Vulnerability-Lookup

SUSE-SU-2025:01956-1

Vulnerability from csaf_suse - Published: 2025-06-13 16:04 - Updated: 2025-06-13 16:04

Summary

Security update for the Linux Kernel (Live Patch 54 for SLE 15 SP3)

Severity

Important

Notes

Title of the patch: Security update for the Linux Kernel (Live Patch 54 for SLE 15 SP3)

Description of the patch: This update for the Linux Kernel 5.3.18-150300_59_195 fixes several issues. The following security issues were fixed: - CVE-2022-49080: mm/mempolicy: fix mpol_new leak in shared_policy_replace (bsc#1238324). - CVE-2024-57996: net_sched: sch_sfq: do not allow 1 packet limit (bsc#1239077). - CVE-2022-49563: crypto: qat - add param check for RSA (bsc#1238788). - CVE-2022-49564: crypto: qat - add param check for DH (bsc#1238790).

Patchnames: SUSE-2025-1956,SUSE-SLE-Module-Live-Patching-15-SP3-2025-1956

CVE-2022-49080

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2022-49563

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2022-49564

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2024-57996

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/s…	self
	https://www.suse.com/support/update/announcement/…	self
	https://lists.suse.com/pipermail/sle-updates/2025…	self
	https://bugzilla.suse.com/1238324	self
	https://bugzilla.suse.com/1238788	self
	https://bugzilla.suse.com/1238790	self
	https://bugzilla.suse.com/1239077	self
	https://www.suse.com/security/cve/CVE-2022-49080/	self
	https://www.suse.com/security/cve/CVE-2022-49563/	self
	https://www.suse.com/security/cve/CVE-2022-49564/	self
	https://www.suse.com/security/cve/CVE-2024-57996/	self
	https://www.suse.com/security/cve/CVE-2022-49080	external
	https://bugzilla.suse.com/1238033	external
	https://bugzilla.suse.com/1238324	external
	https://www.suse.com/security/cve/CVE-2022-49563	external
	https://bugzilla.suse.com/1238787	external
	https://bugzilla.suse.com/1238788	external
	https://www.suse.com/security/cve/CVE-2022-49564	external
	https://bugzilla.suse.com/1238789	external
	https://bugzilla.suse.com/1238790	external
	https://www.suse.com/security/cve/CVE-2024-57996	external
	https://bugzilla.suse.com/1239076	external
	https://bugzilla.suse.com/1239077	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for the Linux Kernel (Live Patch 54 for SLE 15 SP3)",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for the Linux Kernel 5.3.18-150300_59_195 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2022-49080: mm/mempolicy: fix mpol_new leak in shared_policy_replace (bsc#1238324).\n- CVE-2024-57996: net_sched: sch_sfq: do not allow 1 packet limit (bsc#1239077).\n- CVE-2022-49563: crypto: qat - add param check for RSA (bsc#1238788).\n- CVE-2022-49564: crypto: qat - add param check for DH (bsc#1238790).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-1956,SUSE-SLE-Module-Live-Patching-15-SP3-2025-1956",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_01956-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:01956-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202501956-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:01956-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2025-June/040295.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1238324",
        "url": "https://bugzilla.suse.com/1238324"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1238788",
        "url": "https://bugzilla.suse.com/1238788"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1238790",
        "url": "https://bugzilla.suse.com/1238790"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1239077",
        "url": "https://bugzilla.suse.com/1239077"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-49080 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-49080/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-49563 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-49563/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-49564 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-49564/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-57996 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-57996/"
      }
    ],
    "title": "Security update for the Linux Kernel (Live Patch 54 for SLE 15 SP3)",
    "tracking": {
      "current_release_date": "2025-06-13T16:04:11Z",
      "generator": {
        "date": "2025-06-13T16:04:11Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:01956-1",
      "initial_release_date": "2025-06-13T16:04:11Z",
      "revision_history": [
        {
          "date": "2025-06-13T16:04:11Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le",
                "product": {
                  "name": "kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le",
                  "product_id": "kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x",
                "product": {
                  "name": "kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x",
                  "product_id": "kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64",
                "product": {
                  "name": "kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64",
                  "product_id": "kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_3_18-150300_59_195-preempt-2-150300.2.2.x86_64",
                "product": {
                  "name": "kernel-livepatch-5_3_18-150300_59_195-preempt-2-150300.2.2.x86_64",
                  "product_id": "kernel-livepatch-5_3_18-150300_59_195-preempt-2-150300.2.2.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Live Patching 15 SP3",
                "product": {
                  "name": "SUSE Linux Enterprise Live Patching 15 SP3",
                  "product_id": "SUSE Linux Enterprise Live Patching 15 SP3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-live-patching:15:sp3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP3",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le"
        },
        "product_reference": "kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x as component of SUSE Linux Enterprise Live Patching 15 SP3",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x"
        },
        "product_reference": "kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP3",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64"
        },
        "product_reference": "kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-49080",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-49080"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempolicy: fix mpol_new leak in shared_policy_replace\n\nIf mpol_new is allocated but not used in restart loop, mpol_new will be\nfreed via mpol_put before returning to the caller.  But refcnt is not\ninitialized yet, so mpol_put could not do the right things and might\nleak the unused mpol_new.  This would happen if mempolicy was updated on\nthe shared shmem file while the sp-\u003elock has been dropped during the\nmemory allocation.\n\nThis issue could be triggered easily with the below code snippet if\nthere are many processes doing the below work at the same time:\n\n  shmid = shmget((key_t)5566, 1024 * PAGE_SIZE, 0666|IPC_CREAT);\n  shm = shmat(shmid, 0, 0);\n  loop many times {\n    mbind(shm, 1024 * PAGE_SIZE, MPOL_LOCAL, mask, maxnode, 0);\n    mbind(shm + 128 * PAGE_SIZE, 128 * PAGE_SIZE, MPOL_DEFAULT, mask,\n          maxnode, 0);\n  }",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-49080",
          "url": "https://www.suse.com/security/cve/CVE-2022-49080"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1238033 for CVE-2022-49080",
          "url": "https://bugzilla.suse.com/1238033"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1238324 for CVE-2022-49080",
          "url": "https://bugzilla.suse.com/1238324"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-06-13T16:04:11Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-49080"
    },
    {
      "cve": "CVE-2022-49563",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-49563"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - add param check for RSA\n\nReject requests with a source buffer that is bigger than the size of the\nkey. This is to prevent a possible integer underflow that might happen\nwhen copying the source scatterlist into a linear buffer.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-49563",
          "url": "https://www.suse.com/security/cve/CVE-2022-49563"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1238787 for CVE-2022-49563",
          "url": "https://bugzilla.suse.com/1238787"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1238788 for CVE-2022-49563",
          "url": "https://bugzilla.suse.com/1238788"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-06-13T16:04:11Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-49563"
    },
    {
      "cve": "CVE-2022-49564",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-49564"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - add param check for DH\n\nReject requests with a source buffer that is bigger than the size of the\nkey. This is to prevent a possible integer underflow that might happen\nwhen copying the source scatterlist into a linear buffer.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-49564",
          "url": "https://www.suse.com/security/cve/CVE-2022-49564"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1238789 for CVE-2022-49564",
          "url": "https://bugzilla.suse.com/1238789"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1238790 for CVE-2022-49564",
          "url": "https://bugzilla.suse.com/1238790"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-06-13T16:04:11Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-49564"
    },
    {
      "cve": "CVE-2024-57996",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-57996"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: don\u0027t allow 1 packet limit\n\nThe current implementation does not work correctly with a limit of\n1. iproute2 actually checks for this and this patch adds the check in\nkernel as well.\n\nThis fixes the following syzkaller reported crash:\n\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6\nindex 65535 is out of range for type \u0027struct sfq_head[128]\u0027\nCPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n  __dump_stack lib/dump_stack.c:79 [inline]\n  dump_stack+0x125/0x19f lib/dump_stack.c:120\n  ubsan_epilogue lib/ubsan.c:148 [inline]\n  __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347\n  sfq_link net/sched/sch_sfq.c:210 [inline]\n  sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238\n  sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500\n  sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525\n  qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n  tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319\n  qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n  dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296\n  netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]\n  dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362\n  __dev_close_many+0x214/0x350 net/core/dev.c:1468\n  dev_close_many+0x207/0x510 net/core/dev.c:1506\n  unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738\n  unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695\n  unregister_netdevice include/linux/netdevice.h:2893 [inline]\n  __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689\n  tun_detach drivers/net/tun.c:705 [inline]\n  tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640\n  __fput+0x203/0x840 fs/file_table.c:280\n  task_work_run+0x129/0x1b0 kernel/task_work.c:185\n  exit_task_work include/linux/task_work.h:33 [inline]\n  do_exit+0x5ce/0x2200 kernel/exit.c:931\n  do_group_exit+0x144/0x310 kernel/exit.c:1046\n  __do_sys_exit_group kernel/exit.c:1057 [inline]\n  __se_sys_exit_group kernel/exit.c:1055 [inline]\n  __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055\n do_syscall_64+0x6c/0xd0\n entry_SYSCALL_64_after_hwframe+0x61/0xcb\nRIP: 0033:0x7fe5e7b52479\nCode: Unable to access opcode bytes at RIP 0x7fe5e7b5244f.\nRSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0\nR13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270\n\nThe crash can be also be reproduced with the following (with a tc\nrecompiled to allow for sfq limits of 1):\n\ntc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s\n../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1\nifconfig dummy0 up\nping -I dummy0 -f -c2 -W0.1 8.8.8.8\nsleep 1\n\nScenario that triggers the crash:\n\n* the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1\n\n* TBF dequeues: it peeks from SFQ which moves the packet to the\n  gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so\n  it schedules itself for later.\n\n* the second packet is sent and TBF tries to queues it to SFQ. qdisc\n  qlen is now 2 and because the SFQ limit is 1 the packet is dropped\n  by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,\n  however q-\u003etail is not NULL.\n\nAt this point, assuming no more packets are queued, when sch_dequeue\nruns again it will decrement the qlen for the current empty slot\ncausing an underflow and the subsequent out of bounds access.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-57996",
          "url": "https://www.suse.com/security/cve/CVE-2024-57996"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1239076 for CVE-2024-57996",
          "url": "https://bugzilla.suse.com/1239076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1239077 for CVE-2024-57996",
          "url": "https://bugzilla.suse.com/1239077"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_195-default-2-150300.2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-06-13T16:04:11Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-57996"
    }
  ]
}

CVE-2022-49563 (GCVE-0-2022-49563)

Vulnerability from cvelistv5 – Published: 2025-02-26 02:23 – Updated: 2025-10-01 19:46

Title

crypto: qat - add param check for RSA

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: qat - add param check for RSA Reject requests with a source buffer that is bigger than the size of the key. This is to prevent a possible integer underflow that might happen when copying the source scatterlist into a linear buffer.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-191 - Integer Underflow (Wrap or Wraparound)

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4d6d2adce08788b76…
	https://git.kernel.org/stable/c/f993321e50ba7a8ba…
	https://git.kernel.org/stable/c/9714061423b8b24b8…

Impacted products

Vendor

Product

Version

Linux

Affected: a990532023b903b10cf14736241cdd138e4bc92c , < 4d6d2adce08788b7667a6e58002682ea1bbf6a79 (git)
Affected: a990532023b903b10cf14736241cdd138e4bc92c , < f993321e50ba7a8ba4f5b19939e1772a921a1c42 (git)
Affected: a990532023b903b10cf14736241cdd138e4bc92c , < 9714061423b8b24b8afb31b8eb4df977c63f19c4 (git)

Linux

Affected: 4.3
Unaffected: 0 , < 4.3 (semver)
Unaffected: 5.15.58 , ≤ 5.15.* (semver)
Unaffected: 5.18.15 , ≤ 5.18.* (semver)
Unaffected: 5.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-49563",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:37:10.210375Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-191",
                "description": "CWE-191 Integer Underflow (Wrap or Wraparound)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:46:38.670Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/qat/qat_common/qat_asym_algs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4d6d2adce08788b7667a6e58002682ea1bbf6a79",
              "status": "affected",
              "version": "a990532023b903b10cf14736241cdd138e4bc92c",
              "versionType": "git"
            },
            {
              "lessThan": "f993321e50ba7a8ba4f5b19939e1772a921a1c42",
              "status": "affected",
              "version": "a990532023b903b10cf14736241cdd138e4bc92c",
              "versionType": "git"
            },
            {
              "lessThan": "9714061423b8b24b8afb31b8eb4df977c63f19c4",
              "status": "affected",
              "version": "a990532023b903b10cf14736241cdd138e4bc92c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/qat/qat_common/qat_asym_algs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            },
            {
              "lessThan": "4.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.58",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.15",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - add param check for RSA\n\nReject requests with a source buffer that is bigger than the size of the\nkey. This is to prevent a possible integer underflow that might happen\nwhen copying the source scatterlist into a linear buffer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-21T08:44:08.766Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4d6d2adce08788b7667a6e58002682ea1bbf6a79"
        },
        {
          "url": "https://git.kernel.org/stable/c/f993321e50ba7a8ba4f5b19939e1772a921a1c42"
        },
        {
          "url": "https://git.kernel.org/stable/c/9714061423b8b24b8afb31b8eb4df977c63f19c4"
        }
      ],
      "title": "crypto: qat - add param check for RSA",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49563",
    "datePublished": "2025-02-26T02:23:10.252Z",
    "dateReserved": "2025-02-26T02:08:31.591Z",
    "dateUpdated": "2025-10-01T19:46:38.670Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57996 (GCVE-0-2024-57996)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2025-11-03 19:33

Title

net_sched: sch_sfq: don't allow 1 packet limit

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: don't allow 1 packet limit The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well. This fixes the following syzkaller reported crash: UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x125/0x19f lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347 sfq_link net/sched/sch_sfq.c:210 [inline] sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238 sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500 sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296 netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline] dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362 __dev_close_many+0x214/0x350 net/core/dev.c:1468 dev_close_many+0x207/0x510 net/core/dev.c:1506 unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738 unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695 unregister_netdevice include/linux/netdevice.h:2893 [inline] __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689 tun_detach drivers/net/tun.c:705 [inline] tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640 __fput+0x203/0x840 fs/file_table.c:280 task_work_run+0x129/0x1b0 kernel/task_work.c:185 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0x5ce/0x2200 kernel/exit.c:931 do_group_exit+0x144/0x310 kernel/exit.c:1046 __do_sys_exit_group kernel/exit.c:1057 [inline] __se_sys_exit_group kernel/exit.c:1055 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055 do_syscall_64+0x6c/0xd0 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270 The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1): tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1 Scenario that triggers the crash: * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1 * TBF dequeues: it peeks from SFQ which moves the packet to the gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so it schedules itself for later. * the second packet is sent and TBF tries to queues it to SFQ. qdisc qlen is now 2 and because the SFQ limit is 1 the packet is dropped by SFQ. At this point qlen is 1, and all of the SFQ slots are empty, however q->tail is not NULL. At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e12f6013d0a69660e…
	https://git.kernel.org/stable/c/1e6d9d87626cf89ee…
	https://git.kernel.org/stable/c/1b562b7f9231432da…
	https://git.kernel.org/stable/c/35d0137305ae2f972…
	https://git.kernel.org/stable/c/833e9a1c27b82024d…
	https://git.kernel.org/stable/c/7d8947f2153ee9c5a…
	https://git.kernel.org/stable/c/7fefc294204f10a34…
	https://git.kernel.org/stable/c/10685681bafce6feb…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e12f6013d0a69660e8b99bfe381b9546ae667328 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1e6d9d87626cf89eeffb4d943db12cb5b10bf961 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1b562b7f9231432da40d12e19786c1bd7df653a7 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 35d0137305ae2f97260a9047f445bd4434bd6cc7 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 833e9a1c27b82024db7ff5038a51651f48f05e5e (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7fefc294204f10a3405f175f4ac2be16d63f135e (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 10685681bafce6febb39770f3387621bf5d67d0b (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.76 , ≤ 6.6.* (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:33:07.578Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_sfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e12f6013d0a69660e8b99bfe381b9546ae667328",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1e6d9d87626cf89eeffb4d943db12cb5b10bf961",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1b562b7f9231432da40d12e19786c1bd7df653a7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "35d0137305ae2f97260a9047f445bd4434bd6cc7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "833e9a1c27b82024db7ff5038a51651f48f05e5e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7fefc294204f10a3405f175f4ac2be16d63f135e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "10685681bafce6febb39770f3387621bf5d67d0b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_sfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: don\u0027t allow 1 packet limit\n\nThe current implementation does not work correctly with a limit of\n1. iproute2 actually checks for this and this patch adds the check in\nkernel as well.\n\nThis fixes the following syzkaller reported crash:\n\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6\nindex 65535 is out of range for type \u0027struct sfq_head[128]\u0027\nCPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n  __dump_stack lib/dump_stack.c:79 [inline]\n  dump_stack+0x125/0x19f lib/dump_stack.c:120\n  ubsan_epilogue lib/ubsan.c:148 [inline]\n  __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347\n  sfq_link net/sched/sch_sfq.c:210 [inline]\n  sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238\n  sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500\n  sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525\n  qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n  tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319\n  qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n  dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296\n  netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]\n  dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362\n  __dev_close_many+0x214/0x350 net/core/dev.c:1468\n  dev_close_many+0x207/0x510 net/core/dev.c:1506\n  unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738\n  unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695\n  unregister_netdevice include/linux/netdevice.h:2893 [inline]\n  __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689\n  tun_detach drivers/net/tun.c:705 [inline]\n  tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640\n  __fput+0x203/0x840 fs/file_table.c:280\n  task_work_run+0x129/0x1b0 kernel/task_work.c:185\n  exit_task_work include/linux/task_work.h:33 [inline]\n  do_exit+0x5ce/0x2200 kernel/exit.c:931\n  do_group_exit+0x144/0x310 kernel/exit.c:1046\n  __do_sys_exit_group kernel/exit.c:1057 [inline]\n  __se_sys_exit_group kernel/exit.c:1055 [inline]\n  __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055\n do_syscall_64+0x6c/0xd0\n entry_SYSCALL_64_after_hwframe+0x61/0xcb\nRIP: 0033:0x7fe5e7b52479\nCode: Unable to access opcode bytes at RIP 0x7fe5e7b5244f.\nRSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0\nR13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270\n\nThe crash can be also be reproduced with the following (with a tc\nrecompiled to allow for sfq limits of 1):\n\ntc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s\n../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1\nifconfig dummy0 up\nping -I dummy0 -f -c2 -W0.1 8.8.8.8\nsleep 1\n\nScenario that triggers the crash:\n\n* the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1\n\n* TBF dequeues: it peeks from SFQ which moves the packet to the\n  gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so\n  it schedules itself for later.\n\n* the second packet is sent and TBF tries to queues it to SFQ. qdisc\n  qlen is now 2 and because the SFQ limit is 1 the packet is dropped\n  by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,\n  however q-\u003etail is not NULL.\n\nAt this point, assuming no more packets are queued, when sch_dequeue\nruns again it will decrement the qlen for the current empty slot\ncausing an underflow and the subsequent out of bounds access."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:42:44.697Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e12f6013d0a69660e8b99bfe381b9546ae667328"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e6d9d87626cf89eeffb4d943db12cb5b10bf961"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b562b7f9231432da40d12e19786c1bd7df653a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/35d0137305ae2f97260a9047f445bd4434bd6cc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/833e9a1c27b82024db7ff5038a51651f48f05e5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/7fefc294204f10a3405f175f4ac2be16d63f135e"
        },
        {
          "url": "https://git.kernel.org/stable/c/10685681bafce6febb39770f3387621bf5d67d0b"
        }
      ],
      "title": "net_sched: sch_sfq: don\u0027t allow 1 packet limit",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57996",
    "datePublished": "2025-02-27T02:07:16.765Z",
    "dateReserved": "2025-02-27T02:04:28.914Z",
    "dateUpdated": "2025-11-03T19:33:07.578Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49080 (GCVE-0-2022-49080)

Vulnerability from cvelistv5 – Published: 2025-02-26 01:54 – Updated: 2025-05-04 08:29

Title

mm/mempolicy: fix mpol_new leak in shared_policy_replace

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/mempolicy: fix mpol_new leak in shared_policy_replace If mpol_new is allocated but not used in restart loop, mpol_new will be freed via mpol_put before returning to the caller. But refcnt is not initialized yet, so mpol_put could not do the right things and might leak the unused mpol_new. This would happen if mempolicy was updated on the shared shmem file while the sp->lock has been dropped during the memory allocation. This issue could be triggered easily with the below code snippet if there are many processes doing the below work at the same time: shmid = shmget((key_t)5566, 1024 * PAGE_SIZE, 0666|IPC_CREAT); shm = shmat(shmid, 0, 0); loop many times { mbind(shm, 1024 * PAGE_SIZE, MPOL_LOCAL, mask, maxnode, 0); mbind(shm + 128 * PAGE_SIZE, 128 * PAGE_SIZE, MPOL_DEFAULT, mask, maxnode, 0); }

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8510c2346d9e47a72…
	https://git.kernel.org/stable/c/5e16dc5378abd749a…
	https://git.kernel.org/stable/c/39a32f3c06f6d68a5…
	https://git.kernel.org/stable/c/25f506273b6ae806f…
	https://git.kernel.org/stable/c/f7e183b0a7136b6dc…
	https://git.kernel.org/stable/c/198932a14aeb19a15…
	https://git.kernel.org/stable/c/6e00309ac716fa822…
	https://git.kernel.org/stable/c/fe39ac59dbbf893b7…
	https://git.kernel.org/stable/c/4ad099559b00ac01c…

Impacted products

Vendor

Product

Version

Linux

Affected: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 , < 8510c2346d9e47a72b7f018a36ef0c39483e53d6 (git)
Affected: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 , < 5e16dc5378abd749a836daa9ee4ab2c8d2668999 (git)
Affected: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 , < 39a32f3c06f6d68a530bf9612afa19f50f12e93d (git)
Affected: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 , < 25f506273b6ae806fd46bfcb6fdaa5b9ec81a05b (git)
Affected: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 , < f7e183b0a7136b6dc9c7b9b2a85a608a8feba894 (git)
Affected: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 , < 198932a14aeb19a15cf19e51e151d023bc4cd648 (git)
Affected: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 , < 6e00309ac716fa8225f0cbde2cd9c24f0e74ee21 (git)
Affected: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 , < fe39ac59dbbf893b73b24e3184161d0bd06d6651 (git)
Affected: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 , < 4ad099559b00ac01c3726e5c95dc3108ef47d03e (git)

Linux

Affected: 3.8
Unaffected: 0 , < 3.8 (semver)
Unaffected: 4.9.311 , ≤ 4.9.* (semver)
Unaffected: 4.14.276 , ≤ 4.14.* (semver)
Unaffected: 4.19.238 , ≤ 4.19.* (semver)
Unaffected: 5.4.189 , ≤ 5.4.* (semver)
Unaffected: 5.10.111 , ≤ 5.10.* (semver)
Unaffected: 5.15.34 , ≤ 5.15.* (semver)
Unaffected: 5.16.20 , ≤ 5.16.* (semver)
Unaffected: 5.17.3 , ≤ 5.17.* (semver)
Unaffected: 5.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/mempolicy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8510c2346d9e47a72b7f018a36ef0c39483e53d6",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            },
            {
              "lessThan": "5e16dc5378abd749a836daa9ee4ab2c8d2668999",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            },
            {
              "lessThan": "39a32f3c06f6d68a530bf9612afa19f50f12e93d",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            },
            {
              "lessThan": "25f506273b6ae806fd46bfcb6fdaa5b9ec81a05b",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            },
            {
              "lessThan": "f7e183b0a7136b6dc9c7b9b2a85a608a8feba894",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            },
            {
              "lessThan": "198932a14aeb19a15cf19e51e151d023bc4cd648",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            },
            {
              "lessThan": "6e00309ac716fa8225f0cbde2cd9c24f0e74ee21",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            },
            {
              "lessThan": "fe39ac59dbbf893b73b24e3184161d0bd06d6651",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            },
            {
              "lessThan": "4ad099559b00ac01c3726e5c95dc3108ef47d03e",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/mempolicy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.311",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.276",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.111",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.311",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.276",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.238",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.189",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.111",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.34",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16.20",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.3",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempolicy: fix mpol_new leak in shared_policy_replace\n\nIf mpol_new is allocated but not used in restart loop, mpol_new will be\nfreed via mpol_put before returning to the caller.  But refcnt is not\ninitialized yet, so mpol_put could not do the right things and might\nleak the unused mpol_new.  This would happen if mempolicy was updated on\nthe shared shmem file while the sp-\u003elock has been dropped during the\nmemory allocation.\n\nThis issue could be triggered easily with the below code snippet if\nthere are many processes doing the below work at the same time:\n\n  shmid = shmget((key_t)5566, 1024 * PAGE_SIZE, 0666|IPC_CREAT);\n  shm = shmat(shmid, 0, 0);\n  loop many times {\n    mbind(shm, 1024 * PAGE_SIZE, MPOL_LOCAL, mask, maxnode, 0);\n    mbind(shm + 128 * PAGE_SIZE, 128 * PAGE_SIZE, MPOL_DEFAULT, mask,\n          maxnode, 0);\n  }"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:29:17.556Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8510c2346d9e47a72b7f018a36ef0c39483e53d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e16dc5378abd749a836daa9ee4ab2c8d2668999"
        },
        {
          "url": "https://git.kernel.org/stable/c/39a32f3c06f6d68a530bf9612afa19f50f12e93d"
        },
        {
          "url": "https://git.kernel.org/stable/c/25f506273b6ae806fd46bfcb6fdaa5b9ec81a05b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7e183b0a7136b6dc9c7b9b2a85a608a8feba894"
        },
        {
          "url": "https://git.kernel.org/stable/c/198932a14aeb19a15cf19e51e151d023bc4cd648"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e00309ac716fa8225f0cbde2cd9c24f0e74ee21"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe39ac59dbbf893b73b24e3184161d0bd06d6651"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ad099559b00ac01c3726e5c95dc3108ef47d03e"
        }
      ],
      "title": "mm/mempolicy: fix mpol_new leak in shared_policy_replace",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49080",
    "datePublished": "2025-02-26T01:54:41.176Z",
    "dateReserved": "2025-02-26T01:49:39.247Z",
    "dateUpdated": "2025-05-04T08:29:17.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-49564 (GCVE-0-2022-49564)

Vulnerability from cvelistv5 – Published: 2025-02-26 02:23 – Updated: 2025-12-23 13:24

Title

crypto: qat - add param check for DH

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: qat - add param check for DH Reject requests with a source buffer that is bigger than the size of the key. This is to prevent a possible integer underflow that might happen when copying the source scatterlist into a linear buffer.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-191 - Integer Underflow (Wrap or Wraparound)

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e7f979ed51f964953…
	https://git.kernel.org/stable/c/76c9216833e7c20a6…
	https://git.kernel.org/stable/c/2acbb8771f6ac8242…

Impacted products

Vendor

Product

Version

Linux

Affected: c9839143ebbf5e821128da44f7e271d745aab19e , < e7f979ed51f96495328157df663c835b17db1e30 (git)
Affected: c9839143ebbf5e821128da44f7e271d745aab19e , < 76c9216833e7c20a67c987cf89719a3f01666aaa (git)
Affected: c9839143ebbf5e821128da44f7e271d745aab19e , < 2acbb8771f6ac82422886e63832ee7a0f4b1635b (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.15.58 , ≤ 5.15.* (semver)
Unaffected: 5.18.15 , ≤ 5.18.* (semver)
Unaffected: 5.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-49564",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:37:06.730762Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-191",
                "description": "CWE-191 Integer Underflow (Wrap or Wraparound)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:46:38.501Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/qat/qat_common/qat_asym_algs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e7f979ed51f96495328157df663c835b17db1e30",
              "status": "affected",
              "version": "c9839143ebbf5e821128da44f7e271d745aab19e",
              "versionType": "git"
            },
            {
              "lessThan": "76c9216833e7c20a67c987cf89719a3f01666aaa",
              "status": "affected",
              "version": "c9839143ebbf5e821128da44f7e271d745aab19e",
              "versionType": "git"
            },
            {
              "lessThan": "2acbb8771f6ac82422886e63832ee7a0f4b1635b",
              "status": "affected",
              "version": "c9839143ebbf5e821128da44f7e271d745aab19e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/qat/qat_common/qat_asym_algs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.58",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.15",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - add param check for DH\n\nReject requests with a source buffer that is bigger than the size of the\nkey. This is to prevent a possible integer underflow that might happen\nwhen copying the source scatterlist into a linear buffer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:24:41.327Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e7f979ed51f96495328157df663c835b17db1e30"
        },
        {
          "url": "https://git.kernel.org/stable/c/76c9216833e7c20a67c987cf89719a3f01666aaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/2acbb8771f6ac82422886e63832ee7a0f4b1635b"
        }
      ],
      "title": "crypto: qat - add param check for DH",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49564",
    "datePublished": "2025-02-26T02:23:10.733Z",
    "dateReserved": "2025-02-26T02:21:30.410Z",
    "dateUpdated": "2025-12-23T13:24:41.327Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2025:01956-1

CVE-2022-49563 (GCVE-0-2022-49563)

CVE-2024-57996 (GCVE-0-2024-57996)

CVE-2022-49080 (GCVE-0-2022-49080)

CVE-2022-49564 (GCVE-0-2022-49564)

Tags

Sightings

Nomenclature