0x6e/0x1d0\n __schedule+0x5cb/0x790\n ? update_ts_time_stats+0x55/0x70\n schedule_idle+0x1e/0x40\n do_idle+0x15e/0x200\n cpu_startup_entry+0x19/0x20\n start_secondary+0x117/0x160\n secondary_startup_64_no_verify+0xb0/0xbb\n\n-\u003e BUG: kernel NULL pointer dereference, address: 00000000000000c0\n Call Trace:\n ? __die_body+0x1a/0x60\n ? no_context+0x183/0x350\n ? __warn+0x8a/0xe0\n ? exc_page_fault+0x3d6/0x520\n ? asm_exc_page_fault+0x1e/0x30\n ? pick_next_task_rt+0xb5/0x1d0\n ? pick_next_task_rt+0x8c/0x1d0\n __schedule+0x583/0x7e0\n ? update_ts_time_stats+0x55/0x70\n schedule_idle+0x1e/0x40\n do_idle+0x15e/0x200\n cpu_startup_entry+0x19/0x20\n start_secondary+0x117/0x160\n secondary_startup_64_no_verify+0xb0/0xbb\n\n-\u003e BUG: unable to handle page fault for address: ffff9464daea5900\n kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq-\u003ecpu != task_cpu(p))\n\n-\u003e kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq-\u003enr_running)\n Call Trace:\n ? __die_body+0x1a/0x60\n ? die+0x2a/0x50\n ? do_trap+0x85/0x100\n ? dequeue_top_rt_rq+0xa2/0xb0\n ? do_error_trap+0x64/0xa0\n ? dequeue_top_rt_rq+0xa2/0xb0\n ? exc_invalid_op+0x4c/0x60\n ? dequeue_top_rt_rq+0xa2/0xb0\n ? asm_exc_invalid_op+0x12/0x20\n ? dequeue_top_rt_rq+0xa2/0xb0\n dequeue_rt_entity+0x1f/0x70\n dequeue_task_rt+0x2d/0x70\n __schedule+0x1a8/0x7e0\n ? blk_finish_plug+0x25/0x40\n schedule+0x3c/0xb0\n futex_wait_queue_me+0xb6/0x120\n futex_wait+0xd9/0x240\n do_futex+0x344/0xa90\n ? get_mm_exe_file+0x30/0x60\n ? audit_exe_compare+0x58/0x70\n ? audit_filter_rules.constprop.26+0x65e/0x1220\n __x64_sys_futex+0x148/0x1f0\n do_syscall_64+0x30/0x80\n entry_SYSCALL_64_after_hwframe+0x62/0xc7\n\n-\u003e BUG: unable to handle page fault for address: ffff8cf3608bc2c0\n Call Trace:\n ? __die_body+0x1a/0x60\n ? no_context+0x183/0x350\n ? spurious_kernel_fault+0x171/0x1c0\n ? exc_page_fault+0x3b6/0x520\n ? plist_check_list+0x15/0x40\n ? plist_check_list+0x2e/0x40\n ? asm_exc_page_fault+0x1e/0x30\n ? _cond_resched+0x15/0x30\n ? futex_wait_queue_me+0xc8/0x120\n ? futex_wait+0xd9/0x240\n ? try_to_wake_up+0x1b8/0x490\n ? futex_wake+0x78/0x160\n ? do_futex+0xcd/0xa90\n ? plist_check_list+0x15/0x40\n ? plist_check_list+0x2e/0x40\n ? plist_del+0x6a/0xd0\n ? plist_check_list+0x15/0x40\n ? plist_check_list+0x2e/0x40\n ? dequeue_pushable_task+0x20/0x70\n ? __schedule+0x382/0x7e0\n ? asm_sysvec_reschedule_i\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:23:49.953Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9f6022b2573ae068793810db719e131df3ded405"
},
{
"url": "https://git.kernel.org/stable/c/debfbc047196df1f6bfd52f2d028c21dce67f0de"
},
{
"url": "https://git.kernel.org/stable/c/07ecabfbca64f4f0b6071cf96e49d162fa9d138d"
},
{
"url": "https://git.kernel.org/stable/c/690e47d1403e90b7f2366f03b52ed3304194c793"
}
],
"title": "sched/rt: Fix race in push_rt_task",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38234",
"datePublished": "2025-07-04T13:37:46.960Z",
"dateReserved": "2025-04-16T04:51:23.996Z",
"dateUpdated": "2026-05-11T21:23:49.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40019 (GCVE-0-2025-40019)
Vulnerability from cvelistv5 – Published: 2025-10-24 11:44 – Updated: 2026-05-11 21:40
VLAI
EPSS
Title
crypto: essiv - Check ssize for decryption and in-place encryption
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: essiv - Check ssize for decryption and in-place encryption
Move the ssize check to the start in essiv_aead_crypt so that
it's also checked for decryption and in-place encryption.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < 29294dd6f1e7acf527255fb136ffde6602c3a129
(git)
Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < 71f03f8f72d9c70ffba76980e78b38c180e61589 (git) Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < df58651968f82344a0ed2afdafd20ecfc55ff548 (git) Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < 248ff2797ff52a8cbf86507f9583437443bf7685 (git) Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < f37e7860dc5e94c70b4a3e38a5809181310ea9ac (git) Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < dc4c854a5e7453c465fa73b153eba4ef2a240abe (git) Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < da7afb01ba05577ba3629f7f4824205550644986 (git) Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < 6bb73db6948c2de23e407fe1b7ef94bf02b7529f (git) |
|
| Linux | Linux |
Affected:
5.4
Unaffected: 0 , < 5.4 (semver) Unaffected: 5.4.301 , ≤ 5.4.* (semver) Unaffected: 5.10.246 , ≤ 5.10.* (semver) Unaffected: 5.15.195 , ≤ 5.15.* (semver) Unaffected: 6.1.157 , ≤ 6.1.* (semver) Unaffected: 6.6.113 , ≤ 6.6.* (semver) Unaffected: 6.12.54 , ≤ 6.12.* (semver) Unaffected: 6.17.4 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/essiv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29294dd6f1e7acf527255fb136ffde6602c3a129",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "71f03f8f72d9c70ffba76980e78b38c180e61589",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "df58651968f82344a0ed2afdafd20ecfc55ff548",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "248ff2797ff52a8cbf86507f9583437443bf7685",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "f37e7860dc5e94c70b4a3e38a5809181310ea9ac",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "dc4c854a5e7453c465fa73b153eba4ef2a240abe",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "da7afb01ba05577ba3629f7f4824205550644986",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "6bb73db6948c2de23e407fe1b7ef94bf02b7529f",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/essiv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: essiv - Check ssize for decryption and in-place encryption\n\nMove the ssize check to the start in essiv_aead_crypt so that\nit\u0027s also checked for decryption and in-place encryption."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:40:54.499Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29294dd6f1e7acf527255fb136ffde6602c3a129"
},
{
"url": "https://git.kernel.org/stable/c/71f03f8f72d9c70ffba76980e78b38c180e61589"
},
{
"url": "https://git.kernel.org/stable/c/df58651968f82344a0ed2afdafd20ecfc55ff548"
},
{
"url": "https://git.kernel.org/stable/c/248ff2797ff52a8cbf86507f9583437443bf7685"
},
{
"url": "https://git.kernel.org/stable/c/f37e7860dc5e94c70b4a3e38a5809181310ea9ac"
},
{
"url": "https://git.kernel.org/stable/c/dc4c854a5e7453c465fa73b153eba4ef2a240abe"
},
{
"url": "https://git.kernel.org/stable/c/da7afb01ba05577ba3629f7f4824205550644986"
},
{
"url": "https://git.kernel.org/stable/c/6bb73db6948c2de23e407fe1b7ef94bf02b7529f"
}
],
"title": "crypto: essiv - Check ssize for decryption and in-place encryption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40019",
"datePublished": "2025-10-24T11:44:29.864Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2026-05-11T21:40:54.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40164 (GCVE-0-2025-40164)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:26 – Updated: 2026-06-19 11:57
VLAI
EPSS
Title
usbnet: Fix using smp_processor_id() in preemptible code warnings
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Fix using smp_processor_id() in preemptible code warnings
Syzbot reported the following warning:
BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879
caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49
usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708
usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417
__dev_set_mtu net/core/dev.c:9443 [inline]
netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496
netif_set_mtu+0xb0/0x160 net/core/dev.c:9520
dev_set_mtu+0xae/0x170 net/core/dev_api.c:247
dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572
dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821
sock_do_ioctl+0x19d/0x280 net/socket.c:1204
sock_ioctl+0x42f/0x6a0 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
For historical and portability reasons, the netif_rx() is usually
run in the softirq or interrupt context, this commit therefore add
local_bh_disable/enable() protection in the usbnet_resume_rx().
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < 6635e52bc4165793aefd686962d912d73d323afe
(git)
Affected: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < 65d04291adf7c59338f87aab9c6fe0bfa9993e64 (git) Affected: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < f45fffae5e2549bd0a4670cc52a15ad54c9f121e (git) Affected: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < 17fbad93879e87a334062882b45fa727ba1b3dd7 (git) Affected: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < d1944bab8e0c1511f0cbf364aa06547735bb0ddb (git) Affected: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < 0134c7bff14bd50314a4f92b182850ddfc38e255 (git) Affected: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < 327cd4b68b4398b6c24f10eb2b2533ffbfc10185 (git) |
|
| Linux | Linux |
Affected:
4.7
Unaffected: 0 , < 4.7 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.199 , ≤ 5.15.* (semver) Unaffected: 6.1.162 , ≤ 6.1.* (semver) Unaffected: 6.6.122 , ≤ 6.6.* (semver) Unaffected: 6.12.64 , ≤ 6.12.* (semver) Unaffected: 6.17.5 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-40164",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:05.458823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:19.209Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6635e52bc4165793aefd686962d912d73d323afe",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "65d04291adf7c59338f87aab9c6fe0bfa9993e64",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "f45fffae5e2549bd0a4670cc52a15ad54c9f121e",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "17fbad93879e87a334062882b45fa727ba1b3dd7",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "d1944bab8e0c1511f0cbf364aa06547735bb0ddb",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "0134c7bff14bd50314a4f92b182850ddfc38e255",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "327cd4b68b4398b6c24f10eb2b2533ffbfc10185",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Fix using smp_processor_id() in preemptible code warnings\n\nSyzbot reported the following warning:\n\nBUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879\ncaller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331\nCPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49\n usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331\n usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708\n usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417\n __dev_set_mtu net/core/dev.c:9443 [inline]\n netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496\n netif_set_mtu+0xb0/0x160 net/core/dev.c:9520\n dev_set_mtu+0xae/0x170 net/core/dev_api.c:247\n dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572\n dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821\n sock_do_ioctl+0x19d/0x280 net/socket.c:1204\n sock_ioctl+0x42f/0x6a0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFor historical and portability reasons, the netif_rx() is usually\nrun in the softirq or interrupt context, this commit therefore add\nlocal_bh_disable/enable() protection in the usbnet_resume_rx()."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:57:22.439Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6635e52bc4165793aefd686962d912d73d323afe"
},
{
"url": "https://git.kernel.org/stable/c/65d04291adf7c59338f87aab9c6fe0bfa9993e64"
},
{
"url": "https://git.kernel.org/stable/c/f45fffae5e2549bd0a4670cc52a15ad54c9f121e"
},
{
"url": "https://git.kernel.org/stable/c/17fbad93879e87a334062882b45fa727ba1b3dd7"
},
{
"url": "https://git.kernel.org/stable/c/d1944bab8e0c1511f0cbf364aa06547735bb0ddb"
},
{
"url": "https://git.kernel.org/stable/c/0134c7bff14bd50314a4f92b182850ddfc38e255"
},
{
"url": "https://git.kernel.org/stable/c/327cd4b68b4398b6c24f10eb2b2533ffbfc10185"
}
],
"title": "usbnet: Fix using smp_processor_id() in preemptible code warnings",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40164",
"datePublished": "2025-11-12T10:26:23.482Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2026-06-19T11:57:22.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40215 (GCVE-0-2025-40215)
Vulnerability from cvelistv5 – Published: 2025-12-04 12:38 – Updated: 2026-06-16 19:56
VLAI
EPSS
Title
xfrm: delete x->tunnel as we delete x
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: delete x->tunnel as we delete x
The ipcomp fallback tunnels currently get deleted (from the various
lists and hashtables) as the last user state that needed that fallback
is destroyed (not deleted). If a reference to that user state still
exists, the fallback state will remain on the hashtables/lists,
triggering the WARN in xfrm_state_fini. Because of those remaining
references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state
synchronously on net exit path") is not complete.
We recently fixed one such situation in TCP due to defered freeing of
skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we
currently drop dst")). This can also happen due to IP reassembly: skbs
with a secpath remain on the reassembly queue until netns
destruction. If we can't guarantee that the queues are flushed by the
time xfrm_state_fini runs, there may still be references to a (user)
xfrm_state, preventing the timely deletion of the corresponding
fallback state.
Instead of chasing each instance of skbs holding a secpath one by one,
this patch fixes the issue directly within xfrm, by deleting the
fallback state as soon as the last user state depending on it has been
deleted. Destruction will still happen when the final reference is
dropped.
A separate lockdep class for the fallback state is required since
we're going to lock x->tunnel while x is locked.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < 1b28a7fae0128fa140a7dccd995182ff6cd1c67b
(git)
Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < 4b2c17d0f9be8b58bb30468bc81a4b61c985b04e (git) Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < 0da961fa46da1b37ef868d9b603bd202136f8f8e (git) Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < d0e0d1097118461463b76562c7ebaabaa5b90b13 (git) Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < dc3636912d41770466543623cb76e7b88fdb42c7 (git) Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < b441cf3f8c4b8576639d20c8eb4aa32917602ecd (git) |
|
| Linux | Linux |
Affected:
2.6.29
Unaffected: 0 , < 2.6.29 (semver) Unaffected: 5.10.248 , ≤ 5.10.* (semver) Unaffected: 5.15.198 , ≤ 5.15.* (semver) Unaffected: 6.1.160 , ≤ 6.1.* (semver) Unaffected: 6.6.120 , ≤ 6.6.* (semver) Unaffected: 6.12.62 , ≤ 6.12.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-40215",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:56:10.578142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:56:19.286Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/xfrm.h",
"net/ipv4/ipcomp.c",
"net/ipv6/ipcomp6.c",
"net/ipv6/xfrm6_tunnel.c",
"net/xfrm/xfrm_ipcomp.c",
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b28a7fae0128fa140a7dccd995182ff6cd1c67b",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "4b2c17d0f9be8b58bb30468bc81a4b61c985b04e",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "0da961fa46da1b37ef868d9b603bd202136f8f8e",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "d0e0d1097118461463b76562c7ebaabaa5b90b13",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "dc3636912d41770466543623cb76e7b88fdb42c7",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "b441cf3f8c4b8576639d20c8eb4aa32917602ecd",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/xfrm.h",
"net/ipv4/ipcomp.c",
"net/ipv6/ipcomp6.c",
"net/ipv6/xfrm6_tunnel.c",
"net/xfrm/xfrm_ipcomp.c",
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: delete x-\u003etunnel as we delete x\n\nThe ipcomp fallback tunnels currently get deleted (from the various\nlists and hashtables) as the last user state that needed that fallback\nis destroyed (not deleted). If a reference to that user state still\nexists, the fallback state will remain on the hashtables/lists,\ntriggering the WARN in xfrm_state_fini. Because of those remaining\nreferences, the fix in commit f75a2804da39 (\"xfrm: destroy xfrm_state\nsynchronously on net exit path\") is not complete.\n\nWe recently fixed one such situation in TCP due to defered freeing of\nskbs (commit 9b6412e6979f (\"tcp: drop secpath at the same time as we\ncurrently drop dst\")). This can also happen due to IP reassembly: skbs\nwith a secpath remain on the reassembly queue until netns\ndestruction. If we can\u0027t guarantee that the queues are flushed by the\ntime xfrm_state_fini runs, there may still be references to a (user)\nxfrm_state, preventing the timely deletion of the corresponding\nfallback state.\n\nInstead of chasing each instance of skbs holding a secpath one by one,\nthis patch fixes the issue directly within xfrm, by deleting the\nfallback state as soon as the last user state depending on it has been\ndeleted. Destruction will still happen when the final reference is\ndropped.\n\nA separate lockdep class for the fallback state is required since\nwe\u0027re going to lock x-\u003etunnel while x is locked."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:44:59.604Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b28a7fae0128fa140a7dccd995182ff6cd1c67b"
},
{
"url": "https://git.kernel.org/stable/c/4b2c17d0f9be8b58bb30468bc81a4b61c985b04e"
},
{
"url": "https://git.kernel.org/stable/c/0da961fa46da1b37ef868d9b603bd202136f8f8e"
},
{
"url": "https://git.kernel.org/stable/c/d0e0d1097118461463b76562c7ebaabaa5b90b13"
},
{
"url": "https://git.kernel.org/stable/c/dc3636912d41770466543623cb76e7b88fdb42c7"
},
{
"url": "https://git.kernel.org/stable/c/b441cf3f8c4b8576639d20c8eb4aa32917602ecd"
}
],
"title": "xfrm: delete x-\u003etunnel as we delete x",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40215",
"datePublished": "2025-12-04T12:38:32.517Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2026-06-16T19:56:19.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40325 (GCVE-0-2025-40325)
Vulnerability from cvelistv5 – Published: 2025-04-18 07:01 – Updated: 2026-05-23 16:02
VLAI
EPSS
Title
md/raid10: wait barrier before returning discard request with REQ_NOWAIT
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid10: wait barrier before returning discard request with REQ_NOWAIT
raid10_handle_discard should wait barrier before returning a discard bio
which has REQ_NOWAIT. And there is no need to print warning calltrace
if a discard bio has REQ_NOWAIT flag. Quality engineer usually checks
dmesg and reports error if dmesg has warning/error calltrace.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c9aa889b035fca4598ae985a0f0c76ebbb547ad2 , < 31ff67982c5fa39c0093b9d9f429fef91c2494b7
(git)
Affected: c9aa889b035fca4598ae985a0f0c76ebbb547ad2 , < 31d3156efe909b53ba174861a3da880c688f5edc (git) Affected: c9aa889b035fca4598ae985a0f0c76ebbb547ad2 , < 3db4404435397a345431b45f57876a3df133f3b4 (git) Affected: 39db562b3fedb93978a7e42dd216b306740959f8 (git) Affected: 5.15.111 , < 5.16 (semver) |
|
| Linux | Linux |
Affected:
5.17
Unaffected: 0 , < 5.17 (semver) Unaffected: 6.12.64 , ≤ 6.12.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31ff67982c5fa39c0093b9d9f429fef91c2494b7",
"status": "affected",
"version": "c9aa889b035fca4598ae985a0f0c76ebbb547ad2",
"versionType": "git"
},
{
"lessThan": "31d3156efe909b53ba174861a3da880c688f5edc",
"status": "affected",
"version": "c9aa889b035fca4598ae985a0f0c76ebbb547ad2",
"versionType": "git"
},
{
"lessThan": "3db4404435397a345431b45f57876a3df133f3b4",
"status": "affected",
"version": "c9aa889b035fca4598ae985a0f0c76ebbb547ad2",
"versionType": "git"
},
{
"status": "affected",
"version": "39db562b3fedb93978a7e42dd216b306740959f8",
"versionType": "git"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.111",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.111",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: wait barrier before returning discard request with REQ_NOWAIT\n\nraid10_handle_discard should wait barrier before returning a discard bio\nwhich has REQ_NOWAIT. And there is no need to print warning calltrace\nif a discard bio has REQ_NOWAIT flag. Quality engineer usually checks\ndmesg and reports error if dmesg has warning/error calltrace."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:09.589Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31ff67982c5fa39c0093b9d9f429fef91c2494b7"
},
{
"url": "https://git.kernel.org/stable/c/31d3156efe909b53ba174861a3da880c688f5edc"
},
{
"url": "https://git.kernel.org/stable/c/3db4404435397a345431b45f57876a3df133f3b4"
}
],
"title": "md/raid10: wait barrier before returning discard request with REQ_NOWAIT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40325",
"datePublished": "2025-04-18T07:01:41.619Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-05-23T16:02:09.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…