CVE-2024-56758 (GCVE-0-2024-56758)

Vulnerability from cvelistv5 – Published: 2025-01-06 16:20 – Updated: 2026-05-23 15:56
VLAI
Title
btrfs: check folio mapping after unlock in relocate_one_folio()
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: check folio mapping after unlock in relocate_one_folio() When we call btrfs_read_folio() to bring a folio uptodate, we unlock the folio. The result of that is that a different thread can modify the mapping (like remove it with invalidate) before we call folio_lock(). This results in an invalid page and we need to try again. In particular, if we are relocating concurrently with aborting a transaction, this can result in a crash like the following: BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 76 PID: 1411631 Comm: kworker/u322:5 Workqueue: events_unbound btrfs_reclaim_bgs_work RIP: 0010:set_page_extent_mapped+0x20/0xb0 RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246 RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880 RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0 R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000 R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff FS: 0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die+0x78/0xc0 ? page_fault_oops+0x2a8/0x3a0 ? __switch_to+0x133/0x530 ? wq_worker_running+0xa/0x40 ? exc_page_fault+0x63/0x130 ? asm_exc_page_fault+0x22/0x30 ? set_page_extent_mapped+0x20/0xb0 relocate_file_extent_cluster+0x1a7/0x940 relocate_data_extent+0xaf/0x120 relocate_block_group+0x20f/0x480 btrfs_relocate_block_group+0x152/0x320 btrfs_relocate_chunk+0x3d/0x120 btrfs_reclaim_bgs_work+0x2ae/0x4e0 process_scheduled_works+0x184/0x370 worker_thread+0xc6/0x3e0 ? blk_add_timer+0xb0/0xb0 kthread+0xae/0xe0 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork+0x2f/0x40 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork_asm+0x11/0x20 </TASK> This occurs because cleanup_one_transaction() calls destroy_delalloc_inodes() which calls invalidate_inode_pages2() which takes the folio_lock before setting mapping to NULL. We fail to check this, and subsequently call set_extent_mapping(), which assumes that mapping != NULL (in fact it asserts that in debug mode) Note that the "fixes" patch here is not the one that introduced the race (the very first iteration of this code from 2009) but a more recent change that made this particular crash happen in practice.
Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 08daa38ca212d87f77beae839bc9be71079c7abf , < 36679fab54fa7bcffafd469e2c474c1fc4beaee0 (git)
Affected: e7f1326cc24e22b38afc3acd328480a1183f9e79 , < c7b1bd52a031ad0144d42eef0ba8471ce75122dd (git)
Affected: e7f1326cc24e22b38afc3acd328480a1183f9e79 , < d508e56270389b3a16f5b3cf247f4eb1bbad1578 (git)
Affected: e7f1326cc24e22b38afc3acd328480a1183f9e79 , < 3e74859ee35edc33a022c3f3971df066ea0ca6b9 (git)
Affected: 9d1e020ed9649cf140fcfafd052cfdcce9e9d67d (git)
Affected: 6.1.54 , < 6.1.141 (semver)
Affected: 6.5.4 , < 6.6 (semver)
Create a notification for this product.
Linux Linux Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 6.1.141 , ≤ 6.1.* (semver)
Unaffected: 6.6.93 , ≤ 6.6.* (semver)
Unaffected: 6.12.8 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:25.624Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/relocation.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "36679fab54fa7bcffafd469e2c474c1fc4beaee0",
              "status": "affected",
              "version": "08daa38ca212d87f77beae839bc9be71079c7abf",
              "versionType": "git"
            },
            {
              "lessThan": "c7b1bd52a031ad0144d42eef0ba8471ce75122dd",
              "status": "affected",
              "version": "e7f1326cc24e22b38afc3acd328480a1183f9e79",
              "versionType": "git"
            },
            {
              "lessThan": "d508e56270389b3a16f5b3cf247f4eb1bbad1578",
              "status": "affected",
              "version": "e7f1326cc24e22b38afc3acd328480a1183f9e79",
              "versionType": "git"
            },
            {
              "lessThan": "3e74859ee35edc33a022c3f3971df066ea0ca6b9",
              "status": "affected",
              "version": "e7f1326cc24e22b38afc3acd328480a1183f9e79",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9d1e020ed9649cf140fcfafd052cfdcce9e9d67d",
              "versionType": "git"
            },
            {
              "lessThan": "6.1.141",
              "status": "affected",
              "version": "6.1.54",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6",
              "status": "affected",
              "version": "6.5.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/relocation.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "6.1.54",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.8",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: check folio mapping after unlock in relocate_one_folio()\n\nWhen we call btrfs_read_folio() to bring a folio uptodate, we unlock the\nfolio. The result of that is that a different thread can modify the\nmapping (like remove it with invalidate) before we call folio_lock().\nThis results in an invalid page and we need to try again.\n\nIn particular, if we are relocating concurrently with aborting a\ntransaction, this can result in a crash like the following:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  PGD 0 P4D 0\n  Oops: 0000 [#1] SMP\n  CPU: 76 PID: 1411631 Comm: kworker/u322:5\n  Workqueue: events_unbound btrfs_reclaim_bgs_work\n  RIP: 0010:set_page_extent_mapped+0x20/0xb0\n  RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246\n  RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000\n  RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880\n  RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0\n  R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000\n  R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff\n  FS:  0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  PKRU: 55555554\n  Call Trace:\n  \u003cTASK\u003e\n  ? __die+0x78/0xc0\n  ? page_fault_oops+0x2a8/0x3a0\n  ? __switch_to+0x133/0x530\n  ? wq_worker_running+0xa/0x40\n  ? exc_page_fault+0x63/0x130\n  ? asm_exc_page_fault+0x22/0x30\n  ? set_page_extent_mapped+0x20/0xb0\n  relocate_file_extent_cluster+0x1a7/0x940\n  relocate_data_extent+0xaf/0x120\n  relocate_block_group+0x20f/0x480\n  btrfs_relocate_block_group+0x152/0x320\n  btrfs_relocate_chunk+0x3d/0x120\n  btrfs_reclaim_bgs_work+0x2ae/0x4e0\n  process_scheduled_works+0x184/0x370\n  worker_thread+0xc6/0x3e0\n  ? blk_add_timer+0xb0/0xb0\n  kthread+0xae/0xe0\n  ? flush_tlb_kernel_range+0x90/0x90\n  ret_from_fork+0x2f/0x40\n  ? flush_tlb_kernel_range+0x90/0x90\n  ret_from_fork_asm+0x11/0x20\n  \u003c/TASK\u003e\n\nThis occurs because cleanup_one_transaction() calls\ndestroy_delalloc_inodes() which calls invalidate_inode_pages2() which\ntakes the folio_lock before setting mapping to NULL. We fail to check\nthis, and subsequently call set_extent_mapping(), which assumes that\nmapping != NULL (in fact it asserts that in debug mode)\n\nNote that the \"fixes\" patch here is not the one that introduced the\nrace (the very first iteration of this code from 2009) but a more recent\nchange that made this particular crash happen in practice."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:56:00.758Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/36679fab54fa7bcffafd469e2c474c1fc4beaee0"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7b1bd52a031ad0144d42eef0ba8471ce75122dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/d508e56270389b3a16f5b3cf247f4eb1bbad1578"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e74859ee35edc33a022c3f3971df066ea0ca6b9"
        }
      ],
      "title": "btrfs: check folio mapping after unlock in relocate_one_folio()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56758",
    "datePublished": "2025-01-06T16:20:38.942Z",
    "dateReserved": "2024-12-29T11:26:39.761Z",
    "dateUpdated": "2026-05-23T15:56:00.758Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-56758",
      "date": "2026-06-07",
      "epss": "0.00041",
      "percentile": "0.12637"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-56758\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-01-06T17:15:40.597\",\"lastModified\":\"2025-11-03T18:15:43.990\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: check folio mapping after unlock in relocate_one_folio()\\n\\nWhen we call btrfs_read_folio() to bring a folio uptodate, we unlock the\\nfolio. The result of that is that a different thread can modify the\\nmapping (like remove it with invalidate) before we call folio_lock().\\nThis results in an invalid page and we need to try again.\\n\\nIn particular, if we are relocating concurrently with aborting a\\ntransaction, this can result in a crash like the following:\\n\\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\\n  PGD 0 P4D 0\\n  Oops: 0000 [#1] SMP\\n  CPU: 76 PID: 1411631 Comm: kworker/u322:5\\n  Workqueue: events_unbound btrfs_reclaim_bgs_work\\n  RIP: 0010:set_page_extent_mapped+0x20/0xb0\\n  RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246\\n  RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000\\n  RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880\\n  RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0\\n  R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000\\n  R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff\\n  FS:  0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000\\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0\\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n  PKRU: 55555554\\n  Call Trace:\\n  \u003cTASK\u003e\\n  ? __die+0x78/0xc0\\n  ? page_fault_oops+0x2a8/0x3a0\\n  ? __switch_to+0x133/0x530\\n  ? wq_worker_running+0xa/0x40\\n  ? exc_page_fault+0x63/0x130\\n  ? asm_exc_page_fault+0x22/0x30\\n  ? set_page_extent_mapped+0x20/0xb0\\n  relocate_file_extent_cluster+0x1a7/0x940\\n  relocate_data_extent+0xaf/0x120\\n  relocate_block_group+0x20f/0x480\\n  btrfs_relocate_block_group+0x152/0x320\\n  btrfs_relocate_chunk+0x3d/0x120\\n  btrfs_reclaim_bgs_work+0x2ae/0x4e0\\n  process_scheduled_works+0x184/0x370\\n  worker_thread+0xc6/0x3e0\\n  ? blk_add_timer+0xb0/0xb0\\n  kthread+0xae/0xe0\\n  ? flush_tlb_kernel_range+0x90/0x90\\n  ret_from_fork+0x2f/0x40\\n  ? flush_tlb_kernel_range+0x90/0x90\\n  ret_from_fork_asm+0x11/0x20\\n  \u003c/TASK\u003e\\n\\nThis occurs because cleanup_one_transaction() calls\\ndestroy_delalloc_inodes() which calls invalidate_inode_pages2() which\\ntakes the folio_lock before setting mapping to NULL. We fail to check\\nthis, and subsequently call set_extent_mapping(), which assumes that\\nmapping != NULL (in fact it asserts that in debug mode)\\n\\nNote that the \\\"fixes\\\" patch here is not the one that introduced the\\nrace (the very first iteration of this code from 2009) but a more recent\\nchange that made this particular crash happen in practice.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: comprobar la asignaci\u00f3n de folios despu\u00e9s de desbloquear en relocate_one_folio() Cuando llamamos a btrfs_read_folio() para actualizar un folio, desbloqueamos el folio. El resultado de eso es que un hilo diferente puede modificar la asignaci\u00f3n (como eliminarla con invalidate) antes de que llamemos a folio_lock(). Esto da como resultado una p\u00e1gina no v\u00e1lida y debemos volver a intentarlo. En particular, si estamos reubicando simult\u00e1neamente y abortando una transacci\u00f3n, esto puede resultar en un bloqueo como el siguiente: ERROR: desreferencia de puntero NULL del n\u00facleo, direcci\u00f3n: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 76 PID: 1411631 Comm: kworker/u322:5 Workqueue: events_unbound btrfs_reclaim_bgs_work RIP: 0010:set_page_extent_mapped+0x20/0xb0 RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246 RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880 RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0 R10: 000000000000000 R11: 0000194754b575be R12: 0000000003572000 R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff FS: 0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 00000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Seguimiento de llamadas:  ? __die+0x78/0xc0 ? page_fault_oops+0x2a8/0x3a0 ? __switch_to+0x133/0x530 ? wq_worker_running+0xa/0x40 ? exc_page_fault+0x63/0x130 ? asm_exc_page_fault+0x22/0x30 ? blk_add_timer+0xb0/0xb0 kthread+0xae/0xe0 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork+0x2f/0x40 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork_asm+0x11/0x20  Esto ocurre porque cleanup_one_transaction() llama a destroy_delalloc_inodes() que llama a invalidate_inode_pages2() que toma el folio_lock antes de establecer mapping en NULL. No comprobamos esto y, posteriormente, llamamos a set_extent_mapping(), que supone que mapping != NULL (de hecho, lo afirma en modo de depuraci\u00f3n). Tenga en cuenta que el parche de \\\"correcciones\\\" aqu\u00ed no es el que introdujo la ejecuci\u00f3n(la primera iteraci\u00f3n de este c\u00f3digo de 2009), sino un cambio m\u00e1s reciente que hizo que este fallo en particular sucediera en la pr\u00e1ctica.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1.54\",\"versionEndExcluding\":\"6.2\",\"matchCriteriaId\":\"AF92BAD7-36C7-4B11-8CAA-5B5EFABE096A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.5.4\",\"versionEndExcluding\":\"6.12.8\",\"matchCriteriaId\":\"74FB61B2-9981-44D8-A191-6219D9D9CBCB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"62567B3C-6CEE-46D0-BC2E-B3717FBF7D13\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A073481-106D-4B15-B4C7-FB0213B8E1D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"DE491969-75AE-4A6B-9A58-8FC5AF98798F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"93C0660D-7FB8-4FBA-892A-B064BA71E49E\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/36679fab54fa7bcffafd469e2c474c1fc4beaee0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3e74859ee35edc33a022c3f3971df066ea0ca6b9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c7b1bd52a031ad0144d42eef0ba8471ce75122dd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d508e56270389b3a16f5b3cf247f4eb1bbad1578\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.