WID-SEC-W-2025-2765
Vulnerability from csaf_certbund - Published: 2025-12-08 23:00 - Updated: 2026-01-05 23:00
Summary
Linux Kernel: Multiple vulnerabilities allow denial of service
Notes
As a provider, the BSI is responsible under general law for its own content that it makes available for use. Users, however, are responsible for carefully checking, in each individual case, the use and/or implementation of the information provided with that content.
Product description
The kernel is the core of the Linux operating system.
Attack
A local attacker can exploit multiple vulnerabilities in the Linux kernel to carry out a denial-of-service attack.
Affected operating systems
- Linux
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein lokaler Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2765 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2765.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2765 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2765"
},
{
"category": "external",
"summary": "Kernel CVE Announce Mailingliste",
"url": "https://lore.kernel.org/linux-cve-announce/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50631",
"url": "https://lore.kernel.org/linux-cve-announce/2025120931-CVE-2022-50631-ee18@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50632",
"url": "https://lore.kernel.org/linux-cve-announce/2025120934-CVE-2022-50632-97fb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50633",
"url": "https://lore.kernel.org/linux-cve-announce/2025120934-CVE-2022-50633-8c49@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50634",
"url": "https://lore.kernel.org/linux-cve-announce/2025120934-CVE-2022-50634-2887@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50635",
"url": "https://lore.kernel.org/linux-cve-announce/2025120935-CVE-2022-50635-b2b8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50636",
"url": "https://lore.kernel.org/linux-cve-announce/2025120935-CVE-2022-50636-6d4d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50637",
"url": "https://lore.kernel.org/linux-cve-announce/2025120935-CVE-2022-50637-f1b4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50638",
"url": "https://lore.kernel.org/linux-cve-announce/2025120935-CVE-2022-50638-fb89@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50639",
"url": "https://lore.kernel.org/linux-cve-announce/2025120935-CVE-2022-50639-789f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50640",
"url": "https://lore.kernel.org/linux-cve-announce/2025120935-CVE-2022-50640-324c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50641",
"url": "https://lore.kernel.org/linux-cve-announce/2025120936-CVE-2022-50641-edfb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50642",
"url": "https://lore.kernel.org/linux-cve-announce/2025120936-CVE-2022-50642-6975@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50643",
"url": "https://lore.kernel.org/linux-cve-announce/2025120936-CVE-2022-50643-74ca@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50644",
"url": "https://lore.kernel.org/linux-cve-announce/2025120936-CVE-2022-50644-5149@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50645",
"url": "https://lore.kernel.org/linux-cve-announce/2025120936-CVE-2022-50645-2014@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50646",
"url": "https://lore.kernel.org/linux-cve-announce/2025120936-CVE-2022-50646-37e0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50647",
"url": "https://lore.kernel.org/linux-cve-announce/2025120937-CVE-2022-50647-cb33@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50648",
"url": "https://lore.kernel.org/linux-cve-announce/2025120937-CVE-2022-50648-ac1e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50649",
"url": "https://lore.kernel.org/linux-cve-announce/2025120937-CVE-2022-50649-6a84@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50650",
"url": "https://lore.kernel.org/linux-cve-announce/2025120937-CVE-2022-50650-fbae@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50651",
"url": "https://lore.kernel.org/linux-cve-announce/2025120937-CVE-2022-50651-d950@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50652",
"url": "https://lore.kernel.org/linux-cve-announce/2025120937-CVE-2022-50652-b7be@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50653",
"url": "https://lore.kernel.org/linux-cve-announce/2025120938-CVE-2022-50653-6da2@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50654",
"url": "https://lore.kernel.org/linux-cve-announce/2025120938-CVE-2022-50654-a5d9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50655",
"url": "https://lore.kernel.org/linux-cve-announce/2025120938-CVE-2022-50655-746b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50656",
"url": "https://lore.kernel.org/linux-cve-announce/2025120938-CVE-2022-50656-4655@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50657",
"url": "https://lore.kernel.org/linux-cve-announce/2025120941-CVE-2022-50657-6582@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50658",
"url": "https://lore.kernel.org/linux-cve-announce/2025120941-CVE-2022-50658-77b4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50659",
"url": "https://lore.kernel.org/linux-cve-announce/2025120942-CVE-2022-50659-8205@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50660",
"url": "https://lore.kernel.org/linux-cve-announce/2025120942-CVE-2022-50660-562d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50661",
"url": "https://lore.kernel.org/linux-cve-announce/2025120942-CVE-2022-50661-ff17@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50662",
"url": "https://lore.kernel.org/linux-cve-announce/2025120943-CVE-2022-50662-6595@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50663",
"url": "https://lore.kernel.org/linux-cve-announce/2025120943-CVE-2022-50663-5606@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50664",
"url": "https://lore.kernel.org/linux-cve-announce/2025120943-CVE-2022-50664-043a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50665",
"url": "https://lore.kernel.org/linux-cve-announce/2025120944-CVE-2022-50665-2ac9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50666",
"url": "https://lore.kernel.org/linux-cve-announce/2025120944-CVE-2022-50666-0d75@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50667",
"url": "https://lore.kernel.org/linux-cve-announce/2025120945-CVE-2022-50667-01f6@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50668",
"url": "https://lore.kernel.org/linux-cve-announce/2025120945-CVE-2022-50668-153a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50669",
"url": "https://lore.kernel.org/linux-cve-announce/2025120945-CVE-2022-50669-f124@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50670",
"url": "https://lore.kernel.org/linux-cve-announce/2025120946-CVE-2022-50670-feb4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50671",
"url": "https://lore.kernel.org/linux-cve-announce/2025120946-CVE-2022-50671-e025@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50672",
"url": "https://lore.kernel.org/linux-cve-announce/2025120947-CVE-2022-50672-d9b1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50673",
"url": "https://lore.kernel.org/linux-cve-announce/2025120947-CVE-2022-50673-f920@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50674",
"url": "https://lore.kernel.org/linux-cve-announce/2025120947-CVE-2022-50674-023e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50675",
"url": "https://lore.kernel.org/linux-cve-announce/2025120948-CVE-2022-50675-9032@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50676",
"url": "https://lore.kernel.org/linux-cve-announce/2025120948-CVE-2022-50676-1387@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50677",
"url": "https://lore.kernel.org/linux-cve-announce/2025120948-CVE-2022-50677-d2c8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50678",
"url": "https://lore.kernel.org/linux-cve-announce/2025120949-CVE-2022-50678-53a4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50679",
"url": "https://lore.kernel.org/linux-cve-announce/2025120949-CVE-2022-50679-b2b8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53777",
"url": "https://lore.kernel.org/linux-cve-announce/2025120938-CVE-2023-53777-f842@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53778",
"url": "https://lore.kernel.org/linux-cve-announce/2025120938-CVE-2023-53778-ee4d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53779",
"url": "https://lore.kernel.org/linux-cve-announce/2025120939-CVE-2023-53779-dd3d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53780",
"url": "https://lore.kernel.org/linux-cve-announce/2025120939-CVE-2023-53780-914d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53781",
"url": "https://lore.kernel.org/linux-cve-announce/2025120939-CVE-2023-53781-cb1d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53782",
"url": "https://lore.kernel.org/linux-cve-announce/2025120939-CVE-2023-53782-6428@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53783",
"url": "https://lore.kernel.org/linux-cve-announce/2025120939-CVE-2023-53783-4c33@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53784",
"url": "https://lore.kernel.org/linux-cve-announce/2025120939-CVE-2023-53784-a381@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53785",
"url": "https://lore.kernel.org/linux-cve-announce/2025120940-CVE-2023-53785-2a61@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53786",
"url": "https://lore.kernel.org/linux-cve-announce/2025120940-CVE-2023-53786-3c1a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53787",
"url": "https://lore.kernel.org/linux-cve-announce/2025120940-CVE-2023-53787-2074@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53788",
"url": "https://lore.kernel.org/linux-cve-announce/2025120940-CVE-2023-53788-e6a0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53789",
"url": "https://lore.kernel.org/linux-cve-announce/2025120940-CVE-2023-53789-c5cb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53790",
"url": "https://lore.kernel.org/linux-cve-announce/2025120940-CVE-2023-53790-6f22@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53791",
"url": "https://lore.kernel.org/linux-cve-announce/2025120941-CVE-2023-53791-a2ea@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53792",
"url": "https://lore.kernel.org/linux-cve-announce/2025120941-CVE-2023-53792-3de7@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53793",
"url": "https://lore.kernel.org/linux-cve-announce/2025120941-CVE-2023-53793-0dc1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53794",
"url": "https://lore.kernel.org/linux-cve-announce/2025120941-CVE-2023-53794-8912@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53795",
"url": "https://lore.kernel.org/linux-cve-announce/2025120941-CVE-2023-53795-f912@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53796",
"url": "https://lore.kernel.org/linux-cve-announce/2025120941-CVE-2023-53796-4092@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53797",
"url": "https://lore.kernel.org/linux-cve-announce/2025120942-CVE-2023-53797-4a88@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53798",
"url": "https://lore.kernel.org/linux-cve-announce/2025120942-CVE-2023-53798-7845@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53799",
"url": "https://lore.kernel.org/linux-cve-announce/2025120942-CVE-2023-53799-8397@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53800",
"url": "https://lore.kernel.org/linux-cve-announce/2025120942-CVE-2023-53800-eb42@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53801",
"url": "https://lore.kernel.org/linux-cve-announce/2025120942-CVE-2023-53801-6d74@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53802",
"url": "https://lore.kernel.org/linux-cve-announce/2025120943-CVE-2023-53802-4ffb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53803",
"url": "https://lore.kernel.org/linux-cve-announce/2025120943-CVE-2023-53803-0ff9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53804",
"url": "https://lore.kernel.org/linux-cve-announce/2025120943-CVE-2023-53804-3c10@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53805",
"url": "https://lore.kernel.org/linux-cve-announce/2025120943-CVE-2023-53805-f08b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53806",
"url": "https://lore.kernel.org/linux-cve-announce/2025120943-CVE-2023-53806-03cb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53807",
"url": "https://lore.kernel.org/linux-cve-announce/2025120943-CVE-2023-53807-63bb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53808",
"url": "https://lore.kernel.org/linux-cve-announce/2025120944-CVE-2023-53808-e169@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53809",
"url": "https://lore.kernel.org/linux-cve-announce/2025120944-CVE-2023-53809-ca78@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53810",
"url": "https://lore.kernel.org/linux-cve-announce/2025120944-CVE-2023-53810-e48e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53811",
"url": "https://lore.kernel.org/linux-cve-announce/2025120944-CVE-2023-53811-dc26@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53812",
"url": "https://lore.kernel.org/linux-cve-announce/2025120944-CVE-2023-53812-a186@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53813",
"url": "https://lore.kernel.org/linux-cve-announce/2025120944-CVE-2023-53813-cd16@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53814",
"url": "https://lore.kernel.org/linux-cve-announce/2025120945-CVE-2023-53814-eccb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53815",
"url": "https://lore.kernel.org/linux-cve-announce/2025120945-CVE-2023-53815-5695@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53816",
"url": "https://lore.kernel.org/linux-cve-announce/2025120945-CVE-2023-53816-e869@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53817",
"url": "https://lore.kernel.org/linux-cve-announce/2025120945-CVE-2023-53817-49a5@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53818",
"url": "https://lore.kernel.org/linux-cve-announce/2025120945-CVE-2023-53818-4c46@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53819",
"url": "https://lore.kernel.org/linux-cve-announce/2025120945-CVE-2023-53819-15be@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53820",
"url": "https://lore.kernel.org/linux-cve-announce/2025120933-CVE-2023-53820-fb6c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53821",
"url": "https://lore.kernel.org/linux-cve-announce/2025120950-CVE-2023-53821-9542@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53822",
"url": "https://lore.kernel.org/linux-cve-announce/2025120950-CVE-2023-53822-c4da@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53823",
"url": "https://lore.kernel.org/linux-cve-announce/2025120950-CVE-2023-53823-c6fe@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53824",
"url": "https://lore.kernel.org/linux-cve-announce/2025120951-CVE-2023-53824-229c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53825",
"url": "https://lore.kernel.org/linux-cve-announce/2025120951-CVE-2023-53825-1018@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53826",
"url": "https://lore.kernel.org/linux-cve-announce/2025120951-CVE-2023-53826-26a2@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53827",
"url": "https://lore.kernel.org/linux-cve-announce/2025120952-CVE-2023-53827-b045@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53828",
"url": "https://lore.kernel.org/linux-cve-announce/2025120952-CVE-2023-53828-57cf@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53829",
"url": "https://lore.kernel.org/linux-cve-announce/2025120953-CVE-2023-53829-2fe9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53830",
"url": "https://lore.kernel.org/linux-cve-announce/2025120953-CVE-2023-53830-7785@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53831",
"url": "https://lore.kernel.org/linux-cve-announce/2025120953-CVE-2023-53831-4dc6@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53832",
"url": "https://lore.kernel.org/linux-cve-announce/2025120954-CVE-2023-53832-6d46@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53833",
"url": "https://lore.kernel.org/linux-cve-announce/2025120954-CVE-2023-53833-09d9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53834",
"url": "https://lore.kernel.org/linux-cve-announce/2025120954-CVE-2023-53834-61cb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53835",
"url": "https://lore.kernel.org/linux-cve-announce/2025120955-CVE-2023-53835-0142@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53836",
"url": "https://lore.kernel.org/linux-cve-announce/2025120955-CVE-2023-53836-6cb5@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53837",
"url": "https://lore.kernel.org/linux-cve-announce/2025120956-CVE-2023-53837-2bf8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53838",
"url": "https://lore.kernel.org/linux-cve-announce/2025120956-CVE-2023-53838-4c32@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53839",
"url": "https://lore.kernel.org/linux-cve-announce/2025120956-CVE-2023-53839-5f7e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53840",
"url": "https://lore.kernel.org/linux-cve-announce/2025120957-CVE-2023-53840-797d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53841",
"url": "https://lore.kernel.org/linux-cve-announce/2025120957-CVE-2023-53841-cd5b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53842",
"url": "https://lore.kernel.org/linux-cve-announce/2025120957-CVE-2023-53842-d1e7@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53843",
"url": "https://lore.kernel.org/linux-cve-announce/2025120958-CVE-2023-53843-195d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53844",
"url": "https://lore.kernel.org/linux-cve-announce/2025120958-CVE-2023-53844-92b4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53845",
"url": "https://lore.kernel.org/linux-cve-announce/2025120959-CVE-2023-53845-b919@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53846",
"url": "https://lore.kernel.org/linux-cve-announce/2025120959-CVE-2023-53846-70c9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53847",
"url": "https://lore.kernel.org/linux-cve-announce/2025120959-CVE-2023-53847-1f94@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53848",
"url": "https://lore.kernel.org/linux-cve-announce/2025120900-CVE-2023-53848-8cd8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53849",
"url": "https://lore.kernel.org/linux-cve-announce/2025120900-CVE-2023-53849-2108@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53850",
"url": "https://lore.kernel.org/linux-cve-announce/2025120900-CVE-2023-53850-5649@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53851",
"url": "https://lore.kernel.org/linux-cve-announce/2025120901-CVE-2023-53851-a201@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53852",
"url": "https://lore.kernel.org/linux-cve-announce/2025120901-CVE-2023-53852-69a1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53853",
"url": "https://lore.kernel.org/linux-cve-announce/2025120902-CVE-2023-53853-424f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53854",
"url": "https://lore.kernel.org/linux-cve-announce/2025120902-CVE-2023-53854-be24@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53855",
"url": "https://lore.kernel.org/linux-cve-announce/2025120902-CVE-2023-53855-9798@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53856",
"url": "https://lore.kernel.org/linux-cve-announce/2025120903-CVE-2023-53856-ed42@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53857",
"url": "https://lore.kernel.org/linux-cve-announce/2025120903-CVE-2023-53857-5513@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53858",
"url": "https://lore.kernel.org/linux-cve-announce/2025120904-CVE-2023-53858-87d4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53859",
"url": "https://lore.kernel.org/linux-cve-announce/2025120904-CVE-2023-53859-1c16@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53860",
"url": "https://lore.kernel.org/linux-cve-announce/2025120904-CVE-2023-53860-3722@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53861",
"url": "https://lore.kernel.org/linux-cve-announce/2025120905-CVE-2023-53861-22c6@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53862",
"url": "https://lore.kernel.org/linux-cve-announce/2025120905-CVE-2023-53862-81d5@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53863",
"url": "https://lore.kernel.org/linux-cve-announce/2025120905-CVE-2023-53863-8742@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53864",
"url": "https://lore.kernel.org/linux-cve-announce/2025120906-CVE-2023-53864-8bca@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53865",
"url": "https://lore.kernel.org/linux-cve-announce/2025120906-CVE-2023-53865-b26b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53866",
"url": "https://lore.kernel.org/linux-cve-announce/2025120907-CVE-2023-53866-59ec@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40327",
"url": "https://lore.kernel.org/linux-cve-announce/2025120908-CVE-2025-40327-e82c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40328",
"url": "https://lore.kernel.org/linux-cve-announce/2025120909-CVE-2025-40328-a95b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40329",
"url": "https://lore.kernel.org/linux-cve-announce/2025120910-CVE-2025-40329-1ead@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40330",
"url": "https://lore.kernel.org/linux-cve-announce/2025120910-CVE-2025-40330-d2a2@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40331",
"url": "https://lore.kernel.org/linux-cve-announce/2025120910-CVE-2025-40331-ee3c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40332",
"url": "https://lore.kernel.org/linux-cve-announce/2025120910-CVE-2025-40332-7e62@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40333",
"url": "https://lore.kernel.org/linux-cve-announce/2025120910-CVE-2025-40333-4f6a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40334",
"url": "https://lore.kernel.org/linux-cve-announce/2025120910-CVE-2025-40334-82a0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40335",
"url": "https://lore.kernel.org/linux-cve-announce/2025120911-CVE-2025-40335-8c1e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40336",
"url": "https://lore.kernel.org/linux-cve-announce/2025120911-CVE-2025-40336-781e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40337",
"url": "https://lore.kernel.org/linux-cve-announce/2025120911-CVE-2025-40337-d3bd@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40338",
"url": "https://lore.kernel.org/linux-cve-announce/2025120911-CVE-2025-40338-c637@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40339",
"url": "https://lore.kernel.org/linux-cve-announce/2025120911-CVE-2025-40339-82ee@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40340",
"url": "https://lore.kernel.org/linux-cve-announce/2025120912-CVE-2025-40340-4d41@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40341",
"url": "https://lore.kernel.org/linux-cve-announce/2025120912-CVE-2025-40341-c778@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40342",
"url": "https://lore.kernel.org/linux-cve-announce/2025120912-CVE-2025-40342-a237@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40343",
"url": "https://lore.kernel.org/linux-cve-announce/2025120912-CVE-2025-40343-dbb0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40344",
"url": "https://lore.kernel.org/linux-cve-announce/2025120912-CVE-2025-40344-0c59@gregkh/"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4404 vom 2025-12-12",
"url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00015.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.4-2025-116 vom 2026-01-05",
"url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.4-2025-116.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.15-2025-096 vom 2026-01-05",
"url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.15-2025-096.html"
}
],
"source_lang": "en-US",
"title": "Linux Kernel: Mehrere Schwachstellen erm\u00f6glichen Denial of Service",
"tracking": {
"current_release_date": "2026-01-05T23:00:00.000+00:00",
"generator": {
"date": "2026-01-06T08:20:17.037+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2025-2765",
"initial_release_date": "2025-12-08T23:00:00.000+00:00",
"revision_history": [
{
"date": "2025-12-08T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-12-14T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2026-01-05T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Amazon aufgenommen"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Amazon Linux 2",
"product": {
"name": "Amazon Linux 2",
"product_id": "398363",
"product_identification_helper": {
"cpe": "cpe:/o:amazon:linux_2:-"
}
}
}
],
"category": "vendor",
"name": "Amazon"
},
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"category": "product_name",
"name": "Open Source Linux Kernel",
"product": {
"name": "Open Source Linux Kernel",
"product_id": "T028462",
"product_identification_helper": {
"cpe": "cpe:/o:linux:linux_kernel:unspecified"
}
}
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-50631",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50631"
},
{
"cve": "CVE-2022-50632",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50632"
},
{
"cve": "CVE-2022-50633",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50633"
},
{
"cve": "CVE-2022-50634",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50634"
},
{
"cve": "CVE-2022-50635",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50635"
},
{
"cve": "CVE-2022-50636",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50636"
},
{
"cve": "CVE-2022-50637",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50637"
},
{
"cve": "CVE-2022-50638",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50638"
},
{
"cve": "CVE-2022-50639",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50639"
},
{
"cve": "CVE-2022-50640",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50640"
},
{
"cve": "CVE-2022-50641",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50641"
},
{
"cve": "CVE-2022-50642",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50642"
},
{
"cve": "CVE-2022-50643",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50643"
},
{
"cve": "CVE-2022-50644",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50644"
},
{
"cve": "CVE-2022-50645",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50645"
},
{
"cve": "CVE-2022-50646",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50646"
},
{
"cve": "CVE-2022-50647",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50647"
},
{
"cve": "CVE-2022-50648",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50648"
},
{
"cve": "CVE-2022-50649",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50649"
},
{
"cve": "CVE-2022-50650",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50650"
},
{
"cve": "CVE-2022-50651",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50651"
},
{
"cve": "CVE-2022-50652",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50652"
},
{
"cve": "CVE-2022-50653",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50653"
},
{
"cve": "CVE-2022-50654",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50654"
},
{
"cve": "CVE-2022-50655",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50655"
},
{
"cve": "CVE-2022-50656",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50656"
},
{
"cve": "CVE-2022-50657",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50657"
},
{
"cve": "CVE-2022-50658",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50658"
},
{
"cve": "CVE-2022-50659",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50659"
},
{
"cve": "CVE-2022-50660",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50660"
},
{
"cve": "CVE-2022-50661",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50661"
},
{
"cve": "CVE-2022-50662",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50662"
},
{
"cve": "CVE-2022-50663",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50663"
},
{
"cve": "CVE-2022-50664",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50664"
},
{
"cve": "CVE-2022-50665",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50665"
},
{
"cve": "CVE-2022-50666",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50666"
},
{
"cve": "CVE-2022-50667",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50667"
},
{
"cve": "CVE-2022-50668",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50668"
},
{
"cve": "CVE-2022-50669",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50669"
},
{
"cve": "CVE-2022-50670",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50670"
},
{
"cve": "CVE-2022-50671",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50671"
},
{
"cve": "CVE-2022-50672",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50672"
},
{
"cve": "CVE-2022-50673",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50673"
},
{
"cve": "CVE-2022-50674",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50674"
},
{
"cve": "CVE-2022-50675",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50675"
},
{
"cve": "CVE-2022-50676",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50676"
},
{
"cve": "CVE-2022-50677",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50677"
},
{
"cve": "CVE-2022-50678",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50678"
},
{
"cve": "CVE-2022-50679",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2022-50679"
},
{
"cve": "CVE-2023-53777",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53777"
},
{
"cve": "CVE-2023-53778",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53778"
},
{
"cve": "CVE-2023-53779",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53779"
},
{
"cve": "CVE-2023-53780",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53780"
},
{
"cve": "CVE-2023-53781",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53781"
},
{
"cve": "CVE-2023-53782",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53782"
},
{
"cve": "CVE-2023-53783",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53783"
},
{
"cve": "CVE-2023-53784",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53784"
},
{
"cve": "CVE-2023-53785",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53785"
},
{
"cve": "CVE-2023-53786",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53786"
},
{
"cve": "CVE-2023-53787",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53787"
},
{
"cve": "CVE-2023-53788",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53788"
},
{
"cve": "CVE-2023-53789",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53789"
},
{
"cve": "CVE-2023-53790",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53790"
},
{
"cve": "CVE-2023-53791",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53791"
},
{
"cve": "CVE-2023-53792",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53792"
},
{
"cve": "CVE-2023-53793",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53793"
},
{
"cve": "CVE-2023-53794",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53794"
},
{
"cve": "CVE-2023-53795",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53795"
},
{
"cve": "CVE-2023-53796",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53796"
},
{
"cve": "CVE-2023-53797",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53797"
},
{
"cve": "CVE-2023-53798",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53798"
},
{
"cve": "CVE-2023-53799",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53799"
},
{
"cve": "CVE-2023-53800",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53800"
},
{
"cve": "CVE-2023-53801",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53801"
},
{
"cve": "CVE-2023-53802",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53802"
},
{
"cve": "CVE-2023-53803",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53803"
},
{
"cve": "CVE-2023-53804",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53804"
},
{
"cve": "CVE-2023-53805",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53805"
},
{
"cve": "CVE-2023-53806",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53806"
},
{
"cve": "CVE-2023-53807",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53807"
},
{
"cve": "CVE-2023-53808",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53808"
},
{
"cve": "CVE-2023-53809",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53809"
},
{
"cve": "CVE-2023-53810",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53810"
},
{
"cve": "CVE-2023-53811",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53811"
},
{
"cve": "CVE-2023-53812",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53812"
},
{
"cve": "CVE-2023-53813",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53813"
},
{
"cve": "CVE-2023-53814",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53814"
},
{
"cve": "CVE-2023-53815",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53815"
},
{
"cve": "CVE-2023-53816",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53816"
},
{
"cve": "CVE-2023-53817",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53817"
},
{
"cve": "CVE-2023-53818",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53818"
},
{
"cve": "CVE-2023-53819",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53819"
},
{
"cve": "CVE-2023-53820",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53820"
},
{
"cve": "CVE-2023-53821",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53821"
},
{
"cve": "CVE-2023-53822",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53822"
},
{
"cve": "CVE-2023-53823",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53823"
},
{
"cve": "CVE-2023-53824",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53824"
},
{
"cve": "CVE-2023-53825",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53825"
},
{
"cve": "CVE-2023-53826",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53826"
},
{
"cve": "CVE-2023-53827",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53827"
},
{
"cve": "CVE-2023-53828",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53828"
},
{
"cve": "CVE-2023-53829",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53829"
},
{
"cve": "CVE-2023-53830",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53830"
},
{
"cve": "CVE-2023-53831",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53831"
},
{
"cve": "CVE-2023-53832",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53832"
},
{
"cve": "CVE-2023-53833",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53833"
},
{
"cve": "CVE-2023-53834",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53834"
},
{
"cve": "CVE-2023-53835",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53835"
},
{
"cve": "CVE-2023-53836",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53836"
},
{
"cve": "CVE-2023-53837",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53837"
},
{
"cve": "CVE-2023-53838",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53838"
},
{
"cve": "CVE-2023-53839",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53839"
},
{
"cve": "CVE-2023-53840",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53840"
},
{
"cve": "CVE-2023-53841",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53841"
},
{
"cve": "CVE-2023-53842",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53842"
},
{
"cve": "CVE-2023-53843",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53843"
},
{
"cve": "CVE-2023-53844",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53844"
},
{
"cve": "CVE-2023-53845",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53845"
},
{
"cve": "CVE-2023-53846",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53846"
},
{
"cve": "CVE-2023-53847",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53847"
},
{
"cve": "CVE-2023-53848",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53848"
},
{
"cve": "CVE-2023-53849",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53849"
},
{
"cve": "CVE-2023-53850",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53850"
},
{
"cve": "CVE-2023-53851",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53851"
},
{
"cve": "CVE-2023-53852",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53852"
},
{
"cve": "CVE-2023-53853",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53853"
},
{
"cve": "CVE-2023-53854",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53854"
},
{
"cve": "CVE-2023-53855",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53855"
},
{
"cve": "CVE-2023-53856",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53856"
},
{
"cve": "CVE-2023-53857",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53857"
},
{
"cve": "CVE-2023-53858",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53858"
},
{
"cve": "CVE-2023-53859",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53859"
},
{
"cve": "CVE-2023-53860",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53860"
},
{
"cve": "CVE-2023-53861",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53861"
},
{
"cve": "CVE-2023-53862",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53862"
},
{
"cve": "CVE-2023-53863",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53863"
},
{
"cve": "CVE-2023-53864",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53864"
},
{
"cve": "CVE-2023-53865",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53865"
},
{
"cve": "CVE-2023-53866",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2023-53866"
},
{
"cve": "CVE-2025-40327",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40327"
},
{
"cve": "CVE-2025-40328",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40328"
},
{
"cve": "CVE-2025-40329",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40329"
},
{
"cve": "CVE-2025-40330",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40330"
},
{
"cve": "CVE-2025-40331",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40331"
},
{
"cve": "CVE-2025-40332",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40332"
},
{
"cve": "CVE-2025-40333",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40333"
},
{
"cve": "CVE-2025-40334",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40334"
},
{
"cve": "CVE-2025-40335",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40335"
},
{
"cve": "CVE-2025-40336",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40336"
},
{
"cve": "CVE-2025-40337",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40337"
},
{
"cve": "CVE-2025-40338",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40338"
},
{
"cve": "CVE-2025-40339",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40339"
},
{
"cve": "CVE-2025-40340",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40340"
},
{
"cve": "CVE-2025-40341",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40341"
},
{
"cve": "CVE-2025-40342",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40342"
},
{
"cve": "CVE-2025-40343",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40343"
},
{
"cve": "CVE-2025-40344",
"product_status": {
"known_affected": [
"T028462",
"2951",
"398363"
]
},
"release_date": "2025-12-08T23:00:00.000+00:00",
"title": "CVE-2025-40344"
}
]
}
CVE-2023-53849 (GCVE-0-2023-53849)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
drm/msm: fix workqueue leak on bind errors
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: fix workqueue leak on bind errors
Make sure to destroy the workqueue also in case of early errors during
bind (e.g. a subcomponent failing to bind).
Since commit c3b790ea07a1 ("drm: Manage drm_mode_config_init with
drmm_") the mode config will be freed when the drm device is released
also when using the legacy interface, but add an explicit cleanup for
consistency and to facilitate backporting.
Patchwork: https://patchwork.freedesktop.org/patch/525093/
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 060530f1ea6740eb767085008d183f89ccdd289c , < 6e1476225ec02eeebc4b79f793506f80bc4bca8f (git) |
| Linux | Linux | Affected: 060530f1ea6740eb767085008d183f89ccdd289c , < 28e34db2f3e0130872e2384dd9df9f82bd89e967 (git) |
| Linux | Linux | Affected: 060530f1ea6740eb767085008d183f89ccdd289c , < 8551c4b7c8ffb42f759547e5c39da5980abf2432 (git) |
| Linux | Linux | Affected: 060530f1ea6740eb767085008d183f89ccdd289c , < a75b49db6529b2af049eafd938fae888451c3685 (git) |
| Linux | Linux | Affected: 3e796097404e325fa8d4f48a2af61f2e01e3ef02 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e1476225ec02eeebc4b79f793506f80bc4bca8f",
"status": "affected",
"version": "060530f1ea6740eb767085008d183f89ccdd289c",
"versionType": "git"
},
{
"lessThan": "28e34db2f3e0130872e2384dd9df9f82bd89e967",
"status": "affected",
"version": "060530f1ea6740eb767085008d183f89ccdd289c",
"versionType": "git"
},
{
"lessThan": "8551c4b7c8ffb42f759547e5c39da5980abf2432",
"status": "affected",
"version": "060530f1ea6740eb767085008d183f89ccdd289c",
"versionType": "git"
},
{
"lessThan": "a75b49db6529b2af049eafd938fae888451c3685",
"status": "affected",
"version": "060530f1ea6740eb767085008d183f89ccdd289c",
"versionType": "git"
},
{
"status": "affected",
"version": "3e796097404e325fa8d4f48a2af61f2e01e3ef02",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.29",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.16",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.41",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: fix workqueue leak on bind errors\n\nMake sure to destroy the workqueue also in case of early errors during\nbind (e.g. a subcomponent failing to bind).\n\nSince commit c3b790ea07a1 (\"drm: Manage drm_mode_config_init with\ndrmm_\") the mode config will be freed when the drm device is released\nalso when using the legacy interface, but add an explicit cleanup for\nconsistency and to facilitate backporting.\n\nPatchwork: https://patchwork.freedesktop.org/patch/525093/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:13.402Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e1476225ec02eeebc4b79f793506f80bc4bca8f"
},
{
"url": "https://git.kernel.org/stable/c/28e34db2f3e0130872e2384dd9df9f82bd89e967"
},
{
"url": "https://git.kernel.org/stable/c/8551c4b7c8ffb42f759547e5c39da5980abf2432"
},
{
"url": "https://git.kernel.org/stable/c/a75b49db6529b2af049eafd938fae888451c3685"
}
],
"title": "drm/msm: fix workqueue leak on bind errors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53849",
"datePublished": "2025-12-09T01:30:13.402Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2025-12-09T01:30:13.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53816 (GCVE-0-2023-53816)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-20 08:51
Title
drm/amdkfd: fix potential kgd_mem UAFs
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: fix potential kgd_mem UAFs
kgd_mem pointers returned by kfd_process_device_translate_handle are
only guaranteed to be valid while p->mutex is held. As soon as the mutex
is unlocked, another thread can free the BO.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53, < 5045360f3bb62ccd4f87202e33489f71f8bbc3fc (git) |
| Linux | Linux | Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53, < 5ca14fb5552ac13a2402d306c0bd2379a71610ff (git) |
| Linux | Linux | Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53, < 9da050b0d9e04439d225a2ec3044af70cdfb3933 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_chardev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5045360f3bb62ccd4f87202e33489f71f8bbc3fc",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
},
{
"lessThan": "5ca14fb5552ac13a2402d306c0bd2379a71610ff",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
},
{
"lessThan": "9da050b0d9e04439d225a2ec3044af70cdfb3933",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_chardev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.23",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.10",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: fix potential kgd_mem UAFs\n\nkgd_mem pointers returned by kfd_process_device_translate_handle are\nonly guaranteed to be valid while p-\u003emutex is held. As soon as the mutex\nis unlocked, another thread can free the BO."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:25.731Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5045360f3bb62ccd4f87202e33489f71f8bbc3fc"
},
{
"url": "https://git.kernel.org/stable/c/5ca14fb5552ac13a2402d306c0bd2379a71610ff"
},
{
"url": "https://git.kernel.org/stable/c/9da050b0d9e04439d225a2ec3044af70cdfb3933"
}
],
"title": "drm/amdkfd: fix potential kgd_mem UAFs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53816",
"datePublished": "2025-12-09T00:01:14.166Z",
"dateReserved": "2025-12-08T23:58:35.277Z",
"dateUpdated": "2025-12-20T08:51:25.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53847 (GCVE-0-2023-53847)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
usb-storage: alauda: Fix uninit-value in alauda_check_media()
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb-storage: alauda: Fix uninit-value in alauda_check_media()
Syzbot got KMSAN to complain about access to an uninitialized value in
the alauda subdriver of usb-storage:
BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0
drivers/usb/storage/alauda.c:1137
CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x191/0x1f0 lib/dump_stack.c:113
kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108
__msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460
The problem is that alauda_check_media() doesn't verify that its USB
transfer succeeded before trying to use the received data. What
should happen if the transfer fails isn't entirely clear, but a
reasonably conservative approach is to pretend that no media is
present.
A similar problem exists in a usb_stor_dbg() call in
alauda_get_media_status(). In this case, when an error occurs the
call is redundant, because usb_stor_ctrl_transfer() already will print
a debugging message.
Finally, unrelated to the uninitialized memory access, is the fact
that alauda_check_media() performs DMA to a buffer on the stack.
Fortunately usb-storage provides a general purpose DMA-able buffer for
uses like this. We'll use it instead.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f, < 153c3e85873cc3e2f387169783c3a227bad9a95a (git) |
| Linux | Linux | Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f, < 49d380bcd6cba987c6085fae6464c9c087e8d9a0 (git) |
| Linux | Linux | Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f, < 044f4446e06bb03c52216697b14867ebc555ad3b (git) |
| Linux | Linux | Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f, < fe7c3a445d22783d27fe8bd0521a8aab1eb9da65 (git) |
| Linux | Linux | Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f, < 7a11d1e2625bdb2346f6586773b20b20977278ac (git) |
| Linux | Linux | Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f, < 0d2d5282d39aed6f27dfe1ed60a5f3934ebd21cd (git) |
| Linux | Linux | Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f, < 373e0ab8c4c516561493f1acf367c7ee7dc053c2 (git) |
| Linux | Linux | Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f, < a6ff6e7a9dd69364547751db0f626a10a6d628d2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/alauda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "153c3e85873cc3e2f387169783c3a227bad9a95a",
"status": "affected",
"version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
"versionType": "git"
},
{
"lessThan": "49d380bcd6cba987c6085fae6464c9c087e8d9a0",
"status": "affected",
"version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
"versionType": "git"
},
{
"lessThan": "044f4446e06bb03c52216697b14867ebc555ad3b",
"status": "affected",
"version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
"versionType": "git"
},
{
"lessThan": "fe7c3a445d22783d27fe8bd0521a8aab1eb9da65",
"status": "affected",
"version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
"versionType": "git"
},
{
"lessThan": "7a11d1e2625bdb2346f6586773b20b20977278ac",
"status": "affected",
"version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
"versionType": "git"
},
{
"lessThan": "0d2d5282d39aed6f27dfe1ed60a5f3934ebd21cd",
"status": "affected",
"version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
"versionType": "git"
},
{
"lessThan": "373e0ab8c4c516561493f1acf367c7ee7dc053c2",
"status": "affected",
"version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
"versionType": "git"
},
{
"lessThan": "a6ff6e7a9dd69364547751db0f626a10a6d628d2",
"status": "affected",
"version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/alauda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.323",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.292",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.254",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.191",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb-storage: alauda: Fix uninit-value in alauda_check_media()\n\nSyzbot got KMSAN to complain about access to an uninitialized value in\nthe alauda subdriver of usb-storage:\n\nBUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0\ndrivers/usb/storage/alauda.c:1137\nCPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS\nGoogle 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x191/0x1f0 lib/dump_stack.c:113\n kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108\n __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250\n alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460\n\nThe problem is that alauda_check_media() doesn\u0027t verify that its USB\ntransfer succeeded before trying to use the received data. What\nshould happen if the transfer fails isn\u0027t entirely clear, but a\nreasonably conservative approach is to pretend that no media is\npresent.\n\nA similar problem exists in a usb_stor_dbg() call in\nalauda_get_media_status(). In this case, when an error occurs the\ncall is redundant, because usb_stor_ctrl_transfer() already will print\na debugging message.\n\nFinally, unrelated to the uninitialized memory access, is the fact\nthat alauda_check_media() performs DMA to a buffer on the stack.\nFortunately usb-storage provides a general purpose DMA-able buffer for\nuses like this. We\u0027ll use it instead."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:10.344Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/153c3e85873cc3e2f387169783c3a227bad9a95a"
},
{
"url": "https://git.kernel.org/stable/c/49d380bcd6cba987c6085fae6464c9c087e8d9a0"
},
{
"url": "https://git.kernel.org/stable/c/044f4446e06bb03c52216697b14867ebc555ad3b"
},
{
"url": "https://git.kernel.org/stable/c/fe7c3a445d22783d27fe8bd0521a8aab1eb9da65"
},
{
"url": "https://git.kernel.org/stable/c/7a11d1e2625bdb2346f6586773b20b20977278ac"
},
{
"url": "https://git.kernel.org/stable/c/0d2d5282d39aed6f27dfe1ed60a5f3934ebd21cd"
},
{
"url": "https://git.kernel.org/stable/c/373e0ab8c4c516561493f1acf367c7ee7dc053c2"
},
{
"url": "https://git.kernel.org/stable/c/a6ff6e7a9dd69364547751db0f626a10a6d628d2"
}
],
"title": "usb-storage: alauda: Fix uninit-value in alauda_check_media()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53847",
"datePublished": "2025-12-09T01:30:10.344Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2025-12-09T01:30:10.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53864 (GCVE-0-2023-53864)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable()
When disabling overlay plane in mxsfb_plane_overlay_atomic_update(),
overlay plane's framebuffer pointer is NULL. So, dereferencing it would
cause a kernel Oops(NULL pointer dereferencing). Fix the issue by
disabling overlay plane in mxsfb_plane_overlay_atomic_disable() instead.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33, < 8bf2d4ca521d3acb57fc1607386e749b3cc92aaf (git) |
| Linux | Linux | Affected: cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33, < 0f98de0a11d29821d9448114178ddc1b1fe32a18 (git) |
| Linux | Linux | Affected: cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33, < aa656d48e871a1b062e1bbf9474d8b831c35074c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mxsfb/mxsfb_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8bf2d4ca521d3acb57fc1607386e749b3cc92aaf",
"status": "affected",
"version": "cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33",
"versionType": "git"
},
{
"lessThan": "0f98de0a11d29821d9448114178ddc1b1fe32a18",
"status": "affected",
"version": "cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33",
"versionType": "git"
},
{
"lessThan": "aa656d48e871a1b062e1bbf9474d8b831c35074c",
"status": "affected",
"version": "cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mxsfb/mxsfb_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable()\n\nWhen disabling overlay plane in mxsfb_plane_overlay_atomic_update(),\noverlay plane\u0027s framebuffer pointer is NULL. So, dereferencing it would\ncause a kernel Oops(NULL pointer dereferencing). Fix the issue by\ndisabling overlay plane in mxsfb_plane_overlay_atomic_disable() instead."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:33.263Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8bf2d4ca521d3acb57fc1607386e749b3cc92aaf"
},
{
"url": "https://git.kernel.org/stable/c/0f98de0a11d29821d9448114178ddc1b1fe32a18"
},
{
"url": "https://git.kernel.org/stable/c/aa656d48e871a1b062e1bbf9474d8b831c35074c"
}
],
"title": "drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53864",
"datePublished": "2025-12-09T01:30:33.263Z",
"dateReserved": "2025-12-09T01:27:17.829Z",
"dateUpdated": "2025-12-09T01:30:33.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40344 (GCVE-0-2025-40344)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:10 – Updated: 2025-12-09 04:10
Title
ASoC: Intel: avs: Disable periods-elapsed work when closing PCM
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: avs: Disable periods-elapsed work when closing PCM
avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio
stream while period-elapsed work services its IRQs. As the former
frees the DAI's private context, these two operations shall be
synchronized to avoid slab-use-after-free or worse errors.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0dbb186c3510cad4e9f443e801bf2e6ab5770c00, < ca6d2b7aca778afbf8c0c4b330d10cb228c14052 (git) |
| Linux | Linux | Affected: 0dbb186c3510cad4e9f443e801bf2e6ab5770c00, < b41fca4aa60be896ba8a81b57aac5dcc6eee66c0 (git) |
| Linux | Linux | Affected: 0dbb186c3510cad4e9f443e801bf2e6ab5770c00, < 845f716dc5f354c719f6fda35048b6c2eca99331 (git) |
| Linux | Linux | Affected: 31087af37d6b1586b76d4acf3e0c1634a4617ba6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/avs/pcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca6d2b7aca778afbf8c0c4b330d10cb228c14052",
"status": "affected",
"version": "0dbb186c3510cad4e9f443e801bf2e6ab5770c00",
"versionType": "git"
},
{
"lessThan": "b41fca4aa60be896ba8a81b57aac5dcc6eee66c0",
"status": "affected",
"version": "0dbb186c3510cad4e9f443e801bf2e6ab5770c00",
"versionType": "git"
},
{
"lessThan": "845f716dc5f354c719f6fda35048b6c2eca99331",
"status": "affected",
"version": "0dbb186c3510cad4e9f443e801bf2e6ab5770c00",
"versionType": "git"
},
{
"status": "affected",
"version": "31087af37d6b1586b76d4acf3e0c1634a4617ba6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/avs/pcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: avs: Disable periods-elapsed work when closing PCM\n\navs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio\nstream while period-elapsed work services its IRQs. As the former\nfrees the DAI\u0027s private context, these two operations shall be\nsynchronized to avoid slab-use-after-free or worse errors."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T04:10:03.253Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca6d2b7aca778afbf8c0c4b330d10cb228c14052"
},
{
"url": "https://git.kernel.org/stable/c/b41fca4aa60be896ba8a81b57aac5dcc6eee66c0"
},
{
"url": "https://git.kernel.org/stable/c/845f716dc5f354c719f6fda35048b6c2eca99331"
}
],
"title": "ASoC: Intel: avs: Disable periods-elapsed work when closing PCM",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40344",
"datePublished": "2025-12-09T04:10:03.253Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-09T04:10:03.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50657 (GCVE-0-2022-50657)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
riscv: mm: add missing memcpy in kasan_init
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv: mm: add missing memcpy in kasan_init
Hi Atish,
It seems that the panic is due to the missing memcpy during kasan_init.
Could you please check whether this patch is helpful?
When doing kasan_populate, the new allocated base_pud/base_p4d should
contain kasan_early_shadow_{pud, p4d}'s content. Add the missing memcpy
to avoid page fault when read/write kasan shadow region.
Tested on:
- qemu with sv57 and CONFIG_KASAN on.
- qemu with sv48 and CONFIG_KASAN on.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/mm/kasan_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ff0f6becf3a6f817838b6f80a2c9cca43dce0576",
"status": "affected",
"version": "8fbdccd2b17335e1881a23865e98c63fcc345938",
"versionType": "git"
},
{
"lessThan": "9f2ac64d6ca60db99132e08628ac2899f956a0ec",
"status": "affected",
"version": "8fbdccd2b17335e1881a23865e98c63fcc345938",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/mm/kasan_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: mm: add missing memcpy in kasan_init\n\nHi Atish,\n\nIt seems that the panic is due to the missing memcpy during kasan_init.\nCould you please check whether this patch is helpful?\n\nWhen doing kasan_populate, the new allocated base_pud/base_p4d should\ncontain kasan_early_shadow_{pud, p4d}\u0027s content. Add the missing memcpy\nto avoid page fault when read/write kasan shadow region.\n\nTested on:\n - qemu with sv57 and CONFIG_KASAN on.\n - qemu with sv48 and CONFIG_KASAN on."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:04.968Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ff0f6becf3a6f817838b6f80a2c9cca43dce0576"
},
{
"url": "https://git.kernel.org/stable/c/9f2ac64d6ca60db99132e08628ac2899f956a0ec"
}
],
"title": "riscv: mm: add missing memcpy in kasan_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50657",
"datePublished": "2025-12-09T01:29:04.968Z",
"dateReserved": "2025-12-09T01:26:45.989Z",
"dateUpdated": "2025-12-09T01:29:04.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53802 (GCVE-0-2023-53802)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function
It is stated that ath9k_htc_rx_msg() either frees the provided skb or
passes its management to another callback function. However, the skb is
not freed in case there is no another callback function, and Syzkaller was
able to cause a memory leak. Also minor comment fix.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < b11f95f65cc52ee3a756e6f6a88df37a203e25bd (git) |
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < 68171c006c8645a3e0293a6c3e6037c6538ac1c5 (git) |
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < 564bc2222bf50eb6cdee715a5431bf4dc9f923c1 (git) |
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < ec246dfe006b2a8f36353f7489e4f525114db9a5 (git) |
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < c0c0614f143b568cd0e9525d53cf12e5dcd11987 (git) |
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < 5a84e51f72580fc70066b03f3dac38421e702a0b (git) |
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < bbfababb4f899fe1556eac195f9774b6fe675fb6 (git) |
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < 9b25e3985477ac3f02eca5fc1e0cc6850a3f7e69 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/htc_hst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b11f95f65cc52ee3a756e6f6a88df37a203e25bd",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "68171c006c8645a3e0293a6c3e6037c6538ac1c5",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "564bc2222bf50eb6cdee715a5431bf4dc9f923c1",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "ec246dfe006b2a8f36353f7489e4f525114db9a5",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "c0c0614f143b568cd0e9525d53cf12e5dcd11987",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "5a84e51f72580fc70066b03f3dac38421e702a0b",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "bbfababb4f899fe1556eac195f9774b6fe675fb6",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "9b25e3985477ac3f02eca5fc1e0cc6850a3f7e69",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/htc_hst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function\n\nIt is stated that ath9k_htc_rx_msg() either frees the provided skb or\npasses its management to another callback function. However, the skb is\nnot freed in case there is no another callback function, and Syzkaller was\nable to cause a memory leak. Also minor comment fix.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:58.582Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b11f95f65cc52ee3a756e6f6a88df37a203e25bd"
},
{
"url": "https://git.kernel.org/stable/c/68171c006c8645a3e0293a6c3e6037c6538ac1c5"
},
{
"url": "https://git.kernel.org/stable/c/564bc2222bf50eb6cdee715a5431bf4dc9f923c1"
},
{
"url": "https://git.kernel.org/stable/c/ec246dfe006b2a8f36353f7489e4f525114db9a5"
},
{
"url": "https://git.kernel.org/stable/c/c0c0614f143b568cd0e9525d53cf12e5dcd11987"
},
{
"url": "https://git.kernel.org/stable/c/5a84e51f72580fc70066b03f3dac38421e702a0b"
},
{
"url": "https://git.kernel.org/stable/c/bbfababb4f899fe1556eac195f9774b6fe675fb6"
},
{
"url": "https://git.kernel.org/stable/c/9b25e3985477ac3f02eca5fc1e0cc6850a3f7e69"
}
],
"title": "wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53802",
"datePublished": "2025-12-09T00:00:58.582Z",
"dateReserved": "2025-12-08T23:58:35.275Z",
"dateUpdated": "2025-12-09T00:00:58.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50653 (GCVE-0-2022-50653)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
mmc: atmel-mci: fix return value check of mmc_add_host()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: atmel-mci: fix return value check of mmc_add_host()
mmc_add_host() may return an error. If we ignore its return value,
it will lead to two issues:
1. The memory that was allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to
delete the device, but it's not added yet, so it will lead to a kernel
crash because of a null-ptr-deref in device_del().
So fix this by checking the return value and calling mmc_free_host()
in the error path.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7d2be0749a59096a334c94dc48f43294193cb8ed , < 99a6cdfa2cf05028b52f6d8ee85ccc5f8b71b4a2 (git) Affected: 7d2be0749a59096a334c94dc48f43294193cb8ed , < 6bb26abb92f25e582a0976091a10b539fe3796db (git) Affected: 7d2be0749a59096a334c94dc48f43294193cb8ed , < 00ac0f5f95920f003cd6ece53cdc759549b69118 (git) Affected: 7d2be0749a59096a334c94dc48f43294193cb8ed , < 1925472dec31ec061d57412b3a65a056ea24f340 (git) Affected: 7d2be0749a59096a334c94dc48f43294193cb8ed , < cc8bb436f3c842a86b9082d97933582120d180e2 (git) Affected: 7d2be0749a59096a334c94dc48f43294193cb8ed , < 85946ceb0fac20ab39cdb85333086daf0291a553 (git) Affected: 7d2be0749a59096a334c94dc48f43294193cb8ed , < 9e6e8c43726673ca2abcaac87640b9215fd72f4c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/atmel-mci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99a6cdfa2cf05028b52f6d8ee85ccc5f8b71b4a2",
"status": "affected",
"version": "7d2be0749a59096a334c94dc48f43294193cb8ed",
"versionType": "git"
},
{
"lessThan": "6bb26abb92f25e582a0976091a10b539fe3796db",
"status": "affected",
"version": "7d2be0749a59096a334c94dc48f43294193cb8ed",
"versionType": "git"
},
{
"lessThan": "00ac0f5f95920f003cd6ece53cdc759549b69118",
"status": "affected",
"version": "7d2be0749a59096a334c94dc48f43294193cb8ed",
"versionType": "git"
},
{
"lessThan": "1925472dec31ec061d57412b3a65a056ea24f340",
"status": "affected",
"version": "7d2be0749a59096a334c94dc48f43294193cb8ed",
"versionType": "git"
},
{
"lessThan": "cc8bb436f3c842a86b9082d97933582120d180e2",
"status": "affected",
"version": "7d2be0749a59096a334c94dc48f43294193cb8ed",
"versionType": "git"
},
{
"lessThan": "85946ceb0fac20ab39cdb85333086daf0291a553",
"status": "affected",
"version": "7d2be0749a59096a334c94dc48f43294193cb8ed",
"versionType": "git"
},
{
"lessThan": "9e6e8c43726673ca2abcaac87640b9215fd72f4c",
"status": "affected",
"version": "7d2be0749a59096a334c94dc48f43294193cb8ed",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/atmel-mci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: atmel-mci: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value,\nit will lead two issues:\n1. The memory that allocated in mmc_alloc_host() is leaked.\n2. In the remove() path, mmc_remove_host() will be called to\n delete device, but it\u0027s not added yet, it will lead a kernel\n crash because of null-ptr-deref in device_del().\n\nSo fix this by checking the return value and calling mmc_free_host()\nin the error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:27.592Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99a6cdfa2cf05028b52f6d8ee85ccc5f8b71b4a2"
},
{
"url": "https://git.kernel.org/stable/c/6bb26abb92f25e582a0976091a10b539fe3796db"
},
{
"url": "https://git.kernel.org/stable/c/00ac0f5f95920f003cd6ece53cdc759549b69118"
},
{
"url": "https://git.kernel.org/stable/c/1925472dec31ec061d57412b3a65a056ea24f340"
},
{
"url": "https://git.kernel.org/stable/c/cc8bb436f3c842a86b9082d97933582120d180e2"
},
{
"url": "https://git.kernel.org/stable/c/85946ceb0fac20ab39cdb85333086daf0291a553"
},
{
"url": "https://git.kernel.org/stable/c/9e6e8c43726673ca2abcaac87640b9215fd72f4c"
}
],
"title": "mmc: atmel-mci: fix return value check of mmc_add_host()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50653",
"datePublished": "2025-12-09T00:00:27.592Z",
"dateReserved": "2025-12-08T23:57:43.372Z",
"dateUpdated": "2025-12-09T00:00:27.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53814 (GCVE-0-2023-53814)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
Title
PCI: Fix dropping valid root bus resources with .end = zero
Summary
In the Linux kernel, the following vulnerability has been resolved:

PCI: Fix dropping valid root bus resources with .end = zero

On r8a7791/koelsch:

    kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
    # cat /sys/kernel/debug/kmemleak
    unreferenced object 0xc3a34e00 (size 64):
      comm "swapper/0", pid 1, jiffies 4294937460 (age 199.080s)
      hex dump (first 32 bytes):
        b4 5d 81 f0 b4 5d 81 f0 c0 b0 a2 c3 00 00 00 00 .]...]..........
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
      backtrace:
        [<fe3aa979>] __kmalloc+0xf0/0x140
        [<34bd6bc0>] resource_list_create_entry+0x18/0x38
        [<767046bc>] pci_add_resource_offset+0x20/0x68
        [<b3f3edf2>] devm_of_pci_get_host_bridge_resources.constprop.0+0xb0/0x390

When coalescing two resources for a contiguous aperture, the second
resource is enlarged to cover the full contiguous range, while the first
resource is marked invalid. This invalidation is done by clearing the
flags, start, and end members.

When adding the initial resources to the bus later, invalid resources are
skipped. Unfortunately, the check for an invalid resource considers only
the end member, causing false positives.

E.g. on r8a7791/koelsch, root bus resource 0 ("bus 00") is skipped, and no
longer registered with pci_bus_insert_busn_res() (causing the memory leak),
nor printed:

    pci-rcar-gen2 ee090000.pci: host bridge /soc/pci@ee090000 ranges:
    pci-rcar-gen2 ee090000.pci: MEM 0x00ee080000..0x00ee08ffff -> 0x00ee080000
    pci-rcar-gen2 ee090000.pci: PCI: revision 11
    pci-rcar-gen2 ee090000.pci: PCI host bridge to bus 0000:00
   -pci_bus 0000:00: root bus resource [bus 00]
    pci_bus 0000:00: root bus resource [mem 0xee080000-0xee08ffff]

Fix this by only skipping resources where all of the flags, start, and end
members are zero.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: fd168b7d1d7cfc61cea561b1e3cc47aefc9e8f19 , < e4af080f3ef6a65b0d702988c2471a47c9ae2cc0 (git) Affected: 7c3855c423b17f6ca211858afb0cef20569914c7 , < fe6a1fbe83f5b23d7db93596b793561230f06b40 (git) Affected: 7c3855c423b17f6ca211858afb0cef20569914c7 , < 7e6f2714d93cdf977b6124a80af2cf0e14e2d407 (git) Affected: 7c3855c423b17f6ca211858afb0cef20569914c7 , < 9d8ba74a181b1c81def21168795ed96cbe6f05ed (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/probe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e4af080f3ef6a65b0d702988c2471a47c9ae2cc0",
"status": "affected",
"version": "fd168b7d1d7cfc61cea561b1e3cc47aefc9e8f19",
"versionType": "git"
},
{
"lessThan": "fe6a1fbe83f5b23d7db93596b793561230f06b40",
"status": "affected",
"version": "7c3855c423b17f6ca211858afb0cef20569914c7",
"versionType": "git"
},
{
"lessThan": "7e6f2714d93cdf977b6124a80af2cf0e14e2d407",
"status": "affected",
"version": "7c3855c423b17f6ca211858afb0cef20569914c7",
"versionType": "git"
},
{
"lessThan": "9d8ba74a181b1c81def21168795ed96cbe6f05ed",
"status": "affected",
"version": "7c3855c423b17f6ca211858afb0cef20569914c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/probe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix dropping valid root bus resources with .end = zero\n\nOn r8a7791/koelsch:\n\n kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\n # cat /sys/kernel/debug/kmemleak\n unreferenced object 0xc3a34e00 (size 64):\n comm \"swapper/0\", pid 1, jiffies 4294937460 (age 199.080s)\n hex dump (first 32 bytes):\n b4 5d 81 f0 b4 5d 81 f0 c0 b0 a2 c3 00 00 00 00 .]...]..........\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cfe3aa979\u003e] __kmalloc+0xf0/0x140\n [\u003c34bd6bc0\u003e] resource_list_create_entry+0x18/0x38\n [\u003c767046bc\u003e] pci_add_resource_offset+0x20/0x68\n [\u003cb3f3edf2\u003e] devm_of_pci_get_host_bridge_resources.constprop.0+0xb0/0x390\n\nWhen coalescing two resources for a contiguous aperture, the second\nresource is enlarged to cover the full contiguous range, while the first\nresource is marked invalid. This invalidation is done by clearing the\nflags, start, and end members.\n\nWhen adding the initial resources to the bus later, invalid resources are\nskipped. Unfortunately, the check for an invalid resource considers only\nthe end member, causing false positives.\n\nE.g. on r8a7791/koelsch, root bus resource 0 (\"bus 00\") is skipped, and no\nlonger registered with pci_bus_insert_busn_res() (causing the memory leak),\nnor printed:\n\n pci-rcar-gen2 ee090000.pci: host bridge /soc/pci@ee090000 ranges:\n pci-rcar-gen2 ee090000.pci: MEM 0x00ee080000..0x00ee08ffff -\u003e 0x00ee080000\n pci-rcar-gen2 ee090000.pci: PCI: revision 11\n pci-rcar-gen2 ee090000.pci: PCI host bridge to bus 0000:00\n -pci_bus 0000:00: root bus resource [bus 00]\n pci_bus 0000:00: root bus resource [mem 0xee080000-0xee08ffff]\n\nFix this by only skipping resources where all of the flags, start, and end\nmembers are zero."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:11.827Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e4af080f3ef6a65b0d702988c2471a47c9ae2cc0"
},
{
"url": "https://git.kernel.org/stable/c/fe6a1fbe83f5b23d7db93596b793561230f06b40"
},
{
"url": "https://git.kernel.org/stable/c/7e6f2714d93cdf977b6124a80af2cf0e14e2d407"
},
{
"url": "https://git.kernel.org/stable/c/9d8ba74a181b1c81def21168795ed96cbe6f05ed"
}
],
"title": "PCI: Fix dropping valid root bus resources with .end = zero",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53814",
"datePublished": "2025-12-09T00:01:11.827Z",
"dateReserved": "2025-12-08T23:58:35.277Z",
"dateUpdated": "2025-12-09T00:01:11.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53791 (GCVE-0-2023-53791)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
md: fix warning for holder mismatch from export_rdev()
Summary
In the Linux kernel, the following vulnerability has been resolved:

md: fix warning for holder mismatch from export_rdev()

Commit a1d767191096 ("md: use mddev->external to select holder in
export_rdev()") fix the problem that 'claim_rdev' is used for
blkdev_get_by_dev() while 'rdev' is used for blkdev_put().

However, if mddev->external is changed from 0 to 1, then 'rdev' is used
for blkdev_get_by_dev() while 'claim_rdev' is used for blkdev_put(). And
this problem can be reproduced reliably by following:

New file: mdadm/tests/23rdev-lifetime

    devname=${dev0##*/}
    devt=`cat /sys/block/$devname/dev`
    pid=""
    runtime=2

    clean_up_test() {
        pill -9 $pid
        echo clear > /sys/block/md0/md/array_state
    }

    trap 'clean_up_test' EXIT

    add_by_sysfs() {
        while true; do
            echo $devt > /sys/block/md0/md/new_dev
        done
    }

    remove_by_sysfs(){
        while true; do
            echo remove > /sys/block/md0/md/dev-${devname}/state
        done
    }

    echo md0 > /sys/module/md_mod/parameters/new_array || die "create md0 failed"

    add_by_sysfs &
    pid="$pid $!"

    remove_by_sysfs &
    pid="$pid $!"

    sleep $runtime
    exit 0

Test cmd:

    ./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime

Test result:

    ------------[ cut here ]------------
    WARNING: CPU: 0 PID: 960 at block/bdev.c:618 blkdev_put+0x27c/0x330
    Modules linked in: multipath md_mod loop
    CPU: 0 PID: 960 Comm: test Not tainted 6.5.0-rc2-00121-g01e55c376936-dirty #50
    RIP: 0010:blkdev_put+0x27c/0x330
    Call Trace:
     <TASK>
     export_rdev.isra.23+0x50/0xa0 [md_mod]
     mddev_unlock+0x19d/0x300 [md_mod]
     rdev_attr_store+0xec/0x190 [md_mod]
     sysfs_kf_write+0x52/0x70
     kernfs_fop_write_iter+0x19a/0x2a0
     vfs_write+0x3b5/0x770
     ksys_write+0x74/0x150
     __x64_sys_write+0x22/0x30
     do_syscall_64+0x40/0x90
     entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fix the problem by recording if 'rdev' is used as holder.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c",
"drivers/md/md.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99fcd427178d0f58f5520f8f01df727f8eaeb2c7",
"status": "affected",
"version": "a1d7671910965ca9f8f0377e7e3bfd1179fba4d8",
"versionType": "git"
},
{
"lessThan": "99892147f028d711f9d40fefad4f33632593864c",
"status": "affected",
"version": "a1d7671910965ca9f8f0377e7e3bfd1179fba4d8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c",
"drivers/md/md.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix warning for holder mismatch from export_rdev()\n\nCommit a1d767191096 (\"md: use mddev-\u003eexternal to select holder in\nexport_rdev()\") fix the problem that \u0027claim_rdev\u0027 is used for\nblkdev_get_by_dev() while \u0027rdev\u0027 is used for blkdev_put().\n\nHowever, if mddev-\u003eexternal is changed from 0 to 1, then \u0027rdev\u0027 is used\nfor blkdev_get_by_dev() while \u0027claim_rdev\u0027 is used for blkdev_put(). And\nthis problem can be reporduced reliably by following:\n\nNew file: mdadm/tests/23rdev-lifetime\n\ndevname=${dev0##*/}\ndevt=`cat /sys/block/$devname/dev`\npid=\"\"\nruntime=2\n\nclean_up_test() {\n pill -9 $pid\n echo clear \u003e /sys/block/md0/md/array_state\n}\n\ntrap \u0027clean_up_test\u0027 EXIT\n\nadd_by_sysfs() {\n while true; do\n echo $devt \u003e /sys/block/md0/md/new_dev\n done\n}\n\nremove_by_sysfs(){\n while true; do\n echo remove \u003e /sys/block/md0/md/dev-${devname}/state\n done\n}\n\necho md0 \u003e /sys/module/md_mod/parameters/new_array || die \"create md0 failed\"\n\nadd_by_sysfs \u0026\npid=\"$pid $!\"\n\nremove_by_sysfs \u0026\npid=\"$pid $!\"\n\nsleep $runtime\nexit 0\n\nTest cmd:\n\n./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime\n\nTest result:\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 960 at block/bdev.c:618 blkdev_put+0x27c/0x330\nModules linked in: multipath md_mod loop\nCPU: 0 PID: 960 Comm: test Not tainted 6.5.0-rc2-00121-g01e55c376936-dirty #50\nRIP: 0010:blkdev_put+0x27c/0x330\nCall Trace:\n \u003cTASK\u003e\n export_rdev.isra.23+0x50/0xa0 [md_mod]\n mddev_unlock+0x19d/0x300 [md_mod]\n rdev_attr_store+0xec/0x190 [md_mod]\n sysfs_kf_write+0x52/0x70\n kernfs_fop_write_iter+0x19a/0x2a0\n vfs_write+0x3b5/0x770\n ksys_write+0x74/0x150\n __x64_sys_write+0x22/0x30\n do_syscall_64+0x40/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFix the problem by recording 
if \u0027rdev\u0027 is used as holder."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:48.301Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99fcd427178d0f58f5520f8f01df727f8eaeb2c7"
},
{
"url": "https://git.kernel.org/stable/c/99892147f028d711f9d40fefad4f33632593864c"
}
],
"title": "md: fix warning for holder mismatch from export_rdev()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53791",
"datePublished": "2025-12-09T00:00:48.301Z",
"dateReserved": "2025-12-08T23:58:35.274Z",
"dateUpdated": "2025-12-09T00:00:48.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50660 (GCVE-0-2022-50660)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
wifi: ipw2200: fix memory leak in ipw_wdev_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ipw2200: fix memory leak in ipw_wdev_init()
In the error path of ipw_wdev_init(), exception value is returned, and
the memory applied for in the function is not released. Also the memory
is not released in ipw_pci_probe(). As a result, memory leakage occurs.
So memory release needs to be added to the error path of ipw_wdev_init().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a3caa99e6c68f466c13cfea74097f6fb01b45e25 , < 75d20ba9506eb90d92e660e04dd887ff1495fcc3 (git) Affected: a3caa99e6c68f466c13cfea74097f6fb01b45e25 , < fb3517b92a45c8004ac26250ae041a24eb23fef1 (git) Affected: a3caa99e6c68f466c13cfea74097f6fb01b45e25 , < 112c1af02b8f535baf42ef9d807aea963705ef15 (git) Affected: a3caa99e6c68f466c13cfea74097f6fb01b45e25 , < 8a2eb9d9d0c1535bc8e22840193bff4cdcac878b (git) Affected: a3caa99e6c68f466c13cfea74097f6fb01b45e25 , < 9424ea9d557ef41d86eb40b6349ae991c3dcff89 (git) Affected: a3caa99e6c68f466c13cfea74097f6fb01b45e25 , < 62ec7e8bf42f1542f966dda687c654aae81718c8 (git) Affected: a3caa99e6c68f466c13cfea74097f6fb01b45e25 , < 1f590fb3d14e5db3a9e06ee141b1685c429278ce (git) Affected: a3caa99e6c68f466c13cfea74097f6fb01b45e25 , < 9fe21dc626117fb44a8eb393713a86a620128ce3 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/ipw2x00/ipw2200.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "75d20ba9506eb90d92e660e04dd887ff1495fcc3",
"status": "affected",
"version": "a3caa99e6c68f466c13cfea74097f6fb01b45e25",
"versionType": "git"
},
{
"lessThan": "fb3517b92a45c8004ac26250ae041a24eb23fef1",
"status": "affected",
"version": "a3caa99e6c68f466c13cfea74097f6fb01b45e25",
"versionType": "git"
},
{
"lessThan": "112c1af02b8f535baf42ef9d807aea963705ef15",
"status": "affected",
"version": "a3caa99e6c68f466c13cfea74097f6fb01b45e25",
"versionType": "git"
},
{
"lessThan": "8a2eb9d9d0c1535bc8e22840193bff4cdcac878b",
"status": "affected",
"version": "a3caa99e6c68f466c13cfea74097f6fb01b45e25",
"versionType": "git"
},
{
"lessThan": "9424ea9d557ef41d86eb40b6349ae991c3dcff89",
"status": "affected",
"version": "a3caa99e6c68f466c13cfea74097f6fb01b45e25",
"versionType": "git"
},
{
"lessThan": "62ec7e8bf42f1542f966dda687c654aae81718c8",
"status": "affected",
"version": "a3caa99e6c68f466c13cfea74097f6fb01b45e25",
"versionType": "git"
},
{
"lessThan": "1f590fb3d14e5db3a9e06ee141b1685c429278ce",
"status": "affected",
"version": "a3caa99e6c68f466c13cfea74097f6fb01b45e25",
"versionType": "git"
},
{
"lessThan": "9fe21dc626117fb44a8eb393713a86a620128ce3",
"status": "affected",
"version": "a3caa99e6c68f466c13cfea74097f6fb01b45e25",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/ipw2x00/ipw2200.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ipw2200: fix memory leak in ipw_wdev_init()\n\nIn the error path of ipw_wdev_init(), exception value is returned, and\nthe memory applied for in the function is not released. Also the memory\nis not released in ipw_pci_probe(). As a result, memory leakage occurs.\nSo memory release needs to be added to the error path of ipw_wdev_init()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:08.387Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/75d20ba9506eb90d92e660e04dd887ff1495fcc3"
},
{
"url": "https://git.kernel.org/stable/c/fb3517b92a45c8004ac26250ae041a24eb23fef1"
},
{
"url": "https://git.kernel.org/stable/c/112c1af02b8f535baf42ef9d807aea963705ef15"
},
{
"url": "https://git.kernel.org/stable/c/8a2eb9d9d0c1535bc8e22840193bff4cdcac878b"
},
{
"url": "https://git.kernel.org/stable/c/9424ea9d557ef41d86eb40b6349ae991c3dcff89"
},
{
"url": "https://git.kernel.org/stable/c/62ec7e8bf42f1542f966dda687c654aae81718c8"
},
{
"url": "https://git.kernel.org/stable/c/1f590fb3d14e5db3a9e06ee141b1685c429278ce"
},
{
"url": "https://git.kernel.org/stable/c/9fe21dc626117fb44a8eb393713a86a620128ce3"
}
],
"title": "wifi: ipw2200: fix memory leak in ipw_wdev_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50660",
"datePublished": "2025-12-09T01:29:08.387Z",
"dateReserved": "2025-12-09T01:26:45.989Z",
"dateUpdated": "2025-12-09T01:29:08.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53830 (GCVE-0-2023-53830)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
platform/x86: think-lmi: Fix memory leak when showing current settings
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: think-lmi: Fix memory leak when showing current settings
When retrieving an item string with tlmi_setting(), the result has to be
freed using kfree(). In current_value_show() however, malformed
item strings are not freed, causing a memory leak.
Fix this by eliminating the early return responsible for this.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0fdf10e5fc964c315cf131a2eaab9cc531a9f40f , < b9396d991abe8d1ac31a043274ab20b49f92c2e6 (git) |
| Linux | Linux | Affected: 0fdf10e5fc964c315cf131a2eaab9cc531a9f40f , < 9071525bfcb1f5674117dbed3eca0cd7b122813b (git) |
| Linux | Linux | Affected: 0fdf10e5fc964c315cf131a2eaab9cc531a9f40f , < 5f99014c19fa50a5719c0bb78143282632675893 (git) |
| Linux | Linux | Affected: 0fdf10e5fc964c315cf131a2eaab9cc531a9f40f , < a3c4c053014585dcf20f4df954791b74d8a8afcd (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/think-lmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b9396d991abe8d1ac31a043274ab20b49f92c2e6",
"status": "affected",
"version": "0fdf10e5fc964c315cf131a2eaab9cc531a9f40f",
"versionType": "git"
},
{
"lessThan": "9071525bfcb1f5674117dbed3eca0cd7b122813b",
"status": "affected",
"version": "0fdf10e5fc964c315cf131a2eaab9cc531a9f40f",
"versionType": "git"
},
{
"lessThan": "5f99014c19fa50a5719c0bb78143282632675893",
"status": "affected",
"version": "0fdf10e5fc964c315cf131a2eaab9cc531a9f40f",
"versionType": "git"
},
{
"lessThan": "a3c4c053014585dcf20f4df954791b74d8a8afcd",
"status": "affected",
"version": "0fdf10e5fc964c315cf131a2eaab9cc531a9f40f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/think-lmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: think-lmi: Fix memory leak when showing current settings\n\nWhen retriving a item string with tlmi_setting(), the result has to be\nfreed using kfree(). In current_value_show() however, malformed\nitem strings are not freed, causing a memory leak.\nFix this by eliminating the early return responsible for this."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:44.966Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b9396d991abe8d1ac31a043274ab20b49f92c2e6"
},
{
"url": "https://git.kernel.org/stable/c/9071525bfcb1f5674117dbed3eca0cd7b122813b"
},
{
"url": "https://git.kernel.org/stable/c/5f99014c19fa50a5719c0bb78143282632675893"
},
{
"url": "https://git.kernel.org/stable/c/a3c4c053014585dcf20f4df954791b74d8a8afcd"
}
],
"title": "platform/x86: think-lmi: Fix memory leak when showing current settings",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53830",
"datePublished": "2025-12-09T01:29:44.966Z",
"dateReserved": "2025-12-09T01:27:17.825Z",
"dateUpdated": "2025-12-09T01:29:44.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40342 (GCVE-0-2025-40342)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-20 08:52
Title
nvme-fc: use lock accessing port_state and rport state
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-fc: use lock accessing port_state and rport state
nvme_fc_unregister_remote removes the remote port on a lport object at
any point in time when there is no active association. This races
with the reconnect logic, because nvme_fc_create_association is not
taking a lock to check the port_state and atomically increase the
active count on the rport.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e399441de9115cd472b8ace6c517708273ca7997 , < de3d91af47bc015031e7721b100a29989f6498a5 (git) |
| Linux | Linux | Affected: e399441de9115cd472b8ace6c517708273ca7997 , < e8cde03de8674b05f2c5e0870729049eba517800 (git) |
| Linux | Linux | Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 4253e0a4546138a2bf9cb6acf66b32fee677fc7c (git) |
| Linux | Linux | Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 25f4bf1f7979a7871974fd36c79d69ff1cf4b446 (git) |
| Linux | Linux | Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 9950af4303942081dc8c7a5fdc3688c17c7eb6c0 (git) |
| Linux | Linux | Affected: e399441de9115cd472b8ace6c517708273ca7997 , < a2f7fa75c4a2a07328fa22ccbef461db76790b55 (git) |
| Linux | Linux | Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 891cdbb162ccdb079cd5228ae43bdeebce8597ad (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de3d91af47bc015031e7721b100a29989f6498a5",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "e8cde03de8674b05f2c5e0870729049eba517800",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "4253e0a4546138a2bf9cb6acf66b32fee677fc7c",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "25f4bf1f7979a7871974fd36c79d69ff1cf4b446",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "9950af4303942081dc8c7a5fdc3688c17c7eb6c0",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "a2f7fa75c4a2a07328fa22ccbef461db76790b55",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "891cdbb162ccdb079cd5228ae43bdeebce8597ad",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: use lock accessing port_state and rport state\n\nnvme_fc_unregister_remote removes the remote port on a lport object at\nany point in time when there is no active association. This races with\nwith the reconnect logic, because nvme_fc_create_association is not\ntaking a lock to check the port_state and atomically increase the\nactive count on the rport."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:12.515Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de3d91af47bc015031e7721b100a29989f6498a5"
},
{
"url": "https://git.kernel.org/stable/c/e8cde03de8674b05f2c5e0870729049eba517800"
},
{
"url": "https://git.kernel.org/stable/c/4253e0a4546138a2bf9cb6acf66b32fee677fc7c"
},
{
"url": "https://git.kernel.org/stable/c/25f4bf1f7979a7871974fd36c79d69ff1cf4b446"
},
{
"url": "https://git.kernel.org/stable/c/9950af4303942081dc8c7a5fdc3688c17c7eb6c0"
},
{
"url": "https://git.kernel.org/stable/c/a2f7fa75c4a2a07328fa22ccbef461db76790b55"
},
{
"url": "https://git.kernel.org/stable/c/891cdbb162ccdb079cd5228ae43bdeebce8597ad"
}
],
"title": "nvme-fc: use lock accessing port_state and rport state",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40342",
"datePublished": "2025-12-09T04:09:59.673Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-20T08:52:12.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53813 (GCVE-0-2023-53813)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
Title
ext4: fix rbtree traversal bug in ext4_mb_use_preallocated
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix rbtree traversal bug in ext4_mb_use_preallocated
During allocations, while looking for preallocations (PA) in the per
inode rbtree, we can't do a direct traversal of the tree because
ext4_mb_discard_group_preallocation() can parallelly mark the pa deleted
and that can cause direct traversal to skip some entries. This was
leading to a BUG_ON() being hit [1] when we missed a PA that could satisfy
our request and ultimately tried to create a new PA that would overlap
with the missed one.
To make sure we handle that case while still keeping the performance of
the rbtree, we make use of the fact that the only pa that could possibly
overlap the original goal start is the one that satisfies the below
conditions:
1. It must have its logical start immediately to the left of
(ie less than) original logical start.
2. It must not be deleted
To find this pa we use the following traversal method:
1. Descend into the rbtree normally to find the immediate neighboring
PA. Here we keep descending irrespective of if the PA is deleted or if
it overlaps with our request etc. The goal is to find an immediately
adjacent PA.
2. If the found PA is on right of original goal, use rb_prev() to find
the left adjacent PA.
3. Check if this PA is deleted and keep moving left with rb_prev() until
a non deleted PA is found.
4. This is the PA we are looking for. Now we can check if it can satisfy
the original request and proceed accordingly.
This approach also takes care of having deleted PAs in the tree.
(While we are at it, also fix a possible overflow bug in calculating the
end of a PA)
[1] https://lore.kernel.org/linux-ext4/CA+G9fYv2FRpLqBZf34ZinR8bU2_ZRAUOjKAD3+tKRFaEQHtt8Q@mail.gmail.com/
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "339fee69a1daa71d6f97e47a867e2c32419a2406",
"status": "affected",
"version": "3872778664e36528caf8b27f355e75482f6d562d",
"versionType": "git"
},
{
"lessThan": "9d3de7ee192a6a253f475197fe4d2e2af10a731f",
"status": "affected",
"version": "3872778664e36528caf8b27f355e75482f6d562d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix rbtree traversal bug in ext4_mb_use_preallocated\n\nDuring allocations, while looking for preallocations(PA) in the per\ninode rbtree, we can\u0027t do a direct traversal of the tree because\next4_mb_discard_group_preallocation() can paralelly mark the pa deleted\nand that can cause direct traversal to skip some entries. This was\nleading to a BUG_ON() being hit [1] when we missed a PA that could satisfy\nour request and ultimately tried to create a new PA that would overlap\nwith the missed one.\n\nTo makes sure we handle that case while still keeping the performance of\nthe rbtree, we make use of the fact that the only pa that could possibly\noverlap the original goal start is the one that satisfies the below\nconditions:\n\n 1. It must have it\u0027s logical start immediately to the left of\n (ie less than) original logical start.\n\n 2. It must not be deleted\n\nTo find this pa we use the following traversal method:\n\n1. Descend into the rbtree normally to find the immediate neighboring\nPA. Here we keep descending irrespective of if the PA is deleted or if\nit overlaps with our request etc. The goal is to find an immediately\nadjacent PA.\n\n2. If the found PA is on right of original goal, use rb_prev() to find\nthe left adjacent PA.\n\n3. Check if this PA is deleted and keep moving left with rb_prev() until\na non deleted PA is found.\n\n4. This is the PA we are looking for. Now we can check if it can satisfy\nthe original request and proceed accordingly.\n\nThis approach also takes care of having deleted PAs in the tree.\n\n(While we are at it, also fix a possible overflow bug in calculating the\nend of a PA)\n\n[1] https://lore.kernel.org/linux-ext4/CA+G9fYv2FRpLqBZf34ZinR8bU2_ZRAUOjKAD3+tKRFaEQHtt8Q@mail.gmail.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:10.886Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/339fee69a1daa71d6f97e47a867e2c32419a2406"
},
{
"url": "https://git.kernel.org/stable/c/9d3de7ee192a6a253f475197fe4d2e2af10a731f"
}
],
"title": "ext4: fix rbtree traversal bug in ext4_mb_use_preallocated",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53813",
"datePublished": "2025-12-09T00:01:10.886Z",
"dateReserved": "2025-12-08T23:58:35.277Z",
"dateUpdated": "2025-12-09T00:01:10.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53837 (GCVE-0-2023-53837)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
drm/msm: fix NULL-deref on snapshot tear down
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: fix NULL-deref on snapshot tear down
In case of early initialisation errors and on platforms that do not use
the DPU controller, the deinitialisation code can be called with the kms
pointer set to NULL.
Patchwork: https://patchwork.freedesktop.org/patch/525099/
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 98659487b845c05b6bed85d881713545db674c7c , < 8f0e1ad5327a3499e7f09157cb714302a856e8a4 (git) |
| Linux | Linux | Affected: 98659487b845c05b6bed85d881713545db674c7c , < 16e0e6fb4511c004a5a0987d5bd75d9bcfb2b175 (git) |
| Linux | Linux | Affected: 98659487b845c05b6bed85d881713545db674c7c , < 8eca32b5b92a0be956a8934d7eddf4f70c107927 (git) |
| Linux | Linux | Affected: 98659487b845c05b6bed85d881713545db674c7c , < 19fe79ae816a7e3400df1eb4d27530bf9b8ae258 (git) |
| Linux | Linux | Affected: 98659487b845c05b6bed85d881713545db674c7c , < a465353b9250802f87b97123e33a17f51277f0b1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8f0e1ad5327a3499e7f09157cb714302a856e8a4",
"status": "affected",
"version": "98659487b845c05b6bed85d881713545db674c7c",
"versionType": "git"
},
{
"lessThan": "16e0e6fb4511c004a5a0987d5bd75d9bcfb2b175",
"status": "affected",
"version": "98659487b845c05b6bed85d881713545db674c7c",
"versionType": "git"
},
{
"lessThan": "8eca32b5b92a0be956a8934d7eddf4f70c107927",
"status": "affected",
"version": "98659487b845c05b6bed85d881713545db674c7c",
"versionType": "git"
},
{
"lessThan": "19fe79ae816a7e3400df1eb4d27530bf9b8ae258",
"status": "affected",
"version": "98659487b845c05b6bed85d881713545db674c7c",
"versionType": "git"
},
{
"lessThan": "a465353b9250802f87b97123e33a17f51277f0b1",
"status": "affected",
"version": "98659487b845c05b6bed85d881713545db674c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.112",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.29",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.16",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: fix NULL-deref on snapshot tear down\n\nIn case of early initialisation errors and on platforms that do not use\nthe DPU controller, the deinitilisation code can be called with the kms\npointer set to NULL.\n\nPatchwork: https://patchwork.freedesktop.org/patch/525099/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:53.194Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8f0e1ad5327a3499e7f09157cb714302a856e8a4"
},
{
"url": "https://git.kernel.org/stable/c/16e0e6fb4511c004a5a0987d5bd75d9bcfb2b175"
},
{
"url": "https://git.kernel.org/stable/c/8eca32b5b92a0be956a8934d7eddf4f70c107927"
},
{
"url": "https://git.kernel.org/stable/c/19fe79ae816a7e3400df1eb4d27530bf9b8ae258"
},
{
"url": "https://git.kernel.org/stable/c/a465353b9250802f87b97123e33a17f51277f0b1"
}
],
"title": "drm/msm: fix NULL-deref on snapshot tear down",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53837",
"datePublished": "2025-12-09T01:29:53.194Z",
"dateReserved": "2025-12-09T01:27:17.826Z",
"dateUpdated": "2025-12-09T01:29:53.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40329 (GCVE-0-2025-40329)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-09 04:09
Title
drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb
The Mesa issue referenced below pointed out a possible deadlock:
[ 1231.611031] Possible interrupt unsafe locking scenario:
[ 1231.611033] CPU0 CPU1
[ 1231.611034] ---- ----
[ 1231.611035] lock(&xa->xa_lock#17);
[ 1231.611038] local_irq_disable();
[ 1231.611039] lock(&fence->lock);
[ 1231.611041] lock(&xa->xa_lock#17);
[ 1231.611044] <Interrupt>
[ 1231.611045] lock(&fence->lock);
[ 1231.611047]
*** DEADLOCK ***
In this example, CPU0 would be any function accessing job->dependencies
through the xa_* functions that don't disable interrupts (eg:
drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).
CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling
callback so in an interrupt context. It will deadlock when trying to
grab the xa_lock which is already held by CPU0.
Replacing all xa_* usage by their xa_*_irq counterparts would fix
this issue, but Christian pointed out another issue: dma_fence_signal
takes fence.lock and so does dma_fence_add_callback.
dma_fence_signal() // locks f1.lock
-> drm_sched_entity_kill_jobs_cb()
-> foreach dependencies
-> dma_fence_add_callback() // locks f2.lock
This will deadlock if f1 and f2 share the same spinlock.
To fix both issues, the code iterating on dependencies and re-arming them
is moved out to drm_sched_entity_kill_jobs_work().
[phasta: commit message nits]
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2fdb8a8f07c2f1353770a324fd19b8114e4329ac , < 70150b9443dddf02157d821c68abf438f55a2e8e (git) |
| Linux | Linux | Affected: 2fdb8a8f07c2f1353770a324fd19b8114e4329ac , < 0d63031ee4a57be0252cb9a4e09ae921c75cece9 (git) |
| Linux | Linux | Affected: 2fdb8a8f07c2f1353770a324fd19b8114e4329ac , < 3e8ada4fd838e3fd2cca94000dac054f3a347c01 (git) |
| Linux | Linux | Affected: 2fdb8a8f07c2f1353770a324fd19b8114e4329ac , < 487df8b698345dd5a91346335f05170ed5f29d4e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/scheduler/sched_entity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70150b9443dddf02157d821c68abf438f55a2e8e",
"status": "affected",
"version": "2fdb8a8f07c2f1353770a324fd19b8114e4329ac",
"versionType": "git"
},
{
"lessThan": "0d63031ee4a57be0252cb9a4e09ae921c75cece9",
"status": "affected",
"version": "2fdb8a8f07c2f1353770a324fd19b8114e4329ac",
"versionType": "git"
},
{
"lessThan": "3e8ada4fd838e3fd2cca94000dac054f3a347c01",
"status": "affected",
"version": "2fdb8a8f07c2f1353770a324fd19b8114e4329ac",
"versionType": "git"
},
{
"lessThan": "487df8b698345dd5a91346335f05170ed5f29d4e",
"status": "affected",
"version": "2fdb8a8f07c2f1353770a324fd19b8114e4329ac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/scheduler/sched_entity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb\n\nThe Mesa issue referenced below pointed out a possible deadlock:\n\n[ 1231.611031] Possible interrupt unsafe locking scenario:\n\n[ 1231.611033] CPU0 CPU1\n[ 1231.611034] ---- ----\n[ 1231.611035] lock(\u0026xa-\u003exa_lock#17);\n[ 1231.611038] local_irq_disable();\n[ 1231.611039] lock(\u0026fence-\u003elock);\n[ 1231.611041] lock(\u0026xa-\u003exa_lock#17);\n[ 1231.611044] \u003cInterrupt\u003e\n[ 1231.611045] lock(\u0026fence-\u003elock);\n[ 1231.611047]\n *** DEADLOCK ***\n\nIn this example, CPU0 would be any function accessing job-\u003edependencies\nthrough the xa_* functions that don\u0027t disable interrupts (eg:\ndrm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).\n\nCPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling\ncallback so in an interrupt context. It will deadlock when trying to\ngrab the xa_lock which is already held by CPU0.\n\nReplacing all xa_* usage by their xa_*_irq counterparts would fix\nthis issue, but Christian pointed out another issue: dma_fence_signal\ntakes fence.lock and so does dma_fence_add_callback.\n\n dma_fence_signal() // locks f1.lock\n -\u003e drm_sched_entity_kill_jobs_cb()\n -\u003e foreach dependencies\n -\u003e dma_fence_add_callback() // locks f2.lock\n\nThis will deadlock if f1 and f2 share the same spinlock.\n\nTo fix both issues, the code iterating on dependencies and re-arming them\nis moved out to drm_sched_entity_kill_jobs_work().\n\n[phasta: commit message nits]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T04:09:46.156Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70150b9443dddf02157d821c68abf438f55a2e8e"
},
{
"url": "https://git.kernel.org/stable/c/0d63031ee4a57be0252cb9a4e09ae921c75cece9"
},
{
"url": "https://git.kernel.org/stable/c/3e8ada4fd838e3fd2cca94000dac054f3a347c01"
},
{
"url": "https://git.kernel.org/stable/c/487df8b698345dd5a91346335f05170ed5f29d4e"
}
],
"title": "drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40329",
"datePublished": "2025-12-09T04:09:46.156Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-09T04:09:46.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53779 (GCVE-0-2023-53779)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2026-01-05 10:07
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2026-01-05T10:07:07.675Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53779",
"datePublished": "2025-12-09T00:00:35.001Z",
"dateRejected": "2026-01-05T10:07:07.675Z",
"dateReserved": "2025-12-08T23:58:35.272Z",
"dateUpdated": "2026-01-05T10:07:07.675Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40343 (GCVE-0-2025-40343)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:10 – Updated: 2025-12-20 08:52
Title
nvmet-fc: avoid scheduling association deletion twice
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet-fc: avoid scheduling association deletion twice
When forcefully shutting down a port via the configfs interface,
nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and
then nvmet_disable_port(). Both functions will eventually schedule all
remaining associations for deletion.
The current implementation checks whether an association is about to be
removed, but only after the work item has already been scheduled. As a
result, it is possible for the first scheduled work item to free all
resources, and then for the same work item to be scheduled again for
deletion.
Because the association list is an RCU list, it is not possible to take
a lock and remove the list entry directly, so it cannot be looked up
again. Instead, a flag (terminating) must be used to determine whether
the association is already in the process of being deleted.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f4852db87e25d4e226b25cb6f652fef9504360e",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "85e2ce1920cb511d57aae59f0df6ff85b28bf04d",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "601ed47b2363c24d948d7bac0c23abc8bd459570",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "04d17540ef51e2c291eb863ca87fd332259b2d40",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "c09ac9a63fc3aaf4670ad7b5e4f5afd764424154",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "f2537be4f8421f6495edfa0bc284d722f253841d",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fc: avoid scheduling association deletion twice\n\nWhen forcefully shutting down a port via the configfs interface,\nnvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and\nthen nvmet_disable_port(). Both functions will eventually schedule all\nremaining associations for deletion.\n\nThe current implementation checks whether an association is about to be\nremoved, but only after the work item has already been scheduled. As a\nresult, it is possible for the first scheduled work item to free all\nresources, and then for the same work item to be scheduled again for\ndeletion.\n\nBecause the association list is an RCU list, it is not possible to take\na lock and remove the list entry directly, so it cannot be looked up\nagain. Instead, a flag (terminating) must be used to determine whether\nthe association is already in the process of being deleted."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:13.716Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f4852db87e25d4e226b25cb6f652fef9504360e"
},
{
"url": "https://git.kernel.org/stable/c/85e2ce1920cb511d57aae59f0df6ff85b28bf04d"
},
{
"url": "https://git.kernel.org/stable/c/601ed47b2363c24d948d7bac0c23abc8bd459570"
},
{
"url": "https://git.kernel.org/stable/c/04d17540ef51e2c291eb863ca87fd332259b2d40"
},
{
"url": "https://git.kernel.org/stable/c/c09ac9a63fc3aaf4670ad7b5e4f5afd764424154"
},
{
"url": "https://git.kernel.org/stable/c/f2537be4f8421f6495edfa0bc284d722f253841d"
}
],
"title": "nvmet-fc: avoid scheduling association deletion twice",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40343",
"datePublished": "2025-12-09T04:10:00.973Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-20T08:52:13.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53781 (GCVE-0-2023-53781)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
smc: Fix use-after-free in tcp_write_timer_handler().
Summary
In the Linux kernel, the following vulnerability has been resolved:
smc: Fix use-after-free in tcp_write_timer_handler().
With Eric's ref tracker, syzbot finally found a repro for
use-after-free in tcp_write_timer_handler() by kernel TCP
sockets. [0]
If SMC creates a kernel socket in __smc_create(), the kernel
socket is supposed to be freed in smc_clcsock_release() by
calling sock_release() when we close() the parent SMC socket.
However, at the end of smc_clcsock_release(), the kernel
socket's sk_state might not be TCP_CLOSE. This means that
we have not called inet_csk_destroy_sock() in __tcp_close()
and have not stopped the TCP timers.
The kernel socket's TCP timers can be fired later, so we
need to hold a refcnt for net as we do for MPTCP subflows
in mptcp_subflow_create_socket().
[0]:
leaked reference.
sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108)
inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244)
__sock_create (net/socket.c:1546)
smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284)
__sock_create (net/socket.c:1546)
__sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661)
__x64_sys_socket (net/socket.c:1672)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
==================================================================
BUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)
Read of size 1 at addr ffff888052b65e0d by task syzrepro/18091
CPU: 0 PID: 18091 Comm: syzrepro Tainted: G W 6.3.0-rc4-01174-gb5d54eb5899a #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl (lib/dump_stack.c:107)
print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
kasan_report (mm/kasan/report.c:538)
tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)
tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643)
call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)
__run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022)
run_timer_softirq (kernel/time/timer.c:2037)
__do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)
__irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650)
irq_exit_rcu (kernel/softirq.c:664)
sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14))
</IRQ>
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1cc41c8acfc1ee30b4868559058db97fa44b0137",
"status": "affected",
"version": "ac7138746e14137a451f8539614cdd349153e0c0",
"versionType": "git"
},
{
"lessThan": "9744d2bf19762703704ecba885b7ac282c02eacf",
"status": "affected",
"version": "ac7138746e14137a451f8539614cdd349153e0c0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.12",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Fix use-after-free in tcp_write_timer_handler().\n\nWith Eric\u0027s ref tracker, syzbot finally found a repro for\nuse-after-free in tcp_write_timer_handler() by kernel TCP\nsockets. [0]\n\nIf SMC creates a kernel socket in __smc_create(), the kernel\nsocket is supposed to be freed in smc_clcsock_release() by\ncalling sock_release() when we close() the parent SMC socket.\n\nHowever, at the end of smc_clcsock_release(), the kernel\nsocket\u0027s sk_state might not be TCP_CLOSE. This means that\nwe have not called inet_csk_destroy_sock() in __tcp_close()\nand have not stopped the TCP timers.\n\nThe kernel socket\u0027s TCP timers can be fired later, so we\nneed to hold a refcnt for net as we do for MPTCP subflows\nin mptcp_subflow_create_socket().\n\n[0]:\nleaked reference.\n sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108)\n inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244)\n __sock_create (net/socket.c:1546)\n smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284)\n __sock_create (net/socket.c:1546)\n __sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661)\n __x64_sys_socket (net/socket.c:1672)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\n==================================================================\nBUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)\nRead of size 1 at addr ffff888052b65e0d by task syzrepro/18091\n\nCPU: 0 PID: 18091 Comm: syzrepro Tainted: G W 6.3.0-rc4-01174-gb5d54eb5899a #7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl (lib/dump_stack.c:107)\n print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)\n kasan_report (mm/kasan/report.c:538)\n tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)\n tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643)\n call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)\n __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022)\n run_timer_softirq (kernel/time/timer.c:2037)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)\n __irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650)\n irq_exit_rcu (kernel/softirq.c:664)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14))\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:36.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1cc41c8acfc1ee30b4868559058db97fa44b0137"
},
{
"url": "https://git.kernel.org/stable/c/9744d2bf19762703704ecba885b7ac282c02eacf"
}
],
"title": "smc: Fix use-after-free in tcp_write_timer_handler().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53781",
"datePublished": "2025-12-09T00:00:36.831Z",
"dateReserved": "2025-12-08T23:58:35.272Z",
"dateUpdated": "2025-12-09T00:00:36.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50659 (GCVE-0-2022-50659)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
hwrng: geode - Fix PCI device refcount leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwrng: geode - Fix PCI device refcount leak
for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.
If we break for_each_pci_dev() loop with pdev not NULL, we need to call
pci_dev_put() to decrease the reference count. We add a new struct
'amd_geode_priv' to record pointer of the pci_dev and membase, and then
add missing pci_dev_put() for the normal and error path.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/geode-rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88f4ea623f59155280d99d1a59a968f838472c4a",
"status": "affected",
"version": "ef5d862734b84239e0140319a95fb0bbff5ef394",
"versionType": "git"
},
{
"lessThan": "e2f44baf62567c5cfbc274974c7d96dddad53ccc",
"status": "affected",
"version": "ef5d862734b84239e0140319a95fb0bbff5ef394",
"versionType": "git"
},
{
"lessThan": "6b9e43c4098f1310f5b4d52121d007a219fa5d43",
"status": "affected",
"version": "ef5d862734b84239e0140319a95fb0bbff5ef394",
"versionType": "git"
},
{
"lessThan": "5cc818ad53df650cac8fb41d9066665366af3f03",
"status": "affected",
"version": "ef5d862734b84239e0140319a95fb0bbff5ef394",
"versionType": "git"
},
{
"lessThan": "aa96aff394a511cc7bb7df08d1b8504d4d97671e",
"status": "affected",
"version": "ef5d862734b84239e0140319a95fb0bbff5ef394",
"versionType": "git"
},
{
"lessThan": "82bd423ed977847652b2048b0f8dcf049b1847a9",
"status": "affected",
"version": "ef5d862734b84239e0140319a95fb0bbff5ef394",
"versionType": "git"
},
{
"lessThan": "874f798c2db5ad595e46982d7f727a679dacb048",
"status": "affected",
"version": "ef5d862734b84239e0140319a95fb0bbff5ef394",
"versionType": "git"
},
{
"lessThan": "19b7b85773b18457ff85a9ff4f5e2a2d4bf7ed0c",
"status": "affected",
"version": "ef5d862734b84239e0140319a95fb0bbff5ef394",
"versionType": "git"
},
{
"lessThan": "9f6ec8dc574efb7f4f3d7ee9cd59ae307e78f445",
"status": "affected",
"version": "ef5d862734b84239e0140319a95fb0bbff5ef394",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/geode-rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.18"
},
{
"lessThan": "2.6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: geode - Fix PCI device refcount leak\n\nfor_each_pci_dev() is implemented by pci_get_device(). The comment of\npci_get_device() says that it will increase the reference count for the\nreturned pci_dev and also decrease the reference count for the input\npci_dev @from if it is not NULL.\n\nIf we break for_each_pci_dev() loop with pdev not NULL, we need to call\npci_dev_put() to decrease the reference count. We add a new struct\n\u0027amd_geode_priv\u0027 to record pointer of the pci_dev and membase, and then\nadd missing pci_dev_put() for the normal and error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:07.236Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88f4ea623f59155280d99d1a59a968f838472c4a"
},
{
"url": "https://git.kernel.org/stable/c/e2f44baf62567c5cfbc274974c7d96dddad53ccc"
},
{
"url": "https://git.kernel.org/stable/c/6b9e43c4098f1310f5b4d52121d007a219fa5d43"
},
{
"url": "https://git.kernel.org/stable/c/5cc818ad53df650cac8fb41d9066665366af3f03"
},
{
"url": "https://git.kernel.org/stable/c/aa96aff394a511cc7bb7df08d1b8504d4d97671e"
},
{
"url": "https://git.kernel.org/stable/c/82bd423ed977847652b2048b0f8dcf049b1847a9"
},
{
"url": "https://git.kernel.org/stable/c/874f798c2db5ad595e46982d7f727a679dacb048"
},
{
"url": "https://git.kernel.org/stable/c/19b7b85773b18457ff85a9ff4f5e2a2d4bf7ed0c"
},
{
"url": "https://git.kernel.org/stable/c/9f6ec8dc574efb7f4f3d7ee9cd59ae307e78f445"
}
],
"title": "hwrng: geode - Fix PCI device refcount leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50659",
"datePublished": "2025-12-09T01:29:07.236Z",
"dateReserved": "2025-12-09T01:26:45.989Z",
"dateUpdated": "2025-12-09T01:29:07.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50671 (GCVE-0-2022-50671)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
RDMA/rxe: Fix "kernel NULL pointer dereference" error
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix "kernel NULL pointer dereference" error
When rxe_queue_init in the function rxe_qp_init_req fails,
both qp->req.task.func and qp->req.task.arg are not initialized.
Because of creation of qp fails, the function rxe_create_qp will
call rxe_qp_do_cleanup to handle allocated resource.
Before calling __rxe_do_task, both qp->req.task.func and
qp->req.task.arg should be checked.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "48cd7098e71735ccafa0b3cf27c53924f9cb5b2f",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "eca119693010032d6cc6e7e9b4fb2c363c7e12ce",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "9c5dd6993c794703e74c6ba17ac78ca0211ef940",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "0d773c58d702f0a7c16ee8d69617fd2c28350795",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "cdce36a88def550773142a34ef727a830cad96a8",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "f2f405af70e6f0419e718d23fa304798a5405c41",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "bb33fa65da77f5f02dbee6f25cebaeedfcd70028",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "3b8752f086eb6865cc3662ad13249b03024501e5",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "a625ca30eff806395175ebad3ac1399014bdb280",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix \"kernel NULL pointer dereference\" error\n\nWhen rxe_queue_init in the function rxe_qp_init_req fails,\nboth qp-\u003ereq.task.func and qp-\u003ereq.task.arg are not initialized.\n\nBecause of creation of qp fails, the function rxe_create_qp will\ncall rxe_qp_do_cleanup to handle allocated resource.\n\nBefore calling __rxe_do_task, both qp-\u003ereq.task.func and\nqp-\u003ereq.task.arg should be checked."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:22.950Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/48cd7098e71735ccafa0b3cf27c53924f9cb5b2f"
},
{
"url": "https://git.kernel.org/stable/c/eca119693010032d6cc6e7e9b4fb2c363c7e12ce"
},
{
"url": "https://git.kernel.org/stable/c/9c5dd6993c794703e74c6ba17ac78ca0211ef940"
},
{
"url": "https://git.kernel.org/stable/c/0d773c58d702f0a7c16ee8d69617fd2c28350795"
},
{
"url": "https://git.kernel.org/stable/c/cdce36a88def550773142a34ef727a830cad96a8"
},
{
"url": "https://git.kernel.org/stable/c/f2f405af70e6f0419e718d23fa304798a5405c41"
},
{
"url": "https://git.kernel.org/stable/c/bb33fa65da77f5f02dbee6f25cebaeedfcd70028"
},
{
"url": "https://git.kernel.org/stable/c/3b8752f086eb6865cc3662ad13249b03024501e5"
},
{
"url": "https://git.kernel.org/stable/c/a625ca30eff806395175ebad3ac1399014bdb280"
}
],
"title": "RDMA/rxe: Fix \"kernel NULL pointer dereference\" error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50671",
"datePublished": "2025-12-09T01:29:22.950Z",
"dateReserved": "2025-12-09T01:26:45.991Z",
"dateUpdated": "2025-12-09T01:29:22.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50676 (GCVE-0-2022-50676)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()
syzbot is reporting lockdep warning at rds_tcp_reset_callbacks() [1], for
commit ac3615e7f3cffe2a ("RDS: TCP: Reduce code duplication in
rds_tcp_reset_callbacks()") added cancel_delayed_work_sync() into a section
protected by lock_sock() without realizing that rds_send_xmit() might call
lock_sock().
We don't need to protect cancel_delayed_work_sync() using lock_sock(), for
even if rds_{send,recv}_worker() re-queued this work while __flush_work()
from cancel_delayed_work_sync() was waiting for this work to complete,
retried rds_{send,recv}_worker() is no-op due to the absence of RDS_CONN_UP
bit.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ac3615e7f3cffe2a1a6b25172dfd09e138593d82 , < 5d2ba255e93211e541373469dffbda7c99dfa0e5 (git)<br>Affected: ac3615e7f3cffe2a1a6b25172dfd09e138593d82 , < 2425007c0967a7c04b0dee7cce05ecf0ca869ad1 (git)<br>Affected: ac3615e7f3cffe2a1a6b25172dfd09e138593d82 , < e3cb25d3ad08f5dbd53ce2b31720cad529944322 (git)<br>Affected: ac3615e7f3cffe2a1a6b25172dfd09e138593d82 , < 360aa7219285fac63dab99706a16f2daf3222abe (git)<br>Affected: ac3615e7f3cffe2a1a6b25172dfd09e138593d82 , < da349221c4d2d4ac5f606c1c3b36d4ef0b3e6a0c (git)<br>Affected: ac3615e7f3cffe2a1a6b25172dfd09e138593d82 , < 30bfa5aa7228eb1e67663d67e553627e572cc717 (git)<br>Affected: ac3615e7f3cffe2a1a6b25172dfd09e138593d82 , < c380c28ab9b15fc53565909c814f6dd3e7f77c4b (git)<br>Affected: ac3615e7f3cffe2a1a6b25172dfd09e138593d82 , < afe7053c390fe8ff27d0c2ceaece5625283044ba (git)<br>Affected: ac3615e7f3cffe2a1a6b25172dfd09e138593d82 , < a91b750fd6629354460282bbf5146c01b05c4859 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rds/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d2ba255e93211e541373469dffbda7c99dfa0e5",
"status": "affected",
"version": "ac3615e7f3cffe2a1a6b25172dfd09e138593d82",
"versionType": "git"
},
{
"lessThan": "2425007c0967a7c04b0dee7cce05ecf0ca869ad1",
"status": "affected",
"version": "ac3615e7f3cffe2a1a6b25172dfd09e138593d82",
"versionType": "git"
},
{
"lessThan": "e3cb25d3ad08f5dbd53ce2b31720cad529944322",
"status": "affected",
"version": "ac3615e7f3cffe2a1a6b25172dfd09e138593d82",
"versionType": "git"
},
{
"lessThan": "360aa7219285fac63dab99706a16f2daf3222abe",
"status": "affected",
"version": "ac3615e7f3cffe2a1a6b25172dfd09e138593d82",
"versionType": "git"
},
{
"lessThan": "da349221c4d2d4ac5f606c1c3b36d4ef0b3e6a0c",
"status": "affected",
"version": "ac3615e7f3cffe2a1a6b25172dfd09e138593d82",
"versionType": "git"
},
{
"lessThan": "30bfa5aa7228eb1e67663d67e553627e572cc717",
"status": "affected",
"version": "ac3615e7f3cffe2a1a6b25172dfd09e138593d82",
"versionType": "git"
},
{
"lessThan": "c380c28ab9b15fc53565909c814f6dd3e7f77c4b",
"status": "affected",
"version": "ac3615e7f3cffe2a1a6b25172dfd09e138593d82",
"versionType": "git"
},
{
"lessThan": "afe7053c390fe8ff27d0c2ceaece5625283044ba",
"status": "affected",
"version": "ac3615e7f3cffe2a1a6b25172dfd09e138593d82",
"versionType": "git"
},
{
"lessThan": "a91b750fd6629354460282bbf5146c01b05c4859",
"status": "affected",
"version": "ac3615e7f3cffe2a1a6b25172dfd09e138593d82",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rds/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rds: don\u0027t hold sock lock when cancelling work from rds_tcp_reset_callbacks()\n\nsyzbot is reporting lockdep warning at rds_tcp_reset_callbacks() [1], for\ncommit ac3615e7f3cffe2a (\"RDS: TCP: Reduce code duplication in\nrds_tcp_reset_callbacks()\") added cancel_delayed_work_sync() into a section\nprotected by lock_sock() without realizing that rds_send_xmit() might call\nlock_sock().\n\nWe don\u0027t need to protect cancel_delayed_work_sync() using lock_sock(), for\neven if rds_{send,recv}_worker() re-queued this work while __flush_work()\n from cancel_delayed_work_sync() was waiting for this work to complete,\nretried rds_{send,recv}_worker() is no-op due to the absence of RDS_CONN_UP\nbit."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:29.166Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d2ba255e93211e541373469dffbda7c99dfa0e5"
},
{
"url": "https://git.kernel.org/stable/c/2425007c0967a7c04b0dee7cce05ecf0ca869ad1"
},
{
"url": "https://git.kernel.org/stable/c/e3cb25d3ad08f5dbd53ce2b31720cad529944322"
},
{
"url": "https://git.kernel.org/stable/c/360aa7219285fac63dab99706a16f2daf3222abe"
},
{
"url": "https://git.kernel.org/stable/c/da349221c4d2d4ac5f606c1c3b36d4ef0b3e6a0c"
},
{
"url": "https://git.kernel.org/stable/c/30bfa5aa7228eb1e67663d67e553627e572cc717"
},
{
"url": "https://git.kernel.org/stable/c/c380c28ab9b15fc53565909c814f6dd3e7f77c4b"
},
{
"url": "https://git.kernel.org/stable/c/afe7053c390fe8ff27d0c2ceaece5625283044ba"
},
{
"url": "https://git.kernel.org/stable/c/a91b750fd6629354460282bbf5146c01b05c4859"
}
],
"title": "net: rds: don\u0027t hold sock lock when cancelling work from rds_tcp_reset_callbacks()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50676",
"datePublished": "2025-12-09T01:29:29.166Z",
"dateReserved": "2025-12-09T01:26:45.991Z",
"dateUpdated": "2025-12-09T01:29:29.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53799 (GCVE-0-2023-53799)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
crypto: api - Use work queue in crypto_destroy_instance
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: api - Use work queue in crypto_destroy_instance
The function crypto_drop_spawn expects to be called in process
context. However, when an instance is unregistered while it still
has active users, the last user may cause the instance to be freed
in atomic context.
Fix this by delaying the freeing to a work queue.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6bfd48096ff8ecabf955958b51ddfa7988eb0a14 , < 625bf86bf53eb7a8ee60fb9dc45b272b77e5ce1c (git)<br>Affected: 6bfd48096ff8ecabf955958b51ddfa7988eb0a14 , < 048545d9fc6424b0a11e7e8771225bb9afe09422 (git)<br>Affected: 6bfd48096ff8ecabf955958b51ddfa7988eb0a14 , < c4cb61c5f976183c07d16b0071f0c60bc212ef1f (git)<br>Affected: 6bfd48096ff8ecabf955958b51ddfa7988eb0a14 , < 867a146690960ac7b89ce40f4ee60dd32eeb1682 (git)<br>Affected: 6bfd48096ff8ecabf955958b51ddfa7988eb0a14 , < c0dbcebc7f390ec7dbe010dcc22c60f0c6bfc26d (git)<br>Affected: 6bfd48096ff8ecabf955958b51ddfa7988eb0a14 , < 9ae4577bc077a7e32c3c7d442c95bc76865c0f17 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/algapi.c",
"include/crypto/algapi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "625bf86bf53eb7a8ee60fb9dc45b272b77e5ce1c",
"status": "affected",
"version": "6bfd48096ff8ecabf955958b51ddfa7988eb0a14",
"versionType": "git"
},
{
"lessThan": "048545d9fc6424b0a11e7e8771225bb9afe09422",
"status": "affected",
"version": "6bfd48096ff8ecabf955958b51ddfa7988eb0a14",
"versionType": "git"
},
{
"lessThan": "c4cb61c5f976183c07d16b0071f0c60bc212ef1f",
"status": "affected",
"version": "6bfd48096ff8ecabf955958b51ddfa7988eb0a14",
"versionType": "git"
},
{
"lessThan": "867a146690960ac7b89ce40f4ee60dd32eeb1682",
"status": "affected",
"version": "6bfd48096ff8ecabf955958b51ddfa7988eb0a14",
"versionType": "git"
},
{
"lessThan": "c0dbcebc7f390ec7dbe010dcc22c60f0c6bfc26d",
"status": "affected",
"version": "6bfd48096ff8ecabf955958b51ddfa7988eb0a14",
"versionType": "git"
},
{
"lessThan": "9ae4577bc077a7e32c3c7d442c95bc76865c0f17",
"status": "affected",
"version": "6bfd48096ff8ecabf955958b51ddfa7988eb0a14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/algapi.c",
"include/crypto/algapi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: api - Use work queue in crypto_destroy_instance\n\nThe function crypto_drop_spawn expects to be called in process\ncontext. However, when an instance is unregistered while it still\nhas active users, the last user may cause the instance to be freed\nin atomic context.\n\nFix this by delaying the freeing to a work queue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:55.629Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/625bf86bf53eb7a8ee60fb9dc45b272b77e5ce1c"
},
{
"url": "https://git.kernel.org/stable/c/048545d9fc6424b0a11e7e8771225bb9afe09422"
},
{
"url": "https://git.kernel.org/stable/c/c4cb61c5f976183c07d16b0071f0c60bc212ef1f"
},
{
"url": "https://git.kernel.org/stable/c/867a146690960ac7b89ce40f4ee60dd32eeb1682"
},
{
"url": "https://git.kernel.org/stable/c/c0dbcebc7f390ec7dbe010dcc22c60f0c6bfc26d"
},
{
"url": "https://git.kernel.org/stable/c/9ae4577bc077a7e32c3c7d442c95bc76865c0f17"
}
],
"title": "crypto: api - Use work queue in crypto_destroy_instance",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53799",
"datePublished": "2025-12-09T00:00:55.629Z",
"dateReserved": "2025-12-08T23:58:35.275Z",
"dateUpdated": "2025-12-09T00:00:55.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53848 (GCVE-0-2023-53848)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
md/raid5-cache: fix a deadlock in r5l_exit_log()
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid5-cache: fix a deadlock in r5l_exit_log()
Commit b13015af94cf ("md/raid5-cache: Clear conf->log after finishing
work") introduce a new problem:
// caller hold reconfig_mutex
r5l_exit_log
 flush_work(&log->disable_writeback_work)
                        r5c_disable_writeback_async
                         wait_event
                         /*
                         * conf->log is not NULL, and mddev_trylock()
                         * will fail, wait_event() can never pass.
                         */
 conf->log = NULL
Fix this problem by setting 'config->log' to NULL before wake_up() as it
used to be, so that wait_event() from r5c_disable_writeback_async() can
exist. In the meantime, move forward md_unregister_thread() so that
null-ptr-deref this commit fixed can still be fixed.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b13015af94cf405f73ff64ce0797269554020c37 , < ac9e103f282a7854f3274ef5ff0742fbbe8d7d6b (git)<br>Affected: b13015af94cf405f73ff64ce0797269554020c37 , < 71cf23271f015a57038bdc4669952096f9fe5500 (git)<br>Affected: b13015af94cf405f73ff64ce0797269554020c37 , < c406984738215dc20ac2dc63e49d70f20797730e (git)<br>Affected: b13015af94cf405f73ff64ce0797269554020c37 , < a705b11b358dee677aad80630e7608b2d5f56691 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid5-cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac9e103f282a7854f3274ef5ff0742fbbe8d7d6b",
"status": "affected",
"version": "b13015af94cf405f73ff64ce0797269554020c37",
"versionType": "git"
},
{
"lessThan": "71cf23271f015a57038bdc4669952096f9fe5500",
"status": "affected",
"version": "b13015af94cf405f73ff64ce0797269554020c37",
"versionType": "git"
},
{
"lessThan": "c406984738215dc20ac2dc63e49d70f20797730e",
"status": "affected",
"version": "b13015af94cf405f73ff64ce0797269554020c37",
"versionType": "git"
},
{
"lessThan": "a705b11b358dee677aad80630e7608b2d5f56691",
"status": "affected",
"version": "b13015af94cf405f73ff64ce0797269554020c37",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid5-cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5-cache: fix a deadlock in r5l_exit_log()\n\nCommit b13015af94cf (\"md/raid5-cache: Clear conf-\u003elog after finishing\nwork\") introduce a new problem:\n\n// caller hold reconfig_mutex\nr5l_exit_log\n flush_work(\u0026log-\u003edisable_writeback_work)\n\t\t\tr5c_disable_writeback_async\n\t\t\t wait_event\n\t\t\t /*\n\t\t\t * conf-\u003elog is not NULL, and mddev_trylock()\n\t\t\t * will fail, wait_event() can never pass.\n\t\t\t */\n conf-\u003elog = NULL\n\nFix this problem by setting \u0027config-\u003elog\u0027 to NULL before wake_up() as it\nused to be, so that wait_event() from r5c_disable_writeback_async() can\nexist. In the meantime, move forward md_unregister_thread() so that\nnull-ptr-deref this commit fixed can still be fixed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:11.895Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac9e103f282a7854f3274ef5ff0742fbbe8d7d6b"
},
{
"url": "https://git.kernel.org/stable/c/71cf23271f015a57038bdc4669952096f9fe5500"
},
{
"url": "https://git.kernel.org/stable/c/c406984738215dc20ac2dc63e49d70f20797730e"
},
{
"url": "https://git.kernel.org/stable/c/a705b11b358dee677aad80630e7608b2d5f56691"
}
],
"title": "md/raid5-cache: fix a deadlock in r5l_exit_log()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53848",
"datePublished": "2025-12-09T01:30:11.895Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2025-12-09T01:30:11.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53838 (GCVE-0-2023-53838)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
f2fs: synchronize atomic write aborts
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: synchronize atomic write aborts
To fix a race condition between atomic write aborts, I use the inode
lock and make COW inode to be re-usable throughout the whole
atomic file inode lifetime.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3db1de0e582c358dd013f3703cd55b5fe4076436 , < 102b82708c1523b36d421cb8687746906069bc17 (git)<br>Affected: 3db1de0e582c358dd013f3703cd55b5fe4076436 , < b7724360714642099cec907f54f42e55f5325453 (git)<br>Affected: 3db1de0e582c358dd013f3703cd55b5fe4076436 , < a46bebd502fe1a3bd1d22f64cedd93e7e7702693 (git)<br>Affected: 6db52f1944417c2601182a591a704e2f119c5215 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/file.c",
"fs/f2fs/inode.c",
"fs/f2fs/segment.c",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "102b82708c1523b36d421cb8687746906069bc17",
"status": "affected",
"version": "3db1de0e582c358dd013f3703cd55b5fe4076436",
"versionType": "git"
},
{
"lessThan": "b7724360714642099cec907f54f42e55f5325453",
"status": "affected",
"version": "3db1de0e582c358dd013f3703cd55b5fe4076436",
"versionType": "git"
},
{
"lessThan": "a46bebd502fe1a3bd1d22f64cedd93e7e7702693",
"status": "affected",
"version": "3db1de0e582c358dd013f3703cd55b5fe4076436",
"versionType": "git"
},
{
"status": "affected",
"version": "6db52f1944417c2601182a591a704e2f119c5215",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/file.c",
"fs/f2fs/inode.c",
"fs/f2fs/segment.c",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: synchronize atomic write aborts\n\nTo fix a race condition between atomic write aborts, I use the inode\nlock and make COW inode to be re-usable thoroughout the whole\natomic file inode lifetime."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:54.419Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/102b82708c1523b36d421cb8687746906069bc17"
},
{
"url": "https://git.kernel.org/stable/c/b7724360714642099cec907f54f42e55f5325453"
},
{
"url": "https://git.kernel.org/stable/c/a46bebd502fe1a3bd1d22f64cedd93e7e7702693"
}
],
"title": "f2fs: synchronize atomic write aborts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53838",
"datePublished": "2025-12-09T01:29:54.419Z",
"dateReserved": "2025-12-09T01:27:17.826Z",
"dateUpdated": "2025-12-09T01:29:54.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53844 (GCVE-0-2023-53844)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
drm/ttm: Don't leak a resource on swapout move error
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: Don't leak a resource on swapout move error
If moving the bo to system for swapout failed, we were leaking
a resource. Fix.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: bfa3357ef9abc9d56a2910222d2deeb9f15c91ff , < af4e0ce2af8a8f0ff3b89702a1e18d8ec2c4a834 (git)<br>Affected: bfa3357ef9abc9d56a2910222d2deeb9f15c91ff , < f037f6038736bd038ddb9c72de979a08cc1ee3b5 (git)<br>Affected: bfa3357ef9abc9d56a2910222d2deeb9f15c91ff , < 4a5b37ea6797d7a53e6dd004aa37e149f40199ce (git)<br>Affected: bfa3357ef9abc9d56a2910222d2deeb9f15c91ff , < a590f03d8de7c4cb7ce4916dc7f2fd10711faabe (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af4e0ce2af8a8f0ff3b89702a1e18d8ec2c4a834",
"status": "affected",
"version": "bfa3357ef9abc9d56a2910222d2deeb9f15c91ff",
"versionType": "git"
},
{
"lessThan": "f037f6038736bd038ddb9c72de979a08cc1ee3b5",
"status": "affected",
"version": "bfa3357ef9abc9d56a2910222d2deeb9f15c91ff",
"versionType": "git"
},
{
"lessThan": "4a5b37ea6797d7a53e6dd004aa37e149f40199ce",
"status": "affected",
"version": "bfa3357ef9abc9d56a2910222d2deeb9f15c91ff",
"versionType": "git"
},
{
"lessThan": "a590f03d8de7c4cb7ce4916dc7f2fd10711faabe",
"status": "affected",
"version": "bfa3357ef9abc9d56a2910222d2deeb9f15c91ff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Don\u0027t leak a resource on swapout move error\n\nIf moving the bo to system for swapout failed, we were leaking\na resource. Fix."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:06.863Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af4e0ce2af8a8f0ff3b89702a1e18d8ec2c4a834"
},
{
"url": "https://git.kernel.org/stable/c/f037f6038736bd038ddb9c72de979a08cc1ee3b5"
},
{
"url": "https://git.kernel.org/stable/c/4a5b37ea6797d7a53e6dd004aa37e149f40199ce"
},
{
"url": "https://git.kernel.org/stable/c/a590f03d8de7c4cb7ce4916dc7f2fd10711faabe"
}
],
"title": "drm/ttm: Don\u0027t leak a resource on swapout move error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53844",
"datePublished": "2025-12-09T01:30:06.863Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2025-12-09T01:30:06.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53863 (GCVE-0-2023-53863)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
netlink: do not hard code device address lenth in fdb dumps
Summary
In the Linux kernel, the following vulnerability has been resolved:
netlink: do not hard code device address lenth in fdb dumps
syzbot reports that some netdev devices do not have a six bytes
address [1]
Replace ETH_ALEN by dev->addr_len.
[1] (Case of a device where dev->addr_len = 4)
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
copyout+0xb8/0x100 lib/iov_iter.c:169
_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536
copy_to_iter include/linux/uio.h:206 [inline]
simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513
__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527
skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970
sock_recvmsg_nosec net/socket.c:1019 [inline]
sock_recvmsg net/socket.c:1040 [inline]
____sys_recvmsg+0x283/0x7f0 net/socket.c:2722
___sys_recvmsg+0x223/0x840 net/socket.c:2764
do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
__sys_recvmmsg net/socket.c:2937 [inline]
__do_sys_recvmmsg net/socket.c:2960 [inline]
__se_sys_recvmmsg net/socket.c:2953 [inline]
__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Uninit was stored to memory at:
__nla_put lib/nlattr.c:1009 [inline]
nla_put+0x1c6/0x230 lib/nlattr.c:1067
nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071
nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]
ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456
rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629
netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268
netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995
sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019
____sys_recvmsg+0x664/0x7f0 net/socket.c:2720
___sys_recvmsg+0x223/0x840 net/socket.c:2764
do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
__sys_recvmmsg net/socket.c:2937 [inline]
__do_sys_recvmmsg net/socket.c:2960 [inline]
__se_sys_recvmmsg net/socket.c:2953 [inline]
__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Uninit was created at:
slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716
slab_alloc_node mm/slub.c:3451 [inline]
__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490
kmalloc_trace+0x51/0x200 mm/slab_common.c:1057
kmalloc include/linux/slab.h:559 [inline]
__hw_addr_create net/core/dev_addr_lists.c:60 [inline]
__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118
__dev_mc_add net/core/dev_addr_lists.c:867 [inline]
dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885
igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680
ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754
ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708
addrconf_type_change net/ipv6/addrconf.c:3731 [inline]
addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699
notifier_call_chain kernel/notifier.c:93 [inline]
raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461
call_netdevice_notifiers_info net/core/dev.c:1935 [inline]
call_netdevice_notifiers_extack net/core/dev.c:1973 [inline]
call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987
bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906
do_set_master net/core/rtnetlink.c:2626 [inline]
rtnl_newlink_create net/core/rtnetlink.c:3460 [inline]
__rtnl_newlink net/core/rtnetlink.c:3660 [inline]
rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673
rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395
netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546
rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0xf28/0x1230 net/netlink/af_
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < 61d1bf3c34bf5fe936c50d1a4bc460babcc85e88 (git) |
| Linux | Linux | Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < c3ad49ff5c030cbe719fc4cb0ae081b8255ef4b3 (git) |
| Linux | Linux | Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < bd1de6107f10e7d4c2aabe3397b58d63672fc511 (git) |
| Linux | Linux | Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < 44db85c6e1a184b99a2cdf56b525ac63c4962c22 (git) |
| Linux | Linux | Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < 619384319b137908d1008c92426c9daa95c06b90 (git) |
| Linux | Linux | Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < e9331c8fa4c69f09d2c71682af75586f77266e81 (git) |
| Linux | Linux | Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < b6f2d4618fc697886ad41e215ae20638153e42d0 (git) |
| Linux | Linux | Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < 73862118bd9dec850aa8e775145647ddd23aedf8 (git) |
| Linux | Linux | Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < aa5406950726e336c5c9585b09799a734b6e77bf (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/rtnetlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61d1bf3c34bf5fe936c50d1a4bc460babcc85e88",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
},
{
"lessThan": "c3ad49ff5c030cbe719fc4cb0ae081b8255ef4b3",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
},
{
"lessThan": "bd1de6107f10e7d4c2aabe3397b58d63672fc511",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
},
{
"lessThan": "44db85c6e1a184b99a2cdf56b525ac63c4962c22",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
},
{
"lessThan": "619384319b137908d1008c92426c9daa95c06b90",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
},
{
"lessThan": "e9331c8fa4c69f09d2c71682af75586f77266e81",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
},
{
"lessThan": "b6f2d4618fc697886ad41e215ae20638153e42d0",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
},
{
"lessThan": "73862118bd9dec850aa8e775145647ddd23aedf8",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
},
{
"lessThan": "aa5406950726e336c5c9585b09799a734b6e77bf",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/rtnetlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: do not hard code device address lenth in fdb dumps\n\nsyzbot reports that some netdev devices do not have a six bytes\naddress [1]\n\nReplace ETH_ALEN by dev-\u003eaddr_len.\n\n[1] (Case of a device where dev-\u003eaddr_len = 4)\n\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169\ninstrument_copy_to_user include/linux/instrumented.h:114 [inline]\ncopyout+0xb8/0x100 lib/iov_iter.c:169\n_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536\ncopy_to_iter include/linux/uio.h:206 [inline]\nsimple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513\n__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419\nskb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527\nskb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\nnetlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970\nsock_recvmsg_nosec net/socket.c:1019 [inline]\nsock_recvmsg net/socket.c:1040 [inline]\n____sys_recvmsg+0x283/0x7f0 net/socket.c:2722\n___sys_recvmsg+0x223/0x840 net/socket.c:2764\ndo_recvmmsg+0x4f9/0xfd0 net/socket.c:2858\n__sys_recvmmsg net/socket.c:2937 [inline]\n__do_sys_recvmmsg net/socket.c:2960 [inline]\n__se_sys_recvmmsg net/socket.c:2953 [inline]\n__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was stored to memory at:\n__nla_put lib/nlattr.c:1009 [inline]\nnla_put+0x1c6/0x230 lib/nlattr.c:1067\nnlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071\nnlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]\nndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456\nrtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629\nnetlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268\nnetlink_recvmsg+0xc5c/0x15a0 
net/netlink/af_netlink.c:1995\nsock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019\n____sys_recvmsg+0x664/0x7f0 net/socket.c:2720\n___sys_recvmsg+0x223/0x840 net/socket.c:2764\ndo_recvmmsg+0x4f9/0xfd0 net/socket.c:2858\n__sys_recvmmsg net/socket.c:2937 [inline]\n__do_sys_recvmmsg net/socket.c:2960 [inline]\n__se_sys_recvmmsg net/socket.c:2953 [inline]\n__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\nslab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716\nslab_alloc_node mm/slub.c:3451 [inline]\n__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490\nkmalloc_trace+0x51/0x200 mm/slab_common.c:1057\nkmalloc include/linux/slab.h:559 [inline]\n__hw_addr_create net/core/dev_addr_lists.c:60 [inline]\n__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118\n__dev_mc_add net/core/dev_addr_lists.c:867 [inline]\ndev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885\nigmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680\nipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754\nipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708\naddrconf_type_change net/ipv6/addrconf.c:3731 [inline]\naddrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699\nnotifier_call_chain kernel/notifier.c:93 [inline]\nraw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461\ncall_netdevice_notifiers_info net/core/dev.c:1935 [inline]\ncall_netdevice_notifiers_extack net/core/dev.c:1973 [inline]\ncall_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987\nbond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906\ndo_set_master net/core/rtnetlink.c:2626 [inline]\nrtnl_newlink_create net/core/rtnetlink.c:3460 [inline]\n__rtnl_newlink net/core/rtnetlink.c:3660 [inline]\nrtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673\nrtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395\nnetlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546\nrtnetlink_rcv+0x34/0x40 
net/core/rtnetlink.c:6413\nnetlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\nnetlink_unicast+0xf28/0x1230 net/netlink/af_\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:32.109Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61d1bf3c34bf5fe936c50d1a4bc460babcc85e88"
},
{
"url": "https://git.kernel.org/stable/c/c3ad49ff5c030cbe719fc4cb0ae081b8255ef4b3"
},
{
"url": "https://git.kernel.org/stable/c/bd1de6107f10e7d4c2aabe3397b58d63672fc511"
},
{
"url": "https://git.kernel.org/stable/c/44db85c6e1a184b99a2cdf56b525ac63c4962c22"
},
{
"url": "https://git.kernel.org/stable/c/619384319b137908d1008c92426c9daa95c06b90"
},
{
"url": "https://git.kernel.org/stable/c/e9331c8fa4c69f09d2c71682af75586f77266e81"
},
{
"url": "https://git.kernel.org/stable/c/b6f2d4618fc697886ad41e215ae20638153e42d0"
},
{
"url": "https://git.kernel.org/stable/c/73862118bd9dec850aa8e775145647ddd23aedf8"
},
{
"url": "https://git.kernel.org/stable/c/aa5406950726e336c5c9585b09799a734b6e77bf"
}
],
"title": "netlink: do not hard code device address lenth in fdb dumps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53863",
"datePublished": "2025-12-09T01:30:32.109Z",
"dateReserved": "2025-12-09T01:27:17.829Z",
"dateUpdated": "2025-12-09T01:30:32.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53789 (GCVE-0-2023-53789)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2026-01-05 10:32
Title
iommu/amd: Improve page fault error reporting
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd: Improve page fault error reporting
If IOMMU domain for device group is not setup properly then we may hit
IOMMU page fault. Current page fault handler assumes that domain is
always setup and it will hit NULL pointer dereference (see below sample log).
Let's check whether domain is setup or not and log appropriate message.
Sample log:
----------
amdgpu 0000:00:01.0: amdgpu: SE 1, SH per SE 1, CU per SH 8, active_cu_number 6
BUG: kernel NULL pointer dereference, address: 0000000000000058
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 2 PID: 56 Comm: irq/24-AMD-Vi Not tainted 6.2.0-rc2+ #89
Hardware name: xxx
RIP: 0010:report_iommu_fault+0x11/0x90
[...]
Call Trace:
<TASK>
amd_iommu_int_thread+0x60c/0x760
? __pfx_irq_thread_fn+0x10/0x10
irq_thread_fn+0x1f/0x60
irq_thread+0xea/0x1a0
? preempt_count_add+0x6a/0xa0
? __pfx_irq_thread_dtor+0x10/0x10
? __pfx_irq_thread+0x10/0x10
kthread+0xe9/0x110
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2c/0x50
</TASK>
[joro: Edit commit message]
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9f78e446bde812d18f228976f2c6b8f25b93f08b , < be8301e2d5a8b95c04ae8e35d7bfee7b0f03f83a (git) |
| Linux | Linux | Affected: 9f78e446bde812d18f228976f2c6b8f25b93f08b , < 446080b353f048b1fddaec1434cb3d27b5de7efe (git) |
| Linux | Linux | Affected: 9f78e446bde812d18f228976f2c6b8f25b93f08b , < 996d120b4de2b0d6b592bd9fbbe6e244b81ab3cc (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "be8301e2d5a8b95c04ae8e35d7bfee7b0f03f83a",
"status": "affected",
"version": "9f78e446bde812d18f228976f2c6b8f25b93f08b",
"versionType": "git"
},
{
"lessThan": "446080b353f048b1fddaec1434cb3d27b5de7efe",
"status": "affected",
"version": "9f78e446bde812d18f228976f2c6b8f25b93f08b",
"versionType": "git"
},
{
"lessThan": "996d120b4de2b0d6b592bd9fbbe6e244b81ab3cc",
"status": "affected",
"version": "9f78e446bde812d18f228976f2c6b8f25b93f08b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Improve page fault error reporting\n\nIf IOMMU domain for device group is not setup properly then we may hit\nIOMMU page fault. Current page fault handler assumes that domain is\nalways setup and it will hit NULL pointer derefence (see below sample log).\n\nLets check whether domain is setup or not and log appropriate message.\n\nSample log:\n----------\n amdgpu 0000:00:01.0: amdgpu: SE 1, SH per SE 1, CU per SH 8, active_cu_number 6\n BUG: kernel NULL pointer dereference, address: 0000000000000058\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 2 PID: 56 Comm: irq/24-AMD-Vi Not tainted 6.2.0-rc2+ #89\n Hardware name: xxx\n RIP: 0010:report_iommu_fault+0x11/0x90\n [...]\n Call Trace:\n \u003cTASK\u003e\n amd_iommu_int_thread+0x60c/0x760\n ? __pfx_irq_thread_fn+0x10/0x10\n irq_thread_fn+0x1f/0x60\n irq_thread+0xea/0x1a0\n ? preempt_count_add+0x6a/0xa0\n ? __pfx_irq_thread_dtor+0x10/0x10\n ? __pfx_irq_thread+0x10/0x10\n kthread+0xe9/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n \u003c/TASK\u003e\n\n[joro: Edit commit message]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:53.862Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/be8301e2d5a8b95c04ae8e35d7bfee7b0f03f83a"
},
{
"url": "https://git.kernel.org/stable/c/446080b353f048b1fddaec1434cb3d27b5de7efe"
},
{
"url": "https://git.kernel.org/stable/c/996d120b4de2b0d6b592bd9fbbe6e244b81ab3cc"
}
],
"title": "iommu/amd: Improve page fault error reporting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53789",
"datePublished": "2025-12-09T00:00:45.461Z",
"dateReserved": "2025-12-08T23:58:35.273Z",
"dateUpdated": "2026-01-05T10:32:53.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50647 (GCVE-0-2022-50647)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
RISC-V: Make port I/O string accessors actually work
Summary
In the Linux kernel, the following vulnerability has been resolved:
RISC-V: Make port I/O string accessors actually work
Fix port I/O string accessors such as `insb', `outsb', etc. which use
the physical PCI port I/O address rather than the corresponding memory
mapping to get at the requested location, which in turn breaks at least
accesses made by our parport driver to a PCIe parallel port such as:
PCI parallel port detected: 1415:c118, I/O at 0x1000(0x1008), IRQ 20
parport0: PC-style at 0x1000 (0x1008), irq 20, using FIFO [PCSPP,TRISTATE,COMPAT,EPP,ECP]
causing a memory access fault:
Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000000001008
Oops [#1]
Modules linked in:
CPU: 1 PID: 350 Comm: cat Not tainted 6.0.0-rc2-00283-g10d4879f9ef0-dirty #23
Hardware name: SiFive HiFive Unmatched A00 (DT)
epc : parport_pc_fifo_write_block_pio+0x266/0x416
ra : parport_pc_fifo_write_block_pio+0xb4/0x416
epc : ffffffff80542c3e ra : ffffffff80542a8c sp : ffffffd88899fc60
gp : ffffffff80fa2700 tp : ffffffd882b1e900 t0 : ffffffd883d0b000
t1 : ffffffffff000002 t2 : 4646393043330a38 s0 : ffffffd88899fcf0
s1 : 0000000000001000 a0 : 0000000000000010 a1 : 0000000000000000
a2 : ffffffd883d0a010 a3 : 0000000000000023 a4 : 00000000ffff8fbb
a5 : ffffffd883d0a001 a6 : 0000000100000000 a7 : ffffffc800000000
s2 : ffffffffff000002 s3 : ffffffff80d28880 s4 : ffffffff80fa1f50
s5 : 0000000000001008 s6 : 0000000000000008 s7 : ffffffd883d0a000
s8 : 0004000000000000 s9 : ffffffff80dc1d80 s10: ffffffd8807e4000
s11: 0000000000000000 t3 : 00000000000000ff t4 : 393044410a303930
t5 : 0000000000001000 t6 : 0000000000040000
status: 0000000200000120 badaddr: 0000000000001008 cause: 000000000000000f
[<ffffffff80543212>] parport_pc_compat_write_block_pio+0xfe/0x200
[<ffffffff8053bbc0>] parport_write+0x46/0xf8
[<ffffffff8050530e>] lp_write+0x158/0x2d2
[<ffffffff80185716>] vfs_write+0x8e/0x2c2
[<ffffffff80185a74>] ksys_write+0x52/0xc2
[<ffffffff80185af2>] sys_write+0xe/0x16
[<ffffffff80003770>] ret_from_syscall+0x0/0x2
---[ end trace 0000000000000000 ]---
For simplicity address the problem by adding PCI_IOBASE to the physical
address requested in the respective wrapper macros only, observing that
the raw accessors such as `__insb', `__outsb', etc. are not supposed to
be used other than by said macros. Remove the cast to `long' that is no
longer needed on `addr' now that it is used as an offset from PCI_IOBASE
and add parentheses around `addr' needed for predictable evaluation in
macro expansion. No need to make said adjustments in separate changes
given that current code is gravely broken and does not ever work.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: fab957c11efe2f405e08b9f0d080524bc2631428 , < 2c60db6869fe5213471fcf4fe5704dc29da8b5ee (git) |
| Linux | Linux | Affected: fab957c11efe2f405e08b9f0d080524bc2631428 , < 2ce9fab94b8db61f014e43ddf80dd1524ae6dff4 (git) |
| Linux | Linux | Affected: fab957c11efe2f405e08b9f0d080524bc2631428 , < dc235db7b79a352d07d62e8757ad856dbf1564c1 (git) |
| Linux | Linux | Affected: fab957c11efe2f405e08b9f0d080524bc2631428 , < 140b2b92dbefffa7f4f7211a1fd399a6e79e71c4 (git) |
| Linux | Linux | Affected: fab957c11efe2f405e08b9f0d080524bc2631428 , < 1acee4616930fc07265cb8e539753a8062daa8e0 (git) |
| Linux | Linux | Affected: fab957c11efe2f405e08b9f0d080524bc2631428 , < 9cc205e3c17d5716da7ebb7fa0c985555e95d009 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/include/asm/io.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c60db6869fe5213471fcf4fe5704dc29da8b5ee",
"status": "affected",
"version": "fab957c11efe2f405e08b9f0d080524bc2631428",
"versionType": "git"
},
{
"lessThan": "2ce9fab94b8db61f014e43ddf80dd1524ae6dff4",
"status": "affected",
"version": "fab957c11efe2f405e08b9f0d080524bc2631428",
"versionType": "git"
},
{
"lessThan": "dc235db7b79a352d07d62e8757ad856dbf1564c1",
"status": "affected",
"version": "fab957c11efe2f405e08b9f0d080524bc2631428",
"versionType": "git"
},
{
"lessThan": "140b2b92dbefffa7f4f7211a1fd399a6e79e71c4",
"status": "affected",
"version": "fab957c11efe2f405e08b9f0d080524bc2631428",
"versionType": "git"
},
{
"lessThan": "1acee4616930fc07265cb8e539753a8062daa8e0",
"status": "affected",
"version": "fab957c11efe2f405e08b9f0d080524bc2631428",
"versionType": "git"
},
{
"lessThan": "9cc205e3c17d5716da7ebb7fa0c985555e95d009",
"status": "affected",
"version": "fab957c11efe2f405e08b9f0d080524bc2631428",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/include/asm/io.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRISC-V: Make port I/O string accessors actually work\n\nFix port I/O string accessors such as `insb\u0027, `outsb\u0027, etc. which use\nthe physical PCI port I/O address rather than the corresponding memory\nmapping to get at the requested location, which in turn breaks at least\naccesses made by our parport driver to a PCIe parallel port such as:\n\nPCI parallel port detected: 1415:c118, I/O at 0x1000(0x1008), IRQ 20\nparport0: PC-style at 0x1000 (0x1008), irq 20, using FIFO [PCSPP,TRISTATE,COMPAT,EPP,ECP]\n\ncausing a memory access fault:\n\nUnable to handle kernel access to user memory without uaccess routines at virtual address 0000000000001008\nOops [#1]\nModules linked in:\nCPU: 1 PID: 350 Comm: cat Not tainted 6.0.0-rc2-00283-g10d4879f9ef0-dirty #23\nHardware name: SiFive HiFive Unmatched A00 (DT)\nepc : parport_pc_fifo_write_block_pio+0x266/0x416\n ra : parport_pc_fifo_write_block_pio+0xb4/0x416\nepc : ffffffff80542c3e ra : ffffffff80542a8c sp : ffffffd88899fc60\n gp : ffffffff80fa2700 tp : ffffffd882b1e900 t0 : ffffffd883d0b000\n t1 : ffffffffff000002 t2 : 4646393043330a38 s0 : ffffffd88899fcf0\n s1 : 0000000000001000 a0 : 0000000000000010 a1 : 0000000000000000\n a2 : ffffffd883d0a010 a3 : 0000000000000023 a4 : 00000000ffff8fbb\n a5 : ffffffd883d0a001 a6 : 0000000100000000 a7 : ffffffc800000000\n s2 : ffffffffff000002 s3 : ffffffff80d28880 s4 : ffffffff80fa1f50\n s5 : 0000000000001008 s6 : 0000000000000008 s7 : ffffffd883d0a000\n s8 : 0004000000000000 s9 : ffffffff80dc1d80 s10: ffffffd8807e4000\n s11: 0000000000000000 t3 : 00000000000000ff t4 : 393044410a303930\n t5 : 0000000000001000 t6 : 0000000000040000\nstatus: 0000000200000120 badaddr: 0000000000001008 cause: 000000000000000f\n[\u003cffffffff80543212\u003e] parport_pc_compat_write_block_pio+0xfe/0x200\n[\u003cffffffff8053bbc0\u003e] parport_write+0x46/0xf8\n[\u003cffffffff8050530e\u003e] 
lp_write+0x158/0x2d2\n[\u003cffffffff80185716\u003e] vfs_write+0x8e/0x2c2\n[\u003cffffffff80185a74\u003e] ksys_write+0x52/0xc2\n[\u003cffffffff80185af2\u003e] sys_write+0xe/0x16\n[\u003cffffffff80003770\u003e] ret_from_syscall+0x0/0x2\n---[ end trace 0000000000000000 ]---\n\nFor simplicity address the problem by adding PCI_IOBASE to the physical\naddress requested in the respective wrapper macros only, observing that\nthe raw accessors such as `__insb\u0027, `__outsb\u0027, etc. are not supposed to\nbe used other than by said macros. Remove the cast to `long\u0027 that is no\nlonger needed on `addr\u0027 now that it is used as an offset from PCI_IOBASE\nand add parentheses around `addr\u0027 needed for predictable evaluation in\nmacro expansion. No need to make said adjustments in separate changes\ngiven that current code is gravely broken and does not ever work."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:21.501Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c60db6869fe5213471fcf4fe5704dc29da8b5ee"
},
{
"url": "https://git.kernel.org/stable/c/2ce9fab94b8db61f014e43ddf80dd1524ae6dff4"
},
{
"url": "https://git.kernel.org/stable/c/dc235db7b79a352d07d62e8757ad856dbf1564c1"
},
{
"url": "https://git.kernel.org/stable/c/140b2b92dbefffa7f4f7211a1fd399a6e79e71c4"
},
{
"url": "https://git.kernel.org/stable/c/1acee4616930fc07265cb8e539753a8062daa8e0"
},
{
"url": "https://git.kernel.org/stable/c/9cc205e3c17d5716da7ebb7fa0c985555e95d009"
}
],
"title": "RISC-V: Make port I/O string accessors actually work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50647",
"datePublished": "2025-12-09T00:00:21.501Z",
"dateReserved": "2025-12-08T23:57:43.371Z",
"dateUpdated": "2025-12-09T00:00:21.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50666 (GCVE-0-2022-50666)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
RDMA/siw: Fix QP destroy to wait for all references dropped.
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/siw: Fix QP destroy to wait for all references dropped.
Delay QP destroy completion until all siw references to QP are
dropped. The calling RDMA core will free QP structure after
successful return from siw_qp_destroy() call, so siw must not
hold any remaining reference to the QP upon return.
A use-after-free was encountered in xfstest generic/460, while
testing NFSoRDMA. Here, after a TCP connection drop by peer,
the triggered siw_cm_work_handler got delayed until after
QP destroy call, referencing a QP which has already freed.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < 5c75d608fad58301b63e7d69200c13c3a1d411da (git) |
| Linux | Linux | Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < 74ad141e995a730760b1bcfa14854b7f1057d6bc (git) |
| Linux | Linux | Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < 0ed8bf9d0bb19f3f5eedd73f04aaf5bba9ac0737 (git) |
| Linux | Linux | Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < a3c278807a459e6f50afee6971cabe74cccfb490 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/siw/siw.h",
"drivers/infiniband/sw/siw/siw_qp.c",
"drivers/infiniband/sw/siw/siw_verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5c75d608fad58301b63e7d69200c13c3a1d411da",
"status": "affected",
"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
"versionType": "git"
},
{
"lessThan": "74ad141e995a730760b1bcfa14854b7f1057d6bc",
"status": "affected",
"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
"versionType": "git"
},
{
"lessThan": "0ed8bf9d0bb19f3f5eedd73f04aaf5bba9ac0737",
"status": "affected",
"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
"versionType": "git"
},
{
"lessThan": "a3c278807a459e6f50afee6971cabe74cccfb490",
"status": "affected",
"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/siw/siw.h",
"drivers/infiniband/sw/siw/siw_qp.c",
"drivers/infiniband/sw/siw/siw_verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix QP destroy to wait for all references dropped.\n\nDelay QP destroy completion until all siw references to QP are\ndropped. The calling RDMA core will free QP structure after\nsuccessful return from siw_qp_destroy() call, so siw must not\nhold any remaining reference to the QP upon return.\nA use-after-free was encountered in xfstest generic/460, while\ntesting NFSoRDMA. Here, after a TCP connection drop by peer,\nthe triggered siw_cm_work_handler got delayed until after\nQP destroy call, referencing a QP which has already freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:16.813Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5c75d608fad58301b63e7d69200c13c3a1d411da"
},
{
"url": "https://git.kernel.org/stable/c/74ad141e995a730760b1bcfa14854b7f1057d6bc"
},
{
"url": "https://git.kernel.org/stable/c/0ed8bf9d0bb19f3f5eedd73f04aaf5bba9ac0737"
},
{
"url": "https://git.kernel.org/stable/c/a3c278807a459e6f50afee6971cabe74cccfb490"
}
],
"title": "RDMA/siw: Fix QP destroy to wait for all references dropped.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50666",
"datePublished": "2025-12-09T01:29:16.813Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-09T01:29:16.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53810 (GCVE-0-2023-53810)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
Title
blk-mq: release crypto keyslot before reporting I/O complete
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-mq: release crypto keyslot before reporting I/O complete
Once all I/O using a blk_crypto_key has completed, filesystems can call
blk_crypto_evict_key(). However, the block layer currently doesn't call
blk_crypto_put_keyslot() until the request is being freed, which happens
after upper layers have been told (via bio_endio()) the I/O has
completed. This causes a race condition where blk_crypto_evict_key()
can see 'slot_refs != 0' without there being an actual bug.
This makes __blk_crypto_evict_key() hit the
'WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)' and return without
doing anything, eventually causing a use-after-free in
blk_crypto_reprogram_all_keys(). (This is a very rare bug and has only
been seen when per-file keys are being used with fscrypt.)
There are two options to fix this: either release the keyslot before
bio_endio() is called on the request's last bio, or make
__blk_crypto_evict_key() ignore slot_refs. Let's go with the first
solution, since it preserves the ability to report bugs (via
WARN_ON_ONCE) where a key is evicted while still in-use.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a892c8d52c02284076fbbacae6692aa5c5807d11 , < 874bdf43b4a7dc5463c31508f62b3e42eb237b08 (git) |
| Linux | Linux | Affected: a892c8d52c02284076fbbacae6692aa5c5807d11 , < d206f79d9cd658665b37ce8134c6ec849ac7af0c (git) |
| Linux | Linux | Affected: a892c8d52c02284076fbbacae6692aa5c5807d11 , < 7d206ec7a04e8545828191b6ea8b49d3ea61391f (git) |
| Linux | Linux | Affected: a892c8d52c02284076fbbacae6692aa5c5807d11 , < b278570e2c59d538216f8b656e97680188a8fba4 (git) |
| Linux | Linux | Affected: a892c8d52c02284076fbbacae6692aa5c5807d11 , < 92d5d233b9ff531cf9cc36ab4251779e07adb633 (git) |
| Linux | Linux | Affected: a892c8d52c02284076fbbacae6692aa5c5807d11 , < 9cd1e566676bbcb8a126acd921e4e194e6339603 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-crypto-internal.h",
"block/blk-crypto.c",
"block/blk-merge.c",
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "874bdf43b4a7dc5463c31508f62b3e42eb237b08",
"status": "affected",
"version": "a892c8d52c02284076fbbacae6692aa5c5807d11",
"versionType": "git"
},
{
"lessThan": "d206f79d9cd658665b37ce8134c6ec849ac7af0c",
"status": "affected",
"version": "a892c8d52c02284076fbbacae6692aa5c5807d11",
"versionType": "git"
},
{
"lessThan": "7d206ec7a04e8545828191b6ea8b49d3ea61391f",
"status": "affected",
"version": "a892c8d52c02284076fbbacae6692aa5c5807d11",
"versionType": "git"
},
{
"lessThan": "b278570e2c59d538216f8b656e97680188a8fba4",
"status": "affected",
"version": "a892c8d52c02284076fbbacae6692aa5c5807d11",
"versionType": "git"
},
{
"lessThan": "92d5d233b9ff531cf9cc36ab4251779e07adb633",
"status": "affected",
"version": "a892c8d52c02284076fbbacae6692aa5c5807d11",
"versionType": "git"
},
{
"lessThan": "9cd1e566676bbcb8a126acd921e4e194e6339603",
"status": "affected",
"version": "a892c8d52c02284076fbbacae6692aa5c5807d11",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-crypto-internal.h",
"block/blk-crypto.c",
"block/blk-merge.c",
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: release crypto keyslot before reporting I/O complete\n\nOnce all I/O using a blk_crypto_key has completed, filesystems can call\nblk_crypto_evict_key(). However, the block layer currently doesn\u0027t call\nblk_crypto_put_keyslot() until the request is being freed, which happens\nafter upper layers have been told (via bio_endio()) the I/O has\ncompleted. This causes a race condition where blk_crypto_evict_key()\ncan see \u0027slot_refs != 0\u0027 without there being an actual bug.\n\nThis makes __blk_crypto_evict_key() hit the\n\u0027WARN_ON_ONCE(atomic_read(\u0026slot-\u003eslot_refs) != 0)\u0027 and return without\ndoing anything, eventually causing a use-after-free in\nblk_crypto_reprogram_all_keys(). (This is a very rare bug and has only\nbeen seen when per-file keys are being used with fscrypt.)\n\nThere are two options to fix this: either release the keyslot before\nbio_endio() is called on the request\u0027s last bio, or make\n__blk_crypto_evict_key() ignore slot_refs. Let\u0027s go with the first\nsolution, since it preserves the ability to report bugs (via\nWARN_ON_ONCE) where a key is evicted while still in-use."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:08.062Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/874bdf43b4a7dc5463c31508f62b3e42eb237b08"
},
{
"url": "https://git.kernel.org/stable/c/d206f79d9cd658665b37ce8134c6ec849ac7af0c"
},
{
"url": "https://git.kernel.org/stable/c/7d206ec7a04e8545828191b6ea8b49d3ea61391f"
},
{
"url": "https://git.kernel.org/stable/c/b278570e2c59d538216f8b656e97680188a8fba4"
},
{
"url": "https://git.kernel.org/stable/c/92d5d233b9ff531cf9cc36ab4251779e07adb633"
},
{
"url": "https://git.kernel.org/stable/c/9cd1e566676bbcb8a126acd921e4e194e6339603"
}
],
"title": "blk-mq: release crypto keyslot before reporting I/O complete",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53810",
"datePublished": "2025-12-09T00:01:08.062Z",
"dateReserved": "2025-12-08T23:58:35.276Z",
"dateUpdated": "2025-12-09T00:01:08.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53809 (GCVE-0-2023-53809)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
Title
l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()
Summary
In the Linux kernel, the following vulnerability has been resolved:
l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()
When a file descriptor of pppol2tp socket is passed as file descriptor
of UDP socket, a recursive deadlock occurs in l2tp_tunnel_register().
This situation is reproduced by the following program:

    int main(void)
    {
        int sock;
        struct sockaddr_pppol2tp addr;

        sock = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
        if (sock < 0) {
            perror("socket");
            return 1;
        }

        addr.sa_family = AF_PPPOX;
        addr.sa_protocol = PX_PROTO_OL2TP;
        addr.pppol2tp.pid = 0;
        addr.pppol2tp.fd = sock;
        addr.pppol2tp.addr.sin_family = PF_INET;
        addr.pppol2tp.addr.sin_port = htons(0);
        addr.pppol2tp.addr.sin_addr.s_addr = inet_addr("192.168.0.1");
        addr.pppol2tp.s_tunnel = 1;
        addr.pppol2tp.s_session = 0;
        addr.pppol2tp.d_tunnel = 0;
        addr.pppol2tp.d_session = 0;

        if (connect(sock, (const struct sockaddr *)&addr, sizeof(addr)) < 0) {
            perror("connect");
            return 1;
        }

        return 0;
    }

This program causes the following lockdep warning:

    ============================================
    WARNING: possible recursive locking detected
    6.2.0-rc5-00205-gc96618275234 #56 Not tainted
    --------------------------------------------
    repro/8607 is trying to acquire lock:
    ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: l2tp_tunnel_register+0x2b7/0x11c0

    but task is already holding lock:
    ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30

    other info that might help us debug this:
     Possible unsafe locking scenario:

           CPU0
           ----
      lock(sk_lock-AF_PPPOX);
      lock(sk_lock-AF_PPPOX);

     *** DEADLOCK ***

     May be due to missing lock nesting notation

    1 lock held by repro/8607:
     #0: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30

    stack backtrace:
    CPU: 0 PID: 8607 Comm: repro Not tainted 6.2.0-rc5-00205-gc96618275234 #56
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
    Call Trace:
     <TASK>
     dump_stack_lvl+0x100/0x178
     __lock_acquire.cold+0x119/0x3b9
     ? lockdep_hardirqs_on_prepare+0x410/0x410
     lock_acquire+0x1e0/0x610
     ? l2tp_tunnel_register+0x2b7/0x11c0
     ? lock_downgrade+0x710/0x710
     ? __fget_files+0x283/0x3e0
     lock_sock_nested+0x3a/0xf0
     ? l2tp_tunnel_register+0x2b7/0x11c0
     l2tp_tunnel_register+0x2b7/0x11c0
     ? sprintf+0xc4/0x100
     ? l2tp_tunnel_del_work+0x6b0/0x6b0
     ? debug_object_deactivate+0x320/0x320
     ? lockdep_init_map_type+0x16d/0x7a0
     ? lockdep_init_map_type+0x16d/0x7a0
     ? l2tp_tunnel_create+0x2bf/0x4b0
     ? l2tp_tunnel_create+0x3c6/0x4b0
     pppol2tp_connect+0x14e1/0x1a30
     ? pppol2tp_put_sk+0xd0/0xd0
     ? aa_sk_perm+0x2b7/0xa80
     ? aa_af_perm+0x260/0x260
     ? bpf_lsm_socket_connect+0x9/0x10
     ? pppol2tp_put_sk+0xd0/0xd0
     __sys_connect_file+0x14f/0x190
     __sys_connect+0x133/0x160
     ? __sys_connect_file+0x190/0x190
     ? lockdep_hardirqs_on+0x7d/0x100
     ? ktime_get_coarse_real_ts64+0x1b7/0x200
     ? ktime_get_coarse_real_ts64+0x147/0x200
     ? __audit_syscall_entry+0x396/0x500
     __x64_sys_connect+0x72/0xb0
     do_syscall_64+0x38/0xb0
     entry_SYSCALL_64_after_hwframe+0x63/0xcd

This patch fixes the issue by getting/creating the tunnel before
locking the pppol2tp socket.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2d77e5c0ad79004b5ef901895437e9cce6dfcc7e , < 4a413d360959962995e16a899cf2b9ef53e9fcb9 (git) |
| Linux | Linux | Affected: 77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce , < f6df58aa15f7d469f69b1dd21b001ff483255244 (git) |
| Linux | Linux | Affected: cef0845b6dcfa2f6c2c832e7f9622551456c741d , < 4bb736b40475528ac1aa8c98b368563618488a70 (git) |
| Linux | Linux | Affected: 0b2c59720e65885a394a017d0cf9cab118914682 , < 5370647dd745bb3d8f37057006be207ddd8e9314 (git) |
| Linux | Linux | Affected: 0b2c59720e65885a394a017d0cf9cab118914682 , < 9ca5e7ecab064f1f47da07f7c1ddf40e4bc0e5ac (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_ppp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4a413d360959962995e16a899cf2b9ef53e9fcb9",
"status": "affected",
"version": "2d77e5c0ad79004b5ef901895437e9cce6dfcc7e",
"versionType": "git"
},
{
"lessThan": "f6df58aa15f7d469f69b1dd21b001ff483255244",
"status": "affected",
"version": "77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce",
"versionType": "git"
},
{
"lessThan": "4bb736b40475528ac1aa8c98b368563618488a70",
"status": "affected",
"version": "cef0845b6dcfa2f6c2c832e7f9622551456c741d",
"versionType": "git"
},
{
"lessThan": "5370647dd745bb3d8f37057006be207ddd8e9314",
"status": "affected",
"version": "0b2c59720e65885a394a017d0cf9cab118914682",
"versionType": "git"
},
{
"lessThan": "9ca5e7ecab064f1f47da07f7c1ddf40e4bc0e5ac",
"status": "affected",
"version": "0b2c59720e65885a394a017d0cf9cab118914682",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_ppp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.10.166",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.15.91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "6.1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()\n\nWhen a file descriptor of pppol2tp socket is passed as file descriptor\nof UDP socket, a recursive deadlock occurs in l2tp_tunnel_register().\nThis situation is reproduced by the following program:\n\nint main(void)\n{\n\tint sock;\n\tstruct sockaddr_pppol2tp addr;\n\n\tsock = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);\n\tif (sock \u003c 0) {\n\t\tperror(\"socket\");\n\t\treturn 1;\n\t}\n\n\taddr.sa_family = AF_PPPOX;\n\taddr.sa_protocol = PX_PROTO_OL2TP;\n\taddr.pppol2tp.pid = 0;\n\taddr.pppol2tp.fd = sock;\n\taddr.pppol2tp.addr.sin_family = PF_INET;\n\taddr.pppol2tp.addr.sin_port = htons(0);\n\taddr.pppol2tp.addr.sin_addr.s_addr = inet_addr(\"192.168.0.1\");\n\taddr.pppol2tp.s_tunnel = 1;\n\taddr.pppol2tp.s_session = 0;\n\taddr.pppol2tp.d_tunnel = 0;\n\taddr.pppol2tp.d_session = 0;\n\n\tif (connect(sock, (const struct sockaddr *)\u0026addr, sizeof(addr)) \u003c 0) {\n\t\tperror(\"connect\");\n\t\treturn 1;\n\t}\n\n\treturn 0;\n}\n\nThis program causes the following lockdep warning:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.2.0-rc5-00205-gc96618275234 #56 Not tainted\n --------------------------------------------\n repro/8607 is trying to acquire lock:\n ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: l2tp_tunnel_register+0x2b7/0x11c0\n\n but task is already holding lock:\n ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(sk_lock-AF_PPPOX);\n lock(sk_lock-AF_PPPOX);\n\n *** DEADLOCK ***\n\n May be due to missing lock nesting notation\n\n 1 lock held by repro/8607:\n #0: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30\n\n stack backtrace:\n CPU: 0 PID: 8607 Comm: repro Not tainted 
6.2.0-rc5-00205-gc96618275234 #56\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x100/0x178\n __lock_acquire.cold+0x119/0x3b9\n ? lockdep_hardirqs_on_prepare+0x410/0x410\n lock_acquire+0x1e0/0x610\n ? l2tp_tunnel_register+0x2b7/0x11c0\n ? lock_downgrade+0x710/0x710\n ? __fget_files+0x283/0x3e0\n lock_sock_nested+0x3a/0xf0\n ? l2tp_tunnel_register+0x2b7/0x11c0\n l2tp_tunnel_register+0x2b7/0x11c0\n ? sprintf+0xc4/0x100\n ? l2tp_tunnel_del_work+0x6b0/0x6b0\n ? debug_object_deactivate+0x320/0x320\n ? lockdep_init_map_type+0x16d/0x7a0\n ? lockdep_init_map_type+0x16d/0x7a0\n ? l2tp_tunnel_create+0x2bf/0x4b0\n ? l2tp_tunnel_create+0x3c6/0x4b0\n pppol2tp_connect+0x14e1/0x1a30\n ? pppol2tp_put_sk+0xd0/0xd0\n ? aa_sk_perm+0x2b7/0xa80\n ? aa_af_perm+0x260/0x260\n ? bpf_lsm_socket_connect+0x9/0x10\n ? pppol2tp_put_sk+0xd0/0xd0\n __sys_connect_file+0x14f/0x190\n __sys_connect+0x133/0x160\n ? __sys_connect_file+0x190/0x190\n ? lockdep_hardirqs_on+0x7d/0x100\n ? ktime_get_coarse_real_ts64+0x1b7/0x200\n ? ktime_get_coarse_real_ts64+0x147/0x200\n ? __audit_syscall_entry+0x396/0x500\n __x64_sys_connect+0x72/0xb0\n do_syscall_64+0x38/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThis patch fixes the issue by getting/creating the tunnel before\nlocking the pppol2tp socket."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:07.120Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a413d360959962995e16a899cf2b9ef53e9fcb9"
},
{
"url": "https://git.kernel.org/stable/c/f6df58aa15f7d469f69b1dd21b001ff483255244"
},
{
"url": "https://git.kernel.org/stable/c/4bb736b40475528ac1aa8c98b368563618488a70"
},
{
"url": "https://git.kernel.org/stable/c/5370647dd745bb3d8f37057006be207ddd8e9314"
},
{
"url": "https://git.kernel.org/stable/c/9ca5e7ecab064f1f47da07f7c1ddf40e4bc0e5ac"
}
],
"title": "l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53809",
"datePublished": "2025-12-09T00:01:07.120Z",
"dateReserved": "2025-12-08T23:58:35.276Z",
"dateUpdated": "2025-12-09T00:01:07.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53843 (GCVE-0-2023-53843)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
net: openvswitch: reject negative ifindex
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: reject negative ifindex
Recent changes in net-next (commit 759ab1edb56c ("net: store netdevs
in an xarray")) refactored the handling of pre-assigned ifindexes
and let syzbot surface a latent problem in ovs. ovs does not validate
ifindex, making it possible to create netdev ports with negative
ifindex values. It's easy to repro with YNL:

    $ ./cli.py --spec netlink/specs/ovs_datapath.yaml \
          --do new \
          --json '{"upcall-pid": 1, "name":"my-dp"}'
    $ ./cli.py --spec netlink/specs/ovs_vport.yaml \
          --do new \
          --json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}'

    $ ip link show
    -65536: some-port0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
        link/ether 7a:48:21:ad:0b:fb brd ff:ff:ff:ff:ff:ff
    ...

Validate the inputs. Now the second command correctly returns:

    $ ./cli.py --spec netlink/specs/ovs_vport.yaml \
          --do new \
          --json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}'

    lib.ynl.NlError: Netlink error: Numerical result out of range
    nl_len = 108 (92) nl_flags = 0x300 nl_type = 2
        error: -34 extack: {'msg': 'integer out of range', 'unknown': [[type:4 len:36] b'\x0c\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x03\x00\xff\xff\xff\x7f\x00\x00\x00\x00\x08\x00\x01\x00\x08\x00\x00\x00'], 'bad-attr': '.ifindex'}

Accept 0 since it used to be silently ignored.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 54c4ef34c4b6f9720fded620e2893894f9f2c554 , < c965a58376146dcfdda186819462e8eb3aadef3a (git) |
| Linux | Linux | Affected: 54c4ef34c4b6f9720fded620e2893894f9f2c554 , < 881faff9e548a7ddfb11595be7c1c649217d27db (git) |
| Linux | Linux | Affected: 54c4ef34c4b6f9720fded620e2893894f9f2c554 , < a552bfa16bab4ce901ee721346a28c4e483f4066 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/datapath.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c965a58376146dcfdda186819462e8eb3aadef3a",
"status": "affected",
"version": "54c4ef34c4b6f9720fded620e2893894f9f2c554",
"versionType": "git"
},
{
"lessThan": "881faff9e548a7ddfb11595be7c1c649217d27db",
"status": "affected",
"version": "54c4ef34c4b6f9720fded620e2893894f9f2c554",
"versionType": "git"
},
{
"lessThan": "a552bfa16bab4ce901ee721346a28c4e483f4066",
"status": "affected",
"version": "54c4ef34c4b6f9720fded620e2893894f9f2c554",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/datapath.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: reject negative ifindex\n\nRecent changes in net-next (commit 759ab1edb56c (\"net: store netdevs\nin an xarray\")) refactored the handling of pre-assigned ifindexes\nand let syzbot surface a latent problem in ovs. ovs does not validate\nifindex, making it possible to create netdev ports with negative\nifindex values. It\u0027s easy to repro with YNL:\n\n$ ./cli.py --spec netlink/specs/ovs_datapath.yaml \\\n --do new \\\n\t --json \u0027{\"upcall-pid\": 1, \"name\":\"my-dp\"}\u0027\n$ ./cli.py --spec netlink/specs/ovs_vport.yaml \\\n\t --do new \\\n\t --json \u0027{\"upcall-pid\": \"00000001\", \"name\": \"some-port0\", \"dp-ifindex\":3,\"ifindex\":4294901760,\"type\":2}\u0027\n\n$ ip link show\n-65536: some-port0: \u003cBROADCAST,MULTICAST\u003e mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\n link/ether 7a:48:21:ad:0b:fb brd ff:ff:ff:ff:ff:ff\n...\n\nValidate the inputs. Now the second command correctly returns:\n\n$ ./cli.py --spec netlink/specs/ovs_vport.yaml \\\n\t --do new \\\n\t --json \u0027{\"upcall-pid\": \"00000001\", \"name\": \"some-port0\", \"dp-ifindex\":3,\"ifindex\":4294901760,\"type\":2}\u0027\n\nlib.ynl.NlError: Netlink error: Numerical result out of range\nnl_len = 108 (92) nl_flags = 0x300 nl_type = 2\n\terror: -34\textack: {\u0027msg\u0027: \u0027integer out of range\u0027, \u0027unknown\u0027: [[type:4 len:36] b\u0027\\x0c\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x03\\x00\\xff\\xff\\xff\\x7f\\x00\\x00\\x00\\x00\\x08\\x00\\x01\\x00\\x08\\x00\\x00\\x00\u0027], \u0027bad-attr\u0027: \u0027.ifindex\u0027}\n\nAccept 0 since it used to be silently ignored."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:05.698Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c965a58376146dcfdda186819462e8eb3aadef3a"
},
{
"url": "https://git.kernel.org/stable/c/881faff9e548a7ddfb11595be7c1c649217d27db"
},
{
"url": "https://git.kernel.org/stable/c/a552bfa16bab4ce901ee721346a28c4e483f4066"
}
],
"title": "net: openvswitch: reject negative ifindex",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53843",
"datePublished": "2025-12-09T01:30:05.698Z",
"dateReserved": "2025-12-09T01:27:17.826Z",
"dateUpdated": "2025-12-09T01:30:05.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50675 (GCVE-0-2022-50675)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored
Prior to commit 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE
is untagged"), mte_sync_tags() was only called for pte_tagged() entries
(those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use
test_and_set_bit(PG_mte_tagged, &page->flags) without inadvertently
setting PG_mte_tagged on an untagged page.
The above commit was required as guests may enable MTE without any
control at the stage 2 mapping, nor a PROT_MTE mapping in the VMM.
However, the side-effect was that any page with a PTE that looked like
swap (or migration) was getting PG_mte_tagged set automatically. A
subsequent page copy (e.g. migration) copied the tags to the destination
page even if the tags were owned by KASAN.
This issue was masked by the page_kasan_tag_reset() call introduced in
commit e5b8d9218951 ("arm64: mte: reset the page tag in page->flags").
When this commit was reverted (20794545c146), KASAN started reporting
access faults because the overriding tags in a page did not match the
original page->flags (with CONFIG_KASAN_HW_TAGS=y):
BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26
Read at addr f5ff000017f2e000 by task syz-executor.1/2218
Pointer tag: [f5], memory tag: [f2]
Move the PG_mte_tagged bit setting from mte_sync_tags() to the actual
place where tags are cleared (mte_sync_page_tags()) or restored
(mte_restore_tags()).
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 69e3b846d8a753f9f279f29531ca56b0f7563ad0 , < 918002bdbe4328c8c0164a22e8ebf2384b80dc23 (git) |
| Linux | Linux | Affected: 69e3b846d8a753f9f279f29531ca56b0f7563ad0 , < 749e9fc18b1e1a3f93a9512e91bd7f93002d2821 (git) |
| Linux | Linux | Affected: 69e3b846d8a753f9f279f29531ca56b0f7563ad0 , < a8e5e5146ad08d794c58252bab00b261045ef16d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/mte.c",
"arch/arm64/mm/mteswap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "918002bdbe4328c8c0164a22e8ebf2384b80dc23",
"status": "affected",
"version": "69e3b846d8a753f9f279f29531ca56b0f7563ad0",
"versionType": "git"
},
{
"lessThan": "749e9fc18b1e1a3f93a9512e91bd7f93002d2821",
"status": "affected",
"version": "69e3b846d8a753f9f279f29531ca56b0f7563ad0",
"versionType": "git"
},
{
"lessThan": "a8e5e5146ad08d794c58252bab00b261045ef16d",
"status": "affected",
"version": "69e3b846d8a753f9f279f29531ca56b0f7563ad0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/mte.c",
"arch/arm64/mm/mteswap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.82",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored\n\nPrior to commit 69e3b846d8a7 (\"arm64: mte: Sync tags for pages where PTE\nis untagged\"), mte_sync_tags() was only called for pte_tagged() entries\n(those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use\ntest_and_set_bit(PG_mte_tagged, \u0026page-\u003eflags) without inadvertently\nsetting PG_mte_tagged on an untagged page.\n\nThe above commit was required as guests may enable MTE without any\ncontrol at the stage 2 mapping, nor a PROT_MTE mapping in the VMM.\nHowever, the side-effect was that any page with a PTE that looked like\nswap (or migration) was getting PG_mte_tagged set automatically. A\nsubsequent page copy (e.g. migration) copied the tags to the destination\npage even if the tags were owned by KASAN.\n\nThis issue was masked by the page_kasan_tag_reset() call introduced in\ncommit e5b8d9218951 (\"arm64: mte: reset the page tag in page-\u003eflags\").\nWhen this commit was reverted (20794545c146), KASAN started reporting\naccess faults because the overriding tags in a page did not match the\noriginal page-\u003eflags (with CONFIG_KASAN_HW_TAGS=y):\n\n BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26\n Read at addr f5ff000017f2e000 by task syz-executor.1/2218\n Pointer tag: [f5], memory tag: [f2]\n\nMove the PG_mte_tagged bit setting from mte_sync_tags() to the actual\nplace where tags are cleared (mte_sync_page_tags()) or restored\n(mte_restore_tags())."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:27.926Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/918002bdbe4328c8c0164a22e8ebf2384b80dc23"
},
{
"url": "https://git.kernel.org/stable/c/749e9fc18b1e1a3f93a9512e91bd7f93002d2821"
},
{
"url": "https://git.kernel.org/stable/c/a8e5e5146ad08d794c58252bab00b261045ef16d"
}
],
"title": "arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50675",
"datePublished": "2025-12-09T01:29:27.926Z",
"dateReserved": "2025-12-09T01:26:45.991Z",
"dateUpdated": "2025-12-09T01:29:27.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53801 (GCVE-0-2023-53801)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-20 08:51
Title
iommu/sprd: Release dma buffer to avoid memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/sprd: Release dma buffer to avoid memory leak
When attaching to a domain, the driver would alloc a DMA buffer which
is used to store the address mapping table, and it needs to be released
when the IOMMU domain is freed.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b23e4fc4e3faed0b8b604079c44a244da3ec941a , < 92c089a931fd3939cd32318cf4f54e69e8f51a19 (git) |
| Linux | Linux | Affected: b23e4fc4e3faed0b8b604079c44a244da3ec941a , < 8745f3592ee4a7b49ede16ddd3f12a41ecaa23c9 (git) |
| Linux | Linux | Affected: b23e4fc4e3faed0b8b604079c44a244da3ec941a , < d0a917fd5e3b3ed9d9306b4260ba684b982da9f3 (git) |
| Linux | Linux | Affected: b23e4fc4e3faed0b8b604079c44a244da3ec941a , < 9afea57384d4ae7b2034593eac7fa76c7122762a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/sprd-iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92c089a931fd3939cd32318cf4f54e69e8f51a19",
"status": "affected",
"version": "b23e4fc4e3faed0b8b604079c44a244da3ec941a",
"versionType": "git"
},
{
"lessThan": "8745f3592ee4a7b49ede16ddd3f12a41ecaa23c9",
"status": "affected",
"version": "b23e4fc4e3faed0b8b604079c44a244da3ec941a",
"versionType": "git"
},
{
"lessThan": "d0a917fd5e3b3ed9d9306b4260ba684b982da9f3",
"status": "affected",
"version": "b23e4fc4e3faed0b8b604079c44a244da3ec941a",
"versionType": "git"
},
{
"lessThan": "9afea57384d4ae7b2034593eac7fa76c7122762a",
"status": "affected",
"version": "b23e4fc4e3faed0b8b604079c44a244da3ec941a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/sprd-iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.81",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/sprd: Release dma buffer to avoid memory leak\n\nWhen attaching to a domain, the driver would alloc a DMA buffer which\nis used to store address mapping table, and it need to be released\nwhen the IOMMU domain is freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:22.858Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92c089a931fd3939cd32318cf4f54e69e8f51a19"
},
{
"url": "https://git.kernel.org/stable/c/8745f3592ee4a7b49ede16ddd3f12a41ecaa23c9"
},
{
"url": "https://git.kernel.org/stable/c/d0a917fd5e3b3ed9d9306b4260ba684b982da9f3"
},
{
"url": "https://git.kernel.org/stable/c/9afea57384d4ae7b2034593eac7fa76c7122762a"
}
],
"title": "iommu/sprd: Release dma buffer to avoid memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53801",
"datePublished": "2025-12-09T00:00:57.388Z",
"dateReserved": "2025-12-08T23:58:35.275Z",
"dateUpdated": "2025-12-20T08:51:22.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53792 (GCVE-0-2023-53792)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
nvme-core: fix memory leak in dhchap_ctrl_secret
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-core: fix memory leak in dhchap_ctrl_secret
Free dhchap_secret in nvme_ctrl_dhchap_ctrl_secret_store() before we
return when nvme_auth_generate_key() returns error.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea , < 43d0724d756a13694f612a8a151f835ad6425b93 (git) |
| Linux | Linux | Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea , < 39b90fc75943406d2bd60fd1ea041aca2559cc5f (git) |
| Linux | Linux | Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea , < 6ec30a62789913b1bd0f0d44ea4d0d2d5608b1e8 (git) |
| Linux | Linux | Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea , < 99c2dcc8ffc24e210a3aa05c204d92f3ef460b05 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "43d0724d756a13694f612a8a151f835ad6425b93",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "39b90fc75943406d2bd60fd1ea041aca2559cc5f",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "6ec30a62789913b1bd0f0d44ea4d0d2d5608b1e8",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "99c2dcc8ffc24e210a3aa05c204d92f3ef460b05",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-core: fix memory leak in dhchap_ctrl_secret\n\nFree dhchap_secret in nvme_ctrl_dhchap_ctrl_secret_store() before we\nreturn when nvme_auth_generate_key() returns error."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:49.221Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/43d0724d756a13694f612a8a151f835ad6425b93"
},
{
"url": "https://git.kernel.org/stable/c/39b90fc75943406d2bd60fd1ea041aca2559cc5f"
},
{
"url": "https://git.kernel.org/stable/c/6ec30a62789913b1bd0f0d44ea4d0d2d5608b1e8"
},
{
"url": "https://git.kernel.org/stable/c/99c2dcc8ffc24e210a3aa05c204d92f3ef460b05"
}
],
"title": "nvme-core: fix memory leak in dhchap_ctrl_secret",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53792",
"datePublished": "2025-12-09T00:00:49.221Z",
"dateReserved": "2025-12-08T23:58:35.274Z",
"dateUpdated": "2025-12-09T00:00:49.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50672 (GCVE-0-2022-50672)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
mailbox: zynq-ipi: fix error handling while device_register() fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
mailbox: zynq-ipi: fix error handling while device_register() fails
If device_register() fails, it has two issues:
1. The name allocated by dev_set_name() is leaked.
2. The parent of the device is not NULL, device_unregister() is called
in zynqmp_ipi_free_mboxes(), and it will lead to a kernel crash because
of removing a device that was not added.
Call put_device() to give up the reference, so the name is freed in
kobject_cleanup(). Add device registered check in zynqmp_ipi_free_mboxes()
to avoid null-ptr-deref.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < b3a5c76f61e2b380e29dfc6705854ca1ee85501d (git) |
| Linux | Linux | Affected: 4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < a39b4de0804f9fe0ae911b359ffd4afe7d9d933b (git) |
| Linux | Linux | Affected: 4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < 4f05d8e2fb3ab702c2633a74571e1b31cb579985 (git) |
| Linux | Linux | Affected: 4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < f2d63cefc012cafe1b7651bbf3302f8bcd8bea4a (git) |
| Linux | Linux | Affected: 4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < 3fcf079958c00d83c51e4f250abf2c77fe9cc1b9 (git) |
| Linux | Linux | Affected: 4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < a6792a0cdef0b1c2d77920246283a72537e60e94 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mailbox/zynqmp-ipi-mailbox.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3a5c76f61e2b380e29dfc6705854ca1ee85501d",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
},
{
"lessThan": "a39b4de0804f9fe0ae911b359ffd4afe7d9d933b",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
},
{
"lessThan": "4f05d8e2fb3ab702c2633a74571e1b31cb579985",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
},
{
"lessThan": "f2d63cefc012cafe1b7651bbf3302f8bcd8bea4a",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
},
{
"lessThan": "3fcf079958c00d83c51e4f250abf2c77fe9cc1b9",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
},
{
"lessThan": "a6792a0cdef0b1c2d77920246283a72537e60e94",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mailbox/zynqmp-ipi-mailbox.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: zynq-ipi: fix error handling while device_register() fails\n\nIf device_register() fails, it has two issues:\n1. The name allocated by dev_set_name() is leaked.\n2. The parent of device is not NULL, device_unregister() is called\n in zynqmp_ipi_free_mboxes(), it will lead a kernel crash because\n of removing not added device.\n\nCall put_device() to give up the reference, so the name is freed in\nkobject_cleanup(). Add device registered check in zynqmp_ipi_free_mboxes()\nto avoid null-ptr-deref."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:24.072Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3a5c76f61e2b380e29dfc6705854ca1ee85501d"
},
{
"url": "https://git.kernel.org/stable/c/a39b4de0804f9fe0ae911b359ffd4afe7d9d933b"
},
{
"url": "https://git.kernel.org/stable/c/4f05d8e2fb3ab702c2633a74571e1b31cb579985"
},
{
"url": "https://git.kernel.org/stable/c/f2d63cefc012cafe1b7651bbf3302f8bcd8bea4a"
},
{
"url": "https://git.kernel.org/stable/c/3fcf079958c00d83c51e4f250abf2c77fe9cc1b9"
},
{
"url": "https://git.kernel.org/stable/c/a6792a0cdef0b1c2d77920246283a72537e60e94"
}
],
"title": "mailbox: zynq-ipi: fix error handling while device_register() fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50672",
"datePublished": "2025-12-09T01:29:24.072Z",
"dateReserved": "2025-12-09T01:26:45.991Z",
"dateUpdated": "2025-12-09T01:29:24.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53861 (GCVE-0-2023-53861)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
ext4: correct grp validation in ext4_mb_good_group
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: correct grp validation in ext4_mb_good_group
Group corruption check will access memory of grp and will trigger kernel
crash if grp is NULL. So do NULL check before corruption check.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 100c0ad6c04597fefeaaba2bb1827cc015d95067 , < 245759d987b617d183061db6ab8886ebb5cc78e9 (git) |
| Linux | Linux | Affected: 620a3c28221bb219b81bc0bffd065cc187494302 , < 3e24082f16825279054a2b8a5e668d65070bbf07 (git) |
| Linux | Linux | Affected: b4319e457d6e3fb33e443efeaf4634fc36e8a9ed , < 772ca4bc1d0d21320ef2ecc0f9e4f90ea85a035d (git) |
| Linux | Linux | Affected: 5354b2af34064a4579be8bc0e2f15a7b70f14b5f , < 83a9d5f5ec7e75640b1ba0bbd77a4888df798bb4 (git) |
| Linux | Linux | Affected: 5354b2af34064a4579be8bc0e2f15a7b70f14b5f , < e69d665987db0e37896adf78a7e718f9a0a75d3f (git) |
| Linux | Linux | Affected: 5354b2af34064a4579be8bc0e2f15a7b70f14b5f , < a9ce5993a0f5c0887c8a1b4ffa3b8046fbcfdc93 (git) |
| Linux | Linux | Affected: 31668cebf45adfb6283e465e641c4f5a21b07afa (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "245759d987b617d183061db6ab8886ebb5cc78e9",
"status": "affected",
"version": "100c0ad6c04597fefeaaba2bb1827cc015d95067",
"versionType": "git"
},
{
"lessThan": "3e24082f16825279054a2b8a5e668d65070bbf07",
"status": "affected",
"version": "620a3c28221bb219b81bc0bffd065cc187494302",
"versionType": "git"
},
{
"lessThan": "772ca4bc1d0d21320ef2ecc0f9e4f90ea85a035d",
"status": "affected",
"version": "b4319e457d6e3fb33e443efeaf4634fc36e8a9ed",
"versionType": "git"
},
{
"lessThan": "83a9d5f5ec7e75640b1ba0bbd77a4888df798bb4",
"status": "affected",
"version": "5354b2af34064a4579be8bc0e2f15a7b70f14b5f",
"versionType": "git"
},
{
"lessThan": "e69d665987db0e37896adf78a7e718f9a0a75d3f",
"status": "affected",
"version": "5354b2af34064a4579be8bc0e2f15a7b70f14b5f",
"versionType": "git"
},
{
"lessThan": "a9ce5993a0f5c0887c8a1b4ffa3b8046fbcfdc93",
"status": "affected",
"version": "5354b2af34064a4579be8bc0e2f15a7b70f14b5f",
"versionType": "git"
},
{
"status": "affected",
"version": "31668cebf45adfb6283e465e641c4f5a21b07afa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.10.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.15.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "6.1.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: correct grp validation in ext4_mb_good_group\n\nGroup corruption check will access memory of grp and will trigger kernel\ncrash if grp is NULL. So do NULL check before corruption check."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:29.423Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/245759d987b617d183061db6ab8886ebb5cc78e9"
},
{
"url": "https://git.kernel.org/stable/c/3e24082f16825279054a2b8a5e668d65070bbf07"
},
{
"url": "https://git.kernel.org/stable/c/772ca4bc1d0d21320ef2ecc0f9e4f90ea85a035d"
},
{
"url": "https://git.kernel.org/stable/c/83a9d5f5ec7e75640b1ba0bbd77a4888df798bb4"
},
{
"url": "https://git.kernel.org/stable/c/e69d665987db0e37896adf78a7e718f9a0a75d3f"
},
{
"url": "https://git.kernel.org/stable/c/a9ce5993a0f5c0887c8a1b4ffa3b8046fbcfdc93"
}
],
"title": "ext4: correct grp validation in ext4_mb_good_group",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53861",
"datePublished": "2025-12-09T01:30:29.423Z",
"dateReserved": "2025-12-09T01:27:17.829Z",
"dateUpdated": "2025-12-09T01:30:29.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50658 (GCVE-0-2022-50658)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
cpufreq: qcom: fix memory leak in error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: qcom: fix memory leak in error path
If for some reason the speedbin length is incorrect, then there is a
memory leak in the error path because we never free the speedbin buffer.
This commit fixes the error path to always free the speedbin buffer.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a8811ec764f95a04ba82f6f457e28c5e9e36e36b , < e55feb31df3fc78b880d6e9d4b5853f05c974833 (git) |
| Linux | Linux | Affected: a8811ec764f95a04ba82f6f457e28c5e9e36e36b , < b5606e3ab1f7cc00d89903f4a11fe57747bb3a68 (git) |
| Linux | Linux | Affected: a8811ec764f95a04ba82f6f457e28c5e9e36e36b , < b6ea267e0c6bdf5463358e2a2e5280cfa6cacc48 (git) |
| Linux | Linux | Affected: a8811ec764f95a04ba82f6f457e28c5e9e36e36b , < 9f42cf54403a42cb092636804d2628d8ecf71e75 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/qcom-cpufreq-nvmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e55feb31df3fc78b880d6e9d4b5853f05c974833",
"status": "affected",
"version": "a8811ec764f95a04ba82f6f457e28c5e9e36e36b",
"versionType": "git"
},
{
"lessThan": "b5606e3ab1f7cc00d89903f4a11fe57747bb3a68",
"status": "affected",
"version": "a8811ec764f95a04ba82f6f457e28c5e9e36e36b",
"versionType": "git"
},
{
"lessThan": "b6ea267e0c6bdf5463358e2a2e5280cfa6cacc48",
"status": "affected",
"version": "a8811ec764f95a04ba82f6f457e28c5e9e36e36b",
"versionType": "git"
},
{
"lessThan": "9f42cf54403a42cb092636804d2628d8ecf71e75",
"status": "affected",
"version": "a8811ec764f95a04ba82f6f457e28c5e9e36e36b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/qcom-cpufreq-nvmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.152",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.152",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: qcom: fix memory leak in error path\n\nIf for some reason the speedbin length is incorrect, then there is a\nmemory leak in the error path because we never free the speedbin buffer.\nThis commit fixes the error path to always free the speedbin buffer."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:06.106Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e55feb31df3fc78b880d6e9d4b5853f05c974833"
},
{
"url": "https://git.kernel.org/stable/c/b5606e3ab1f7cc00d89903f4a11fe57747bb3a68"
},
{
"url": "https://git.kernel.org/stable/c/b6ea267e0c6bdf5463358e2a2e5280cfa6cacc48"
},
{
"url": "https://git.kernel.org/stable/c/9f42cf54403a42cb092636804d2628d8ecf71e75"
}
],
"title": "cpufreq: qcom: fix memory leak in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50658",
"datePublished": "2025-12-09T01:29:06.106Z",
"dateReserved": "2025-12-09T01:26:45.989Z",
"dateUpdated": "2025-12-09T01:29:06.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53796 (GCVE-0-2023-53796)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
f2fs: fix information leak in f2fs_move_inline_dirents()
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix information leak in f2fs_move_inline_dirents()
When converting an inline directory to a regular one, f2fs is leaking
uninitialized memory to disk because it doesn't initialize the entire
directory block. Fix this by zero-initializing the block.
This bug was introduced by commit 4ec17d688d74 ("f2fs: avoid unneeded
initializing when converting inline dentry"), which didn't consider the
security implications of leaking uninitialized memory to disk.
This was found by running xfstest generic/435 on a KMSAN-enabled kernel.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4ec17d688d74b6b7cb10043c57ff4818cde2b0ca, < 4e3b4b170bd43db1d8a93a6bd0ea434b17cc86f7 (git) |
| Linux | Linux | Affected: 4ec17d688d74b6b7cb10043c57ff4818cde2b0ca, < a6807ef0f3b3d8508d3b07a2e35de8a91820a014 (git) |
| Linux | Linux | Affected: 4ec17d688d74b6b7cb10043c57ff4818cde2b0ca, < 2bef8314fcf94ddc27e22d03f237c0fafd00de33 (git) |
| Linux | Linux | Affected: 4ec17d688d74b6b7cb10043c57ff4818cde2b0ca, < 00b5587326625d0fddb2a5f5a3d4acd950102ace (git) |
| Linux | Linux | Affected: 4ec17d688d74b6b7cb10043c57ff4818cde2b0ca, < 117d4f6687b1f74423b5d398ea95c63b262a8e73 (git) |
| Linux | Linux | Affected: 4ec17d688d74b6b7cb10043c57ff4818cde2b0ca, < f07a8d61b6ea81bb3cbe0638af40f8824d6147fd (git) |
| Linux | Linux | Affected: 4ec17d688d74b6b7cb10043c57ff4818cde2b0ca, < eebaecef0095bb8f493c03982da75c6e7bae1056 (git) |
| Linux | Linux | Affected: 4ec17d688d74b6b7cb10043c57ff4818cde2b0ca, < 9a5571cff4ffcfc24847df9fd545cc5799ac0ee5 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e3b4b170bd43db1d8a93a6bd0ea434b17cc86f7",
"status": "affected",
"version": "4ec17d688d74b6b7cb10043c57ff4818cde2b0ca",
"versionType": "git"
},
{
"lessThan": "a6807ef0f3b3d8508d3b07a2e35de8a91820a014",
"status": "affected",
"version": "4ec17d688d74b6b7cb10043c57ff4818cde2b0ca",
"versionType": "git"
},
{
"lessThan": "2bef8314fcf94ddc27e22d03f237c0fafd00de33",
"status": "affected",
"version": "4ec17d688d74b6b7cb10043c57ff4818cde2b0ca",
"versionType": "git"
},
{
"lessThan": "00b5587326625d0fddb2a5f5a3d4acd950102ace",
"status": "affected",
"version": "4ec17d688d74b6b7cb10043c57ff4818cde2b0ca",
"versionType": "git"
},
{
"lessThan": "117d4f6687b1f74423b5d398ea95c63b262a8e73",
"status": "affected",
"version": "4ec17d688d74b6b7cb10043c57ff4818cde2b0ca",
"versionType": "git"
},
{
"lessThan": "f07a8d61b6ea81bb3cbe0638af40f8824d6147fd",
"status": "affected",
"version": "4ec17d688d74b6b7cb10043c57ff4818cde2b0ca",
"versionType": "git"
},
{
"lessThan": "eebaecef0095bb8f493c03982da75c6e7bae1056",
"status": "affected",
"version": "4ec17d688d74b6b7cb10043c57ff4818cde2b0ca",
"versionType": "git"
},
{
"lessThan": "9a5571cff4ffcfc24847df9fd545cc5799ac0ee5",
"status": "affected",
"version": "4ec17d688d74b6b7cb10043c57ff4818cde2b0ca",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix information leak in f2fs_move_inline_dirents()\n\nWhen converting an inline directory to a regular one, f2fs is leaking\nuninitialized memory to disk because it doesn\u0027t initialize the entire\ndirectory block. Fix this by zero-initializing the block.\n\nThis bug was introduced by commit 4ec17d688d74 (\"f2fs: avoid unneeded\ninitializing when converting inline dentry\"), which didn\u0027t consider the\nsecurity implications of leaking uninitialized memory to disk.\n\nThis was found by running xfstest generic/435 on a KMSAN-enabled kernel."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:52.919Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e3b4b170bd43db1d8a93a6bd0ea434b17cc86f7"
},
{
"url": "https://git.kernel.org/stable/c/a6807ef0f3b3d8508d3b07a2e35de8a91820a014"
},
{
"url": "https://git.kernel.org/stable/c/2bef8314fcf94ddc27e22d03f237c0fafd00de33"
},
{
"url": "https://git.kernel.org/stable/c/00b5587326625d0fddb2a5f5a3d4acd950102ace"
},
{
"url": "https://git.kernel.org/stable/c/117d4f6687b1f74423b5d398ea95c63b262a8e73"
},
{
"url": "https://git.kernel.org/stable/c/f07a8d61b6ea81bb3cbe0638af40f8824d6147fd"
},
{
"url": "https://git.kernel.org/stable/c/eebaecef0095bb8f493c03982da75c6e7bae1056"
},
{
"url": "https://git.kernel.org/stable/c/9a5571cff4ffcfc24847df9fd545cc5799ac0ee5"
}
],
"title": "f2fs: fix information leak in f2fs_move_inline_dirents()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53796",
"datePublished": "2025-12-09T00:00:52.919Z",
"dateReserved": "2025-12-08T23:58:35.275Z",
"dateUpdated": "2025-12-09T00:00:52.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50638 (GCVE-0-2022-50638)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-23 13:30
Title
ext4: fix bug_on in __es_tree_search caused by bad boot loader inode
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix bug_on in __es_tree_search caused by bad boot loader inode
We got an issue as follows:
==================================================================
kernel BUG at fs/ext4/extents_status.c:203!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 945 Comm: cat Not tainted 6.0.0-next-20221007-dirty #349
RIP: 0010:ext4_es_end.isra.0+0x34/0x42
RSP: 0018:ffffc9000143b768 EFLAGS: 00010203
RAX: 0000000000000000 RBX: ffff8881769cd0b8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8fc27cf7 RDI: 00000000ffffffff
RBP: ffff8881769cd0bc R08: 0000000000000000 R09: ffffc9000143b5f8
R10: 0000000000000001 R11: 0000000000000001 R12: ffff8881769cd0a0
R13: ffff8881768e5668 R14: 00000000768e52f0 R15: 0000000000000000
FS: 00007f359f7f05c0(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f359f5a2000 CR3: 000000017130c000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__es_tree_search.isra.0+0x6d/0xf5
ext4_es_cache_extent+0xfa/0x230
ext4_cache_extents+0xd2/0x110
ext4_find_extent+0x5d5/0x8c0
ext4_ext_map_blocks+0x9c/0x1d30
ext4_map_blocks+0x431/0xa50
ext4_mpage_readpages+0x48e/0xe40
ext4_readahead+0x47/0x50
read_pages+0x82/0x530
page_cache_ra_unbounded+0x199/0x2a0
do_page_cache_ra+0x47/0x70
page_cache_ra_order+0x242/0x400
ondemand_readahead+0x1e8/0x4b0
page_cache_sync_ra+0xf4/0x110
filemap_get_pages+0x131/0xb20
filemap_read+0xda/0x4b0
generic_file_read_iter+0x13a/0x250
ext4_file_read_iter+0x59/0x1d0
vfs_read+0x28f/0x460
ksys_read+0x73/0x160
__x64_sys_read+0x1e/0x30
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
==================================================================
In the above issue, ioctl invokes the swap_inode_boot_loader function to
swap inode<5> and inode<12>. However, inode<5> contains an incorrect imode and
disordered extents, and i_nlink is set to 1. The extents check for inode in
the ext4_iget function can be bypassed because 5 is EXT4_BOOT_LOADER_INO.
While links_count is set to 1, the extents are not initialized in
swap_inode_boot_loader. After the ioctl command is executed successfully,
the extents are swapped to inode<12>. In this case, run the `cat` command
to view inode<12>, and BUG_ON is triggered due to the incorrect extents.
When the boot loader inode is not initialized, its imode can be one of the
following:
1) the imode is a bad type, which is marked as bad_inode in ext4_iget and
set to S_IFREG.
2) the imode is good type but not S_IFREG.
3) the imode is S_IFREG.
The BUG_ON may be triggered by bypassing the check in cases 1 and 2.
Therefore, when the boot loader inode is bad_inode or its imode is not
S_IFREG, initialize the inode to avoid triggering the BUG.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5, < e76ede9d2c9e0af4573342b56d7cdbf757c18084 (git) |
| Linux | Linux | Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5, < a95ba369255ddcdc5e43d38bc5203537bdf3a518 (git) |
| Linux | Linux | Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5, < 5f8d36abd2059bf1bd016b17d1fe78d8613deddd (git) |
| Linux | Linux | Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5, < 78e335fb573e6a85718c4c24d5a052718a99a9ed (git) |
| Linux | Linux | Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5, < 71e99ec1315fe98d322b17b9a28f204aaf15ffee (git) |
| Linux | Linux | Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5, < d480a49c15c465cb9a16db1379f4996e9b5bb9cc (git) |
| Linux | Linux | Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5, < feec0ea94c5ef4aa118750284c8a921698733ef2 (git) |
| Linux | Linux | Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5, < a125c8806b7d3c3815b6f9f59d395b9d7527b0ef (git) |
| Linux | Linux | Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5, < 991ed014de0840c5dc405b679168924afb2952ac (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e76ede9d2c9e0af4573342b56d7cdbf757c18084",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "a95ba369255ddcdc5e43d38bc5203537bdf3a518",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "5f8d36abd2059bf1bd016b17d1fe78d8613deddd",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "78e335fb573e6a85718c4c24d5a052718a99a9ed",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "71e99ec1315fe98d322b17b9a28f204aaf15ffee",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "d480a49c15c465cb9a16db1379f4996e9b5bb9cc",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "feec0ea94c5ef4aa118750284c8a921698733ef2",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "a125c8806b7d3c3815b6f9f59d395b9d7527b0ef",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "991ed014de0840c5dc405b679168924afb2952ac",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on in __es_tree_search caused by bad boot loader inode\n\nWe got a issue as fllows:\n==================================================================\n kernel BUG at fs/ext4/extents_status.c:203!\n invalid opcode: 0000 [#1] PREEMPT SMP\n CPU: 1 PID: 945 Comm: cat Not tainted 6.0.0-next-20221007-dirty #349\n RIP: 0010:ext4_es_end.isra.0+0x34/0x42\n RSP: 0018:ffffc9000143b768 EFLAGS: 00010203\n RAX: 0000000000000000 RBX: ffff8881769cd0b8 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: ffffffff8fc27cf7 RDI: 00000000ffffffff\n RBP: ffff8881769cd0bc R08: 0000000000000000 R09: ffffc9000143b5f8\n R10: 0000000000000001 R11: 0000000000000001 R12: ffff8881769cd0a0\n R13: ffff8881768e5668 R14: 00000000768e52f0 R15: 0000000000000000\n FS: 00007f359f7f05c0(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f359f5a2000 CR3: 000000017130c000 CR4: 00000000000006e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n __es_tree_search.isra.0+0x6d/0xf5\n ext4_es_cache_extent+0xfa/0x230\n ext4_cache_extents+0xd2/0x110\n ext4_find_extent+0x5d5/0x8c0\n ext4_ext_map_blocks+0x9c/0x1d30\n ext4_map_blocks+0x431/0xa50\n ext4_mpage_readpages+0x48e/0xe40\n ext4_readahead+0x47/0x50\n read_pages+0x82/0x530\n page_cache_ra_unbounded+0x199/0x2a0\n do_page_cache_ra+0x47/0x70\n page_cache_ra_order+0x242/0x400\n ondemand_readahead+0x1e8/0x4b0\n page_cache_sync_ra+0xf4/0x110\n filemap_get_pages+0x131/0xb20\n filemap_read+0xda/0x4b0\n generic_file_read_iter+0x13a/0x250\n ext4_file_read_iter+0x59/0x1d0\n vfs_read+0x28f/0x460\n ksys_read+0x73/0x160\n __x64_sys_read+0x1e/0x30\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n 
\u003c/TASK\u003e\n==================================================================\n\nIn the above issue, ioctl invokes the swap_inode_boot_loader function to\nswap inode\u003c5\u003e and inode\u003c12\u003e. However, inode\u003c5\u003e contain incorrect imode and\ndisordered extents, and i_nlink is set to 1. The extents check for inode in\nthe ext4_iget function can be bypassed bacause 5 is EXT4_BOOT_LOADER_INO.\nWhile links_count is set to 1, the extents are not initialized in\nswap_inode_boot_loader. After the ioctl command is executed successfully,\nthe extents are swapped to inode\u003c12\u003e, in this case, run the `cat` command\nto view inode\u003c12\u003e. And Bug_ON is triggered due to the incorrect extents.\n\nWhen the boot loader inode is not initialized, its imode can be one of the\nfollowing:\n1) the imode is a bad type, which is marked as bad_inode in ext4_iget and\n set to S_IFREG.\n2) the imode is good type but not S_IFREG.\n3) the imode is S_IFREG.\n\nThe BUG_ON may be triggered by bypassing the check in cases 1 and 2.\nTherefore, when the boot loader inode is bad_inode or its imode is not\nS_IFREG, initialize the inode to avoid triggering the BUG."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:30:24.717Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e76ede9d2c9e0af4573342b56d7cdbf757c18084"
},
{
"url": "https://git.kernel.org/stable/c/a95ba369255ddcdc5e43d38bc5203537bdf3a518"
},
{
"url": "https://git.kernel.org/stable/c/5f8d36abd2059bf1bd016b17d1fe78d8613deddd"
},
{
"url": "https://git.kernel.org/stable/c/78e335fb573e6a85718c4c24d5a052718a99a9ed"
},
{
"url": "https://git.kernel.org/stable/c/71e99ec1315fe98d322b17b9a28f204aaf15ffee"
},
{
"url": "https://git.kernel.org/stable/c/d480a49c15c465cb9a16db1379f4996e9b5bb9cc"
},
{
"url": "https://git.kernel.org/stable/c/feec0ea94c5ef4aa118750284c8a921698733ef2"
},
{
"url": "https://git.kernel.org/stable/c/a125c8806b7d3c3815b6f9f59d395b9d7527b0ef"
},
{
"url": "https://git.kernel.org/stable/c/991ed014de0840c5dc405b679168924afb2952ac"
}
],
"title": "ext4: fix bug_on in __es_tree_search caused by bad boot loader inode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50638",
"datePublished": "2025-12-09T00:00:11.665Z",
"dateReserved": "2025-12-08T23:57:43.370Z",
"dateUpdated": "2025-12-23T13:30:24.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40340 (GCVE-0-2025-40340)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-20 08:52
Title
drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.
I saw an oops in xe_gem_fault when running the xe-fast-feedback
testlist against the realtime kernel without debug options enabled.
The panic happens after core_hotunplug unbind-rebind finishes.
Presumably what happens is that a process mmaps, unlocks because
of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left,
causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since
there was nothing left to populate, and then oopses in
"mem_type_is_vram(tbo->resource->mem_type)" because tbo->resource
is NULL.
It's convoluted, but fits the data and explains the oops after
the test exits.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: dd08ebf6c3525a7ea2186e636df064ea47281987, < 99428bd6123d5676209dfb1d7a8f176cc830b665 (git) |
| Linux | Linux | Affected: dd08ebf6c3525a7ea2186e636df064ea47281987, < 29a3064f9c5a908aaf0b39cd6ed30374db11840d (git) |
| Linux | Linux | Affected: dd08ebf6c3525a7ea2186e636df064ea47281987, < 1cda3c755bb7770be07d75949bb0f45fb88651f6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_bo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99428bd6123d5676209dfb1d7a8f176cc830b665",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
},
{
"lessThan": "29a3064f9c5a908aaf0b39cd6ed30374db11840d",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
},
{
"lessThan": "1cda3c755bb7770be07d75949bb0f45fb88651f6",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_bo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.\n\nI saw an oops in xe_gem_fault when running the xe-fast-feedback\ntestlist against the realtime kernel without debug options enabled.\n\nThe panic happens after core_hotunplug unbind-rebind finishes.\nPresumably what happens is that a process mmaps, unlocks because\nof the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left,\ncausing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since\nthere was nothing left to populate, and then oopses in\n\"mem_type_is_vram(tbo-\u003eresource-\u003emem_type)\" because tbo-\u003eresource\nis NULL.\n\nIt\u0027s convoluted, but fits the data and explains the oops after\nthe test exits."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:11.372Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99428bd6123d5676209dfb1d7a8f176cc830b665"
},
{
"url": "https://git.kernel.org/stable/c/29a3064f9c5a908aaf0b39cd6ed30374db11840d"
},
{
"url": "https://git.kernel.org/stable/c/1cda3c755bb7770be07d75949bb0f45fb88651f6"
}
],
"title": "drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40340",
"datePublished": "2025-12-09T04:09:57.059Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-20T08:52:11.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40327 (GCVE-0-2025-40327)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-09 04:09
Title
perf/core: Fix system hang caused by cpu-clock usage
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/core: Fix system hang caused by cpu-clock usage
cpu-clock usage by the async-profiler tool can trigger a system hang,
which got bisected back to the following commit by Octavia Togami:
18dbcbfabfff ("perf: Fix the POLL_HUP delivery breakage") causes this issue
The root cause of the hang is that cpu-clock is a special type of SW
event which relies on hrtimers. The __perf_event_overflow() callback
is invoked from the hrtimer handler for cpu-clock events, and
__perf_event_overflow() tries to call cpu_clock_event_stop()
to stop the event, which calls htimer_cancel() to cancel the hrtimer.
But that's a recursion into the hrtimer code from a hrtimer handler,
which (unsurprisingly) deadlocks.
To fix this bug, use hrtimer_try_to_cancel() instead, and set
the PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer()
to stop the event once it sees the PERF_HES_STOPPED flag.
[ mingo: Fixed the comments and improved the changelog. ]
Severity ?
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6b8c512811644cf2f5eaf6f44e928683c54127f0",
"status": "affected",
"version": "18dbcbfabfffc4a5d3ea10290c5ad27f22b0d240",
"versionType": "git"
},
{
"lessThan": "eb3182ef0405ff2f6668fd3e5ff9883f60ce8801",
"status": "affected",
"version": "18dbcbfabfffc4a5d3ea10290c5ad27f22b0d240",
"versionType": "git"
},
{
"status": "affected",
"version": "b2de0c9ce8e542b5cb4cd3944620d9dd1ea1f0ac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix system hang caused by cpu-clock usage\n\ncpu-clock usage by the async-profiler tool can trigger a system hang,\nwhich got bisected back to the following commit by Octavia Togami:\n\n 18dbcbfabfff (\"perf: Fix the POLL_HUP delivery breakage\") causes this issue\n\nThe root cause of the hang is that cpu-clock is a special type of SW\nevent which relies on hrtimers. The __perf_event_overflow() callback\nis invoked from the hrtimer handler for cpu-clock events, and\n__perf_event_overflow() tries to call cpu_clock_event_stop()\nto stop the event, which calls htimer_cancel() to cancel the hrtimer.\n\nBut that\u0027s a recursion into the hrtimer code from a hrtimer handler,\nwhich (unsurprisingly) deadlocks.\n\nTo fix this bug, use hrtimer_try_to_cancel() instead, and set\nthe PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer()\nto stop the event once it sees the PERF_HES_STOPPED flag.\n\n[ mingo: Fixed the comments and improved the changelog. ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T04:09:43.522Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6b8c512811644cf2f5eaf6f44e928683c54127f0"
},
{
"url": "https://git.kernel.org/stable/c/eb3182ef0405ff2f6668fd3e5ff9883f60ce8801"
}
],
"title": "perf/core: Fix system hang caused by cpu-clock usage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40327",
"datePublished": "2025-12-09T04:09:43.522Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-09T04:09:43.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50643 (GCVE-0-2022-50643)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
cifs: Fix xid leak in cifs_copy_file_range()
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix xid leak in cifs_copy_file_range()
If the file is used by swap, before return -EOPNOTSUPP, should
free the xid, otherwise, the xid will be leaked.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4e8aea30f7751ce7c4b158aa0c04e7744d281cc3 , < bf49d4fe4ab7b8d812927a2c7b514864d5fc1bb2 (git) |
| Linux | Linux | Affected: 4e8aea30f7751ce7c4b158aa0c04e7744d281cc3 , < 27cfd3afaab000a455194338db3b7f2031fde9d0 (git) |
| Linux | Linux | Affected: 4e8aea30f7751ce7c4b158aa0c04e7744d281cc3 , < dc283313d1ca378d787cb55c1e580dc3de852680 (git) |
| Linux | Linux | Affected: 4e8aea30f7751ce7c4b158aa0c04e7744d281cc3 , < 9a97df404a402fe1174d2d1119f87ff2a0ca2fe9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifsfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bf49d4fe4ab7b8d812927a2c7b514864d5fc1bb2",
"status": "affected",
"version": "4e8aea30f7751ce7c4b158aa0c04e7744d281cc3",
"versionType": "git"
},
{
"lessThan": "27cfd3afaab000a455194338db3b7f2031fde9d0",
"status": "affected",
"version": "4e8aea30f7751ce7c4b158aa0c04e7744d281cc3",
"versionType": "git"
},
{
"lessThan": "dc283313d1ca378d787cb55c1e580dc3de852680",
"status": "affected",
"version": "4e8aea30f7751ce7c4b158aa0c04e7744d281cc3",
"versionType": "git"
},
{
"lessThan": "9a97df404a402fe1174d2d1119f87ff2a0ca2fe9",
"status": "affected",
"version": "4e8aea30f7751ce7c4b158aa0c04e7744d281cc3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifsfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.152",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.152",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix xid leak in cifs_copy_file_range()\n\nIf the file is used by swap, before return -EOPNOTSUPP, should\nfree the xid, otherwise, the xid will be leaked."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:17.684Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bf49d4fe4ab7b8d812927a2c7b514864d5fc1bb2"
},
{
"url": "https://git.kernel.org/stable/c/27cfd3afaab000a455194338db3b7f2031fde9d0"
},
{
"url": "https://git.kernel.org/stable/c/dc283313d1ca378d787cb55c1e580dc3de852680"
},
{
"url": "https://git.kernel.org/stable/c/9a97df404a402fe1174d2d1119f87ff2a0ca2fe9"
}
],
"title": "cifs: Fix xid leak in cifs_copy_file_range()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50643",
"datePublished": "2025-12-09T00:00:17.684Z",
"dateReserved": "2025-12-08T23:57:43.370Z",
"dateUpdated": "2025-12-09T00:00:17.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50642 (GCVE-0-2022-50642)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
platform/chrome: cros_ec_typec: zero out stale pointers
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/chrome: cros_ec_typec: zero out stale pointers
`cros_typec_get_switch_handles` allocates four pointers when obtaining
type-c switch handles. These pointers are all freed if failing to obtain
any of them; therefore, pointers in `port` become stale. The stale
pointers eventually cause use-after-free or double free in later code
paths. Zeroing out all pointer fields after freeing to eliminate these
stale pointers.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f28adb41dab4a2795fd959750df57adffd2bb0be , < 0ceadb5a3e45f1b81cf54bd496b40a5e50b6bd40 (git) |
| Linux | Linux | Affected: f28adb41dab4a2795fd959750df57adffd2bb0be , < b610758bb3e0674644c1255cdafc2f46b7e05ff9 (git) |
| Linux | Linux | Affected: f28adb41dab4a2795fd959750df57adffd2bb0be , < 6613f36a2fa5c69e528bccba8b3d831f759dad2f (git) |
| Linux | Linux | Affected: f28adb41dab4a2795fd959750df57adffd2bb0be , < 9a8aadcf0b459c1257b9477fd6402e1d5952ae07 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/chrome/cros_ec_typec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0ceadb5a3e45f1b81cf54bd496b40a5e50b6bd40",
"status": "affected",
"version": "f28adb41dab4a2795fd959750df57adffd2bb0be",
"versionType": "git"
},
{
"lessThan": "b610758bb3e0674644c1255cdafc2f46b7e05ff9",
"status": "affected",
"version": "f28adb41dab4a2795fd959750df57adffd2bb0be",
"versionType": "git"
},
{
"lessThan": "6613f36a2fa5c69e528bccba8b3d831f759dad2f",
"status": "affected",
"version": "f28adb41dab4a2795fd959750df57adffd2bb0be",
"versionType": "git"
},
{
"lessThan": "9a8aadcf0b459c1257b9477fd6402e1d5952ae07",
"status": "affected",
"version": "f28adb41dab4a2795fd959750df57adffd2bb0be",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/chrome/cros_ec_typec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/chrome: cros_ec_typec: zero out stale pointers\n\n`cros_typec_get_switch_handles` allocates four pointers when obtaining\ntype-c switch handles. These pointers are all freed if failing to obtain\nany of them; therefore, pointers in `port` become stale. The stale\npointers eventually cause use-after-free or double free in later code\npaths. Zeroing out all pointer fields after freeing to eliminate these\nstale pointers."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:16.490Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0ceadb5a3e45f1b81cf54bd496b40a5e50b6bd40"
},
{
"url": "https://git.kernel.org/stable/c/b610758bb3e0674644c1255cdafc2f46b7e05ff9"
},
{
"url": "https://git.kernel.org/stable/c/6613f36a2fa5c69e528bccba8b3d831f759dad2f"
},
{
"url": "https://git.kernel.org/stable/c/9a8aadcf0b459c1257b9477fd6402e1d5952ae07"
}
],
"title": "platform/chrome: cros_ec_typec: zero out stale pointers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50642",
"datePublished": "2025-12-09T00:00:16.490Z",
"dateReserved": "2025-12-08T23:57:43.370Z",
"dateUpdated": "2025-12-09T00:00:16.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53866 (GCVE-0-2023-53866)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2026-01-05 10:33
Title
ASoC: soc-compress: Reposition and add pcm_mutex
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: soc-compress: Reposition and add pcm_mutex
If panic_on_warn is set and compress stream(DPCM) is started,
then kernel panic occurred because card->pcm_mutex isn't held appropriately.
In the following functions, warnings were issued at this line
"snd_soc_dpcm_mutex_assert_held".

static int dpcm_be_connect(struct snd_soc_pcm_runtime *fe,
		struct snd_soc_pcm_runtime *be, int stream)
{
	...
	snd_soc_dpcm_mutex_assert_held(fe);
	...
}

void dpcm_be_disconnect(struct snd_soc_pcm_runtime *fe, int stream)
{
	...
	snd_soc_dpcm_mutex_assert_held(fe);
	...
}

void snd_soc_runtime_action(struct snd_soc_pcm_runtime *rtd,
			    int stream, int action)
{
	...
	snd_soc_dpcm_mutex_assert_held(rtd);
	...
}

int dpcm_dapm_stream_event(struct snd_soc_pcm_runtime *fe, int dir,
	int event)
{
	...
	snd_soc_dpcm_mutex_assert_held(fe);
	...
}

These functions are called by soc_compr_set_params_fe, soc_compr_open_fe
and soc_compr_free_fe
without pcm_mutex locking. And this is call stack.
[ 414.527841][ T2179] pc : dpcm_process_paths+0x5a4/0x750
[ 414.527848][ T2179] lr : dpcm_process_paths+0x37c/0x750
[ 414.527945][ T2179] Call trace:
[ 414.527949][ T2179] dpcm_process_paths+0x5a4/0x750
[ 414.527955][ T2179] soc_compr_open_fe+0xb0/0x2cc
[ 414.527972][ T2179] snd_compr_open+0x180/0x248
[ 414.527981][ T2179] snd_open+0x15c/0x194
[ 414.528003][ T2179] chrdev_open+0x1b0/0x220
[ 414.528023][ T2179] do_dentry_open+0x30c/0x594
[ 414.528045][ T2179] vfs_open+0x34/0x44
[ 414.528053][ T2179] path_openat+0x914/0xb08
[ 414.528062][ T2179] do_filp_open+0xc0/0x170
[ 414.528068][ T2179] do_sys_openat2+0x94/0x18c
[ 414.528076][ T2179] __arm64_sys_openat+0x78/0xa4
[ 414.528084][ T2179] invoke_syscall+0x48/0x10c
[ 414.528094][ T2179] el0_svc_common+0xbc/0x104
[ 414.528099][ T2179] do_el0_svc+0x34/0xd8
[ 414.528103][ T2179] el0_svc+0x34/0xc4
[ 414.528125][ T2179] el0t_64_sync_handler+0x8c/0xfc
[ 414.528133][ T2179] el0t_64_sync+0x1a0/0x1a4
[ 414.528142][ T2179] Kernel panic - not syncing: panic_on_warn set ...
So, I reposition and add pcm_mutex to resolve lockdep error.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b7898396f4bbe160f546d0c5e9fa17cca9a7d153 , < 9a9942cbdb7c3f41452f7bc4a9ff9f0b45eb3651 (git) |
| Linux | Linux | Affected: b7898396f4bbe160f546d0c5e9fa17cca9a7d153 , < 37a3eb6054d17676ce2a0bb5dd1fbf7733ecfa7d (git) |
| Linux | Linux | Affected: b7898396f4bbe160f546d0c5e9fa17cca9a7d153 , < aa9ff6a4955fdba02b54fbc4386db876603703b7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/soc-compress.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a9942cbdb7c3f41452f7bc4a9ff9f0b45eb3651",
"status": "affected",
"version": "b7898396f4bbe160f546d0c5e9fa17cca9a7d153",
"versionType": "git"
},
{
"lessThan": "37a3eb6054d17676ce2a0bb5dd1fbf7733ecfa7d",
"status": "affected",
"version": "b7898396f4bbe160f546d0c5e9fa17cca9a7d153",
"versionType": "git"
},
{
"lessThan": "aa9ff6a4955fdba02b54fbc4386db876603703b7",
"status": "affected",
"version": "b7898396f4bbe160f546d0c5e9fa17cca9a7d153",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/soc-compress.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: soc-compress: Reposition and add pcm_mutex\n\nIf panic_on_warn is set and compress stream(DPCM) is started,\nthen kernel panic occurred because card-\u003epcm_mutex isn\u0027t held appropriately.\nIn the following functions, warning were issued at this line\n\"snd_soc_dpcm_mutex_assert_held\".\n\nstatic int dpcm_be_connect(struct snd_soc_pcm_runtime *fe,\n\t\tstruct snd_soc_pcm_runtime *be, int stream)\n{\n\t...\n\tsnd_soc_dpcm_mutex_assert_held(fe);\n\t...\n}\n\nvoid dpcm_be_disconnect(struct snd_soc_pcm_runtime *fe, int stream)\n{\n\t...\n\tsnd_soc_dpcm_mutex_assert_held(fe);\n\t...\n}\n\nvoid snd_soc_runtime_action(struct snd_soc_pcm_runtime *rtd,\n\t\t\t int stream, int action)\n{\n\t...\n\tsnd_soc_dpcm_mutex_assert_held(rtd);\n\t...\n}\n\nint dpcm_dapm_stream_event(struct snd_soc_pcm_runtime *fe, int dir,\n\tint event)\n{\n\t...\n\tsnd_soc_dpcm_mutex_assert_held(fe);\n\t...\n}\n\nThese functions are called by soc_compr_set_params_fe, soc_compr_open_fe\nand soc_compr_free_fe\nwithout pcm_mutex locking. 
And this is call stack.\n\n[ 414.527841][ T2179] pc : dpcm_process_paths+0x5a4/0x750\n[ 414.527848][ T2179] lr : dpcm_process_paths+0x37c/0x750\n[ 414.527945][ T2179] Call trace:\n[ 414.527949][ T2179] dpcm_process_paths+0x5a4/0x750\n[ 414.527955][ T2179] soc_compr_open_fe+0xb0/0x2cc\n[ 414.527972][ T2179] snd_compr_open+0x180/0x248\n[ 414.527981][ T2179] snd_open+0x15c/0x194\n[ 414.528003][ T2179] chrdev_open+0x1b0/0x220\n[ 414.528023][ T2179] do_dentry_open+0x30c/0x594\n[ 414.528045][ T2179] vfs_open+0x34/0x44\n[ 414.528053][ T2179] path_openat+0x914/0xb08\n[ 414.528062][ T2179] do_filp_open+0xc0/0x170\n[ 414.528068][ T2179] do_sys_openat2+0x94/0x18c\n[ 414.528076][ T2179] __arm64_sys_openat+0x78/0xa4\n[ 414.528084][ T2179] invoke_syscall+0x48/0x10c\n[ 414.528094][ T2179] el0_svc_common+0xbc/0x104\n[ 414.528099][ T2179] do_el0_svc+0x34/0xd8\n[ 414.528103][ T2179] el0_svc+0x34/0xc4\n[ 414.528125][ T2179] el0t_64_sync_handler+0x8c/0xfc\n[ 414.528133][ T2179] el0t_64_sync+0x1a0/0x1a4\n[ 414.528142][ T2179] Kernel panic - not syncing: panic_on_warn set ...\n\nSo, I reposition and add pcm_mutex to resolve lockdep error."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:13.160Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a9942cbdb7c3f41452f7bc4a9ff9f0b45eb3651"
},
{
"url": "https://git.kernel.org/stable/c/37a3eb6054d17676ce2a0bb5dd1fbf7733ecfa7d"
},
{
"url": "https://git.kernel.org/stable/c/aa9ff6a4955fdba02b54fbc4386db876603703b7"
}
],
"title": "ASoC: soc-compress: Reposition and add pcm_mutex",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53866",
"datePublished": "2025-12-09T01:30:35.817Z",
"dateReserved": "2025-12-09T01:27:17.829Z",
"dateUpdated": "2026-01-05T10:33:13.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50673 (GCVE-0-2022-50673)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-23 13:30
Title
ext4: fix use-after-free in ext4_orphan_cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix use-after-free in ext4_orphan_cleanup
I caught an issue as follows:
==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0
Read of size 8 at addr ffff88814b13f378 by task mount/710
CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370
Call Trace:
<TASK>
dump_stack_lvl+0x73/0x9f
print_report+0x25d/0x759
kasan_report+0xc0/0x120
__asan_load8+0x99/0x140
__list_add_valid+0x28/0x1a0
ext4_orphan_cleanup+0x564/0x9d0 [ext4]
__ext4_fill_super+0x48e2/0x5300 [ext4]
ext4_fill_super+0x19f/0x3a0 [ext4]
get_tree_bdev+0x27b/0x450
ext4_get_tree+0x19/0x30 [ext4]
vfs_get_tree+0x49/0x150
path_mount+0xaae/0x1350
do_mount+0xe2/0x110
__x64_sys_mount+0xf0/0x190
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
[...]
==================================================================
Above issue may happen as follows:
-------------------------------------
ext4_fill_super
  ext4_orphan_cleanup
   --- loop1: assume last_orphan is 12 ---
    list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan)
    ext4_truncate --> return 0
      ext4_inode_attach_jinode --> return -ENOMEM
    iput(inode) --> free inode<12>
   --- loop2: last_orphan is still 12 ---
    list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan);
    // use inode<12> and trigger UAF
To solve this issue, we need to propagate the return value of
ext4_inode_attach_jinode() appropriately.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2c98eb5ea249767bbc11cf4e70e91d5b0458ed13 , < 7f801a1593cb957f73659732836b2dafbdfc7709 (git) |
| Linux | Linux | Affected: 2c98eb5ea249767bbc11cf4e70e91d5b0458ed13 , < 026a4490b5381229a30f23d073b58e8e35ee6858 (git) |
| Linux | Linux | Affected: 2c98eb5ea249767bbc11cf4e70e91d5b0458ed13 , < 7223d5e75f26352354ea2c0ccf8b579821b52adf (git) |
| Linux | Linux | Affected: 2c98eb5ea249767bbc11cf4e70e91d5b0458ed13 , < cf0e0817b0f925b70d101d7014ea81b7094e1159 (git) |
| Linux | Linux | Affected: 2c98eb5ea249767bbc11cf4e70e91d5b0458ed13 , < c2bdbd4c69308835d1b6f6ba74feeccbfe113478 (git) |
| Linux | Linux | Affected: 2c98eb5ea249767bbc11cf4e70e91d5b0458ed13 , < 7908b8a541b1578cc61b4da7f19b604a931441da (git) |
| Linux | Linux | Affected: 2c98eb5ea249767bbc11cf4e70e91d5b0458ed13 , < a71248b1accb2b42e4980afef4fa4a27fa0e36f5 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f801a1593cb957f73659732836b2dafbdfc7709",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "026a4490b5381229a30f23d073b58e8e35ee6858",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "7223d5e75f26352354ea2c0ccf8b579821b52adf",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "cf0e0817b0f925b70d101d7014ea81b7094e1159",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "c2bdbd4c69308835d1b6f6ba74feeccbfe113478",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "7908b8a541b1578cc61b4da7f19b604a931441da",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "a71248b1accb2b42e4980afef4fa4a27fa0e36f5",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in ext4_orphan_cleanup\n\nI caught a issue as follows:\n==================================================================\n BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0\n Read of size 8 at addr ffff88814b13f378 by task mount/710\n\n CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x73/0x9f\n print_report+0x25d/0x759\n kasan_report+0xc0/0x120\n __asan_load8+0x99/0x140\n __list_add_valid+0x28/0x1a0\n ext4_orphan_cleanup+0x564/0x9d0 [ext4]\n __ext4_fill_super+0x48e2/0x5300 [ext4]\n ext4_fill_super+0x19f/0x3a0 [ext4]\n get_tree_bdev+0x27b/0x450\n ext4_get_tree+0x19/0x30 [ext4]\n vfs_get_tree+0x49/0x150\n path_mount+0xaae/0x1350\n do_mount+0xe2/0x110\n __x64_sys_mount+0xf0/0x190\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n \u003c/TASK\u003e\n [...]\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\n ext4_orphan_cleanup\n --- loop1: assume last_orphan is 12 ---\n list_add(\u0026EXT4_I(inode)-\u003ei_orphan, \u0026EXT4_SB(sb)-\u003es_orphan)\n ext4_truncate --\u003e return 0\n ext4_inode_attach_jinode --\u003e return -ENOMEM\n iput(inode) --\u003e free inode\u003c12\u003e\n --- loop2: last_orphan is still 12 ---\n list_add(\u0026EXT4_I(inode)-\u003ei_orphan, \u0026EXT4_SB(sb)-\u003es_orphan);\n // use inode\u003c12\u003e and trigger UAF\n\nTo solve this issue, we need to propagate the return value of\next4_inode_attach_jinode() appropriately."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:30:30.545Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f801a1593cb957f73659732836b2dafbdfc7709"
},
{
"url": "https://git.kernel.org/stable/c/026a4490b5381229a30f23d073b58e8e35ee6858"
},
{
"url": "https://git.kernel.org/stable/c/7223d5e75f26352354ea2c0ccf8b579821b52adf"
},
{
"url": "https://git.kernel.org/stable/c/cf0e0817b0f925b70d101d7014ea81b7094e1159"
},
{
"url": "https://git.kernel.org/stable/c/c2bdbd4c69308835d1b6f6ba74feeccbfe113478"
},
{
"url": "https://git.kernel.org/stable/c/7908b8a541b1578cc61b4da7f19b604a931441da"
},
{
"url": "https://git.kernel.org/stable/c/a71248b1accb2b42e4980afef4fa4a27fa0e36f5"
}
],
"title": "ext4: fix use-after-free in ext4_orphan_cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50673",
"datePublished": "2025-12-09T01:29:25.220Z",
"dateReserved": "2025-12-09T01:26:45.991Z",
"dateUpdated": "2025-12-23T13:30:30.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53836 (GCVE-0-2023-53836)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
bpf, sockmap: Fix skb refcnt race after locking changes
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix skb refcnt race after locking changes
There is a race where skb's from the sk_psock_backlog can be referenced
after userspace side has already skb_consumed() the sk_buff and its refcnt
dropped to zero causing use after free.
The flow is the following:
  while ((skb = skb_peek(&psock->ingress_skb))
    sk_psock_handle_Skb(psock, skb, ..., ingress)
      if (!ingress) ...
      sk_psock_skb_ingress
         sk_psock_skb_ingress_enqueue(skb)
            msg->skb = skb
            sk_psock_queue_msg(psock, msg)
    skb_dequeue(&psock->ingress_skb)
The sk_psock_queue_msg() puts the msg on the ingress_msg queue. This is
what the application reads when recvmsg() is called. An application can
read this anytime after the msg is placed on the queue. The recvmsg hook
will also read msg->skb and then after user space reads the msg will call
consume_skb(skb) on it effectively free'ing it.
But, the race is in above where backlog queue still has a reference to
the skb and calls skb_dequeue(). If the skb_dequeue happens after the
user reads and free's the skb we have a use after free.
The !ingress case does not suffer from this problem because it uses
sendmsg_*(sk, msg) which does not pass the sk_buff further down the
stack.
The following splat was observed with 'test_progs -t sockmap_listen':
[ 1022.710250][ T2556] general protection fault, ...
[...]
[ 1022.712830][ T2556] Workqueue: events sk_psock_backlog
[ 1022.713262][ T2556] RIP: 0010:skb_dequeue+0x4c/0x80
[ 1022.713653][ T2556] Code: ...
[...]
[ 1022.720699][ T2556] Call Trace:
[ 1022.720984][ T2556] <TASK>
[ 1022.721254][ T2556] ? die_addr+0x32/0x80^M
[ 1022.721589][ T2556] ? exc_general_protection+0x25a/0x4b0
[ 1022.722026][ T2556] ? asm_exc_general_protection+0x22/0x30
[ 1022.722489][ T2556] ? skb_dequeue+0x4c/0x80
[ 1022.722854][ T2556] sk_psock_backlog+0x27a/0x300
[ 1022.723243][ T2556] process_one_work+0x2a7/0x5b0
[ 1022.723633][ T2556] worker_thread+0x4f/0x3a0
[ 1022.723998][ T2556] ? __pfx_worker_thread+0x10/0x10
[ 1022.724386][ T2556] kthread+0xfd/0x130
[ 1022.724709][ T2556] ? __pfx_kthread+0x10/0x10
[ 1022.725066][ T2556] ret_from_fork+0x2d/0x50
[ 1022.725409][ T2556] ? __pfx_kthread+0x10/0x10
[ 1022.725799][ T2556] ret_from_fork_asm+0x1b/0x30
[ 1022.726201][ T2556] </TASK>
To fix we add an skb_get() before passing the skb to be enqueued in the
engress queue. This bumps the skb->users refcnt so that consume_skb()
and kfree_skb will not immediately free the sk_buff. With this we can
be sure the skb is still around when we do the dequeue. Then we just
need to decrement the refcnt or free the skb in the backlog case which
we do by calling kfree_skb() on the ingress case as well as the sendmsg
case.
Before locking change from fixes tag we had the sock locked so we
couldn't race with user and there was no issue here.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3 , < 65ad600b9bde68d2d28709943ab00b51ca8f0a1d (git) |
| Linux | Linux | Affected: 799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3 , < 923877254f002ae87d441382bb1096d9e773d56d (git) |
| Linux | Linux | Affected: 799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3 , < e6b5e47adb9166e732cdf7e6e034946e3f89f36d (git) |
| Linux | Linux | Affected: 799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3 , < a454d84ee20baf7bd7be90721b9821f73c7d23d9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skmsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "65ad600b9bde68d2d28709943ab00b51ca8f0a1d",
"status": "affected",
"version": "799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3",
"versionType": "git"
},
{
"lessThan": "923877254f002ae87d441382bb1096d9e773d56d",
"status": "affected",
"version": "799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3",
"versionType": "git"
},
{
"lessThan": "e6b5e47adb9166e732cdf7e6e034946e3f89f36d",
"status": "affected",
"version": "799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3",
"versionType": "git"
},
{
"lessThan": "a454d84ee20baf7bd7be90721b9821f73c7d23d9",
"status": "affected",
"version": "799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skmsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix skb refcnt race after locking changes\n\nThere is a race where skb\u0027s from the sk_psock_backlog can be referenced\nafter userspace side has already skb_consumed() the sk_buff and its refcnt\ndropped to zer0 causing use after free.\n\nThe flow is the following:\n\n while ((skb = skb_peek(\u0026psock-\u003eingress_skb))\n sk_psock_handle_Skb(psock, skb, ..., ingress)\n if (!ingress) ...\n sk_psock_skb_ingress\n sk_psock_skb_ingress_enqueue(skb)\n msg-\u003eskb = skb\n sk_psock_queue_msg(psock, msg)\n skb_dequeue(\u0026psock-\u003eingress_skb)\n\nThe sk_psock_queue_msg() puts the msg on the ingress_msg queue. This is\nwhat the application reads when recvmsg() is called. An application can\nread this anytime after the msg is placed on the queue. The recvmsg hook\nwill also read msg-\u003eskb and then after user space reads the msg will call\nconsume_skb(skb) on it effectively free\u0027ing it.\n\nBut, the race is in above where backlog queue still has a reference to\nthe skb and calls skb_dequeue(). If the skb_dequeue happens after the\nuser reads and free\u0027s the skb we have a use after free.\n\nThe !ingress case does not suffer from this problem because it uses\nsendmsg_*(sk, msg) which does not pass the sk_buff further down the\nstack.\n\nThe following splat was observed with \u0027test_progs -t sockmap_listen\u0027:\n\n [ 1022.710250][ T2556] general protection fault, ...\n [...]\n [ 1022.712830][ T2556] Workqueue: events sk_psock_backlog\n [ 1022.713262][ T2556] RIP: 0010:skb_dequeue+0x4c/0x80\n [ 1022.713653][ T2556] Code: ...\n [...]\n [ 1022.720699][ T2556] Call Trace:\n [ 1022.720984][ T2556] \u003cTASK\u003e\n [ 1022.721254][ T2556] ? die_addr+0x32/0x80^M\n [ 1022.721589][ T2556] ? exc_general_protection+0x25a/0x4b0\n [ 1022.722026][ T2556] ? asm_exc_general_protection+0x22/0x30\n [ 1022.722489][ T2556] ? 
skb_dequeue+0x4c/0x80\n [ 1022.722854][ T2556] sk_psock_backlog+0x27a/0x300\n [ 1022.723243][ T2556] process_one_work+0x2a7/0x5b0\n [ 1022.723633][ T2556] worker_thread+0x4f/0x3a0\n [ 1022.723998][ T2556] ? __pfx_worker_thread+0x10/0x10\n [ 1022.724386][ T2556] kthread+0xfd/0x130\n [ 1022.724709][ T2556] ? __pfx_kthread+0x10/0x10\n [ 1022.725066][ T2556] ret_from_fork+0x2d/0x50\n [ 1022.725409][ T2556] ? __pfx_kthread+0x10/0x10\n [ 1022.725799][ T2556] ret_from_fork_asm+0x1b/0x30\n [ 1022.726201][ T2556] \u003c/TASK\u003e\n\nTo fix we add an skb_get() before passing the skb to be enqueued in the\nengress queue. This bumps the skb-\u003eusers refcnt so that consume_skb()\nand kfree_skb will not immediately free the sk_buff. With this we can\nbe sure the skb is still around when we do the dequeue. Then we just\nneed to decrement the refcnt or free the skb in the backlog case which\nwe do by calling kfree_skb() on the ingress case as well as the sendmsg\ncase.\n\nBefore locking change from fixes tag we had the sock locked so we\ncouldn\u0027t race with user and there was no issue here."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:52.004Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/65ad600b9bde68d2d28709943ab00b51ca8f0a1d"
},
{
"url": "https://git.kernel.org/stable/c/923877254f002ae87d441382bb1096d9e773d56d"
},
{
"url": "https://git.kernel.org/stable/c/e6b5e47adb9166e732cdf7e6e034946e3f89f36d"
},
{
"url": "https://git.kernel.org/stable/c/a454d84ee20baf7bd7be90721b9821f73c7d23d9"
}
],
"title": "bpf, sockmap: Fix skb refcnt race after locking changes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53836",
"datePublished": "2025-12-09T01:29:52.004Z",
"dateReserved": "2025-12-09T01:27:17.826Z",
"dateUpdated": "2025-12-09T01:29:52.004Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53798 (GCVE-0-2023-53798)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
ethtool: Fix uninitialized number of lanes
Summary
In the Linux kernel, the following vulnerability has been resolved:
ethtool: Fix uninitialized number of lanes
It is not possible to set the number of lanes when setting link modes
using the legacy IOCTL ethtool interface. Since 'struct
ethtool_link_ksettings' is not initialized in this path, drivers receive
an uninitialized number of lanes in 'struct
ethtool_link_ksettings::lanes'.
When this information is later queried from drivers, it results in the
ethtool code making decisions based on uninitialized memory, leading to
the following KMSAN splat [1]. In practice, this most likely only
happens with the tun driver that simply returns whatever it got in the
set operation.
As far as I can tell, this uninitialized memory is not leaked to user
space thanks to the 'ethtool_ops->cap_link_lanes_supported' check in
linkmodes_prepare_data().
Fix by initializing the structure in the IOCTL path. Did not find any
more call sites that pass an uninitialized structure when calling
'ethtool_ops::set_link_ksettings()'.
[1]
BUG: KMSAN: uninit-value in ethnl_update_linkmodes net/ethtool/linkmodes.c:273 [inline]
BUG: KMSAN: uninit-value in ethnl_set_linkmodes+0x190b/0x19d0 net/ethtool/linkmodes.c:333
ethnl_update_linkmodes net/ethtool/linkmodes.c:273 [inline]
ethnl_set_linkmodes+0x190b/0x19d0 net/ethtool/linkmodes.c:333
ethnl_default_set_doit+0x88d/0xde0 net/ethtool/netlink.c:640
genl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
genl_rcv_msg+0x141a/0x14c0 net/netlink/genetlink.c:1065
netlink_rcv_skb+0x3f8/0x750 net/netlink/af_netlink.c:2577
genl_rcv+0x40/0x60 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0xf41/0x1270 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x127d/0x1430 net/netlink/af_netlink.c:1942
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
__sys_sendmsg net/socket.c:2584 [inline]
__do_sys_sendmsg net/socket.c:2593 [inline]
__se_sys_sendmsg net/socket.c:2591 [inline]
__x64_sys_sendmsg+0x36b/0x540 net/socket.c:2591
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Uninit was stored to memory at:
tun_get_link_ksettings+0x37/0x60 drivers/net/tun.c:3544
__ethtool_get_link_ksettings+0x17b/0x260 net/ethtool/ioctl.c:441
ethnl_set_linkmodes+0xee/0x19d0 net/ethtool/linkmodes.c:327
ethnl_default_set_doit+0x88d/0xde0 net/ethtool/netlink.c:640
genl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
genl_rcv_msg+0x141a/0x14c0 net/netlink/genetlink.c:1065
netlink_rcv_skb+0x3f8/0x750 net/netlink/af_netlink.c:2577
genl_rcv+0x40/0x60 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0xf41/0x1270 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x127d/0x1430 net/netlink/af_netlink.c:1942
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
__sys_sendmsg net/socket.c:2584 [inline]
__do_sys_sendmsg net/socket.c:2593 [inline]
__se_sys_sendmsg net/socket.c:2591 [inline]
__x64_sys_sendmsg+0x36b/0x540 net/socket.c:2591
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Uninit was stored to memory at:
tun_set_link_ksettings+0x37/0x60 drivers/net/tun.c:3553
ethtool_set_link_ksettings+0x600/0x690 net/ethtool/ioctl.c:609
__dev_ethtool net/ethtool/ioctl.c:3024 [inline]
dev_ethtool+0x1db9/0x2a70 net/ethtool/ioctl.c:3078
dev_ioctl+0xb07/0x1270 net/core/dev_ioctl.c:524
sock_do_ioctl+0x295/0x540 net/socket.c:1213
sock_i
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 012ce4dd3102a0f4d80167de343e9d44b257c1b8, < da81af0ef8092ecacd87fac3229c29e2e0ce39fd (git) |
| Linux | Linux | Affected: 012ce4dd3102a0f4d80167de343e9d44b257c1b8, < 942a2a0184f7bb1c1ae4bbc556559c86c054b0d2 (git) |
| Linux | Linux | Affected: 012ce4dd3102a0f4d80167de343e9d44b257c1b8, < 6456d80045d6de47734b1a3879c91f72af186529 (git) |
| Linux | Linux | Affected: 012ce4dd3102a0f4d80167de343e9d44b257c1b8, < 72808c4ab5fd01bf1214195005e15b434bf55cef (git) |
| Linux | Linux | Affected: 012ce4dd3102a0f4d80167de343e9d44b257c1b8, < 9ad685dbfe7e856bbf17a7177b64676d324d6ed7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ethtool/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da81af0ef8092ecacd87fac3229c29e2e0ce39fd",
"status": "affected",
"version": "012ce4dd3102a0f4d80167de343e9d44b257c1b8",
"versionType": "git"
},
{
"lessThan": "942a2a0184f7bb1c1ae4bbc556559c86c054b0d2",
"status": "affected",
"version": "012ce4dd3102a0f4d80167de343e9d44b257c1b8",
"versionType": "git"
},
{
"lessThan": "6456d80045d6de47734b1a3879c91f72af186529",
"status": "affected",
"version": "012ce4dd3102a0f4d80167de343e9d44b257c1b8",
"versionType": "git"
},
{
"lessThan": "72808c4ab5fd01bf1214195005e15b434bf55cef",
"status": "affected",
"version": "012ce4dd3102a0f4d80167de343e9d44b257c1b8",
"versionType": "git"
},
{
"lessThan": "9ad685dbfe7e856bbf17a7177b64676d324d6ed7",
"status": "affected",
"version": "012ce4dd3102a0f4d80167de343e9d44b257c1b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ethtool/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.112",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.29",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.16",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: Fix uninitialized number of lanes\n\nIt is not possible to set the number of lanes when setting link modes\nusing the legacy IOCTL ethtool interface. Since \u0027struct\nethtool_link_ksettings\u0027 is not initialized in this path, drivers receive\nan uninitialized number of lanes in \u0027struct\nethtool_link_ksettings::lanes\u0027.\n\nWhen this information is later queried from drivers, it results in the\nethtool code making decisions based on uninitialized memory, leading to\nthe following KMSAN splat [1]. In practice, this most likely only\nhappens with the tun driver that simply returns whatever it got in the\nset operation.\n\nAs far as I can tell, this uninitialized memory is not leaked to user\nspace thanks to the \u0027ethtool_ops-\u003ecap_link_lanes_supported\u0027 check in\nlinkmodes_prepare_data().\n\nFix by initializing the structure in the IOCTL path. Did not find any\nmore call sites that pass an uninitialized structure when calling\n\u0027ethtool_ops::set_link_ksettings()\u0027.\n\n[1]\nBUG: KMSAN: uninit-value in ethnl_update_linkmodes net/ethtool/linkmodes.c:273 [inline]\nBUG: KMSAN: uninit-value in ethnl_set_linkmodes+0x190b/0x19d0 net/ethtool/linkmodes.c:333\n ethnl_update_linkmodes net/ethtool/linkmodes.c:273 [inline]\n ethnl_set_linkmodes+0x190b/0x19d0 net/ethtool/linkmodes.c:333\n ethnl_default_set_doit+0x88d/0xde0 net/ethtool/netlink.c:640\n genl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]\n genl_rcv_msg+0x141a/0x14c0 net/netlink/genetlink.c:1065\n netlink_rcv_skb+0x3f8/0x750 net/netlink/af_netlink.c:2577\n genl_rcv+0x40/0x60 net/netlink/genetlink.c:1076\n netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\n netlink_unicast+0xf41/0x1270 net/netlink/af_netlink.c:1365\n netlink_sendmsg+0x127d/0x1430 net/netlink/af_netlink.c:1942\n sock_sendmsg_nosec net/socket.c:724 
[inline]\n sock_sendmsg net/socket.c:747 [inline]\n ____sys_sendmsg+0xa24/0xe40 net/socket.c:2501\n ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555\n __sys_sendmsg net/socket.c:2584 [inline]\n __do_sys_sendmsg net/socket.c:2593 [inline]\n __se_sys_sendmsg net/socket.c:2591 [inline]\n __x64_sys_sendmsg+0x36b/0x540 net/socket.c:2591\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was stored to memory at:\n tun_get_link_ksettings+0x37/0x60 drivers/net/tun.c:3544\n __ethtool_get_link_ksettings+0x17b/0x260 net/ethtool/ioctl.c:441\n ethnl_set_linkmodes+0xee/0x19d0 net/ethtool/linkmodes.c:327\n ethnl_default_set_doit+0x88d/0xde0 net/ethtool/netlink.c:640\n genl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]\n genl_rcv_msg+0x141a/0x14c0 net/netlink/genetlink.c:1065\n netlink_rcv_skb+0x3f8/0x750 net/netlink/af_netlink.c:2577\n genl_rcv+0x40/0x60 net/netlink/genetlink.c:1076\n netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\n netlink_unicast+0xf41/0x1270 net/netlink/af_netlink.c:1365\n netlink_sendmsg+0x127d/0x1430 net/netlink/af_netlink.c:1942\n sock_sendmsg_nosec net/socket.c:724 [inline]\n sock_sendmsg net/socket.c:747 [inline]\n ____sys_sendmsg+0xa24/0xe40 net/socket.c:2501\n ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555\n __sys_sendmsg net/socket.c:2584 [inline]\n __do_sys_sendmsg net/socket.c:2593 [inline]\n __se_sys_sendmsg net/socket.c:2591 [inline]\n __x64_sys_sendmsg+0x36b/0x540 net/socket.c:2591\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was stored to memory at:\n tun_set_link_ksettings+0x37/0x60 drivers/net/tun.c:3553\n ethtool_set_link_ksettings+0x600/0x690 net/ethtool/ioctl.c:609\n __dev_ethtool net/ethtool/ioctl.c:3024 [inline]\n dev_ethtool+0x1db9/0x2a70 
net/ethtool/ioctl.c:3078\n dev_ioctl+0xb07/0x1270 net/core/dev_ioctl.c:524\n sock_do_ioctl+0x295/0x540 net/socket.c:1213\n sock_i\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:54.769Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da81af0ef8092ecacd87fac3229c29e2e0ce39fd"
},
{
"url": "https://git.kernel.org/stable/c/942a2a0184f7bb1c1ae4bbc556559c86c054b0d2"
},
{
"url": "https://git.kernel.org/stable/c/6456d80045d6de47734b1a3879c91f72af186529"
},
{
"url": "https://git.kernel.org/stable/c/72808c4ab5fd01bf1214195005e15b434bf55cef"
},
{
"url": "https://git.kernel.org/stable/c/9ad685dbfe7e856bbf17a7177b64676d324d6ed7"
}
],
"title": "ethtool: Fix uninitialized number of lanes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53798",
"datePublished": "2025-12-09T00:00:54.769Z",
"dateReserved": "2025-12-08T23:58:35.275Z",
"dateUpdated": "2025-12-09T00:00:54.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53787 (GCVE-0-2023-53787)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
regulator: da9063: fix null pointer deref with partial DT config
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: da9063: fix null pointer deref with partial DT config
When some of the da9063 regulators do not have corresponding DT nodes
a null pointer dereference occurs on boot because such regulators have
no init_data causing the pointers calculated in
da9063_check_xvp_constraints() to be invalid.
Do not dereference them in this case.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/da9063-regulator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "04a025b17d83d07924e5e32508c72536ab8f42d9",
"status": "affected",
"version": "b8717a80e6ee6500ae396d21aac2a00947bba993",
"versionType": "git"
},
{
"lessThan": "98e2dd5f7a8be5cb2501a897e96910393a49f0ff",
"status": "affected",
"version": "b8717a80e6ee6500ae396d21aac2a00947bba993",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/da9063-regulator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: da9063: fix null pointer deref with partial DT config\n\nWhen some of the da9063 regulators do not have corresponding DT nodes\na null pointer dereference occurs on boot because such regulators have\nno init_data causing the pointers calculated in\nda9063_check_xvp_constraints() to be invalid.\n\nDo not dereference them in this case."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:42.334Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/04a025b17d83d07924e5e32508c72536ab8f42d9"
},
{
"url": "https://git.kernel.org/stable/c/98e2dd5f7a8be5cb2501a897e96910393a49f0ff"
}
],
"title": "regulator: da9063: fix null pointer deref with partial DT config",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53787",
"datePublished": "2025-12-09T00:00:42.334Z",
"dateReserved": "2025-12-08T23:58:35.273Z",
"dateUpdated": "2025-12-09T00:00:42.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53828 (GCVE-0-2023-53828)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor()
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor()
KSAN reports use-after-free in hci_add_adv_monitor().
While adding an adv monitor,
hci_add_adv_monitor() calls ->
msft_add_monitor_pattern() calls ->
msft_add_monitor_sync() calls ->
msft_le_monitor_advertisement_cb() calls in an error case ->
hci_free_adv_monitor() which frees the *monitor.
This is referenced by bt_dev_dbg() in hci_add_adv_monitor().
Fix the bt_dev_dbg() by using handle instead of monitor->handle.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b747a83690c8f53bc7a3f75899415c699b2c51aa, < 81d8e9f59df63b8358751c1ffed9f1cf5c796909 (git) |
| Linux | Linux | Affected: b747a83690c8f53bc7a3f75899415c699b2c51aa, < aafda69d4807f5edf3558c9534be9b911774e63a (git) |
| Linux | Linux | Affected: b747a83690c8f53bc7a3f75899415c699b2c51aa, < 8d66f7ced51cb924bc90278d6a0a26a52877271a (git) |
| Linux | Linux | Affected: b747a83690c8f53bc7a3f75899415c699b2c51aa, < a2bcd2b63271a93a695fabbfbf459c603d956d48 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "81d8e9f59df63b8358751c1ffed9f1cf5c796909",
"status": "affected",
"version": "b747a83690c8f53bc7a3f75899415c699b2c51aa",
"versionType": "git"
},
{
"lessThan": "aafda69d4807f5edf3558c9534be9b911774e63a",
"status": "affected",
"version": "b747a83690c8f53bc7a3f75899415c699b2c51aa",
"versionType": "git"
},
{
"lessThan": "8d66f7ced51cb924bc90278d6a0a26a52877271a",
"status": "affected",
"version": "b747a83690c8f53bc7a3f75899415c699b2c51aa",
"versionType": "git"
},
{
"lessThan": "a2bcd2b63271a93a695fabbfbf459c603d956d48",
"status": "affected",
"version": "b747a83690c8f53bc7a3f75899415c699b2c51aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor()\n\nKSAN reports use-after-free in hci_add_adv_monitor().\n\nWhile adding an adv monitor,\n hci_add_adv_monitor() calls -\u003e\n msft_add_monitor_pattern() calls -\u003e\n msft_add_monitor_sync() calls -\u003e\n msft_le_monitor_advertisement_cb() calls in an error case -\u003e\n hci_free_adv_monitor() which frees the *moniter.\n\nThis is referenced by bt_dev_dbg() in hci_add_adv_monitor().\n\nFix the bt_dev_dbg() by using handle instead of monitor-\u003ehandle."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:42.166Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/81d8e9f59df63b8358751c1ffed9f1cf5c796909"
},
{
"url": "https://git.kernel.org/stable/c/aafda69d4807f5edf3558c9534be9b911774e63a"
},
{
"url": "https://git.kernel.org/stable/c/8d66f7ced51cb924bc90278d6a0a26a52877271a"
},
{
"url": "https://git.kernel.org/stable/c/a2bcd2b63271a93a695fabbfbf459c603d956d48"
}
],
"title": "Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53828",
"datePublished": "2025-12-09T01:29:42.166Z",
"dateReserved": "2025-12-09T01:27:17.825Z",
"dateUpdated": "2025-12-09T01:29:42.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53807 (GCVE-0-2023-53807)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
Title
clk: clocking-wizard: Fix Oops in clk_wzrd_register_divider()
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: clocking-wizard: Fix Oops in clk_wzrd_register_divider()
Smatch detected this potential error pointer dereference
clk_wzrd_register_divider(). If devm_clk_hw_register() fails then
it sets "hw" to an error pointer and then dereferences it on the
next line. Return the error directly instead.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5a853722eb32188647a541802d51d0db423b9baf, < 2f276dd9c0f835242836d9f6823035158ce2585c (git) |
| Linux | Linux | Affected: 5a853722eb32188647a541802d51d0db423b9baf, < b35cb0c05b8dafe23ae5e8b605a91b88bcf4aba7 (git) |
| Linux | Linux | Affected: 5a853722eb32188647a541802d51d0db423b9baf, < 25dbdfb7b71ef8601d00c6d9a2b1a96de28b30c5 (git) |
| Linux | Linux | Affected: 5a853722eb32188647a541802d51d0db423b9baf, < f078a65ebf930f4305e3c415a8338d22391642c9 (git) |
| Linux | Linux | Affected: 5a853722eb32188647a541802d51d0db423b9baf, < 9c632a6396505a019ea6d12b5ab45e659a542a93 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/xilinx/clk-xlnx-clock-wizard.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f276dd9c0f835242836d9f6823035158ce2585c",
"status": "affected",
"version": "5a853722eb32188647a541802d51d0db423b9baf",
"versionType": "git"
},
{
"lessThan": "b35cb0c05b8dafe23ae5e8b605a91b88bcf4aba7",
"status": "affected",
"version": "5a853722eb32188647a541802d51d0db423b9baf",
"versionType": "git"
},
{
"lessThan": "25dbdfb7b71ef8601d00c6d9a2b1a96de28b30c5",
"status": "affected",
"version": "5a853722eb32188647a541802d51d0db423b9baf",
"versionType": "git"
},
{
"lessThan": "f078a65ebf930f4305e3c415a8338d22391642c9",
"status": "affected",
"version": "5a853722eb32188647a541802d51d0db423b9baf",
"versionType": "git"
},
{
"lessThan": "9c632a6396505a019ea6d12b5ab45e659a542a93",
"status": "affected",
"version": "5a853722eb32188647a541802d51d0db423b9baf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/xilinx/clk-xlnx-clock-wizard.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: clocking-wizard: Fix Oops in clk_wzrd_register_divider()\n\nSmatch detected this potential error pointer dereference\nclk_wzrd_register_divider(). If devm_clk_hw_register() fails then\nit sets \"hw\" to an error pointer and then dereferences it on the\nnext line. Return the error directly instead."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:05.301Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f276dd9c0f835242836d9f6823035158ce2585c"
},
{
"url": "https://git.kernel.org/stable/c/b35cb0c05b8dafe23ae5e8b605a91b88bcf4aba7"
},
{
"url": "https://git.kernel.org/stable/c/25dbdfb7b71ef8601d00c6d9a2b1a96de28b30c5"
},
{
"url": "https://git.kernel.org/stable/c/f078a65ebf930f4305e3c415a8338d22391642c9"
},
{
"url": "https://git.kernel.org/stable/c/9c632a6396505a019ea6d12b5ab45e659a542a93"
}
],
"title": "clk: clocking-wizard: Fix Oops in clk_wzrd_register_divider()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53807",
"datePublished": "2025-12-09T00:01:05.301Z",
"dateReserved": "2025-12-08T23:58:35.276Z",
"dateUpdated": "2025-12-09T00:01:05.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53811 (GCVE-0-2023-53811)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
Title
RDMA/irdma: Cap MSIX used to online CPUs + 1
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: Cap MSIX used to online CPUs + 1
The irdma driver can use a maximum number of msix vectors equal
to num_online_cpus() + 1 and the kernel warning stack below is shown
if that number is exceeded.
The kernel throws a warning as the driver tries to update the affinity
hint with a CPU mask greater than the max CPU IDs. Fix this by capping
the MSIX vectors to num_online_cpus() + 1.
WARNING: CPU: 7 PID: 23655 at include/linux/cpumask.h:106 irdma_cfg_ceq_vector+0x34c/0x3f0 [irdma]
RIP: 0010:irdma_cfg_ceq_vector+0x34c/0x3f0 [irdma]
Call Trace:
irdma_rt_init_hw+0xa62/0x1290 [irdma]
? irdma_alloc_local_mac_entry+0x1a0/0x1a0 [irdma]
? __is_kernel_percpu_address+0x63/0x310
? rcu_read_lock_held_common+0xe/0xb0
? irdma_lan_unregister_qset+0x280/0x280 [irdma]
? irdma_request_reset+0x80/0x80 [irdma]
? ice_get_qos_params+0x84/0x390 [ice]
irdma_probe+0xa40/0xfc0 [irdma]
? rcu_read_lock_bh_held+0xd0/0xd0
? irdma_remove+0x140/0x140 [irdma]
? rcu_read_lock_sched_held+0x62/0xe0
? down_write+0x187/0x3d0
? auxiliary_match_id+0xf0/0x1a0
? irdma_remove+0x140/0x140 [irdma]
auxiliary_bus_probe+0xa6/0x100
__driver_probe_device+0x4a4/0xd50
? __device_attach_driver+0x2c0/0x2c0
driver_probe_device+0x4a/0x110
__driver_attach+0x1aa/0x350
bus_for_each_dev+0x11d/0x1b0
? subsys_dev_iter_init+0xe0/0xe0
bus_add_driver+0x3b1/0x610
driver_register+0x18e/0x410
? 0xffffffffc0b88000
irdma_init_module+0x50/0xaa [irdma]
do_one_initcall+0x103/0x5f0
? perf_trace_initcall_level+0x420/0x420
? do_init_module+0x4e/0x700
? __kasan_kmalloc+0x7d/0xa0
? kmem_cache_alloc_trace+0x188/0x2b0
? kasan_unpoison+0x21/0x50
do_init_module+0x1d1/0x700
load_module+0x3867/0x5260
? layout_and_allocate+0x3990/0x3990
? rcu_read_lock_held_common+0xe/0xb0
? rcu_read_lock_sched_held+0x62/0xe0
? rcu_read_lock_bh_held+0xd0/0xd0
? __vmalloc_node_range+0x46b/0x890
? lock_release+0x5c8/0xba0
? alloc_vm_area+0x120/0x120
? selinux_kernel_module_from_file+0x2a5/0x300
? __inode_security_revalidate+0xf0/0xf0
? __do_sys_init_module+0x1db/0x260
__do_sys_init_module+0x1db/0x260
? load_module+0x5260/0x5260
? do_syscall_64+0x22/0x450
do_syscall_64+0xa5/0x450
entry_SYSCALL_64_after_hwframe+0x66/0xdb
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 44d9e52977a1b90b0db1c7f8b197c218e9226520 , < 87674a359ad173a3b8cd484e92e4f1901666da4c (git) |
| Linux | Linux | Affected: 44d9e52977a1b90b0db1c7f8b197c218e9226520 , < b3bd44bf20cb3a6a47aa4373e1817147efb4be04 (git) |
| Linux | Linux | Affected: 44d9e52977a1b90b0db1c7f8b197c218e9226520 , < 209e4aa9a7b636d8aaa1297e1d089ee2ed91d73f (git) |
| Linux | Linux | Affected: 44d9e52977a1b90b0db1c7f8b197c218e9226520 , < 9cd9842c46996ef62173c36619c746f57416bcb0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "87674a359ad173a3b8cd484e92e4f1901666da4c",
"status": "affected",
"version": "44d9e52977a1b90b0db1c7f8b197c218e9226520",
"versionType": "git"
},
{
"lessThan": "b3bd44bf20cb3a6a47aa4373e1817147efb4be04",
"status": "affected",
"version": "44d9e52977a1b90b0db1c7f8b197c218e9226520",
"versionType": "git"
},
{
"lessThan": "209e4aa9a7b636d8aaa1297e1d089ee2ed91d73f",
"status": "affected",
"version": "44d9e52977a1b90b0db1c7f8b197c218e9226520",
"versionType": "git"
},
{
"lessThan": "9cd9842c46996ef62173c36619c746f57416bcb0",
"status": "affected",
"version": "44d9e52977a1b90b0db1c7f8b197c218e9226520",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Cap MSIX used to online CPUs + 1\n\nThe irdma driver can use a maximum number of msix vectors equal\nto num_online_cpus() + 1 and the kernel warning stack below is shown\nif that number is exceeded.\n\nThe kernel throws a warning as the driver tries to update the affinity\nhint with a CPU mask greater than the max CPU IDs. Fix this by capping\nthe MSIX vectors to num_online_cpus() + 1.\n\n WARNING: CPU: 7 PID: 23655 at include/linux/cpumask.h:106 irdma_cfg_ceq_vector+0x34c/0x3f0 [irdma]\n RIP: 0010:irdma_cfg_ceq_vector+0x34c/0x3f0 [irdma]\n Call Trace:\n irdma_rt_init_hw+0xa62/0x1290 [irdma]\n ? irdma_alloc_local_mac_entry+0x1a0/0x1a0 [irdma]\n ? __is_kernel_percpu_address+0x63/0x310\n ? rcu_read_lock_held_common+0xe/0xb0\n ? irdma_lan_unregister_qset+0x280/0x280 [irdma]\n ? irdma_request_reset+0x80/0x80 [irdma]\n ? ice_get_qos_params+0x84/0x390 [ice]\n irdma_probe+0xa40/0xfc0 [irdma]\n ? rcu_read_lock_bh_held+0xd0/0xd0\n ? irdma_remove+0x140/0x140 [irdma]\n ? rcu_read_lock_sched_held+0x62/0xe0\n ? down_write+0x187/0x3d0\n ? auxiliary_match_id+0xf0/0x1a0\n ? irdma_remove+0x140/0x140 [irdma]\n auxiliary_bus_probe+0xa6/0x100\n __driver_probe_device+0x4a4/0xd50\n ? __device_attach_driver+0x2c0/0x2c0\n driver_probe_device+0x4a/0x110\n __driver_attach+0x1aa/0x350\n bus_for_each_dev+0x11d/0x1b0\n ? subsys_dev_iter_init+0xe0/0xe0\n bus_add_driver+0x3b1/0x610\n driver_register+0x18e/0x410\n ? 0xffffffffc0b88000\n irdma_init_module+0x50/0xaa [irdma]\n do_one_initcall+0x103/0x5f0\n ? perf_trace_initcall_level+0x420/0x420\n ? do_init_module+0x4e/0x700\n ? __kasan_kmalloc+0x7d/0xa0\n ? kmem_cache_alloc_trace+0x188/0x2b0\n ? kasan_unpoison+0x21/0x50\n do_init_module+0x1d1/0x700\n load_module+0x3867/0x5260\n ? layout_and_allocate+0x3990/0x3990\n ? rcu_read_lock_held_common+0xe/0xb0\n ? rcu_read_lock_sched_held+0x62/0xe0\n ? rcu_read_lock_bh_held+0xd0/0xd0\n ? 
__vmalloc_node_range+0x46b/0x890\n ? lock_release+0x5c8/0xba0\n ? alloc_vm_area+0x120/0x120\n ? selinux_kernel_module_from_file+0x2a5/0x300\n ? __inode_security_revalidate+0xf0/0xf0\n ? __do_sys_init_module+0x1db/0x260\n __do_sys_init_module+0x1db/0x260\n ? load_module+0x5260/0x5260\n ? do_syscall_64+0x22/0x450\n do_syscall_64+0xa5/0x450\n entry_SYSCALL_64_after_hwframe+0x66/0xdb"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:09.005Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/87674a359ad173a3b8cd484e92e4f1901666da4c"
},
{
"url": "https://git.kernel.org/stable/c/b3bd44bf20cb3a6a47aa4373e1817147efb4be04"
},
{
"url": "https://git.kernel.org/stable/c/209e4aa9a7b636d8aaa1297e1d089ee2ed91d73f"
},
{
"url": "https://git.kernel.org/stable/c/9cd9842c46996ef62173c36619c746f57416bcb0"
}
],
"title": "RDMA/irdma: Cap MSIX used to online CPUs + 1",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53811",
"datePublished": "2025-12-09T00:01:09.005Z",
"dateReserved": "2025-12-08T23:58:35.277Z",
"dateUpdated": "2025-12-09T00:01:09.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53839 (GCVE-0-2023-53839)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
dccp: fix data-race around dp->dccps_mss_cache
Summary
In the Linux kernel, the following vulnerability has been resolved:
dccp: fix data-race around dp->dccps_mss_cache
dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket.
Same thing in do_dccp_getsockopt().
Add READ_ONCE()/WRITE_ONCE() annotations,
and change dccp_sendmsg() to check again dccps_mss_cache
after socket is locked.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < 162fa1e3cfb62aa780d7c40c8cccb6c2f8bef7c1 (git) |
| Linux | Linux | Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < 2bdc7f272b3a110a4e1fdee6c47c8d20f9b20817 (git) |
| Linux | Linux | Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < 67eebc7a9217f999b779d46fba5312a716f0dc1d (git) |
| Linux | Linux | Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < 6d701c95ee6463abcbb6da543060d6e444554135 (git) |
| Linux | Linux | Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < f239c9e1d98b313435481b4926e8bdd06197e4d8 (git) |
| Linux | Linux | Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < a6ddc1c774874dc704f96a99d015dc759627bba7 (git) |
| Linux | Linux | Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < d1f38d313bdfc52fb2f662e66d0c60dd1cfe2384 (git) |
| Linux | Linux | Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < a47e598fbd8617967e49d85c49c22f9fc642704c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/dccp/output.c",
"net/dccp/proto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "162fa1e3cfb62aa780d7c40c8cccb6c2f8bef7c1",
"status": "affected",
"version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
"versionType": "git"
},
{
"lessThan": "2bdc7f272b3a110a4e1fdee6c47c8d20f9b20817",
"status": "affected",
"version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
"versionType": "git"
},
{
"lessThan": "67eebc7a9217f999b779d46fba5312a716f0dc1d",
"status": "affected",
"version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
"versionType": "git"
},
{
"lessThan": "6d701c95ee6463abcbb6da543060d6e444554135",
"status": "affected",
"version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
"versionType": "git"
},
{
"lessThan": "f239c9e1d98b313435481b4926e8bdd06197e4d8",
"status": "affected",
"version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
"versionType": "git"
},
{
"lessThan": "a6ddc1c774874dc704f96a99d015dc759627bba7",
"status": "affected",
"version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
"versionType": "git"
},
{
"lessThan": "d1f38d313bdfc52fb2f662e66d0c60dd1cfe2384",
"status": "affected",
"version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
"versionType": "git"
},
{
"lessThan": "a47e598fbd8617967e49d85c49c22f9fc642704c",
"status": "affected",
"version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/dccp/output.c",
"net/dccp/proto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.14"
},
{
"lessThan": "2.6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.323",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.292",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.254",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.191",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp: fix data-race around dp-\u003edccps_mss_cache\n\ndccp_sendmsg() reads dp-\u003edccps_mss_cache before locking the socket.\nSame thing in do_dccp_getsockopt().\n\nAdd READ_ONCE()/WRITE_ONCE() annotations,\nand change dccp_sendmsg() to check again dccps_mss_cache\nafter socket is locked."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:55.540Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/162fa1e3cfb62aa780d7c40c8cccb6c2f8bef7c1"
},
{
"url": "https://git.kernel.org/stable/c/2bdc7f272b3a110a4e1fdee6c47c8d20f9b20817"
},
{
"url": "https://git.kernel.org/stable/c/67eebc7a9217f999b779d46fba5312a716f0dc1d"
},
{
"url": "https://git.kernel.org/stable/c/6d701c95ee6463abcbb6da543060d6e444554135"
},
{
"url": "https://git.kernel.org/stable/c/f239c9e1d98b313435481b4926e8bdd06197e4d8"
},
{
"url": "https://git.kernel.org/stable/c/a6ddc1c774874dc704f96a99d015dc759627bba7"
},
{
"url": "https://git.kernel.org/stable/c/d1f38d313bdfc52fb2f662e66d0c60dd1cfe2384"
},
{
"url": "https://git.kernel.org/stable/c/a47e598fbd8617967e49d85c49c22f9fc642704c"
}
],
"title": "dccp: fix data-race around dp-\u003edccps_mss_cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53839",
"datePublished": "2025-12-09T01:29:55.540Z",
"dateReserved": "2025-12-09T01:27:17.826Z",
"dateUpdated": "2025-12-09T01:29:55.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53857 (GCVE-0-2023-53857)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
bpf: bpf_sk_storage: Fix invalid wait context lockdep report
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: bpf_sk_storage: Fix invalid wait context lockdep report
'./test_progs -t test_local_storage' reported a splat:
[ 27.137569] =============================
[ 27.138122] [ BUG: Invalid wait context ]
[ 27.138650] 6.5.0-03980-gd11ae1b16b0a #247 Tainted: G O
[ 27.139542] -----------------------------
[ 27.140106] test_progs/1729 is trying to lock:
[ 27.140713] ffff8883ef047b88 (stock_lock){-.-.}-{3:3}, at: local_lock_acquire+0x9/0x130
[ 27.141834] other info that might help us debug this:
[ 27.142437] context-{5:5}
[ 27.142856] 2 locks held by test_progs/1729:
[ 27.143352] #0: ffffffff84bcd9c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x4/0x40
[ 27.144492] #1: ffff888107deb2c0 (&storage->lock){..-.}-{2:2}, at: bpf_local_storage_update+0x39e/0x8e0
[ 27.145855] stack backtrace:
[ 27.146274] CPU: 0 PID: 1729 Comm: test_progs Tainted: G O 6.5.0-03980-gd11ae1b16b0a #247
[ 27.147550] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 27.149127] Call Trace:
[ 27.149490] <TASK>
[ 27.149867] dump_stack_lvl+0x130/0x1d0
[ 27.152609] dump_stack+0x14/0x20
[ 27.153131] __lock_acquire+0x1657/0x2220
[ 27.153677] lock_acquire+0x1b8/0x510
[ 27.157908] local_lock_acquire+0x29/0x130
[ 27.159048] obj_cgroup_charge+0xf4/0x3c0
[ 27.160794] slab_pre_alloc_hook+0x28e/0x2b0
[ 27.161931] __kmem_cache_alloc_node+0x51/0x210
[ 27.163557] __kmalloc+0xaa/0x210
[ 27.164593] bpf_map_kzalloc+0xbc/0x170
[ 27.165147] bpf_selem_alloc+0x130/0x510
[ 27.166295] bpf_local_storage_update+0x5aa/0x8e0
[ 27.167042] bpf_fd_sk_storage_update_elem+0xdb/0x1a0
[ 27.169199] bpf_map_update_value+0x415/0x4f0
[ 27.169871] map_update_elem+0x413/0x550
[ 27.170330] __sys_bpf+0x5e9/0x640
[ 27.174065] __x64_sys_bpf+0x80/0x90
[ 27.174568] do_syscall_64+0x48/0xa0
[ 27.175201] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 27.175932] RIP: 0033:0x7effb40e41ad
[ 27.176357] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d8
[ 27.179028] RSP: 002b:00007ffe64c21fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000141
[ 27.180088] RAX: ffffffffffffffda RBX: 00007ffe64c22768 RCX: 00007effb40e41ad
[ 27.181082] RDX: 0000000000000020 RSI: 00007ffe64c22008 RDI: 0000000000000002
[ 27.182030] RBP: 00007ffe64c21ff0 R08: 0000000000000000 R09: 00007ffe64c22788
[ 27.183038] R10: 0000000000000064 R11: 0000000000000202 R12: 0000000000000000
[ 27.184006] R13: 00007ffe64c22788 R14: 00007effb42a1000 R15: 0000000000000000
[ 27.184958] </TASK>
It complains about acquiring a local_lock while holding a raw_spin_lock.
It means it should not allocate memory while holding a raw_spin_lock
since it is not safe for RT.
raw_spin_lock is needed because bpf_local_storage supports tracing
context. In particular for task local storage, it is easy to
get a "current" task PTR_TO_BTF_ID in tracing bpf prog.
However, task (and cgroup) local storage has already been moved to
bpf mem allocator which can be used after raw_spin_lock.
The splat is for the sk storage. For sk (and inode) storage,
it has not been moved to bpf mem allocator. Using raw_spin_lock or not,
kzalloc(GFP_ATOMIC) could theoretically be unsafe in tracing context.
However, the local storage helper requires a verifier accepted
sk pointer (PTR_TO_BTF_ID), it is hypothetical if that (mean running
a bpf prog in a kzalloc unsafe context and also able to hold a verifier
accepted sk pointer) could happen.
This patch avoids kzalloc after raw_spin_lock to silent the splat.
There is an existing kzalloc before the raw_spin_lock. At that point,
a kzalloc is very likely required because a lookup has just been done
before. Thus, this patch always does the kzalloc before acq
---truncated---
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/bpf_local_storage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "300415caa373a07782fcbc2f8d9429bc2dc27a47",
"status": "affected",
"version": "b00fa38a9c1cba044a32a601b49a55a18ed719d1",
"versionType": "git"
},
{
"lessThan": "a96a44aba556c42b432929d37d60158aca21ad4c",
"status": "affected",
"version": "b00fa38a9c1cba044a32a601b49a55a18ed719d1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/bpf_local_storage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: bpf_sk_storage: Fix invalid wait context lockdep report\n\n\u0027./test_progs -t test_local_storage\u0027 reported a splat:\n\n[ 27.137569] =============================\n[ 27.138122] [ BUG: Invalid wait context ]\n[ 27.138650] 6.5.0-03980-gd11ae1b16b0a #247 Tainted: G O\n[ 27.139542] -----------------------------\n[ 27.140106] test_progs/1729 is trying to lock:\n[ 27.140713] ffff8883ef047b88 (stock_lock){-.-.}-{3:3}, at: local_lock_acquire+0x9/0x130\n[ 27.141834] other info that might help us debug this:\n[ 27.142437] context-{5:5}\n[ 27.142856] 2 locks held by test_progs/1729:\n[ 27.143352] #0: ffffffff84bcd9c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x4/0x40\n[ 27.144492] #1: ffff888107deb2c0 (\u0026storage-\u003elock){..-.}-{2:2}, at: bpf_local_storage_update+0x39e/0x8e0\n[ 27.145855] stack backtrace:\n[ 27.146274] CPU: 0 PID: 1729 Comm: test_progs Tainted: G O 6.5.0-03980-gd11ae1b16b0a #247\n[ 27.147550] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[ 27.149127] Call Trace:\n[ 27.149490] \u003cTASK\u003e\n[ 27.149867] dump_stack_lvl+0x130/0x1d0\n[ 27.152609] dump_stack+0x14/0x20\n[ 27.153131] __lock_acquire+0x1657/0x2220\n[ 27.153677] lock_acquire+0x1b8/0x510\n[ 27.157908] local_lock_acquire+0x29/0x130\n[ 27.159048] obj_cgroup_charge+0xf4/0x3c0\n[ 27.160794] slab_pre_alloc_hook+0x28e/0x2b0\n[ 27.161931] __kmem_cache_alloc_node+0x51/0x210\n[ 27.163557] __kmalloc+0xaa/0x210\n[ 27.164593] bpf_map_kzalloc+0xbc/0x170\n[ 27.165147] bpf_selem_alloc+0x130/0x510\n[ 27.166295] bpf_local_storage_update+0x5aa/0x8e0\n[ 27.167042] bpf_fd_sk_storage_update_elem+0xdb/0x1a0\n[ 27.169199] bpf_map_update_value+0x415/0x4f0\n[ 27.169871] map_update_elem+0x413/0x550\n[ 27.170330] __sys_bpf+0x5e9/0x640\n[ 27.174065] __x64_sys_bpf+0x80/0x90\n[ 27.174568] do_syscall_64+0x48/0xa0\n[ 27.175201] 
entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[ 27.175932] RIP: 0033:0x7effb40e41ad\n[ 27.176357] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d8\n[ 27.179028] RSP: 002b:00007ffe64c21fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000141\n[ 27.180088] RAX: ffffffffffffffda RBX: 00007ffe64c22768 RCX: 00007effb40e41ad\n[ 27.181082] RDX: 0000000000000020 RSI: 00007ffe64c22008 RDI: 0000000000000002\n[ 27.182030] RBP: 00007ffe64c21ff0 R08: 0000000000000000 R09: 00007ffe64c22788\n[ 27.183038] R10: 0000000000000064 R11: 0000000000000202 R12: 0000000000000000\n[ 27.184006] R13: 00007ffe64c22788 R14: 00007effb42a1000 R15: 0000000000000000\n[ 27.184958] \u003c/TASK\u003e\n\nIt complains about acquiring a local_lock while holding a raw_spin_lock.\nIt means it should not allocate memory while holding a raw_spin_lock\nsince it is not safe for RT.\n\nraw_spin_lock is needed because bpf_local_storage supports tracing\ncontext. In particular for task local storage, it is easy to\nget a \"current\" task PTR_TO_BTF_ID in tracing bpf prog.\nHowever, task (and cgroup) local storage has already been moved to\nbpf mem allocator which can be used after raw_spin_lock.\n\nThe splat is for the sk storage. For sk (and inode) storage,\nit has not been moved to bpf mem allocator. Using raw_spin_lock or not,\nkzalloc(GFP_ATOMIC) could theoretically be unsafe in tracing context.\nHowever, the local storage helper requires a verifier accepted\nsk pointer (PTR_TO_BTF_ID), it is hypothetical if that (mean running\na bpf prog in a kzalloc unsafe context and also able to hold a verifier\naccepted sk pointer) could happen.\n\nThis patch avoids kzalloc after raw_spin_lock to silent the splat.\nThere is an existing kzalloc before the raw_spin_lock. At that point,\na kzalloc is very likely required because a lookup has just been done\nbefore. 
Thus, this patch always does the kzalloc before acq\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:23.593Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/300415caa373a07782fcbc2f8d9429bc2dc27a47"
},
{
"url": "https://git.kernel.org/stable/c/a96a44aba556c42b432929d37d60158aca21ad4c"
}
],
"title": "bpf: bpf_sk_storage: Fix invalid wait context lockdep report",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53857",
"datePublished": "2025-12-09T01:30:23.593Z",
"dateReserved": "2025-12-09T01:27:17.828Z",
"dateUpdated": "2025-12-09T01:30:23.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53826 (GCVE-0-2023-53826)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
Wear-leveling entry could be freed in error path, which may be accessed
again in eraseblk_count_seq_show(), for example:
| __erase_worker | eraseblk_count_seq_show |
|---|---|
| | wl = ubi->lookuptbl[*block_number] |
| | if (wl) |
| wl_entry_destroy | |
| ubi->lookuptbl[e->pnum] = NULL | |
| kmem_cache_free(ubi_wl_entry_slab, e) | |
| | erase_count = wl->ec // UAF! |
Wear-leveling entry updating/accessing in ubi->lookuptbl should be
protected by ubi->wl_lock, fix it by adding ubi->wl_lock to serialize
wl entry accessing between wl_entry_destroy() and
eraseblk_count_seq_show().
Fetch a reproducer in [Link].
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 801c135ce73d5df1caf3eca35b66a10824ae0707 , < 3f9b63dfce44a7c3c095dd93d910408e07ab1845 (git) |
| Linux | Linux | Affected: 801c135ce73d5df1caf3eca35b66a10824ae0707 , < 84250da1c63cb7d421a3b4812b5c2ce2e47d31a1 (git) |
| Linux | Linux | Affected: 801c135ce73d5df1caf3eca35b66a10824ae0707 , < 1cb14c06d6035539ef4215c4ba0871aea71d7c38 (git) |
| Linux | Linux | Affected: 801c135ce73d5df1caf3eca35b66a10824ae0707 , < 9d448dd6bcb61a508204b57ea1f454ba9bac2f24 (git) |
| Linux | Linux | Affected: 801c135ce73d5df1caf3eca35b66a10824ae0707 , < 79548ccdd992707879b4b683b7251c58ddf26f12 (git) |
| Linux | Linux | Affected: 801c135ce73d5df1caf3eca35b66a10824ae0707 , < 84253f3c2dad6be10d30c92626c763d9a9f512ad (git) |
| Linux | Linux | Affected: 801c135ce73d5df1caf3eca35b66a10824ae0707 , < a100de2974d208cfca032179b02ed4d1a0a7f143 (git) |
| Linux | Linux | Affected: 801c135ce73d5df1caf3eca35b66a10824ae0707 , < a240bc5c43130c6aa50831d7caaa02a1d84e1bce (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/ubi/wl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f9b63dfce44a7c3c095dd93d910408e07ab1845",
"status": "affected",
"version": "801c135ce73d5df1caf3eca35b66a10824ae0707",
"versionType": "git"
},
{
"lessThan": "84250da1c63cb7d421a3b4812b5c2ce2e47d31a1",
"status": "affected",
"version": "801c135ce73d5df1caf3eca35b66a10824ae0707",
"versionType": "git"
},
{
"lessThan": "1cb14c06d6035539ef4215c4ba0871aea71d7c38",
"status": "affected",
"version": "801c135ce73d5df1caf3eca35b66a10824ae0707",
"versionType": "git"
},
{
"lessThan": "9d448dd6bcb61a508204b57ea1f454ba9bac2f24",
"status": "affected",
"version": "801c135ce73d5df1caf3eca35b66a10824ae0707",
"versionType": "git"
},
{
"lessThan": "79548ccdd992707879b4b683b7251c58ddf26f12",
"status": "affected",
"version": "801c135ce73d5df1caf3eca35b66a10824ae0707",
"versionType": "git"
},
{
"lessThan": "84253f3c2dad6be10d30c92626c763d9a9f512ad",
"status": "affected",
"version": "801c135ce73d5df1caf3eca35b66a10824ae0707",
"versionType": "git"
},
{
"lessThan": "a100de2974d208cfca032179b02ed4d1a0a7f143",
"status": "affected",
"version": "801c135ce73d5df1caf3eca35b66a10824ae0707",
"versionType": "git"
},
{
"lessThan": "a240bc5c43130c6aa50831d7caaa02a1d84e1bce",
"status": "affected",
"version": "801c135ce73d5df1caf3eca35b66a10824ae0707",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/ubi/wl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()\n\nWear-leveling entry could be freed in error path, which may be accessed\nagain in eraseblk_count_seq_show(), for example:\n\n__erase_worker eraseblk_count_seq_show\n wl = ubi-\u003elookuptbl[*block_number]\n\t\t\t\tif (wl)\n wl_entry_destroy\n ubi-\u003elookuptbl[e-\u003epnum] = NULL\n kmem_cache_free(ubi_wl_entry_slab, e)\n\t\t erase_count = wl-\u003eec // UAF!\n\nWear-leveling entry updating/accessing in ubi-\u003elookuptbl should be\nprotected by ubi-\u003ewl_lock, fix it by adding ubi-\u003ewl_lock to serialize\nwl entry accessing between wl_entry_destroy() and\neraseblk_count_seq_show().\n\nFetch a reproducer in [Link]."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:39.679Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f9b63dfce44a7c3c095dd93d910408e07ab1845"
},
{
"url": "https://git.kernel.org/stable/c/84250da1c63cb7d421a3b4812b5c2ce2e47d31a1"
},
{
"url": "https://git.kernel.org/stable/c/1cb14c06d6035539ef4215c4ba0871aea71d7c38"
},
{
"url": "https://git.kernel.org/stable/c/9d448dd6bcb61a508204b57ea1f454ba9bac2f24"
},
{
"url": "https://git.kernel.org/stable/c/79548ccdd992707879b4b683b7251c58ddf26f12"
},
{
"url": "https://git.kernel.org/stable/c/84253f3c2dad6be10d30c92626c763d9a9f512ad"
},
{
"url": "https://git.kernel.org/stable/c/a100de2974d208cfca032179b02ed4d1a0a7f143"
},
{
"url": "https://git.kernel.org/stable/c/a240bc5c43130c6aa50831d7caaa02a1d84e1bce"
}
],
"title": "ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53826",
"datePublished": "2025-12-09T01:29:39.679Z",
"dateReserved": "2025-12-09T01:27:17.824Z",
"dateUpdated": "2025-12-09T01:29:39.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40328 (GCVE-0-2025-40328)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-09 04:09
Title
smb: client: fix potential UAF in smb2_close_cached_fid()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix potential UAF in smb2_close_cached_fid()
find_or_create_cached_dir() could grab a new reference after kref_put()
had seen the refcount drop to zero but before cfid_list_lock is acquired
in smb2_close_cached_fid(), leading to use-after-free.
Switch to kref_put_lock() so cfid_release() is called with
cfid_list_lock held, closing that gap.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ebe98f1447bbccf8228335c62d86af02a0ed23f7 , < cb52d9c86d70298de0ab7c7953653898cbc0efd6 (git) |
| Linux | Linux | Affected: ebe98f1447bbccf8228335c62d86af02a0ed23f7 , < 065bd62412271a2d734810dd50336cae88c54427 (git) |
| Linux | Linux | Affected: ebe98f1447bbccf8228335c62d86af02a0ed23f7 , < bdb596ceb4b7c3f28786a33840263728217fbcf5 (git) |
| Linux | Linux | Affected: ebe98f1447bbccf8228335c62d86af02a0ed23f7 , < 734e99623c5b65bf2c03e35978a0b980ebc3c2f8 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cached_dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb52d9c86d70298de0ab7c7953653898cbc0efd6",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
},
{
"lessThan": "065bd62412271a2d734810dd50336cae88c54427",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
},
{
"lessThan": "bdb596ceb4b7c3f28786a33840263728217fbcf5",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
},
{
"lessThan": "734e99623c5b65bf2c03e35978a0b980ebc3c2f8",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cached_dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_close_cached_fid()\n\nfind_or_create_cached_dir() could grab a new reference after kref_put()\nhad seen the refcount drop to zero but before cfid_list_lock is acquired\nin smb2_close_cached_fid(), leading to use-after-free.\n\nSwitch to kref_put_lock() so cfid_release() is called with\ncfid_list_lock held, closing that gap."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T04:09:44.876Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb52d9c86d70298de0ab7c7953653898cbc0efd6"
},
{
"url": "https://git.kernel.org/stable/c/065bd62412271a2d734810dd50336cae88c54427"
},
{
"url": "https://git.kernel.org/stable/c/bdb596ceb4b7c3f28786a33840263728217fbcf5"
},
{
"url": "https://git.kernel.org/stable/c/734e99623c5b65bf2c03e35978a0b980ebc3c2f8"
}
],
"title": "smb: client: fix potential UAF in smb2_close_cached_fid()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40328",
"datePublished": "2025-12-09T04:09:44.876Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-09T04:09:44.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53856 (GCVE-0-2023-53856)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
of: overlay: Call of_changeset_init() early
Summary
In the Linux kernel, the following vulnerability has been resolved:
of: overlay: Call of_changeset_init() early
When of_overlay_fdt_apply() fails, the changeset may be partially
applied, and the caller is still expected to call of_overlay_remove() to
clean up this partial state.
However, of_overlay_apply() calls of_resolve_phandles() before
init_overlay_changeset(). Hence if the overlay fails to apply due to an
unresolved symbol, the overlay_changeset.cset.entries list is still
uninitialized, and cleanup will crash with a NULL-pointer dereference in
overlay_removal_is_ok().
Fix this by moving the call to of_changeset_init() from
init_overlay_changeset() to of_overlay_fdt_apply(), where all other
early initialization is done.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f948d6d8b792bb90041edc12eac35faf83030994 , < 01bb96ad38089f5cc6de7746dac13437d35eb1dc (git) |
| Linux | Linux | Affected: f948d6d8b792bb90041edc12eac35faf83030994 , < 3fb210cd521c9efcb211e9f5ce40fc907200bf13 (git) |
| Linux | Linux | Affected: f948d6d8b792bb90041edc12eac35faf83030994 , < be86241bf5d1efd16d8a7231c13b33459c5d755d (git) |
| Linux | Linux | Affected: f948d6d8b792bb90041edc12eac35faf83030994 , < c403c81b577a67fe9ec6a2e89d143256487be50f (git) |
| Linux | Linux | Affected: f948d6d8b792bb90041edc12eac35faf83030994 , < a9515ff4fb142b690a0d2b58782b15903b990dba (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/of/overlay.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "01bb96ad38089f5cc6de7746dac13437d35eb1dc",
"status": "affected",
"version": "f948d6d8b792bb90041edc12eac35faf83030994",
"versionType": "git"
},
{
"lessThan": "3fb210cd521c9efcb211e9f5ce40fc907200bf13",
"status": "affected",
"version": "f948d6d8b792bb90041edc12eac35faf83030994",
"versionType": "git"
},
{
"lessThan": "be86241bf5d1efd16d8a7231c13b33459c5d755d",
"status": "affected",
"version": "f948d6d8b792bb90041edc12eac35faf83030994",
"versionType": "git"
},
{
"lessThan": "c403c81b577a67fe9ec6a2e89d143256487be50f",
"status": "affected",
"version": "f948d6d8b792bb90041edc12eac35faf83030994",
"versionType": "git"
},
{
"lessThan": "a9515ff4fb142b690a0d2b58782b15903b990dba",
"status": "affected",
"version": "f948d6d8b792bb90041edc12eac35faf83030994",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/of/overlay.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: overlay: Call of_changeset_init() early\n\nWhen of_overlay_fdt_apply() fails, the changeset may be partially\napplied, and the caller is still expected to call of_overlay_remove() to\nclean up this partial state.\n\nHowever, of_overlay_apply() calls of_resolve_phandles() before\ninit_overlay_changeset(). Hence if the overlay fails to apply due to an\nunresolved symbol, the overlay_changeset.cset.entries list is still\nuninitialized, and cleanup will crash with a NULL-pointer dereference in\noverlay_removal_is_ok().\n\nFix this by moving the call to of_changeset_init() from\ninit_overlay_changeset() to of_overlay_fdt_apply(), where all other\nearly initialization is done."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:22.012Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/01bb96ad38089f5cc6de7746dac13437d35eb1dc"
},
{
"url": "https://git.kernel.org/stable/c/3fb210cd521c9efcb211e9f5ce40fc907200bf13"
},
{
"url": "https://git.kernel.org/stable/c/be86241bf5d1efd16d8a7231c13b33459c5d755d"
},
{
"url": "https://git.kernel.org/stable/c/c403c81b577a67fe9ec6a2e89d143256487be50f"
},
{
"url": "https://git.kernel.org/stable/c/a9515ff4fb142b690a0d2b58782b15903b990dba"
}
],
"title": "of: overlay: Call of_changeset_init() early",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53856",
"datePublished": "2025-12-09T01:30:22.012Z",
"dateReserved": "2025-12-09T01:27:17.828Z",
"dateUpdated": "2025-12-09T01:30:22.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50633 (GCVE-0-2022-50633)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init
of_icc_get() alloc resources for path handle, we should release it when not
need anymore. Like the release in dwc3_qcom_interconnect_exit() function.
Add icc_put() in error handling to fix this.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: bea46b9815154ac47baf16b64022d791a4471375 , < f9089b95548f0272e02a89989c511e235561d051 (git) |
| Linux | Linux | Affected: bea46b9815154ac47baf16b64022d791a4471375 , < 56f6de394f0f57928cd401255a5c7866b68a77e3 (git) |
| Linux | Linux | Affected: bea46b9815154ac47baf16b64022d791a4471375 , < 8c39c8d23ff9fb1beb6e16cf0ae929c764538625 (git) |
| Linux | Linux | Affected: bea46b9815154ac47baf16b64022d791a4471375 , < 2f3b51189f7a7be5d822fb8c537d778c57eb9821 (git) |
| Linux | Linux | Affected: bea46b9815154ac47baf16b64022d791a4471375 , < 97a48da1619ba6bd42a0e5da0a03aa490a9496b1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/dwc3-qcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9089b95548f0272e02a89989c511e235561d051",
"status": "affected",
"version": "bea46b9815154ac47baf16b64022d791a4471375",
"versionType": "git"
},
{
"lessThan": "56f6de394f0f57928cd401255a5c7866b68a77e3",
"status": "affected",
"version": "bea46b9815154ac47baf16b64022d791a4471375",
"versionType": "git"
},
{
"lessThan": "8c39c8d23ff9fb1beb6e16cf0ae929c764538625",
"status": "affected",
"version": "bea46b9815154ac47baf16b64022d791a4471375",
"versionType": "git"
},
{
"lessThan": "2f3b51189f7a7be5d822fb8c537d778c57eb9821",
"status": "affected",
"version": "bea46b9815154ac47baf16b64022d791a4471375",
"versionType": "git"
},
{
"lessThan": "97a48da1619ba6bd42a0e5da0a03aa490a9496b1",
"status": "affected",
"version": "bea46b9815154ac47baf16b64022d791a4471375",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/dwc3-qcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.17",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init\n\nof_icc_get() alloc resources for path handle, we should release it when not\nneed anymore. Like the release in dwc3_qcom_interconnect_exit() function.\nAdd icc_put() in error handling to fix this."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:00.771Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9089b95548f0272e02a89989c511e235561d051"
},
{
"url": "https://git.kernel.org/stable/c/56f6de394f0f57928cd401255a5c7866b68a77e3"
},
{
"url": "https://git.kernel.org/stable/c/8c39c8d23ff9fb1beb6e16cf0ae929c764538625"
},
{
"url": "https://git.kernel.org/stable/c/2f3b51189f7a7be5d822fb8c537d778c57eb9821"
},
{
"url": "https://git.kernel.org/stable/c/97a48da1619ba6bd42a0e5da0a03aa490a9496b1"
}
],
"title": "usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50633",
"datePublished": "2025-12-09T00:00:00.771Z",
"dateReserved": "2025-12-08T23:57:43.369Z",
"dateUpdated": "2025-12-09T00:00:00.771Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40333 (GCVE-0-2025-40333)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-20 08:52
Title
f2fs: fix infinite loop in __insert_extent_tree()
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix infinite loop in __insert_extent_tree()
When we get wrong extent info data, and look up extent_node in rb tree,
it will cause infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoiding this by
return NULL and print some kernel messages in that case.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 765f8816d3959ef1f3f7f85e2af748594d091f40 (git) |
| Linux | Linux | Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < c0b9951bb2668d67eb4817bb23fc109abc08c075 (git) |
| Linux | Linux | Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < f4c31adcb2a0556f43776d4e51a67de88d7fb9ee (git) |
| Linux | Linux | Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 23361bd54966b437e1ed3eb1a704572f4b279e58 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/extent_cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "765f8816d3959ef1f3f7f85e2af748594d091f40",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "c0b9951bb2668d67eb4817bb23fc109abc08c075",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "f4c31adcb2a0556f43776d4e51a67de88d7fb9ee",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "23361bd54966b437e1ed3eb1a704572f4b279e58",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/extent_cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix infinite loop in __insert_extent_tree()\n\nWhen we get wrong extent info data, and look up extent_node in rb tree,\nit will cause infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoiding this by\nreturn NULL and print some kernel messages in that case."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:06.595Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/765f8816d3959ef1f3f7f85e2af748594d091f40"
},
{
"url": "https://git.kernel.org/stable/c/c0b9951bb2668d67eb4817bb23fc109abc08c075"
},
{
"url": "https://git.kernel.org/stable/c/f4c31adcb2a0556f43776d4e51a67de88d7fb9ee"
},
{
"url": "https://git.kernel.org/stable/c/23361bd54966b437e1ed3eb1a704572f4b279e58"
}
],
"title": "f2fs: fix infinite loop in __insert_extent_tree()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40333",
"datePublished": "2025-12-09T04:09:50.051Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-20T08:52:06.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53833 (GCVE-0-2023-53833)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
drm/i915: Fix NULL ptr deref by checking new_crtc_state
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Fix NULL ptr deref by checking new_crtc_state
intel_atomic_get_new_crtc_state can return NULL, unless crtc state wasn't
obtained previously with intel_atomic_get_crtc_state, so we must check it
for NULLness here, just as in many other places, where we can't guarantee
that intel_atomic_get_crtc_state was called.
We are currently getting NULL ptr deref because of that, so this fix was
confirmed to help.
(cherry picked from commit 1d5b09f8daf859247a1ea65b0d732a24d88980d8)
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 74a75dc908692dd0548209004e53832c02433c0c , < dbf25cc21beff4fd2e730573845a266504b21bb2 (git) |
| Linux | Linux | Affected: 74a75dc908692dd0548209004e53832c02433c0c , < 8b3c0d2d1685ba40b0af4ee1f8d8824a73870f88 (git) |
| Linux | Linux | Affected: 74a75dc908692dd0548209004e53832c02433c0c , < a41d985902c153c31c616fe183cf2ee331e95ecb (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/display/intel_atomic_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbf25cc21beff4fd2e730573845a266504b21bb2",
"status": "affected",
"version": "74a75dc908692dd0548209004e53832c02433c0c",
"versionType": "git"
},
{
"lessThan": "8b3c0d2d1685ba40b0af4ee1f8d8824a73870f88",
"status": "affected",
"version": "74a75dc908692dd0548209004e53832c02433c0c",
"versionType": "git"
},
{
"lessThan": "a41d985902c153c31c616fe183cf2ee331e95ecb",
"status": "affected",
"version": "74a75dc908692dd0548209004e53832c02433c0c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/display/intel_atomic_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix NULL ptr deref by checking new_crtc_state\n\nintel_atomic_get_new_crtc_state can return NULL, unless crtc state wasn\u0027t\nobtained previously with intel_atomic_get_crtc_state, so we must check it\nfor NULLness here, just as in many other places, where we can\u0027t guarantee\nthat intel_atomic_get_crtc_state was called.\nWe are currently getting NULL ptr deref because of that, so this fix was\nconfirmed to help.\n\n(cherry picked from commit 1d5b09f8daf859247a1ea65b0d732a24d88980d8)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:48.637Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbf25cc21beff4fd2e730573845a266504b21bb2"
},
{
"url": "https://git.kernel.org/stable/c/8b3c0d2d1685ba40b0af4ee1f8d8824a73870f88"
},
{
"url": "https://git.kernel.org/stable/c/a41d985902c153c31c616fe183cf2ee331e95ecb"
}
],
"title": "drm/i915: Fix NULL ptr deref by checking new_crtc_state",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53833",
"datePublished": "2025-12-09T01:29:48.637Z",
"dateReserved": "2025-12-09T01:27:17.825Z",
"dateUpdated": "2025-12-09T01:29:48.637Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50678 (GCVE-0-2022-50678)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-23 13:30
Title
wifi: brcmfmac: fix invalid address access when enabling SCAN log level
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix invalid address access when enabling SCAN log level
The variable i is changed when setting random MAC address and causes
invalid address access when printing the value of pi->reqs[i]->reqid.
We replace reqs index with ri to fix the issue.
[ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
[ 136.737365] Mem abort info:
[ 136.740172] ESR = 0x96000004
[ 136.743359] Exception class = DABT (current EL), IL = 32 bits
[ 136.749294] SET = 0, FnV = 0
[ 136.752481] EA = 0, S1PTW = 0
[ 136.755635] Data abort info:
[ 136.758514] ISV = 0, ISS = 0x00000004
[ 136.762487] CM = 0, WnR = 0
[ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577
[ 136.772265] [0000000000000000] pgd=0000000000000000
[ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O)
[ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb)
[ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1
[ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT)
[ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO)
[ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
[ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac]
[ 136.828162] sp : ffff00000e9a3880
[ 136.911146] Call trace:
[ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
[ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac]
[ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac]
[ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211]
[ 136.937298] genl_rcv_msg+0x358/0x3f4
[ 136.940960] netlink_rcv_skb+0xb4/0x118
[ 136.944795] genl_rcv+0x34/0x48
[ 136.947935] netlink_unicast+0x264/0x300
[ 136.951856] netlink_sendmsg+0x2e4/0x33c
[ 136.955781] __sys_sendto+0x120/0x19c
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 7ccb0529446ae68a8581916bfc95c353306d76ba (git) |
| Linux | Linux | Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 1c12d47a9017a7745585b57b9b0fdc0d8c50978e (git) |
| Linux | Linux | Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 56a0ac48634155d2b866b99fba7e1dd8df4e2804 (git) |
| Linux | Linux | Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 50e45034c5802cedbf5b707364ea76ace29ad984 (git) |
| Linux | Linux | Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 75995ce1c926ee87bf93d58977c766b4e7744715 (git) |
| Linux | Linux | Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 4d4dcfa6b4e85a878401f4fbae4cafc88cdcceb4 (git) |
| Linux | Linux | Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 826405a911473b6ee8bd2aa891cb2f03a13efa17 (git) |
| Linux | Linux | Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < aa666b68e73fc06d83c070d96180b9010cf5a960 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ccb0529446ae68a8581916bfc95c353306d76ba",
"status": "affected",
"version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
"versionType": "git"
},
{
"lessThan": "1c12d47a9017a7745585b57b9b0fdc0d8c50978e",
"status": "affected",
"version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
"versionType": "git"
},
{
"lessThan": "56a0ac48634155d2b866b99fba7e1dd8df4e2804",
"status": "affected",
"version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
"versionType": "git"
},
{
"lessThan": "50e45034c5802cedbf5b707364ea76ace29ad984",
"status": "affected",
"version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
"versionType": "git"
},
{
"lessThan": "75995ce1c926ee87bf93d58977c766b4e7744715",
"status": "affected",
"version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
"versionType": "git"
},
{
"lessThan": "4d4dcfa6b4e85a878401f4fbae4cafc88cdcceb4",
"status": "affected",
"version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
"versionType": "git"
},
{
"lessThan": "826405a911473b6ee8bd2aa891cb2f03a13efa17",
"status": "affected",
"version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
"versionType": "git"
},
{
"lessThan": "aa666b68e73fc06d83c070d96180b9010cf5a960",
"status": "affected",
"version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix invalid address access when enabling SCAN log level\n\nThe variable i is changed when setting random MAC address and causes\ninvalid address access when printing the value of pi-\u003ereqs[i]-\u003ereqid.\n\nWe replace reqs index with ri to fix the issue.\n\n[ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000\n[ 136.737365] Mem abort info:\n[ 136.740172] ESR = 0x96000004\n[ 136.743359] Exception class = DABT (current EL), IL = 32 bits\n[ 136.749294] SET = 0, FnV = 0\n[ 136.752481] EA = 0, S1PTW = 0\n[ 136.755635] Data abort info:\n[ 136.758514] ISV = 0, ISS = 0x00000004\n[ 136.762487] CM = 0, WnR = 0\n[ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577\n[ 136.772265] [0000000000000000] pgd=0000000000000000\n[ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP\n[ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O)\n[ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb)\n[ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1\n[ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT)\n[ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO)\n[ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]\n[ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac]\n[ 136.828162] sp : ffff00000e9a3880\n[ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400\n[ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0\n[ 136.842098] x25: ffff80002054345c x24: ffff800088d22400\n[ 136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8\n[ 136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400\n[ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000\n[ 136.863343] x17: 0000000000000000 x16: 0000000000000000\n[ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050\n[ 136.873966] x13: 
0000000000003135 x12: 0000000000000000\n[ 136.879277] x11: 0000000000000000 x10: ffff000009a61888\n[ 136.884589] x9 : 000000000000000f x8 : 0000000000000008\n[ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d\n[ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942\n[ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8\n[ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000\n[ 136.911146] Call trace:\n[ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]\n[ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac]\n[ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac]\n[ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211]\n[ 136.937298] genl_rcv_msg+0x358/0x3f4\n[ 136.940960] netlink_rcv_skb+0xb4/0x118\n[ 136.944795] genl_rcv+0x34/0x48\n[ 136.947935] netlink_unicast+0x264/0x300\n[ 136.951856] netlink_sendmsg+0x2e4/0x33c\n[ 136.955781] __sys_sendto+0x120/0x19c"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:30:31.837Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ccb0529446ae68a8581916bfc95c353306d76ba"
},
{
"url": "https://git.kernel.org/stable/c/1c12d47a9017a7745585b57b9b0fdc0d8c50978e"
},
{
"url": "https://git.kernel.org/stable/c/56a0ac48634155d2b866b99fba7e1dd8df4e2804"
},
{
"url": "https://git.kernel.org/stable/c/50e45034c5802cedbf5b707364ea76ace29ad984"
},
{
"url": "https://git.kernel.org/stable/c/75995ce1c926ee87bf93d58977c766b4e7744715"
},
{
"url": "https://git.kernel.org/stable/c/4d4dcfa6b4e85a878401f4fbae4cafc88cdcceb4"
},
{
"url": "https://git.kernel.org/stable/c/826405a911473b6ee8bd2aa891cb2f03a13efa17"
},
{
"url": "https://git.kernel.org/stable/c/aa666b68e73fc06d83c070d96180b9010cf5a960"
}
],
"title": "wifi: brcmfmac: fix invalid address access when enabling SCAN log level",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50678",
"datePublished": "2025-12-09T01:29:31.739Z",
"dateReserved": "2025-12-09T01:26:45.991Z",
"dateUpdated": "2025-12-23T13:30:31.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50640 (GCVE-0-2022-50640)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
mmc: core: Fix kernel panic when remove non-standard SDIO card
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: core: Fix kernel panic when remove non-standard SDIO card
SDIO tuple is only allocated for standard SDIO card, especially it causes
memory corruption issues when the non-standard SDIO card has removed, which
is because the card device's reference counter does not increase for it at
sdio_init_func(), but all SDIO card device reference counter gets decreased
at sdio_release_func().
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < b8b2965932e702b21e335ff30e1bb550f5a23b6f (git) |
| Linux | Linux | Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < b3275dde570b6420106a715bb58a0af041b94d95 (git) |
| Linux | Linux | Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 1fb79478695d92bab1c120ad3dad05252b02a29d (git) |
| Linux | Linux | Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 7a09c64b7da0abdec3919812e3d93ecc44069ed0 (git) |
| Linux | Linux | Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 8bf037279b5869ae9331c42bb1527d2680ebba96 (git) |
| Linux | Linux | Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 1e8cd93ae536581562bab4e1d8c5315bbc2548bf (git) |
| Linux | Linux | Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 66d461a92f32b6995b630625d350259b6b1f961b (git) |
| Linux | Linux | Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 9972e6b404884adae9eec7463e30d9b3c9a70b18 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/core/sdio_bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8b2965932e702b21e335ff30e1bb550f5a23b6f",
"status": "affected",
"version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
"versionType": "git"
},
{
"lessThan": "b3275dde570b6420106a715bb58a0af041b94d95",
"status": "affected",
"version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
"versionType": "git"
},
{
"lessThan": "1fb79478695d92bab1c120ad3dad05252b02a29d",
"status": "affected",
"version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
"versionType": "git"
},
{
"lessThan": "7a09c64b7da0abdec3919812e3d93ecc44069ed0",
"status": "affected",
"version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
"versionType": "git"
},
{
"lessThan": "8bf037279b5869ae9331c42bb1527d2680ebba96",
"status": "affected",
"version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
"versionType": "git"
},
{
"lessThan": "1e8cd93ae536581562bab4e1d8c5315bbc2548bf",
"status": "affected",
"version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
"versionType": "git"
},
{
"lessThan": "66d461a92f32b6995b630625d350259b6b1f961b",
"status": "affected",
"version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
"versionType": "git"
},
{
"lessThan": "9972e6b404884adae9eec7463e30d9b3c9a70b18",
"status": "affected",
"version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/core/sdio_bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.332",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.223",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.332",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.298",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.264",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.223",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.153",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.77",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: core: Fix kernel panic when remove non-standard SDIO card\n\nSDIO tuple is only allocated for standard SDIO card, especially it causes\nmemory corruption issues when the non-standard SDIO card has removed, which\nis because the card device\u0027s reference counter does not increase for it at\nsdio_init_func(), but all SDIO card device reference counter gets decreased\nat sdio_release_func()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:13.871Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8b2965932e702b21e335ff30e1bb550f5a23b6f"
},
{
"url": "https://git.kernel.org/stable/c/b3275dde570b6420106a715bb58a0af041b94d95"
},
{
"url": "https://git.kernel.org/stable/c/1fb79478695d92bab1c120ad3dad05252b02a29d"
},
{
"url": "https://git.kernel.org/stable/c/7a09c64b7da0abdec3919812e3d93ecc44069ed0"
},
{
"url": "https://git.kernel.org/stable/c/8bf037279b5869ae9331c42bb1527d2680ebba96"
},
{
"url": "https://git.kernel.org/stable/c/1e8cd93ae536581562bab4e1d8c5315bbc2548bf"
},
{
"url": "https://git.kernel.org/stable/c/66d461a92f32b6995b630625d350259b6b1f961b"
},
{
"url": "https://git.kernel.org/stable/c/9972e6b404884adae9eec7463e30d9b3c9a70b18"
}
],
"title": "mmc: core: Fix kernel panic when remove non-standard SDIO card",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50640",
"datePublished": "2025-12-09T00:00:13.871Z",
"dateReserved": "2025-12-08T23:57:43.370Z",
"dateUpdated": "2025-12-09T00:00:13.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53780 (GCVE-0-2023-53780)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-20 08:51
Title
drm/amd/display: fix FCLK pstate change underflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: fix FCLK pstate change underflow
[Why]
Currently we set FCLK p-state change
watermark calculated based on dummy
p-state latency when UCLK p-state is
not supported
[How]
Calculate FCLK p-state change watermark
based on FCLK pstate change latency
in case UCLK p-state is not supported
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 4bdfa48d74649898468a0bf5c8b8a48dded77b4a (git) |
| Linux | Linux | Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 6853d56dba56d1c24db403ff3885c71e18d572c4 (git) |
| Linux | Linux | Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 972243f973eb0821084e5833d5f7f4ed025f42da (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4bdfa48d74649898468a0bf5c8b8a48dded77b4a",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "6853d56dba56d1c24db403ff3885c71e18d572c4",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "972243f973eb0821084e5833d5f7f4ed025f42da",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix FCLK pstate change underflow\n\n[Why]\nCurrently we set FCLK p-state change\nwatermark calculated based on dummy\np-state latency when UCLK p-state is\nnot supported\n\n[How]\nCalculate FCLK p-state change watermark\nbased on on FCLK pstate change latency\nin case UCLK p-state is not supported"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:18.360Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4bdfa48d74649898468a0bf5c8b8a48dded77b4a"
},
{
"url": "https://git.kernel.org/stable/c/6853d56dba56d1c24db403ff3885c71e18d572c4"
},
{
"url": "https://git.kernel.org/stable/c/972243f973eb0821084e5833d5f7f4ed025f42da"
}
],
"title": "drm/amd/display: fix FCLK pstate change underflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53780",
"datePublished": "2025-12-09T00:00:35.925Z",
"dateReserved": "2025-12-08T23:58:35.272Z",
"dateUpdated": "2025-12-20T08:51:18.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50665 (GCVE-0-2022-50665)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
wifi: ath11k: fix failed to find the peer with peer_id 0 when disconnected
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix failed to find the peer with peer_id 0 when disconnected
It has a fail log which is ath11k_dbg in ath11k_dp_rx_process_mon_status(),
as below, it will not print when debug_mask is not set ATH11K_DBG_DATA.
    ath11k_dbg(ab, ATH11K_DBG_DATA,
               "failed to find the peer with peer_id %d\n",
               ppdu_info.peer_id);
When run scan with station disconnected, the peer_id is 0 for case
HAL_RX_MPDU_START in ath11k_hal_rx_parse_mon_status_tlv() which called
from ath11k_dp_rx_process_mon_status(), and the peer_id of ppdu_info is
reset to 0 in the while loop, so it does not match condition of the
check "if (ppdu_info->peer_id == HAL_INVALID_PEERID" in the loop, and
then the log "failed to find the peer with peer_id 0" print after the
check in the loop, it is below call stack when debug_mask is set
ATH11K_DBG_DATA.
The reason is this commit 01d2f285e3e5 ("ath11k: decode HE status tlv")
add "memset(ppdu_info, 0, sizeof(struct hal_rx_mon_ppdu_info))" in
ath11k_dp_rx_process_mon_status(), but the commit does not initialize
the peer_id to HAL_INVALID_PEERID, then lead the check mis-match.
Callstack of the failed log:
[12335.689072] RIP: 0010:ath11k_dp_rx_process_mon_status+0x9ea/0x1020 [ath11k]
[12335.689157] Code: 89 ff e8 f9 10 00 00 be 01 00 00 00 4c 89 f7 e8 dc 4b 4e de 48 8b 85 38 ff ff ff c7 80 e4 07 00 00 01 00 00 00 e9 20 f8 ff ff <0f> 0b 41 0f b7 96 be 06 00 00 48 c7 c6 b8 50 44 c1 4c 89 ff e8 fd
[12335.689180] RSP: 0018:ffffb874001a4ca0 EFLAGS: 00010246
[12335.689210] RAX: 0000000000000000 RBX: ffff995642cbd100 RCX: 0000000000000000
[12335.689229] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99564212cd18
[12335.689248] RBP: ffffb874001a4dc0 R08: 0000000000000001 R09: 0000000000000000
[12335.689268] R10: 0000000000000220 R11: ffffb874001a48e8 R12: ffff995642473d40
[12335.689286] R13: ffff99564212c5b8 R14: ffff9956424736a0 R15: ffff995642120000
[12335.689303] FS: 0000000000000000(0000) GS:ffff995739000000(0000) knlGS:0000000000000000
[12335.689323] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[12335.689341] CR2: 00007f43c5d5e039 CR3: 000000011c012005 CR4: 00000000000606e0
[12335.689360] Call Trace:
[12335.689377] <IRQ>
[12335.689418] ? rcu_read_lock_held_common+0x12/0x50
[12335.689447] ? rcu_read_lock_sched_held+0x25/0x80
[12335.689471] ? rcu_read_lock_held_common+0x12/0x50
[12335.689504] ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k]
[12335.689578] ? ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k]
[12335.689653] ? lock_acquire+0xef/0x360
[12335.689681] ? rcu_read_lock_sched_held+0x25/0x80
[12335.689713] ath11k_dp_service_mon_ring+0x38/0x60 [ath11k]
[12335.689784] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k]
[12335.689860] call_timer_fn+0xb2/0x2f0
[12335.689897] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k]
[12335.689970] run_timer_softirq+0x21f/0x540
[12335.689999] ? ktime_get+0xad/0x160
[12335.690025] ? lapic_next_deadline+0x2c/0x40
[12335.690053] ? clockevents_program_event+0x82/0x100
[12335.690093] __do_softirq+0x151/0x4a8
[12335.690135] irq_exit_rcu+0xc9/0x100
[12335.690165] sysvec_apic_timer_interrupt+0xa8/0xd0
[12335.690189] </IRQ>
[12335.690204] <TASK>
[12335.690225] asm_sysvec_apic_timer_interrupt+0x12/0x20
Reset the default value to HAL_INVALID_PEERID each time after memset
of ppdu_info as well as others memset which existed in function
ath11k_dp_rx_process_mon_status(), then the failed log disappeared.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 01d2f285e3e5b629df9c61514e7ee07a54d0eed9 , < c0bb97a90b133416b50b3ffbdb7efca9253cc687 (git) |
| Linux | Linux | Affected: 01d2f285e3e5b629df9c61514e7ee07a54d0eed9 , < a5b03df19041e5ce35c7f048fa84bf1b0ceb1311 (git) |
| Linux | Linux | Affected: 01d2f285e3e5b629df9c61514e7ee07a54d0eed9 , < a20ed60bb357776301c2dad7b4a4f0db97e143e9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/dp_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c0bb97a90b133416b50b3ffbdb7efca9253cc687",
"status": "affected",
"version": "01d2f285e3e5b629df9c61514e7ee07a54d0eed9",
"versionType": "git"
},
{
"lessThan": "a5b03df19041e5ce35c7f048fa84bf1b0ceb1311",
"status": "affected",
"version": "01d2f285e3e5b629df9c61514e7ee07a54d0eed9",
"versionType": "git"
},
{
"lessThan": "a20ed60bb357776301c2dad7b4a4f0db97e143e9",
"status": "affected",
"version": "01d2f285e3e5b629df9c61514e7ee07a54d0eed9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/dp_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix failed to find the peer with peer_id 0 when disconnected\n\nIt has a fail log which is ath11k_dbg in ath11k_dp_rx_process_mon_status(),\nas below, it will not print when debug_mask is not set ATH11K_DBG_DATA.\n\tath11k_dbg(ab, ATH11K_DBG_DATA,\n\t\t \"failed to find the peer with peer_id %d\\n\",\n\t\t ppdu_info.peer_id);\n\nWhen run scan with station disconnected, the peer_id is 0 for case\nHAL_RX_MPDU_START in ath11k_hal_rx_parse_mon_status_tlv() which called\nfrom ath11k_dp_rx_process_mon_status(), and the peer_id of ppdu_info is\nreset to 0 in the while loop, so it does not match condition of the\ncheck \"if (ppdu_info-\u003epeer_id == HAL_INVALID_PEERID\" in the loop, and\nthen the log \"failed to find the peer with peer_id 0\" print after the\ncheck in the loop, it is below call stack when debug_mask is set\nATH11K_DBG_DATA.\n\nThe reason is this commit 01d2f285e3e5 (\"ath11k: decode HE status tlv\")\nadd \"memset(ppdu_info, 0, sizeof(struct hal_rx_mon_ppdu_info))\" in\nath11k_dp_rx_process_mon_status(), but the commit does not initialize\nthe peer_id to HAL_INVALID_PEERID, then lead the check mis-match.\n\nCallstack of the failed log:\n[12335.689072] RIP: 0010:ath11k_dp_rx_process_mon_status+0x9ea/0x1020 [ath11k]\n[12335.689157] Code: 89 ff e8 f9 10 00 00 be 01 00 00 00 4c 89 f7 e8 dc 4b 4e de 48 8b 85 38 ff ff ff c7 80 e4 07 00 00 01 00 00 00 e9 20 f8 ff ff \u003c0f\u003e 0b 41 0f b7 96 be 06 00 00 48 c7 c6 b8 50 44 c1 4c 89 ff e8 fd\n[12335.689180] RSP: 0018:ffffb874001a4ca0 EFLAGS: 00010246\n[12335.689210] RAX: 0000000000000000 RBX: ffff995642cbd100 RCX: 0000000000000000\n[12335.689229] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99564212cd18\n[12335.689248] RBP: ffffb874001a4dc0 R08: 0000000000000001 R09: 0000000000000000\n[12335.689268] R10: 0000000000000220 R11: ffffb874001a48e8 R12: ffff995642473d40\n[12335.689286] R13: ffff99564212c5b8 R14: 
ffff9956424736a0 R15: ffff995642120000\n[12335.689303] FS: 0000000000000000(0000) GS:ffff995739000000(0000) knlGS:0000000000000000\n[12335.689323] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[12335.689341] CR2: 00007f43c5d5e039 CR3: 000000011c012005 CR4: 00000000000606e0\n[12335.689360] Call Trace:\n[12335.689377] \u003cIRQ\u003e\n[12335.689418] ? rcu_read_lock_held_common+0x12/0x50\n[12335.689447] ? rcu_read_lock_sched_held+0x25/0x80\n[12335.689471] ? rcu_read_lock_held_common+0x12/0x50\n[12335.689504] ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k]\n[12335.689578] ? ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k]\n[12335.689653] ? lock_acquire+0xef/0x360\n[12335.689681] ? rcu_read_lock_sched_held+0x25/0x80\n[12335.689713] ath11k_dp_service_mon_ring+0x38/0x60 [ath11k]\n[12335.689784] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k]\n[12335.689860] call_timer_fn+0xb2/0x2f0\n[12335.689897] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k]\n[12335.689970] run_timer_softirq+0x21f/0x540\n[12335.689999] ? ktime_get+0xad/0x160\n[12335.690025] ? lapic_next_deadline+0x2c/0x40\n[12335.690053] ? clockevents_program_event+0x82/0x100\n[12335.690093] __do_softirq+0x151/0x4a8\n[12335.690135] irq_exit_rcu+0xc9/0x100\n[12335.690165] sysvec_apic_timer_interrupt+0xa8/0xd0\n[12335.690189] \u003c/IRQ\u003e\n[12335.690204] \u003cTASK\u003e\n[12335.690225] asm_sysvec_apic_timer_interrupt+0x12/0x20\n\nReset the default value to HAL_INVALID_PEERID each time after memset\nof ppdu_info as well as others memset which existed in function\nath11k_dp_rx_process_mon_status(), then the failed log disappeared.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:15.255Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c0bb97a90b133416b50b3ffbdb7efca9253cc687"
},
{
"url": "https://git.kernel.org/stable/c/a5b03df19041e5ce35c7f048fa84bf1b0ceb1311"
},
{
"url": "https://git.kernel.org/stable/c/a20ed60bb357776301c2dad7b4a4f0db97e143e9"
}
],
"title": "wifi: ath11k: fix failed to find the peer with peer_id 0 when disconnected",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50665",
"datePublished": "2025-12-09T01:29:15.255Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-09T01:29:15.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53831 (GCVE-0-2023-53831)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
net: read sk->sk_family once in sk_mc_loop()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: read sk->sk_family once in sk_mc_loop()
syzbot is playing with IPV6_ADDRFORM quite a lot these days,
and managed to hit the WARN_ON_ONCE(1) in sk_mc_loop()
We have many more similar issues to fix.
WARNING: CPU: 1 PID: 1593 at net/core/sock.c:782 sk_mc_loop+0x165/0x260
Modules linked in:
CPU: 1 PID: 1593 Comm: kworker/1:3 Not tainted 6.1.40-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Workqueue: events_power_efficient gc_worker
RIP: 0010:sk_mc_loop+0x165/0x260 net/core/sock.c:782
Code: 34 1b fd 49 81 c7 18 05 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ff e8 25 36 6d fd 4d 8b 37 eb 13 e8 db 33 1b fd <0f> 0b b3 01 eb 34 e8 d0 33 1b fd 45 31 f6 49 83 c6 38 4c 89 f0 48
RSP: 0018:ffffc90000388530 EFLAGS: 00010246
RAX: ffffffff846d9b55 RBX: 0000000000000011 RCX: ffff88814f884980
RDX: 0000000000000102 RSI: ffffffff87ae5160 RDI: 0000000000000011
RBP: ffffc90000388550 R08: 0000000000000003 R09: ffffffff846d9a65
R10: 0000000000000002 R11: ffff88814f884980 R12: dffffc0000000000
R13: ffff88810dbee000 R14: 0000000000000010 R15: ffff888150084000
FS: 0000000000000000(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000180 CR3: 000000014ee5b000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
[<ffffffff8507734f>] ip6_finish_output2+0x33f/0x1ae0 net/ipv6/ip6_output.c:83
[<ffffffff85062766>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
[<ffffffff85062766>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
[<ffffffff85061f8c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
[<ffffffff85061f8c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
[<ffffffff852071cf>] dst_output include/net/dst.h:444 [inline]
[<ffffffff852071cf>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
[<ffffffff83618fb4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
[<ffffffff83618fb4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
[<ffffffff83618fb4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
[<ffffffff83618fb4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
[<ffffffff8361ddd9>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
[<ffffffff84763fc0>] netdev_start_xmit include/linux/netdevice.h:4925 [inline]
[<ffffffff84763fc0>] xmit_one net/core/dev.c:3644 [inline]
[<ffffffff84763fc0>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
[<ffffffff8494c650>] sch_direct_xmit+0x2a0/0x9c0 net/sched/sch_generic.c:342
[<ffffffff8494d883>] qdisc_restart net/sched/sch_generic.c:407 [inline]
[<ffffffff8494d883>] __qdisc_run+0xb13/0x1e70 net/sched/sch_generic.c:415
[<ffffffff8478c426>] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125
[<ffffffff84796eac>] net_tx_action+0x7ac/0x940 net/core/dev.c:5247
[<ffffffff858002bd>] __do_softirq+0x2bd/0x9bd kernel/softirq.c:599
[<ffffffff814c3fe8>] invoke_softirq kernel/softirq.c:430 [inline]
[<ffffffff814c3fe8>] __irq_exit_rcu+0xc8/0x170 kernel/softirq.c:683
[<ffffffff814c3f09>] irq_exit_rcu+0x9/0x20 kernel/softirq.c:695
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7ad6848c7e81a603605fad3f3575841aab004eea, < 7586a66b9c4f1b8a825ea1dfa3a91aad5cc7b89b (git) |
| Linux | Linux | Affected: 7ad6848c7e81a603605fad3f3575841aab004eea, < e918d0211ffbaf039447334c3460cafee1ce0157 (git) |
| Linux | Linux | Affected: 7ad6848c7e81a603605fad3f3575841aab004eea, < 41f10a4d78fe69d685a3172e6884297f233dcf95 (git) |
| Linux | Linux | Affected: 7ad6848c7e81a603605fad3f3575841aab004eea, < 895dc4c47171a20035cdaa8d74c1c1e97f2fc974 (git) |
| Linux | Linux | Affected: 7ad6848c7e81a603605fad3f3575841aab004eea, < ed4e0adfa407ab65dd73b8862ebf2f308a0349d2 (git) |
| Linux | Linux | Affected: 7ad6848c7e81a603605fad3f3575841aab004eea, < 9036b6342fcdab190d6edce3dd447859c1de90fc (git) |
| Linux | Linux | Affected: 7ad6848c7e81a603605fad3f3575841aab004eea, < b1f5b890b89cb38a6c0bac91984d56cd69808e8c (git) |
| Linux | Linux | Affected: 7ad6848c7e81a603605fad3f3575841aab004eea, < a3e0fdf71bbe031de845e8e08ed7fba49f9c702c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7586a66b9c4f1b8a825ea1dfa3a91aad5cc7b89b",
"status": "affected",
"version": "7ad6848c7e81a603605fad3f3575841aab004eea",
"versionType": "git"
},
{
"lessThan": "e918d0211ffbaf039447334c3460cafee1ce0157",
"status": "affected",
"version": "7ad6848c7e81a603605fad3f3575841aab004eea",
"versionType": "git"
},
{
"lessThan": "41f10a4d78fe69d685a3172e6884297f233dcf95",
"status": "affected",
"version": "7ad6848c7e81a603605fad3f3575841aab004eea",
"versionType": "git"
},
{
"lessThan": "895dc4c47171a20035cdaa8d74c1c1e97f2fc974",
"status": "affected",
"version": "7ad6848c7e81a603605fad3f3575841aab004eea",
"versionType": "git"
},
{
"lessThan": "ed4e0adfa407ab65dd73b8862ebf2f308a0349d2",
"status": "affected",
"version": "7ad6848c7e81a603605fad3f3575841aab004eea",
"versionType": "git"
},
{
"lessThan": "9036b6342fcdab190d6edce3dd447859c1de90fc",
"status": "affected",
"version": "7ad6848c7e81a603605fad3f3575841aab004eea",
"versionType": "git"
},
{
"lessThan": "b1f5b890b89cb38a6c0bac91984d56cd69808e8c",
"status": "affected",
"version": "7ad6848c7e81a603605fad3f3575841aab004eea",
"versionType": "git"
},
{
"lessThan": "a3e0fdf71bbe031de845e8e08ed7fba49f9c702c",
"status": "affected",
"version": "7ad6848c7e81a603605fad3f3575841aab004eea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: read sk-\u003esk_family once in sk_mc_loop()\n\nsyzbot is playing with IPV6_ADDRFORM quite a lot these days,\nand managed to hit the WARN_ON_ONCE(1) in sk_mc_loop()\n\nWe have many more similar issues to fix.\n\nWARNING: CPU: 1 PID: 1593 at net/core/sock.c:782 sk_mc_loop+0x165/0x260\nModules linked in:\nCPU: 1 PID: 1593 Comm: kworker/1:3 Not tainted 6.1.40-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023\nWorkqueue: events_power_efficient gc_worker\nRIP: 0010:sk_mc_loop+0x165/0x260 net/core/sock.c:782\nCode: 34 1b fd 49 81 c7 18 05 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ff e8 25 36 6d fd 4d 8b 37 eb 13 e8 db 33 1b fd \u003c0f\u003e 0b b3 01 eb 34 e8 d0 33 1b fd 45 31 f6 49 83 c6 38 4c 89 f0 48\nRSP: 0018:ffffc90000388530 EFLAGS: 00010246\nRAX: ffffffff846d9b55 RBX: 0000000000000011 RCX: ffff88814f884980\nRDX: 0000000000000102 RSI: ffffffff87ae5160 RDI: 0000000000000011\nRBP: ffffc90000388550 R08: 0000000000000003 R09: ffffffff846d9a65\nR10: 0000000000000002 R11: ffff88814f884980 R12: dffffc0000000000\nR13: ffff88810dbee000 R14: 0000000000000010 R15: ffff888150084000\nFS: 0000000000000000(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000180 CR3: 000000014ee5b000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cIRQ\u003e\n[\u003cffffffff8507734f\u003e] ip6_finish_output2+0x33f/0x1ae0 net/ipv6/ip6_output.c:83\n[\u003cffffffff85062766\u003e] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]\n[\u003cffffffff85062766\u003e] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211\n[\u003cffffffff85061f8c\u003e] NF_HOOK_COND include/linux/netfilter.h:298 [inline]\n[\u003cffffffff85061f8c\u003e] ip6_output+0x2bc/0x3d0 
net/ipv6/ip6_output.c:232\n[\u003cffffffff852071cf\u003e] dst_output include/net/dst.h:444 [inline]\n[\u003cffffffff852071cf\u003e] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161\n[\u003cffffffff83618fb4\u003e] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]\n[\u003cffffffff83618fb4\u003e] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]\n[\u003cffffffff83618fb4\u003e] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n[\u003cffffffff83618fb4\u003e] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677\n[\u003cffffffff8361ddd9\u003e] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229\n[\u003cffffffff84763fc0\u003e] netdev_start_xmit include/linux/netdevice.h:4925 [inline]\n[\u003cffffffff84763fc0\u003e] xmit_one net/core/dev.c:3644 [inline]\n[\u003cffffffff84763fc0\u003e] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660\n[\u003cffffffff8494c650\u003e] sch_direct_xmit+0x2a0/0x9c0 net/sched/sch_generic.c:342\n[\u003cffffffff8494d883\u003e] qdisc_restart net/sched/sch_generic.c:407 [inline]\n[\u003cffffffff8494d883\u003e] __qdisc_run+0xb13/0x1e70 net/sched/sch_generic.c:415\n[\u003cffffffff8478c426\u003e] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125\n[\u003cffffffff84796eac\u003e] net_tx_action+0x7ac/0x940 net/core/dev.c:5247\n[\u003cffffffff858002bd\u003e] __do_softirq+0x2bd/0x9bd kernel/softirq.c:599\n[\u003cffffffff814c3fe8\u003e] invoke_softirq kernel/softirq.c:430 [inline]\n[\u003cffffffff814c3fe8\u003e] __irq_exit_rcu+0xc8/0x170 kernel/softirq.c:683\n[\u003cffffffff814c3f09\u003e] irq_exit_rcu+0x9/0x20 kernel/softirq.c:695"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:46.374Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7586a66b9c4f1b8a825ea1dfa3a91aad5cc7b89b"
},
{
"url": "https://git.kernel.org/stable/c/e918d0211ffbaf039447334c3460cafee1ce0157"
},
{
"url": "https://git.kernel.org/stable/c/41f10a4d78fe69d685a3172e6884297f233dcf95"
},
{
"url": "https://git.kernel.org/stable/c/895dc4c47171a20035cdaa8d74c1c1e97f2fc974"
},
{
"url": "https://git.kernel.org/stable/c/ed4e0adfa407ab65dd73b8862ebf2f308a0349d2"
},
{
"url": "https://git.kernel.org/stable/c/9036b6342fcdab190d6edce3dd447859c1de90fc"
},
{
"url": "https://git.kernel.org/stable/c/b1f5b890b89cb38a6c0bac91984d56cd69808e8c"
},
{
"url": "https://git.kernel.org/stable/c/a3e0fdf71bbe031de845e8e08ed7fba49f9c702c"
}
],
"title": "net: read sk-\u003esk_family once in sk_mc_loop()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53831",
"datePublished": "2025-12-09T01:29:46.374Z",
"dateReserved": "2025-12-09T01:27:17.825Z",
"dateUpdated": "2025-12-09T01:29:46.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50668 (GCVE-0-2022-50668)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
ext4: fix deadlock due to mbcache entry corruption
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix deadlock due to mbcache entry corruption
When manipulating xattr blocks, we can deadlock infinitely looping
inside ext4_xattr_block_set() where we constantly keep finding xattr
block for reuse in mbcache but we are unable to reuse it because its
reference count is too big. This happens because cache entry for the
xattr block is marked as reusable (e_reusable set) although its
reference count is too big. When this inconsistency happens, this
inconsistent state is kept indefinitely and so ext4_xattr_block_set()
keeps retrying indefinitely.
The inconsistent state is caused by non-atomic update of e_reusable bit.
e_reusable is part of a bitfield and e_reusable update can race with
update of e_referenced bit in the same bitfield resulting in loss of one
of the updates. Fix the problem by using atomic bitops instead.
This bug has been around for many years, but it became *much* easier
to hit after commit 65f8b80053a1 ("ext4: fix race when reusing xattr
blocks").
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6048c64b26097a0ffbd966866b599f990e674e9b, < efaa0ca678f56d47316a08030b2515678cebbc50 (git) |
| Linux | Linux | Affected: 6048c64b26097a0ffbd966866b599f990e674e9b, < af53065276376750dfac35a7248af18806404c5d (git) |
| Linux | Linux | Affected: 6048c64b26097a0ffbd966866b599f990e674e9b, < 1be16a0c2f10186df505e28b0cc92d7f3366e2a8 (git) |
| Linux | Linux | Affected: 6048c64b26097a0ffbd966866b599f990e674e9b, < 5bc0b2fda4b47c86278f7c6d30c211f425bf51cf (git) |
| Linux | Linux | Affected: 6048c64b26097a0ffbd966866b599f990e674e9b, < 127b80cefb941a81255c72f11081123f3a705369 (git) |
| Linux | Linux | Affected: 6048c64b26097a0ffbd966866b599f990e674e9b, < cc1538c693d25e282bed8c54b65c914a04023a78 (git) |
| Linux | Linux | Affected: 6048c64b26097a0ffbd966866b599f990e674e9b, < a44e84a9b7764c72896f7241a0ec9ac7e7ef38dd (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c",
"fs/mbcache.c",
"include/linux/mbcache.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "efaa0ca678f56d47316a08030b2515678cebbc50",
"status": "affected",
"version": "6048c64b26097a0ffbd966866b599f990e674e9b",
"versionType": "git"
},
{
"lessThan": "af53065276376750dfac35a7248af18806404c5d",
"status": "affected",
"version": "6048c64b26097a0ffbd966866b599f990e674e9b",
"versionType": "git"
},
{
"lessThan": "1be16a0c2f10186df505e28b0cc92d7f3366e2a8",
"status": "affected",
"version": "6048c64b26097a0ffbd966866b599f990e674e9b",
"versionType": "git"
},
{
"lessThan": "5bc0b2fda4b47c86278f7c6d30c211f425bf51cf",
"status": "affected",
"version": "6048c64b26097a0ffbd966866b599f990e674e9b",
"versionType": "git"
},
{
"lessThan": "127b80cefb941a81255c72f11081123f3a705369",
"status": "affected",
"version": "6048c64b26097a0ffbd966866b599f990e674e9b",
"versionType": "git"
},
{
"lessThan": "cc1538c693d25e282bed8c54b65c914a04023a78",
"status": "affected",
"version": "6048c64b26097a0ffbd966866b599f990e674e9b",
"versionType": "git"
},
{
"lessThan": "a44e84a9b7764c72896f7241a0ec9ac7e7ef38dd",
"status": "affected",
"version": "6048c64b26097a0ffbd966866b599f990e674e9b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c",
"fs/mbcache.c",
"include/linux/mbcache.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix deadlock due to mbcache entry corruption\n\nWhen manipulating xattr blocks, we can deadlock infinitely looping\ninside ext4_xattr_block_set() where we constantly keep finding xattr\nblock for reuse in mbcache but we are unable to reuse it because its\nreference count is too big. This happens because cache entry for the\nxattr block is marked as reusable (e_reusable set) although its\nreference count is too big. When this inconsistency happens, this\ninconsistent state is kept indefinitely and so ext4_xattr_block_set()\nkeeps retrying indefinitely.\n\nThe inconsistent state is caused by non-atomic update of e_reusable bit.\ne_reusable is part of a bitfield and e_reusable update can race with\nupdate of e_referenced bit in the same bitfield resulting in loss of one\nof the updates. Fix the problem by using atomic bitops instead.\n\nThis bug has been around for many years, but it became *much* easier\nto hit after commit 65f8b80053a1 (\"ext4: fix race when reusing xattr\nblocks\")."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:19.526Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/efaa0ca678f56d47316a08030b2515678cebbc50"
},
{
"url": "https://git.kernel.org/stable/c/af53065276376750dfac35a7248af18806404c5d"
},
{
"url": "https://git.kernel.org/stable/c/1be16a0c2f10186df505e28b0cc92d7f3366e2a8"
},
{
"url": "https://git.kernel.org/stable/c/5bc0b2fda4b47c86278f7c6d30c211f425bf51cf"
},
{
"url": "https://git.kernel.org/stable/c/127b80cefb941a81255c72f11081123f3a705369"
},
{
"url": "https://git.kernel.org/stable/c/cc1538c693d25e282bed8c54b65c914a04023a78"
},
{
"url": "https://git.kernel.org/stable/c/a44e84a9b7764c72896f7241a0ec9ac7e7ef38dd"
}
],
"title": "ext4: fix deadlock due to mbcache entry corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50668",
"datePublished": "2025-12-09T01:29:19.526Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-09T01:29:19.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50636 (GCVE-0-2022-50636)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-23 13:30
Title
PCI: Fix pci_device_is_present() for VFs by checking PF
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: Fix pci_device_is_present() for VFs by checking PF
pci_device_is_present() previously didn't work for VFs because it reads the
Vendor and Device ID, which are 0xffff for VFs, which looks like they
aren't present. Check the PF instead.
Wei Gong reported that if virtio I/O is in progress when the driver is
unbound or "0" is written to /sys/.../sriov_numvfs, the virtio I/O
operation hangs, which may result in output like this:
task:bash state:D stack: 0 pid: 1773 ppid: 1241 flags:0x00004002
Call Trace:
schedule+0x4f/0xc0
blk_mq_freeze_queue_wait+0x69/0xa0
blk_mq_freeze_queue+0x1b/0x20
blk_cleanup_queue+0x3d/0xd0
virtblk_remove+0x3c/0xb0 [virtio_blk]
virtio_dev_remove+0x4b/0x80
...
device_unregister+0x1b/0x60
unregister_virtio_device+0x18/0x30
virtio_pci_remove+0x41/0x80
pci_device_remove+0x3e/0xb0
This happened because pci_device_is_present(VF) returned "false" in
virtio_pci_remove(), so it called virtio_break_device(). The broken vq
meant that vring_interrupt() skipped the vq.callback() that would have
completed the virtio I/O operation via virtblk_done().
[bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag]
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8496e85c20e7836b3dec97780e40f420a3ae2801, < f4b44c7766dae2b8681f621941cabe9f14066d59 (git) |
| Linux | Linux | Affected: 8496e85c20e7836b3dec97780e40f420a3ae2801, < 643d77fda08d06f863af35e80a7e517ea61d9629 (git) |
| Linux | Linux | Affected: 8496e85c20e7836b3dec97780e40f420a3ae2801, < 65bd0962992abd42e77a05e68c7b40e7c73726d1 (git) |
| Linux | Linux | Affected: 8496e85c20e7836b3dec97780e40f420a3ae2801, < 99ef6cc791584495987dd11b14769b450dfa5820 (git) |
| Linux | Linux | Affected: 8496e85c20e7836b3dec97780e40f420a3ae2801, < 67fd41bbb0f51aa648a47f728b99e6f1fa2ccc34 (git) |
| Linux | Linux | Affected: 8496e85c20e7836b3dec97780e40f420a3ae2801, < 81565e51ccaf6fff8910e997ee22e16b5e1dabc3 (git) |
| Linux | Linux | Affected: 8496e85c20e7836b3dec97780e40f420a3ae2801, < 518573988a2f14f517403db2ece5ddaefba21e94 (git) |
| Linux | Linux | Affected: 8496e85c20e7836b3dec97780e40f420a3ae2801, < 98b04dd0b4577894520493d96bc4623387767445 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4b44c7766dae2b8681f621941cabe9f14066d59",
"status": "affected",
"version": "8496e85c20e7836b3dec97780e40f420a3ae2801",
"versionType": "git"
},
{
"lessThan": "643d77fda08d06f863af35e80a7e517ea61d9629",
"status": "affected",
"version": "8496e85c20e7836b3dec97780e40f420a3ae2801",
"versionType": "git"
},
{
"lessThan": "65bd0962992abd42e77a05e68c7b40e7c73726d1",
"status": "affected",
"version": "8496e85c20e7836b3dec97780e40f420a3ae2801",
"versionType": "git"
},
{
"lessThan": "99ef6cc791584495987dd11b14769b450dfa5820",
"status": "affected",
"version": "8496e85c20e7836b3dec97780e40f420a3ae2801",
"versionType": "git"
},
{
"lessThan": "67fd41bbb0f51aa648a47f728b99e6f1fa2ccc34",
"status": "affected",
"version": "8496e85c20e7836b3dec97780e40f420a3ae2801",
"versionType": "git"
},
{
"lessThan": "81565e51ccaf6fff8910e997ee22e16b5e1dabc3",
"status": "affected",
"version": "8496e85c20e7836b3dec97780e40f420a3ae2801",
"versionType": "git"
},
{
"lessThan": "518573988a2f14f517403db2ece5ddaefba21e94",
"status": "affected",
"version": "8496e85c20e7836b3dec97780e40f420a3ae2801",
"versionType": "git"
},
{
"lessThan": "98b04dd0b4577894520493d96bc4623387767445",
"status": "affected",
"version": "8496e85c20e7836b3dec97780e40f420a3ae2801",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix pci_device_is_present() for VFs by checking PF\n\npci_device_is_present() previously didn\u0027t work for VFs because it reads the\nVendor and Device ID, which are 0xffff for VFs, which looks like they\naren\u0027t present. Check the PF instead.\n\nWei Gong reported that if virtio I/O is in progress when the driver is\nunbound or \"0\" is written to /sys/.../sriov_numvfs, the virtio I/O\noperation hangs, which may result in output like this:\n\n task:bash state:D stack: 0 pid: 1773 ppid: 1241 flags:0x00004002\n Call Trace:\n schedule+0x4f/0xc0\n blk_mq_freeze_queue_wait+0x69/0xa0\n blk_mq_freeze_queue+0x1b/0x20\n blk_cleanup_queue+0x3d/0xd0\n virtblk_remove+0x3c/0xb0 [virtio_blk]\n virtio_dev_remove+0x4b/0x80\n ...\n device_unregister+0x1b/0x60\n unregister_virtio_device+0x18/0x30\n virtio_pci_remove+0x41/0x80\n pci_device_remove+0x3e/0xb0\n\nThis happened because pci_device_is_present(VF) returned \"false\" in\nvirtio_pci_remove(), so it called virtio_break_device(). The broken vq\nmeant that vring_interrupt() skipped the vq.callback() that would have\ncompleted the virtio I/O operation via virtblk_done().\n\n[bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:30:23.226Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4b44c7766dae2b8681f621941cabe9f14066d59"
},
{
"url": "https://git.kernel.org/stable/c/643d77fda08d06f863af35e80a7e517ea61d9629"
},
{
"url": "https://git.kernel.org/stable/c/65bd0962992abd42e77a05e68c7b40e7c73726d1"
},
{
"url": "https://git.kernel.org/stable/c/99ef6cc791584495987dd11b14769b450dfa5820"
},
{
"url": "https://git.kernel.org/stable/c/67fd41bbb0f51aa648a47f728b99e6f1fa2ccc34"
},
{
"url": "https://git.kernel.org/stable/c/81565e51ccaf6fff8910e997ee22e16b5e1dabc3"
},
{
"url": "https://git.kernel.org/stable/c/518573988a2f14f517403db2ece5ddaefba21e94"
},
{
"url": "https://git.kernel.org/stable/c/98b04dd0b4577894520493d96bc4623387767445"
}
],
"title": "PCI: Fix pci_device_is_present() for VFs by checking PF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50636",
"datePublished": "2025-12-09T00:00:09.737Z",
"dateReserved": "2025-12-08T23:57:43.370Z",
"dateUpdated": "2025-12-23T13:30:23.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53859 (GCVE-0-2023-53859)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2026-01-05 10:33
Title
s390/idle: mark arch_cpu_idle() noinstr
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/idle: mark arch_cpu_idle() noinstr
linux-next commit ("cpuidle: tracing: Warn about !rcu_is_watching()")
adds a new warning which hits on s390's arch_cpu_idle() function:
RCU not on for: arch_cpu_idle+0x0/0x28
WARNING: CPU: 2 PID: 0 at include/linux/trace_recursion.h:162 arch_ftrace_ops_list_func+0x24c/0x258
Modules linked in:
CPU: 2 PID: 0 Comm: swapper/2 Not tainted 6.2.0-rc6-next-20230202 #4
Hardware name: IBM 8561 T01 703 (z/VM 7.3.0)
Krnl PSW : 0404d00180000000 00000000002b55c0 (arch_ftrace_ops_list_func+0x250/0x258)
R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3
Krnl GPRS: c0000000ffffbfff 0000000080000002 0000000000000026 0000000000000000
0000037ffffe3a28 0000037ffffe3a20 0000000000000000 0000000000000000
0000000000000000 0000000000f4acf6 00000000001044f0 0000037ffffe3cb0
0000000000000000 0000000000000000 00000000002b55bc 0000037ffffe3bb8
Krnl Code: 00000000002b55b0: c02000840051 larl %r2,0000000001335652
00000000002b55b6: c0e5fff512d1 brasl %r14,0000000000157b58
#00000000002b55bc: af000000 mc 0,0
>00000000002b55c0: a7f4ffe7 brc 15,00000000002b558e
00000000002b55c4: 0707 bcr 0,%r7
00000000002b55c6: 0707 bcr 0,%r7
00000000002b55c8: eb6ff0480024 stmg %r6,%r15,72(%r15)
00000000002b55ce: b90400ef lgr %r14,%r15
Call Trace:
[<00000000002b55c0>] arch_ftrace_ops_list_func+0x250/0x258
([<00000000002b55bc>] arch_ftrace_ops_list_func+0x24c/0x258)
[<0000000000f5f0fc>] ftrace_common+0x1c/0x20
[<00000000001044f6>] arch_cpu_idle+0x6/0x28
[<0000000000f4acf6>] default_idle_call+0x76/0x128
[<00000000001cc374>] do_idle+0xf4/0x1b0
[<00000000001cc6ce>] cpu_startup_entry+0x36/0x40
[<0000000000119d00>] smp_start_secondary+0x140/0x150
[<0000000000f5d2ae>] restart_int_handler+0x6e/0x90
Mark arch_cpu_idle() noinstr like all other architectures with
CONFIG_ARCH_WANTS_NO_INSTR (should) have it to fix this.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1098582a0f6c4e8fd28da0a6305f9233d02c9c1d, < 49aa49952116b8fd56bfb1e8c69bce179f49bece (git) |
| Linux | Linux | Affected: 1098582a0f6c4e8fd28da0a6305f9233d02c9c1d, < 611c390217106c46e24e1af3db83187339d447ea (git) |
| Linux | Linux | Affected: 1098582a0f6c4e8fd28da0a6305f9233d02c9c1d, < fc60c4f12d8a056f20d8f4d0086a36c68ffa9fdc (git) |
| Linux | Linux | Affected: 1098582a0f6c4e8fd28da0a6305f9233d02c9c1d, < a9cbc1b471d291c865907542394f1c483b93a811 (git) |
| Linux | Linux | Affected: 788621afda4101ca0fae48de424040cda78193fe (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/s390/kernel/idle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49aa49952116b8fd56bfb1e8c69bce179f49bece",
"status": "affected",
"version": "1098582a0f6c4e8fd28da0a6305f9233d02c9c1d",
"versionType": "git"
},
{
"lessThan": "611c390217106c46e24e1af3db83187339d447ea",
"status": "affected",
"version": "1098582a0f6c4e8fd28da0a6305f9233d02c9c1d",
"versionType": "git"
},
{
"lessThan": "fc60c4f12d8a056f20d8f4d0086a36c68ffa9fdc",
"status": "affected",
"version": "1098582a0f6c4e8fd28da0a6305f9233d02c9c1d",
"versionType": "git"
},
{
"lessThan": "a9cbc1b471d291c865907542394f1c483b93a811",
"status": "affected",
"version": "1098582a0f6c4e8fd28da0a6305f9233d02c9c1d",
"versionType": "git"
},
{
"status": "affected",
"version": "788621afda4101ca0fae48de424040cda78193fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/s390/kernel/idle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.297",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/idle: mark arch_cpu_idle() noinstr\n\nlinux-next commit (\"cpuidle: tracing: Warn about !rcu_is_watching()\")\nadds a new warning which hits on s390\u0027s arch_cpu_idle() function:\n\nRCU not on for: arch_cpu_idle+0x0/0x28\nWARNING: CPU: 2 PID: 0 at include/linux/trace_recursion.h:162 arch_ftrace_ops_list_func+0x24c/0x258\nModules linked in:\nCPU: 2 PID: 0 Comm: swapper/2 Not tainted 6.2.0-rc6-next-20230202 #4\nHardware name: IBM 8561 T01 703 (z/VM 7.3.0)\nKrnl PSW : 0404d00180000000 00000000002b55c0 (arch_ftrace_ops_list_func+0x250/0x258)\n R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3\nKrnl GPRS: c0000000ffffbfff 0000000080000002 0000000000000026 0000000000000000\n 0000037ffffe3a28 0000037ffffe3a20 0000000000000000 0000000000000000\n 0000000000000000 0000000000f4acf6 00000000001044f0 0000037ffffe3cb0\n 0000000000000000 0000000000000000 00000000002b55bc 0000037ffffe3bb8\nKrnl Code: 00000000002b55b0: c02000840051 larl %r2,0000000001335652\n 00000000002b55b6: c0e5fff512d1 brasl %r14,0000000000157b58\n #00000000002b55bc: af000000 mc 0,0\n \u003e00000000002b55c0: a7f4ffe7 brc 15,00000000002b558e\n 00000000002b55c4: 0707 bcr 0,%r7\n 00000000002b55c6: 0707 bcr 0,%r7\n 00000000002b55c8: eb6ff0480024 stmg %r6,%r15,72(%r15)\n 00000000002b55ce: b90400ef lgr %r14,%r15\nCall Trace:\n [\u003c00000000002b55c0\u003e] arch_ftrace_ops_list_func+0x250/0x258\n([\u003c00000000002b55bc\u003e] arch_ftrace_ops_list_func+0x24c/0x258)\n [\u003c0000000000f5f0fc\u003e] ftrace_common+0x1c/0x20\n [\u003c00000000001044f6\u003e] arch_cpu_idle+0x6/0x28\n [\u003c0000000000f4acf6\u003e] default_idle_call+0x76/0x128\n [\u003c00000000001cc374\u003e] do_idle+0xf4/0x1b0\n [\u003c00000000001cc6ce\u003e] cpu_startup_entry+0x36/0x40\n [\u003c0000000000119d00\u003e] smp_start_secondary+0x140/0x150\n [\u003c0000000000f5d2ae\u003e] restart_int_handler+0x6e/0x90\n\nMark arch_cpu_idle() noinstr like all other architectures with\nCONFIG_ARCH_WANTS_NO_INSTR (should) have it to fix this."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:05.193Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49aa49952116b8fd56bfb1e8c69bce179f49bece"
},
{
"url": "https://git.kernel.org/stable/c/611c390217106c46e24e1af3db83187339d447ea"
},
{
"url": "https://git.kernel.org/stable/c/fc60c4f12d8a056f20d8f4d0086a36c68ffa9fdc"
},
{
"url": "https://git.kernel.org/stable/c/a9cbc1b471d291c865907542394f1c483b93a811"
}
],
"title": "s390/idle: mark arch_cpu_idle() noinstr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53859",
"datePublished": "2025-12-09T01:30:26.351Z",
"dateReserved": "2025-12-09T01:27:17.828Z",
"dateUpdated": "2026-01-05T10:33:05.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53860 (GCVE-0-2023-53860)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
dm: don't attempt to queue IO under RCU protection
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: don't attempt to queue IO under RCU protection
dm looks up the table for IO based on the request type, with an
assumption that if the request is marked REQ_NOWAIT, it's fine to
attempt to submit that IO while under RCU read lock protection. This
is not OK, as REQ_NOWAIT just means that we should not be sleeping
waiting on other IO, it does not mean that we can't potentially
schedule.
A simple test case demonstrates this quite nicely:
int main(int argc, char *argv[])
{
    struct iovec iov;
    int fd;

    fd = open("/dev/dm-0", O_RDONLY | O_DIRECT);
    posix_memalign(&iov.iov_base, 4096, 4096);
    iov.iov_len = 4096;
    preadv2(fd, &iov, 1, 0, RWF_NOWAIT);
    return 0;
}
which will instantly spew:
BUG: sleeping function called from invalid context at include/linux/sched/mm.h:306
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5580, name: dm-nowait
preempt_count: 0, expected: 0
RCU nest depth: 1, expected: 0
INFO: lockdep is turned off.
CPU: 7 PID: 5580 Comm: dm-nowait Not tainted 6.6.0-rc1-g39956d2dcd81 #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x11d/0x1b0
__might_resched+0x3c3/0x5e0
? preempt_count_sub+0x150/0x150
mempool_alloc+0x1e2/0x390
? mempool_resize+0x7d0/0x7d0
? lock_sync+0x190/0x190
? lock_release+0x4b7/0x670
? internal_get_user_pages_fast+0x868/0x2d40
bio_alloc_bioset+0x417/0x8c0
? bvec_alloc+0x200/0x200
? internal_get_user_pages_fast+0xb8c/0x2d40
bio_alloc_clone+0x53/0x100
dm_submit_bio+0x27f/0x1a20
? lock_release+0x4b7/0x670
? blk_try_enter_queue+0x1a0/0x4d0
? dm_dax_direct_access+0x260/0x260
? rcu_is_watching+0x12/0xb0
? blk_try_enter_queue+0x1cc/0x4d0
__submit_bio+0x239/0x310
? __bio_queue_enter+0x700/0x700
? kvm_clock_get_cycles+0x40/0x60
? ktime_get+0x285/0x470
submit_bio_noacct_nocheck+0x4d9/0xb80
? should_fail_request+0x80/0x80
? preempt_count_sub+0x150/0x150
? lock_release+0x4b7/0x670
? __bio_add_page+0x143/0x2d0
? iov_iter_revert+0x27/0x360
submit_bio_noacct+0x53e/0x1b30
submit_bio_wait+0x10a/0x230
? submit_bio_wait_endio+0x40/0x40
__blkdev_direct_IO_simple+0x4f8/0x780
? blkdev_bio_end_io+0x4c0/0x4c0
? stack_trace_save+0x90/0xc0
? __bio_clone+0x3c0/0x3c0
? lock_release+0x4b7/0x670
? lock_sync+0x190/0x190
? atime_needs_update+0x3bf/0x7e0
? timestamp_truncate+0x21b/0x2d0
? inode_owner_or_capable+0x240/0x240
blkdev_direct_IO.part.0+0x84a/0x1810
? rcu_is_watching+0x12/0xb0
? lock_release+0x4b7/0x670
? blkdev_read_iter+0x40d/0x530
? reacquire_held_locks+0x4e0/0x4e0
? __blkdev_direct_IO_simple+0x780/0x780
? rcu_is_watching+0x12/0xb0
? __mark_inode_dirty+0x297/0xd50
? preempt_count_add+0x72/0x140
blkdev_read_iter+0x2a4/0x530
do_iter_readv_writev+0x2f2/0x3c0
? generic_copy_file_range+0x1d0/0x1d0
? fsnotify_perm.part.0+0x25d/0x630
? security_file_permission+0xd8/0x100
do_iter_read+0x31b/0x880
? import_iovec+0x10b/0x140
vfs_readv+0x12d/0x1a0
? vfs_iter_read+0xb0/0xb0
? rcu_is_watching+0x12/0xb0
? rcu_is_watching+0x12/0xb0
? lock_release+0x4b7/0x670
do_preadv+0x1b3/0x260
? do_readv+0x370/0x370
__x64_sys_preadv2+0xef/0x150
do_syscall_64+0x39/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f5af41ad806
Code: 41 54 41 89 fc 55 44 89 c5 53 48 89 cb 48 83 ec 18 80 3d e4 dd 0d 00 00 74 7a 45 89 c1 49 89 ca 45 31 c0 b8 47 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 be 00 00 00 48 85 c0 79 4a 48 8b 0d da 55
RSP: 002b:00007ffd3145c7f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000147
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5af41ad806
RDX: 0000000000000001 RSI: 00007ffd3145c850 RDI: 0000000000000003
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 00007ffd3145c850 R14: 000055f5f0431dd8 R15: 0000000000000001
</TASK>
where in fact it is
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 563a225c9fd207326c2a2af9d59b4097cb31ce70, < d7b2abd87d1fcdb47811f90090a363e7ca15cb14 (git) |
| Linux | Linux | Affected: 563a225c9fd207326c2a2af9d59b4097cb31ce70, < 699775e9338adcd4eaedea000d32c60250c3114d (git) |
| Linux | Linux | Affected: 563a225c9fd207326c2a2af9d59b4097cb31ce70, < a9ce385344f916cd1c36a33905e564f5581beae9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d7b2abd87d1fcdb47811f90090a363e7ca15cb14",
"status": "affected",
"version": "563a225c9fd207326c2a2af9d59b4097cb31ce70",
"versionType": "git"
},
{
"lessThan": "699775e9338adcd4eaedea000d32c60250c3114d",
"status": "affected",
"version": "563a225c9fd207326c2a2af9d59b4097cb31ce70",
"versionType": "git"
},
{
"lessThan": "a9ce385344f916cd1c36a33905e564f5581beae9",
"status": "affected",
"version": "563a225c9fd207326c2a2af9d59b4097cb31ce70",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: don\u0027t attempt to queue IO under RCU protection\n\ndm looks up the table for IO based on the request type, with an\nassumption that if the request is marked REQ_NOWAIT, it\u0027s fine to\nattempt to submit that IO while under RCU read lock protection. This\nis not OK, as REQ_NOWAIT just means that we should not be sleeping\nwaiting on other IO, it does not mean that we can\u0027t potentially\nschedule.\n\nA simple test case demonstrates this quite nicely:\n\nint main(int argc, char *argv[])\n{\n struct iovec iov;\n int fd;\n\n fd = open(\"/dev/dm-0\", O_RDONLY | O_DIRECT);\n posix_memalign(\u0026iov.iov_base, 4096, 4096);\n iov.iov_len = 4096;\n preadv2(fd, \u0026iov, 1, 0, RWF_NOWAIT);\n return 0;\n}\n\nwhich will instantly spew:\n\nBUG: sleeping function called from invalid context at include/linux/sched/mm.h:306\nin_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5580, name: dm-nowait\npreempt_count: 0, expected: 0\nRCU nest depth: 1, expected: 0\nINFO: lockdep is turned off.\nCPU: 7 PID: 5580 Comm: dm-nowait Not tainted 6.6.0-rc1-g39956d2dcd81 #132\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x11d/0x1b0\n __might_resched+0x3c3/0x5e0\n ? preempt_count_sub+0x150/0x150\n mempool_alloc+0x1e2/0x390\n ? mempool_resize+0x7d0/0x7d0\n ? lock_sync+0x190/0x190\n ? lock_release+0x4b7/0x670\n ? internal_get_user_pages_fast+0x868/0x2d40\n bio_alloc_bioset+0x417/0x8c0\n ? bvec_alloc+0x200/0x200\n ? internal_get_user_pages_fast+0xb8c/0x2d40\n bio_alloc_clone+0x53/0x100\n dm_submit_bio+0x27f/0x1a20\n ? lock_release+0x4b7/0x670\n ? blk_try_enter_queue+0x1a0/0x4d0\n ? dm_dax_direct_access+0x260/0x260\n ? rcu_is_watching+0x12/0xb0\n ? blk_try_enter_queue+0x1cc/0x4d0\n __submit_bio+0x239/0x310\n ? __bio_queue_enter+0x700/0x700\n ? kvm_clock_get_cycles+0x40/0x60\n ? ktime_get+0x285/0x470\n submit_bio_noacct_nocheck+0x4d9/0xb80\n ? should_fail_request+0x80/0x80\n ? preempt_count_sub+0x150/0x150\n ? lock_release+0x4b7/0x670\n ? __bio_add_page+0x143/0x2d0\n ? iov_iter_revert+0x27/0x360\n submit_bio_noacct+0x53e/0x1b30\n submit_bio_wait+0x10a/0x230\n ? submit_bio_wait_endio+0x40/0x40\n __blkdev_direct_IO_simple+0x4f8/0x780\n ? blkdev_bio_end_io+0x4c0/0x4c0\n ? stack_trace_save+0x90/0xc0\n ? __bio_clone+0x3c0/0x3c0\n ? lock_release+0x4b7/0x670\n ? lock_sync+0x190/0x190\n ? atime_needs_update+0x3bf/0x7e0\n ? timestamp_truncate+0x21b/0x2d0\n ? inode_owner_or_capable+0x240/0x240\n blkdev_direct_IO.part.0+0x84a/0x1810\n ? rcu_is_watching+0x12/0xb0\n ? lock_release+0x4b7/0x670\n ? blkdev_read_iter+0x40d/0x530\n ? reacquire_held_locks+0x4e0/0x4e0\n ? __blkdev_direct_IO_simple+0x780/0x780\n ? rcu_is_watching+0x12/0xb0\n ? __mark_inode_dirty+0x297/0xd50\n ? preempt_count_add+0x72/0x140\n blkdev_read_iter+0x2a4/0x530\n do_iter_readv_writev+0x2f2/0x3c0\n ? generic_copy_file_range+0x1d0/0x1d0\n ? fsnotify_perm.part.0+0x25d/0x630\n ? security_file_permission+0xd8/0x100\n do_iter_read+0x31b/0x880\n ? import_iovec+0x10b/0x140\n vfs_readv+0x12d/0x1a0\n ? vfs_iter_read+0xb0/0xb0\n ? rcu_is_watching+0x12/0xb0\n ? rcu_is_watching+0x12/0xb0\n ? lock_release+0x4b7/0x670\n do_preadv+0x1b3/0x260\n ? do_readv+0x370/0x370\n __x64_sys_preadv2+0xef/0x150\n do_syscall_64+0x39/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f5af41ad806\nCode: 41 54 41 89 fc 55 44 89 c5 53 48 89 cb 48 83 ec 18 80 3d e4 dd 0d 00 00 74 7a 45 89 c1 49 89 ca 45 31 c0 b8 47 01 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 0f 87 be 00 00 00 48 85 c0 79 4a 48 8b 0d da 55\nRSP: 002b:00007ffd3145c7f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000147\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5af41ad806\nRDX: 0000000000000001 RSI: 00007ffd3145c850 RDI: 0000000000000003\nRBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000008\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003\nR13: 00007ffd3145c850 R14: 000055f5f0431dd8 R15: 0000000000000001\n \u003c/TASK\u003e\n\nwhere in fact it is\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:27.903Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d7b2abd87d1fcdb47811f90090a363e7ca15cb14"
},
{
"url": "https://git.kernel.org/stable/c/699775e9338adcd4eaedea000d32c60250c3114d"
},
{
"url": "https://git.kernel.org/stable/c/a9ce385344f916cd1c36a33905e564f5581beae9"
}
],
"title": "dm: don\u0027t attempt to queue IO under RCU protection",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53860",
"datePublished": "2025-12-09T01:30:27.903Z",
"dateReserved": "2025-12-09T01:27:17.828Z",
"dateUpdated": "2025-12-09T01:30:27.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40332 (GCVE-0-2025-40332)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-20 08:52
Title
drm/amdkfd: Fix mmap write lock not release
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix mmap write lock not release
If mmap write lock is taken while draining retry fault, mmap write lock
is not released because svm_range_restore_pages calls mmap_read_unlock
then returns. This causes deadlock and system hangs later because mmap
read or write lock cannot be taken.
Downgrade mmap write lock to read lock if draining retry fault fix this
bug.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53, < e2105ba1c262dcaa9573f11844b6e1e1ca762c3f (git) |
| Linux | Linux | Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53, < f7569ef1cf978aa87aa81b5e9bf40a77497f3685 (git) |
| Linux | Linux | Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53, < 7574f30337e19045f03126b4c51f525b84e5049e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e2105ba1c262dcaa9573f11844b6e1e1ca762c3f",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
},
{
"lessThan": "f7569ef1cf978aa87aa81b5e9bf40a77497f3685",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
},
{
"lessThan": "7574f30337e19045f03126b4c51f525b84e5049e",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix mmap write lock not release\n\nIf mmap write lock is taken while draining retry fault, mmap write lock\nis not released because svm_range_restore_pages calls mmap_read_unlock\nthen returns. This causes deadlock and system hangs later because mmap\nread or write lock cannot be taken.\n\nDowngrade mmap write lock to read lock if draining retry fault fix this\nbug."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:05.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e2105ba1c262dcaa9573f11844b6e1e1ca762c3f"
},
{
"url": "https://git.kernel.org/stable/c/f7569ef1cf978aa87aa81b5e9bf40a77497f3685"
},
{
"url": "https://git.kernel.org/stable/c/7574f30337e19045f03126b4c51f525b84e5049e"
}
],
"title": "drm/amdkfd: Fix mmap write lock not release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40332",
"datePublished": "2025-12-09T04:09:49.164Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-20T08:52:05.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50632 (GCVE-0-2022-50632)
Vulnerability from cvelistv5 – Published: 2025-12-08 23:59 – Updated: 2025-12-08 23:59
Title
drivers: perf: marvell_cn10k: Fix hotplug callback leak in tad_pmu_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers: perf: marvell_cn10k: Fix hotplug callback leak in tad_pmu_init()
tad_pmu_init() won't remove the callback added by cpuhp_setup_state_multi()
when platform_driver_register() failed. Remove the callback by
cpuhp_remove_multi_state() in fail path.
Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus:
arm-ccn: Prevent hotplug callback leak")
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 036a7584bede317d0df6b854e4f531b7a2dd8b33, < 367404bfd1aa87b2a50059cd8edc6c12c367cd15 (git) |
| Linux | Linux | Affected: 036a7584bede317d0df6b854e4f531b7a2dd8b33, < 7772f4de934123ccd7c7cdc1dc4e46fdd5d767fb (git) |
| Linux | Linux | Affected: 036a7584bede317d0df6b854e4f531b7a2dd8b33, < 973ae93d80d9d262f695eb485a1902b74c4b9098 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/perf/marvell_cn10k_tad_pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "367404bfd1aa87b2a50059cd8edc6c12c367cd15",
"status": "affected",
"version": "036a7584bede317d0df6b854e4f531b7a2dd8b33",
"versionType": "git"
},
{
"lessThan": "7772f4de934123ccd7c7cdc1dc4e46fdd5d767fb",
"status": "affected",
"version": "036a7584bede317d0df6b854e4f531b7a2dd8b33",
"versionType": "git"
},
{
"lessThan": "973ae93d80d9d262f695eb485a1902b74c4b9098",
"status": "affected",
"version": "036a7584bede317d0df6b854e4f531b7a2dd8b33",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/perf/marvell_cn10k_tad_pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: perf: marvell_cn10k: Fix hotplug callback leak in tad_pmu_init()\n\ntad_pmu_init() won\u0027t remove the callback added by cpuhp_setup_state_multi()\nwhen platform_driver_register() failed. Remove the callback by\ncpuhp_remove_multi_state() in fail path.\n\nSimilar to the handling of arm_ccn_init() in commit 26242b330093 (\"bus:\narm-ccn: Prevent hotplug callback leak\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T23:59:58.587Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/367404bfd1aa87b2a50059cd8edc6c12c367cd15"
},
{
"url": "https://git.kernel.org/stable/c/7772f4de934123ccd7c7cdc1dc4e46fdd5d767fb"
},
{
"url": "https://git.kernel.org/stable/c/973ae93d80d9d262f695eb485a1902b74c4b9098"
}
],
"title": "drivers: perf: marvell_cn10k: Fix hotplug callback leak in tad_pmu_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50632",
"datePublished": "2025-12-08T23:59:58.587Z",
"dateReserved": "2025-12-08T23:57:43.369Z",
"dateUpdated": "2025-12-08T23:59:58.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40339 (GCVE-0-2025-40339)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-20 08:52
Title
drm/amdgpu: fix nullptr err of vm_handle_moved
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix nullptr err of vm_handle_moved
If a amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL.
So, such kind of amdgpu_bo_va should be updated separately before
amdgpu_vm_handle_moved.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21, < 47281febebe337586569aa4c5694a7511063a42e (git) |
| Linux | Linux | Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21, < 273d1ea12e42e9babb9783837906f3c466f213d3 (git) |
| Linux | Linux | Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21, < 859958a7faefe5b7742b7b8cdbc170713d4bf158 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47281febebe337586569aa4c5694a7511063a42e",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "273d1ea12e42e9babb9783837906f3c466f213d3",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "859958a7faefe5b7742b7b8cdbc170713d4bf158",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix nullptr err of vm_handle_moved\n\nIf a amdgpu_bo_va is fpriv-\u003eprt_va, the bo of this one is always NULL.\nSo, such kind of amdgpu_bo_va should be updated separately before\namdgpu_vm_handle_moved."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:10.207Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47281febebe337586569aa4c5694a7511063a42e"
},
{
"url": "https://git.kernel.org/stable/c/273d1ea12e42e9babb9783837906f3c466f213d3"
},
{
"url": "https://git.kernel.org/stable/c/859958a7faefe5b7742b7b8cdbc170713d4bf158"
}
],
"title": "drm/amdgpu: fix nullptr err of vm_handle_moved",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40339",
"datePublished": "2025-12-09T04:09:55.697Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-20T08:52:10.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53812 (GCVE-0-2023-53812)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
Title
media: mediatek: vcodec: fix decoder disable pm crash
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: mediatek: vcodec: fix decoder disable pm crash
Can't call pm_runtime_disable when the architecture support sub device for
'dev->pm.dev' is NULL, or will get below crash log.
[ 10.771551] pc : _raw_spin_lock_irq+0x4c/0xa0
[ 10.771556] lr : __pm_runtime_disable+0x30/0x130
[ 10.771558] sp : ffffffc01e4cb800
[ 10.771559] x29: ffffffc01e4cb800 x28: ffffffdf082108a8
[ 10.771563] x27: ffffffc01e4cbd70 x26: ffffff8605df55f0
[ 10.771567] x25: 0000000000000002 x24: 0000000000000002
[ 10.771570] x23: ffffff85c0dc9c00 x22: 0000000000000001
[ 10.771573] x21: 0000000000000001 x20: 0000000000000000
[ 10.771577] x19: 00000000000000f4 x18: ffffffdf2e9fbe18
[ 10.771580] x17: 0000000000000000 x16: ffffffdf2df13c74
[ 10.771583] x15: 00000000000002ea x14: 0000000000000058
[ 10.771587] x13: ffffffdf2de1b62c x12: ffffffdf2e9e30e4
[ 10.771590] x11: 0000000000000000 x10: 0000000000000001
[ 10.771593] x9 : 0000000000000000 x8 : 00000000000000f4
[ 10.771596] x7 : 6bff6264632c6264 x6 : 0000000000008000
[ 10.771600] x5 : 0080000000000000 x4 : 0000000000000001
[ 10.771603] x3 : 0000000000000008 x2 : 0000000000000001
[ 10.771608] x1 : 0000000000000000 x0 : 00000000000000f4
[ 10.771613] Call trace:
[ 10.771617] _raw_spin_lock_irq+0x4c/0xa0
[ 10.771620] __pm_runtime_disable+0x30/0x130
[ 10.771657] mtk_vcodec_probe+0x69c/0x728 [mtk_vcodec_dec 800cc929d6631f79f9b273254c8db94d0d3500dc]
[ 10.771662] platform_drv_probe+0x9c/0xbc
[ 10.771665] really_probe+0x13c/0x3a0
[ 10.771668] driver_probe_device+0x84/0xc0
[ 10.771671] device_driver_attach+0x54/0x78
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ba31a5b39400a7b500b3f022a351218b179038dc , < c692a44bc5146eb487f40798a1ea8dd57fd2607d (git) |
| Linux | Linux | Affected: ba31a5b39400a7b500b3f022a351218b179038dc , < 03e9773388a27242e6139f3d5b5fd00112adb5c3 (git) |
| Linux | Linux | Affected: ba31a5b39400a7b500b3f022a351218b179038dc , < 34fe290090ecfcf405cad9d0e0ddc8b8246ffaa2 (git) |
| Linux | Linux | Affected: ba31a5b39400a7b500b3f022a351218b179038dc , < 9d2f13fb47dcab6d094f34ecfd6a879a409722b3 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c692a44bc5146eb487f40798a1ea8dd57fd2607d",
"status": "affected",
"version": "ba31a5b39400a7b500b3f022a351218b179038dc",
"versionType": "git"
},
{
"lessThan": "03e9773388a27242e6139f3d5b5fd00112adb5c3",
"status": "affected",
"version": "ba31a5b39400a7b500b3f022a351218b179038dc",
"versionType": "git"
},
{
"lessThan": "34fe290090ecfcf405cad9d0e0ddc8b8246ffaa2",
"status": "affected",
"version": "ba31a5b39400a7b500b3f022a351218b179038dc",
"versionType": "git"
},
{
"lessThan": "9d2f13fb47dcab6d094f34ecfd6a879a409722b3",
"status": "affected",
"version": "ba31a5b39400a7b500b3f022a351218b179038dc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: fix decoder disable pm crash\n\nCan\u0027t call pm_runtime_disable when the architecture support sub device for\n\u0027dev-\u003epm.dev\u0027 is NUll, or will get below crash log.\n\n[ 10.771551] pc : _raw_spin_lock_irq+0x4c/0xa0\n[ 10.771556] lr : __pm_runtime_disable+0x30/0x130\n[ 10.771558] sp : ffffffc01e4cb800\n[ 10.771559] x29: ffffffc01e4cb800 x28: ffffffdf082108a8\n[ 10.771563] x27: ffffffc01e4cbd70 x26: ffffff8605df55f0\n[ 10.771567] x25: 0000000000000002 x24: 0000000000000002\n[ 10.771570] x23: ffffff85c0dc9c00 x22: 0000000000000001\n[ 10.771573] x21: 0000000000000001 x20: 0000000000000000\n[ 10.771577] x19: 00000000000000f4 x18: ffffffdf2e9fbe18\n[ 10.771580] x17: 0000000000000000 x16: ffffffdf2df13c74\n[ 10.771583] x15: 00000000000002ea x14: 0000000000000058\n[ 10.771587] x13: ffffffdf2de1b62c x12: ffffffdf2e9e30e4\n[ 10.771590] x11: 0000000000000000 x10: 0000000000000001\n[ 10.771593] x9 : 0000000000000000 x8 : 00000000000000f4\n[ 10.771596] x7 : 6bff6264632c6264 x6 : 0000000000008000\n[ 10.771600] x5 : 0080000000000000 x4 : 0000000000000001\n[ 10.771603] x3 : 0000000000000008 x2 : 0000000000000001\n[ 10.771608] x1 : 0000000000000000 x0 : 00000000000000f4\n[ 10.771613] Call trace:\n[ 10.771617] _raw_spin_lock_irq+0x4c/0xa0\n[ 10.771620] __pm_runtime_disable+0x30/0x130\n[ 10.771657] mtk_vcodec_probe+0x69c/0x728 [mtk_vcodec_dec 800cc929d6631f79f9b273254c8db94d0d3500dc]\n[ 10.771662] platform_drv_probe+0x9c/0xbc\n[ 10.771665] really_probe+0x13c/0x3a0\n[ 10.771668] driver_probe_device+0x84/0xc0\n[ 10.771671] device_driver_attach+0x54/0x78"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:09.906Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c692a44bc5146eb487f40798a1ea8dd57fd2607d"
},
{
"url": "https://git.kernel.org/stable/c/03e9773388a27242e6139f3d5b5fd00112adb5c3"
},
{
"url": "https://git.kernel.org/stable/c/34fe290090ecfcf405cad9d0e0ddc8b8246ffaa2"
},
{
"url": "https://git.kernel.org/stable/c/9d2f13fb47dcab6d094f34ecfd6a879a409722b3"
}
],
"title": "media: mediatek: vcodec: fix decoder disable pm crash",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53812",
"datePublished": "2025-12-09T00:01:09.906Z",
"dateReserved": "2025-12-08T23:58:35.277Z",
"dateUpdated": "2025-12-09T00:01:09.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53806 (GCVE-0-2023-53806)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-20 08:51
Title
drm/amd/display: populate subvp cmd info only for the top pipe
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: populate subvp cmd info only for the top pipe
[Why]
System restart observed while changing the display resolution
to 8k with extended mode. System restart was caused by a page fault.
[How]
When the driver populates subvp info it did it for both the pipes using
vblank which caused an out-of-bounds array access causing the page fault.
Added checks to allow the top pipe only to fix this issue.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 92e6c79acad4b96efeff261d27bdbd8089a7dd24 (git) |
| Linux | Linux | Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 375d192eb1f1d9229a6d994da7ba31f3582b106b (git) |
| Linux | Linux | Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 9bb10b7aaec3b6278f9cc410c17dcaa129bbbbf0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92e6c79acad4b96efeff261d27bdbd8089a7dd24",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "375d192eb1f1d9229a6d994da7ba31f3582b106b",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "9bb10b7aaec3b6278f9cc410c17dcaa129bbbbf0",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: populate subvp cmd info only for the top pipe\n\n[Why]\nSystem restart observed while changing the display resolution\nto 8k with extended mode. Sytem restart was caused by a page fault.\n\n[How]\nWhen the driver populates subvp info it did it for both the pipes using\nvblank which caused an outof bounds array access causing the page fault.\nadded checks to allow the top pipe only to fix this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:24.296Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92e6c79acad4b96efeff261d27bdbd8089a7dd24"
},
{
"url": "https://git.kernel.org/stable/c/375d192eb1f1d9229a6d994da7ba31f3582b106b"
},
{
"url": "https://git.kernel.org/stable/c/9bb10b7aaec3b6278f9cc410c17dcaa129bbbbf0"
}
],
"title": "drm/amd/display: populate subvp cmd info only for the top pipe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53806",
"datePublished": "2025-12-09T00:01:04.413Z",
"dateReserved": "2025-12-08T23:58:35.276Z",
"dateUpdated": "2025-12-20T08:51:24.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53850 (GCVE-0-2023-53850)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
iavf: use internal state to free traffic IRQs
Summary
In the Linux kernel, the following vulnerability has been resolved:
iavf: use internal state to free traffic IRQs
If the system tries to close the netdev while iavf_reset_task() is
running, __LINK_STATE_START will be cleared and netif_running() will
return false in iavf_reinit_interrupt_scheme(). This will result in
iavf_free_traffic_irqs() not being called and a leak as follows:
[7632.489326] remove_proc_entry: removing non-empty directory 'irq/999', leaking at least 'iavf-enp24s0f0v0-TxRx-0'
[7632.490214] WARNING: CPU: 0 PID: 10 at fs/proc/generic.c:718 remove_proc_entry+0x19b/0x1b0
is shown when pci_disable_msix() is later called. Fix by using the
internal adapter state. The traffic IRQs will always exist if
state == __IAVF_RUNNING.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5b36e8d04b4439c9ceb814bfdfe1284737f9c632 , < 6d9d01689b82ff5cb8f8d2a82717d7997bc0bfff (git) |
| Linux | Linux | Affected: 5b36e8d04b4439c9ceb814bfdfe1284737f9c632 , < 5e9db32eec628481f5da97a5b1aedb84a5240d18 (git) |
| Linux | Linux | Affected: 5b36e8d04b4439c9ceb814bfdfe1284737f9c632 , < a77ed5c5b768e9649be240a2d864e5cd9c6a2015 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6d9d01689b82ff5cb8f8d2a82717d7997bc0bfff",
"status": "affected",
"version": "5b36e8d04b4439c9ceb814bfdfe1284737f9c632",
"versionType": "git"
},
{
"lessThan": "5e9db32eec628481f5da97a5b1aedb84a5240d18",
"status": "affected",
"version": "5b36e8d04b4439c9ceb814bfdfe1284737f9c632",
"versionType": "git"
},
{
"lessThan": "a77ed5c5b768e9649be240a2d864e5cd9c6a2015",
"status": "affected",
"version": "5b36e8d04b4439c9ceb814bfdfe1284737f9c632",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: use internal state to free traffic IRQs\n\nIf the system tries to close the netdev while iavf_reset_task() is\nrunning, __LINK_STATE_START will be cleared and netif_running() will\nreturn false in iavf_reinit_interrupt_scheme(). This will result in\niavf_free_traffic_irqs() not being called and a leak as follows:\n\n [7632.489326] remove_proc_entry: removing non-empty directory \u0027irq/999\u0027, leaking at least \u0027iavf-enp24s0f0v0-TxRx-0\u0027\n [7632.490214] WARNING: CPU: 0 PID: 10 at fs/proc/generic.c:718 remove_proc_entry+0x19b/0x1b0\n\nis shown when pci_disable_msix() is later called. Fix by using the\ninternal adapter state. The traffic IRQs will always exist if\nstate == __IAVF_RUNNING."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:14.740Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6d9d01689b82ff5cb8f8d2a82717d7997bc0bfff"
},
{
"url": "https://git.kernel.org/stable/c/5e9db32eec628481f5da97a5b1aedb84a5240d18"
},
{
"url": "https://git.kernel.org/stable/c/a77ed5c5b768e9649be240a2d864e5cd9c6a2015"
}
],
"title": "iavf: use internal state to free traffic IRQs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53850",
"datePublished": "2025-12-09T01:30:14.740Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2025-12-09T01:30:14.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50646 (GCVE-0-2022-50646)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
scsi: hpsa: Fix possible memory leak in hpsa_init_one()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: hpsa: Fix possible memory leak in hpsa_init_one()
The hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in
hpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to
clean1 directly, which frees h and leaks the h->reply_map.
Fix by calling hpda_free_ctlr_info() to release h->replay_map and h instead
of freeing h directly.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < f4d1c14e8b404766ff2bb8644bb19443d73965de (git) |
| Linux | Linux | Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < f8fc2f18652917cdcc89cb23f3a1b7cb6e119c5e (git) |
| Linux | Linux | Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < c808edbf580bfc454671cbe66e9d7c2e938e7601 (git) |
| Linux | Linux | Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < bfe10a1d9fbccdf39f8449d62509f070d8aaaac1 (git) |
| Linux | Linux | Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < fc998d0a7d65672f0812f11cd0ec4bbe4f8f8507 (git) |
| Linux | Linux | Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < 0aa7be66168b1e84b2581ffff3ccb54a6c804a1e (git) |
| Linux | Linux | Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < 9c9ff300e0de07475796495d86f449340d454a0c (git) |
| Linux | Linux | Affected: 1edd825c11f8ed2c409d6fb6b3d90a042cbf738d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/hpsa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4d1c14e8b404766ff2bb8644bb19443d73965de",
"status": "affected",
"version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
"versionType": "git"
},
{
"lessThan": "f8fc2f18652917cdcc89cb23f3a1b7cb6e119c5e",
"status": "affected",
"version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
"versionType": "git"
},
{
"lessThan": "c808edbf580bfc454671cbe66e9d7c2e938e7601",
"status": "affected",
"version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
"versionType": "git"
},
{
"lessThan": "bfe10a1d9fbccdf39f8449d62509f070d8aaaac1",
"status": "affected",
"version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
"versionType": "git"
},
{
"lessThan": "fc998d0a7d65672f0812f11cd0ec4bbe4f8f8507",
"status": "affected",
"version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
"versionType": "git"
},
{
"lessThan": "0aa7be66168b1e84b2581ffff3ccb54a6c804a1e",
"status": "affected",
"version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
"versionType": "git"
},
{
"lessThan": "9c9ff300e0de07475796495d86f449340d454a0c",
"status": "affected",
"version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
"versionType": "git"
},
{
"status": "affected",
"version": "1edd825c11f8ed2c409d6fb6b3d90a042cbf738d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/hpsa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.63",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hpsa: Fix possible memory leak in hpsa_init_one()\n\nThe hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in\nhpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to\nclean1 directly, which frees h and leaks the h-\u003ereply_map.\n\nFix by calling hpda_free_ctlr_info() to release h-\u003ereplay_map and h instead\nfree h directly."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:20.596Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4d1c14e8b404766ff2bb8644bb19443d73965de"
},
{
"url": "https://git.kernel.org/stable/c/f8fc2f18652917cdcc89cb23f3a1b7cb6e119c5e"
},
{
"url": "https://git.kernel.org/stable/c/c808edbf580bfc454671cbe66e9d7c2e938e7601"
},
{
"url": "https://git.kernel.org/stable/c/bfe10a1d9fbccdf39f8449d62509f070d8aaaac1"
},
{
"url": "https://git.kernel.org/stable/c/fc998d0a7d65672f0812f11cd0ec4bbe4f8f8507"
},
{
"url": "https://git.kernel.org/stable/c/0aa7be66168b1e84b2581ffff3ccb54a6c804a1e"
},
{
"url": "https://git.kernel.org/stable/c/9c9ff300e0de07475796495d86f449340d454a0c"
}
],
"title": "scsi: hpsa: Fix possible memory leak in hpsa_init_one()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50646",
"datePublished": "2025-12-09T00:00:20.596Z",
"dateReserved": "2025-12-08T23:57:43.371Z",
"dateUpdated": "2025-12-09T00:00:20.596Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53818 (GCVE-0-2023-53818)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
Title
ARM: zynq: Fix refcount leak in zynq_early_slcr_init
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: zynq: Fix refcount leak in zynq_early_slcr_init
of_find_compatible_node() returns a node pointer with refcount incremented,
we should use of_node_put() on error path.
Add missing of_node_put() to avoid refcount leak.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3329659df0300d1d0aa22f5e7063f83a88ef92aa , < f00bc6727adf840eb208700ea27cda4f3742629d (git) |
| Linux | Linux | Affected: 3329659df0300d1d0aa22f5e7063f83a88ef92aa , < 351b7e93d02b50b2faae2d4bda28e16a8389cbb7 (git) |
| Linux | Linux | Affected: 3329659df0300d1d0aa22f5e7063f83a88ef92aa , < ede0334bf4df360f4f9446075cffbbb3bc54d0b6 (git) |
| Linux | Linux | Affected: 3329659df0300d1d0aa22f5e7063f83a88ef92aa , < 227f8c1c5c4b3d131b66e57e58d38054f441b915 (git) |
| Linux | Linux | Affected: 3329659df0300d1d0aa22f5e7063f83a88ef92aa , < 1cc12d10d13ae5ad8d3f7432a4c0156d221fc99b (git) |
| Linux | Linux | Affected: 3329659df0300d1d0aa22f5e7063f83a88ef92aa , < e43a06c73be4b93d308f0df809ee0023b7c37b54 (git) |
| Linux | Linux | Affected: 3329659df0300d1d0aa22f5e7063f83a88ef92aa , < 4c22ee805202087c2553c9175968e9e922d75bc1 (git) |
| Linux | Linux | Affected: 3329659df0300d1d0aa22f5e7063f83a88ef92aa , < 9eedb910a3be0005b88c696a8552c0d4c9937cd4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-zynq/slcr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f00bc6727adf840eb208700ea27cda4f3742629d",
"status": "affected",
"version": "3329659df0300d1d0aa22f5e7063f83a88ef92aa",
"versionType": "git"
},
{
"lessThan": "351b7e93d02b50b2faae2d4bda28e16a8389cbb7",
"status": "affected",
"version": "3329659df0300d1d0aa22f5e7063f83a88ef92aa",
"versionType": "git"
},
{
"lessThan": "ede0334bf4df360f4f9446075cffbbb3bc54d0b6",
"status": "affected",
"version": "3329659df0300d1d0aa22f5e7063f83a88ef92aa",
"versionType": "git"
},
{
"lessThan": "227f8c1c5c4b3d131b66e57e58d38054f441b915",
"status": "affected",
"version": "3329659df0300d1d0aa22f5e7063f83a88ef92aa",
"versionType": "git"
},
{
"lessThan": "1cc12d10d13ae5ad8d3f7432a4c0156d221fc99b",
"status": "affected",
"version": "3329659df0300d1d0aa22f5e7063f83a88ef92aa",
"versionType": "git"
},
{
"lessThan": "e43a06c73be4b93d308f0df809ee0023b7c37b54",
"status": "affected",
"version": "3329659df0300d1d0aa22f5e7063f83a88ef92aa",
"versionType": "git"
},
{
"lessThan": "4c22ee805202087c2553c9175968e9e922d75bc1",
"status": "affected",
"version": "3329659df0300d1d0aa22f5e7063f83a88ef92aa",
"versionType": "git"
},
{
"lessThan": "9eedb910a3be0005b88c696a8552c0d4c9937cd4",
"status": "affected",
"version": "3329659df0300d1d0aa22f5e7063f83a88ef92aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-zynq/slcr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: zynq: Fix refcount leak in zynq_early_slcr_init\n\nof_find_compatible_node() returns a node pointer with refcount incremented,\nwe should use of_node_put() on error path.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:16.630Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f00bc6727adf840eb208700ea27cda4f3742629d"
},
{
"url": "https://git.kernel.org/stable/c/351b7e93d02b50b2faae2d4bda28e16a8389cbb7"
},
{
"url": "https://git.kernel.org/stable/c/ede0334bf4df360f4f9446075cffbbb3bc54d0b6"
},
{
"url": "https://git.kernel.org/stable/c/227f8c1c5c4b3d131b66e57e58d38054f441b915"
},
{
"url": "https://git.kernel.org/stable/c/1cc12d10d13ae5ad8d3f7432a4c0156d221fc99b"
},
{
"url": "https://git.kernel.org/stable/c/e43a06c73be4b93d308f0df809ee0023b7c37b54"
},
{
"url": "https://git.kernel.org/stable/c/4c22ee805202087c2553c9175968e9e922d75bc1"
},
{
"url": "https://git.kernel.org/stable/c/9eedb910a3be0005b88c696a8552c0d4c9937cd4"
}
],
"title": "ARM: zynq: Fix refcount leak in zynq_early_slcr_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53818",
"datePublished": "2025-12-09T00:01:16.630Z",
"dateReserved": "2025-12-08T23:58:35.277Z",
"dateUpdated": "2025-12-09T00:01:16.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53808 (GCVE-0-2023-53808)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
Title
wifi: mwifiex: fix memory leak in mwifiex_histogram_read()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mwifiex: fix memory leak in mwifiex_histogram_read()
Always free the zeroed page on return from 'mwifiex_histogram_read()'.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < d3b53ac2b60283f84bcc650aaa8af98500f37b56 (git) |
| Linux | Linux | Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < 7be90670b967d11f53a9d45bc88fa8ac9daf9709 (git) |
| Linux | Linux | Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < 8f717752f94efae84853e17f2589665c330a0cf5 (git) |
| Linux | Linux | Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < 0c4240d23db525208fd40dd6371ca3254fa1b93d (git) |
| Linux | Linux | Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < 308eb3a609ac39ca9c3e466b35e8825007c8d826 (git) |
| Linux | Linux | Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < 84081b4baafb49211193c6a056d5aee9c0e6ab8e (git) |
| Linux | Linux | Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < 5d66b32a6ecf2e2e1a9523eaa4f8b314832fe06c (git) |
| Linux | Linux | Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < f76e1da838377777557d78dfeb6d8c532f7118be (git) |
| Linux | Linux | Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < 9c8fd72a5c2a031cbc680a2990107ecd958ffcdb (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/mwifiex/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d3b53ac2b60283f84bcc650aaa8af98500f37b56",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
},
{
"lessThan": "7be90670b967d11f53a9d45bc88fa8ac9daf9709",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
},
{
"lessThan": "8f717752f94efae84853e17f2589665c330a0cf5",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
},
{
"lessThan": "0c4240d23db525208fd40dd6371ca3254fa1b93d",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
},
{
"lessThan": "308eb3a609ac39ca9c3e466b35e8825007c8d826",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
},
{
"lessThan": "84081b4baafb49211193c6a056d5aee9c0e6ab8e",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
},
{
"lessThan": "5d66b32a6ecf2e2e1a9523eaa4f8b314832fe06c",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
},
{
"lessThan": "f76e1da838377777557d78dfeb6d8c532f7118be",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
},
{
"lessThan": "9c8fd72a5c2a031cbc680a2990107ecd958ffcdb",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/mwifiex/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: fix memory leak in mwifiex_histogram_read()\n\nAlways free the zeroed page on return from \u0027mwifiex_histogram_read()\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:06.210Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d3b53ac2b60283f84bcc650aaa8af98500f37b56"
},
{
"url": "https://git.kernel.org/stable/c/7be90670b967d11f53a9d45bc88fa8ac9daf9709"
},
{
"url": "https://git.kernel.org/stable/c/8f717752f94efae84853e17f2589665c330a0cf5"
},
{
"url": "https://git.kernel.org/stable/c/0c4240d23db525208fd40dd6371ca3254fa1b93d"
},
{
"url": "https://git.kernel.org/stable/c/308eb3a609ac39ca9c3e466b35e8825007c8d826"
},
{
"url": "https://git.kernel.org/stable/c/84081b4baafb49211193c6a056d5aee9c0e6ab8e"
},
{
"url": "https://git.kernel.org/stable/c/5d66b32a6ecf2e2e1a9523eaa4f8b314832fe06c"
},
{
"url": "https://git.kernel.org/stable/c/f76e1da838377777557d78dfeb6d8c532f7118be"
},
{
"url": "https://git.kernel.org/stable/c/9c8fd72a5c2a031cbc680a2990107ecd958ffcdb"
}
],
"title": "wifi: mwifiex: fix memory leak in mwifiex_histogram_read()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53808",
"datePublished": "2025-12-09T00:01:06.210Z",
"dateReserved": "2025-12-08T23:58:35.276Z",
"dateUpdated": "2025-12-09T00:01:06.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53853 (GCVE-0-2023-53853)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
netlink: annotate accesses to nlk->cb_running
Summary
In the Linux kernel, the following vulnerability has been resolved:
netlink: annotate accesses to nlk->cb_running
Both netlink_recvmsg() and netlink_native_seq_show() read
nlk->cb_running locklessly. Use READ_ONCE() there.
Add corresponding WRITE_ONCE() to netlink_dump() and
__netlink_dump_start()
syzbot reported:
BUG: KCSAN: data-race in __netlink_dump_start / netlink_recvmsg
write to 0xffff88813ea4db59 of 1 bytes by task 28219 on cpu 0:
__netlink_dump_start+0x3af/0x4d0 net/netlink/af_netlink.c:2399
netlink_dump_start include/linux/netlink.h:308 [inline]
rtnetlink_rcv_msg+0x70f/0x8c0 net/core/rtnetlink.c:6130
netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2577
rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6192
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1942
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
sock_write_iter+0x1aa/0x230 net/socket.c:1138
call_write_iter include/linux/fs.h:1851 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x463/0x760 fs/read_write.c:584
ksys_write+0xeb/0x1a0 fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__x64_sys_write+0x42/0x50 fs/read_write.c:646
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
read to 0xffff88813ea4db59 of 1 bytes by task 28222 on cpu 1:
netlink_recvmsg+0x3b4/0x730 net/netlink/af_netlink.c:2022
sock_recvmsg_nosec+0x4c/0x80 net/socket.c:1017
____sys_recvmsg+0x2db/0x310 net/socket.c:2718
___sys_recvmsg net/socket.c:2762 [inline]
do_recvmmsg+0x2e5/0x710 net/socket.c:2856
__sys_recvmmsg net/socket.c:2935 [inline]
__do_sys_recvmmsg net/socket.c:2958 [inline]
__se_sys_recvmmsg net/socket.c:2951 [inline]
__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0x00 -> 0x01
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 16b304f3404f8e0243d5ee2b70b68767b7b59b2b , < e25e9d8a210ed78bdf0f364576dbee13aefadbf8 (git) |
| Linux | Linux | Affected: 16b304f3404f8e0243d5ee2b70b68767b7b59b2b , < 840a647499b093621167de56ffa8756dfc69f242 (git) |
| Linux | Linux | Affected: 16b304f3404f8e0243d5ee2b70b68767b7b59b2b , < a507022c862e10744a92c4bf5709775450a110ad (git) |
| Linux | Linux | Affected: 16b304f3404f8e0243d5ee2b70b68767b7b59b2b , < f92557f79a60cb142258f5fa7194f327573fadd8 (git) |
| Linux | Linux | Affected: 16b304f3404f8e0243d5ee2b70b68767b7b59b2b , < 1d5c8b01f1df0461256a6d75854ed806f50645a3 (git) |
| Linux | Linux | Affected: 16b304f3404f8e0243d5ee2b70b68767b7b59b2b , < a115dadf8995b1730c36c474401d97355705cb88 (git) |
| Linux | Linux | Affected: 16b304f3404f8e0243d5ee2b70b68767b7b59b2b , < 02e7afd659a4c9ce1e98fc01ab4c510f3de1f0b3 (git) |
| Linux | Linux | Affected: 16b304f3404f8e0243d5ee2b70b68767b7b59b2b , < a939d14919b799e6fff8a9c80296ca229ba2f8a4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netlink/af_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e25e9d8a210ed78bdf0f364576dbee13aefadbf8",
"status": "affected",
"version": "16b304f3404f8e0243d5ee2b70b68767b7b59b2b",
"versionType": "git"
},
{
"lessThan": "840a647499b093621167de56ffa8756dfc69f242",
"status": "affected",
"version": "16b304f3404f8e0243d5ee2b70b68767b7b59b2b",
"versionType": "git"
},
{
"lessThan": "a507022c862e10744a92c4bf5709775450a110ad",
"status": "affected",
"version": "16b304f3404f8e0243d5ee2b70b68767b7b59b2b",
"versionType": "git"
},
{
"lessThan": "f92557f79a60cb142258f5fa7194f327573fadd8",
"status": "affected",
"version": "16b304f3404f8e0243d5ee2b70b68767b7b59b2b",
"versionType": "git"
},
{
"lessThan": "1d5c8b01f1df0461256a6d75854ed806f50645a3",
"status": "affected",
"version": "16b304f3404f8e0243d5ee2b70b68767b7b59b2b",
"versionType": "git"
},
{
"lessThan": "a115dadf8995b1730c36c474401d97355705cb88",
"status": "affected",
"version": "16b304f3404f8e0243d5ee2b70b68767b7b59b2b",
"versionType": "git"
},
{
"lessThan": "02e7afd659a4c9ce1e98fc01ab4c510f3de1f0b3",
"status": "affected",
"version": "16b304f3404f8e0243d5ee2b70b68767b7b59b2b",
"versionType": "git"
},
{
"lessThan": "a939d14919b799e6fff8a9c80296ca229ba2f8a4",
"status": "affected",
"version": "16b304f3404f8e0243d5ee2b70b68767b7b59b2b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netlink/af_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: annotate accesses to nlk-\u003ecb_running\n\nBoth netlink_recvmsg() and netlink_native_seq_show() read\nnlk-\u003ecb_running locklessly. Use READ_ONCE() there.\n\nAdd corresponding WRITE_ONCE() to netlink_dump() and\n__netlink_dump_start()\n\nsyzbot reported:\nBUG: KCSAN: data-race in __netlink_dump_start / netlink_recvmsg\n\nwrite to 0xffff88813ea4db59 of 1 bytes by task 28219 on cpu 0:\n__netlink_dump_start+0x3af/0x4d0 net/netlink/af_netlink.c:2399\nnetlink_dump_start include/linux/netlink.h:308 [inline]\nrtnetlink_rcv_msg+0x70f/0x8c0 net/core/rtnetlink.c:6130\nnetlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2577\nrtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6192\nnetlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\nnetlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365\nnetlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1942\nsock_sendmsg_nosec net/socket.c:724 [inline]\nsock_sendmsg net/socket.c:747 [inline]\nsock_write_iter+0x1aa/0x230 net/socket.c:1138\ncall_write_iter include/linux/fs.h:1851 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x463/0x760 fs/read_write.c:584\nksys_write+0xeb/0x1a0 fs/read_write.c:637\n__do_sys_write fs/read_write.c:649 [inline]\n__se_sys_write fs/read_write.c:646 [inline]\n__x64_sys_write+0x42/0x50 fs/read_write.c:646\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffff88813ea4db59 of 1 bytes by task 28222 on cpu 1:\nnetlink_recvmsg+0x3b4/0x730 net/netlink/af_netlink.c:2022\nsock_recvmsg_nosec+0x4c/0x80 net/socket.c:1017\n____sys_recvmsg+0x2db/0x310 net/socket.c:2718\n___sys_recvmsg net/socket.c:2762 [inline]\ndo_recvmmsg+0x2e5/0x710 net/socket.c:2856\n__sys_recvmmsg net/socket.c:2935 [inline]\n__do_sys_recvmmsg net/socket.c:2958 [inline]\n__se_sys_recvmmsg net/socket.c:2951 [inline]\n__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x00 -\u003e 0x01"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:18.628Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e25e9d8a210ed78bdf0f364576dbee13aefadbf8"
},
{
"url": "https://git.kernel.org/stable/c/840a647499b093621167de56ffa8756dfc69f242"
},
{
"url": "https://git.kernel.org/stable/c/a507022c862e10744a92c4bf5709775450a110ad"
},
{
"url": "https://git.kernel.org/stable/c/f92557f79a60cb142258f5fa7194f327573fadd8"
},
{
"url": "https://git.kernel.org/stable/c/1d5c8b01f1df0461256a6d75854ed806f50645a3"
},
{
"url": "https://git.kernel.org/stable/c/a115dadf8995b1730c36c474401d97355705cb88"
},
{
"url": "https://git.kernel.org/stable/c/02e7afd659a4c9ce1e98fc01ab4c510f3de1f0b3"
},
{
"url": "https://git.kernel.org/stable/c/a939d14919b799e6fff8a9c80296ca229ba2f8a4"
}
],
"title": "netlink: annotate accesses to nlk-\u003ecb_running",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53853",
"datePublished": "2025-12-09T01:30:18.628Z",
"dateReserved": "2025-12-09T01:27:17.828Z",
"dateUpdated": "2025-12-09T01:30:18.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50655 (GCVE-0-2022-50655)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-23 13:30
Title
ppp: associate skb with a device at tx
Summary
In the Linux kernel, the following vulnerability has been resolved:
ppp: associate skb with a device at tx
Syzkaller triggered flow dissector warning with the following:
r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0xc0802, 0x0)
ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, &(0x7f00000000c0))
ioctl$PPPIOCSACTIVE(r0, 0x40107446, &(0x7f0000000240)={0x2, &(0x7f0000000180)=[{0x20, 0x0, 0x0, 0xfffff034}, {0x6}]})
pwritev(r0, &(0x7f0000000040)=[{&(0x7f0000000140)='\x00!', 0x2}], 0x1, 0x0, 0x0)
[ 9.485814] WARNING: CPU: 3 PID: 329 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0x1ee0/0x1fa0
[ 9.485929] skb_get_poff+0x53/0xa0
[ 9.485937] bpf_skb_get_pay_offset+0xe/0x20
[ 9.485944] ? ppp_send_frame+0xc2/0x5b0
[ 9.485949] ? _raw_spin_unlock_irqrestore+0x40/0x60
[ 9.485958] ? __ppp_xmit_process+0x7a/0xe0
[ 9.485968] ? ppp_xmit_process+0x5b/0xb0
[ 9.485974] ? ppp_write+0x12a/0x190
[ 9.485981] ? do_iter_write+0x18e/0x2d0
[ 9.485987] ? __import_iovec+0x30/0x130
[ 9.485997] ? do_pwritev+0x1b6/0x240
[ 9.486016] ? trace_hardirqs_on+0x47/0x50
[ 9.486023] ? __x64_sys_pwritev+0x24/0x30
[ 9.486026] ? do_syscall_64+0x3d/0x80
[ 9.486031] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd
Flow dissector tries to find skb net namespace either via device
or via socket. Neither is set in ppp_send_frame, so let's manually
use ppp->dev.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9 , < 7da524781c531ebaf2f94c9dc4c541b82edecfed (git) |
| Linux | Linux | Affected: d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9 , < 148dcbd3af039ae39c3af697a3183008c7995805 (git) |
| Linux | Linux | Affected: d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9 , < 4b8f3b939266c90f03b7cc7e26a4c28c7b64137b (git) |
| Linux | Linux | Affected: d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9 , < 18dc946360bfe0de016a59e3cc3ee1f450fceb9d (git) |
| Linux | Linux | Affected: d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9 , < ee678b1f52f9439e930db2db3fd7e345d03e1a50 (git) |
| Linux | Linux | Affected: d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9 , < 9f225444467b98579cf28d94f4ad053460dfdb84 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ppp/ppp_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7da524781c531ebaf2f94c9dc4c541b82edecfed",
"status": "affected",
"version": "d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9",
"versionType": "git"
},
{
"lessThan": "148dcbd3af039ae39c3af697a3183008c7995805",
"status": "affected",
"version": "d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9",
"versionType": "git"
},
{
"lessThan": "4b8f3b939266c90f03b7cc7e26a4c28c7b64137b",
"status": "affected",
"version": "d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9",
"versionType": "git"
},
{
"lessThan": "18dc946360bfe0de016a59e3cc3ee1f450fceb9d",
"status": "affected",
"version": "d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9",
"versionType": "git"
},
{
"lessThan": "ee678b1f52f9439e930db2db3fd7e345d03e1a50",
"status": "affected",
"version": "d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9",
"versionType": "git"
},
{
"lessThan": "9f225444467b98579cf28d94f4ad053460dfdb84",
"status": "affected",
"version": "d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ppp/ppp_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: associate skb with a device at tx\n\nSyzkaller triggered flow dissector warning with the following:\n\nr0 = openat$ppp(0xffffffffffffff9c, \u0026(0x7f0000000000), 0xc0802, 0x0)\nioctl$PPPIOCNEWUNIT(r0, 0xc004743e, \u0026(0x7f00000000c0))\nioctl$PPPIOCSACTIVE(r0, 0x40107446, \u0026(0x7f0000000240)={0x2, \u0026(0x7f0000000180)=[{0x20, 0x0, 0x0, 0xfffff034}, {0x6}]})\npwritev(r0, \u0026(0x7f0000000040)=[{\u0026(0x7f0000000140)=\u0027\\x00!\u0027, 0x2}], 0x1, 0x0, 0x0)\n\n[ 9.485814] WARNING: CPU: 3 PID: 329 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0x1ee0/0x1fa0\n[ 9.485929] skb_get_poff+0x53/0xa0\n[ 9.485937] bpf_skb_get_pay_offset+0xe/0x20\n[ 9.485944] ? ppp_send_frame+0xc2/0x5b0\n[ 9.485949] ? _raw_spin_unlock_irqrestore+0x40/0x60\n[ 9.485958] ? __ppp_xmit_process+0x7a/0xe0\n[ 9.485968] ? ppp_xmit_process+0x5b/0xb0\n[ 9.485974] ? ppp_write+0x12a/0x190\n[ 9.485981] ? do_iter_write+0x18e/0x2d0\n[ 9.485987] ? __import_iovec+0x30/0x130\n[ 9.485997] ? do_pwritev+0x1b6/0x240\n[ 9.486016] ? trace_hardirqs_on+0x47/0x50\n[ 9.486023] ? __x64_sys_pwritev+0x24/0x30\n[ 9.486026] ? do_syscall_64+0x3d/0x80\n[ 9.486031] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFlow dissector tries to find skb net namespace either via device\nor via socket. Neigher is set in ppp_send_frame, so let\u0027s manually\nuse ppp-\u003edev."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:30:27.480Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7da524781c531ebaf2f94c9dc4c541b82edecfed"
},
{
"url": "https://git.kernel.org/stable/c/148dcbd3af039ae39c3af697a3183008c7995805"
},
{
"url": "https://git.kernel.org/stable/c/4b8f3b939266c90f03b7cc7e26a4c28c7b64137b"
},
{
"url": "https://git.kernel.org/stable/c/18dc946360bfe0de016a59e3cc3ee1f450fceb9d"
},
{
"url": "https://git.kernel.org/stable/c/ee678b1f52f9439e930db2db3fd7e345d03e1a50"
},
{
"url": "https://git.kernel.org/stable/c/9f225444467b98579cf28d94f4ad053460dfdb84"
}
],
"title": "ppp: associate skb with a device at tx",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50655",
"datePublished": "2025-12-09T00:00:30.337Z",
"dateReserved": "2025-12-08T23:57:43.372Z",
"dateUpdated": "2025-12-23T13:30:27.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53784 (GCVE-0-2023-53784)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
drm: bridge: dw_hdmi: fix connector access for scdc
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm: bridge: dw_hdmi: fix connector access for scdc
Commit 5d844091f237 ("drm/scdc-helper: Pimp SCDC debugs") changed the scdc
interface to pick up an i2c adapter from a connector instead. However, in
the case of dw-hdmi, the wrong connector was being used to pass i2c adapter
information, since dw-hdmi's embedded connector structure is only populated
when the bridge attachment callback explicitly asks for it.
drm-meson is handling connector creation, so this won't happen, leading to
a NULL pointer dereference.
Fix it by having scdc functions access dw-hdmi's current connector pointer
instead, which is assigned during the bridge enablement stage.
[narmstrong: moved Fixes tag before first S-o-b and added Reported-by tag]
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/synopsys/dw-hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "552f79aa9e801ed4f74d6b3221af78042ba4f235",
"status": "affected",
"version": "5d844091f2370f01752c3129b147861b9dcd3d98",
"versionType": "git"
},
{
"lessThan": "98703e4e061fb8715c7613cd227e32cdfd136b23",
"status": "affected",
"version": "5d844091f2370f01752c3129b147861b9dcd3d98",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/synopsys/dw-hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge: dw_hdmi: fix connector access for scdc\n\nCommit 5d844091f237 (\"drm/scdc-helper: Pimp SCDC debugs\") changed the scdc\ninterface to pick up an i2c adapter from a connector instead. However, in\nthe case of dw-hdmi, the wrong connector was being used to pass i2c adapter\ninformation, since dw-hdmi\u0027s embedded connector structure is only populated\nwhen the bridge attachment callback explicitly asks for it.\n\ndrm-meson is handling connector creation, so this won\u0027t happen, leading to\na NULL pointer dereference.\n\nFix it by having scdc functions access dw-hdmi\u0027s current connector pointer\ninstead, which is assigned during the bridge enablement stage.\n\n[narmstrong: moved Fixes tag before first S-o-b and added Reported-by tag]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:39.591Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/552f79aa9e801ed4f74d6b3221af78042ba4f235"
},
{
"url": "https://git.kernel.org/stable/c/98703e4e061fb8715c7613cd227e32cdfd136b23"
}
],
"title": "drm: bridge: dw_hdmi: fix connector access for scdc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53784",
"datePublished": "2025-12-09T00:00:39.591Z",
"dateReserved": "2025-12-08T23:58:35.272Z",
"dateUpdated": "2025-12-09T00:00:39.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53854 (GCVE-0-2023-53854)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
ASoC: mediatek: mt8186: Fix use-after-free in driver remove path
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: mediatek: mt8186: Fix use-after-free in driver remove path
When devm runs functions in the "remove" path for a device it runs them
in the reverse order. That means that if you have parts of your driver
that aren't using devm or are using "roll your own" devm w/
devm_add_action_or_reset() you need to keep that in mind.
The mt8186 audio driver didn't quite get this right. Specifically, in
mt8186_init_clock() it called mt8186_audsys_clk_register() and then
went on to call a bunch of other devm functions. The caller of
mt8186_init_clock() used devm_add_action_or_reset() to call
mt8186_deinit_clock() but, because of the intervening devm functions,
the order was wrong.
Specifically at probe time, the order was:
1. mt8186_audsys_clk_register()
2. afe_priv->clk = devm_kcalloc(...)
3. afe_priv->clk[i] = devm_clk_get(...)
At remove time, the order (which should have been 3, 2, 1) was:
1. mt8186_audsys_clk_unregister()
3. Free all of afe_priv->clk[i]
2. Free afe_priv->clk
The above seemed to be causing a use-after-free. Luckily, it's easy to
fix this by simply using devm more correctly. Let's move the
devm_add_action_or_reset() to the right place. In addition to fixing
the use-after-free, code inspection shows that this fixes a leak
(missing call to mt8186_audsys_clk_unregister()) that would have
happened if any of the syscon_regmap_lookup_by_phandle() calls in
mt8186_init_clock() had failed.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 55b423d5623ccd6785429431c2cf5f3e073b73ba , < 3e56a1c04882852e3e7d6c59756a16211ebbc457 (git) |
| Linux | Linux | Affected: 55b423d5623ccd6785429431c2cf5f3e073b73ba , < dffd9e2b57cb845930fa885aa634a847ba2130dd (git) |
| Linux | Linux | Affected: 55b423d5623ccd6785429431c2cf5f3e073b73ba , < a93d2afd3f77a7331271a0f25c6a11003db69b3c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/mediatek/mt8186/mt8186-afe-clk.c",
"sound/soc/mediatek/mt8186/mt8186-afe-clk.h",
"sound/soc/mediatek/mt8186/mt8186-afe-pcm.c",
"sound/soc/mediatek/mt8186/mt8186-audsys-clk.c",
"sound/soc/mediatek/mt8186/mt8186-audsys-clk.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e56a1c04882852e3e7d6c59756a16211ebbc457",
"status": "affected",
"version": "55b423d5623ccd6785429431c2cf5f3e073b73ba",
"versionType": "git"
},
{
"lessThan": "dffd9e2b57cb845930fa885aa634a847ba2130dd",
"status": "affected",
"version": "55b423d5623ccd6785429431c2cf5f3e073b73ba",
"versionType": "git"
},
{
"lessThan": "a93d2afd3f77a7331271a0f25c6a11003db69b3c",
"status": "affected",
"version": "55b423d5623ccd6785429431c2cf5f3e073b73ba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/mediatek/mt8186/mt8186-afe-clk.c",
"sound/soc/mediatek/mt8186/mt8186-afe-clk.h",
"sound/soc/mediatek/mt8186/mt8186-afe-pcm.c",
"sound/soc/mediatek/mt8186/mt8186-audsys-clk.c",
"sound/soc/mediatek/mt8186/mt8186-audsys-clk.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8186: Fix use-after-free in driver remove path\n\nWhen devm runs function in the \"remove\" path for a device it runs them\nin the reverse order. That means that if you have parts of your driver\nthat aren\u0027t using devm or are using \"roll your own\" devm w/\ndevm_add_action_or_reset() you need to keep that in mind.\n\nThe mt8186 audio driver didn\u0027t quite get this right. Specifically, in\nmt8186_init_clock() it called mt8186_audsys_clk_register() and then\nwent on to call a bunch of other devm function. The caller of\nmt8186_init_clock() used devm_add_action_or_reset() to call\nmt8186_deinit_clock() but, because of the intervening devm functions,\nthe order was wrong.\n\nSpecifically at probe time, the order was:\n1. mt8186_audsys_clk_register()\n2. afe_priv-\u003eclk = devm_kcalloc(...)\n3. afe_priv-\u003eclk[i] = devm_clk_get(...)\n\nAt remove time, the order (which should have been 3, 2, 1) was:\n1. mt8186_audsys_clk_unregister()\n3. Free all of afe_priv-\u003eclk[i]\n2. Free afe_priv-\u003eclk\n\nThe above seemed to be causing a use-after-free. Luckily, it\u0027s easy to\nfix this by simply using devm more correctly. Let\u0027s move the\ndevm_add_action_or_reset() to the right place. In addition to fixing\nthe use-after-free, code inspection shows that this fixes a leak\n(missing call to mt8186_audsys_clk_unregister()) that would have\nhappened if any of the syscon_regmap_lookup_by_phandle() calls in\nmt8186_init_clock() had failed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:19.746Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e56a1c04882852e3e7d6c59756a16211ebbc457"
},
{
"url": "https://git.kernel.org/stable/c/dffd9e2b57cb845930fa885aa634a847ba2130dd"
},
{
"url": "https://git.kernel.org/stable/c/a93d2afd3f77a7331271a0f25c6a11003db69b3c"
}
],
"title": "ASoC: mediatek: mt8186: Fix use-after-free in driver remove path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53854",
"datePublished": "2025-12-09T01:30:19.746Z",
"dateReserved": "2025-12-09T01:27:17.828Z",
"dateUpdated": "2025-12-09T01:30:19.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50649 (GCVE-0-2022-50649)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-23 13:30
Title
power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()
Summary
In the Linux kernel, the following vulnerability has been resolved:
power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()
ADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length
of 8, but adp5061_chg_type array size is 4, may end up reading 4 elements
beyond the end of the adp5061_chg_type[] array.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 24a0be36e9a21f63de2e6088607e689e59ec15f4 (git) |
| Linux | Linux | Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 3376a0cf138dfc90b449fde541ca228a33e1c143 (git) |
| Linux | Linux | Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 89f305a71418591cdda18180f712f91c9820f03b (git) |
| Linux | Linux | Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 7c8bc374659de19d846f7cab3eda9ebdb005c4cc (git) |
| Linux | Linux | Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 038e4aa71281d0cbc8aeb56ba05ff7fc5653a106 (git) |
| Linux | Linux | Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < dc52b73d3acd676ccbb440fcec617c547b903af2 (git) |
| Linux | Linux | Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 9d47e01b9d807808224347935562f7043a358054 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/adp5061.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "24a0be36e9a21f63de2e6088607e689e59ec15f4",
"status": "affected",
"version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
"versionType": "git"
},
{
"lessThan": "3376a0cf138dfc90b449fde541ca228a33e1c143",
"status": "affected",
"version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
"versionType": "git"
},
{
"lessThan": "89f305a71418591cdda18180f712f91c9820f03b",
"status": "affected",
"version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
"versionType": "git"
},
{
"lessThan": "7c8bc374659de19d846f7cab3eda9ebdb005c4cc",
"status": "affected",
"version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
"versionType": "git"
},
{
"lessThan": "038e4aa71281d0cbc8aeb56ba05ff7fc5653a106",
"status": "affected",
"version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
"versionType": "git"
},
{
"lessThan": "dc52b73d3acd676ccbb440fcec617c547b903af2",
"status": "affected",
"version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
"versionType": "git"
},
{
"lessThan": "9d47e01b9d807808224347935562f7043a358054",
"status": "affected",
"version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/adp5061.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()\n\nADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length\nof 8, but adp5061_chg_type array size is 4, may end up reading 4 elements\nbeyond the end of the adp5061_chg_type[] array."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:30:26.076Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/24a0be36e9a21f63de2e6088607e689e59ec15f4"
},
{
"url": "https://git.kernel.org/stable/c/3376a0cf138dfc90b449fde541ca228a33e1c143"
},
{
"url": "https://git.kernel.org/stable/c/89f305a71418591cdda18180f712f91c9820f03b"
},
{
"url": "https://git.kernel.org/stable/c/7c8bc374659de19d846f7cab3eda9ebdb005c4cc"
},
{
"url": "https://git.kernel.org/stable/c/038e4aa71281d0cbc8aeb56ba05ff7fc5653a106"
},
{
"url": "https://git.kernel.org/stable/c/dc52b73d3acd676ccbb440fcec617c547b903af2"
},
{
"url": "https://git.kernel.org/stable/c/9d47e01b9d807808224347935562f7043a358054"
}
],
"title": "power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50649",
"datePublished": "2025-12-09T00:00:23.331Z",
"dateReserved": "2025-12-08T23:57:43.371Z",
"dateUpdated": "2025-12-23T13:30:26.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50631 (GCVE-0-2022-50631)
Vulnerability from cvelistv5 – Published: 2025-12-08 23:59 – Updated: 2025-12-08 23:59
Title
RISC-V: kexec: Fix memory leak of fdt buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
RISC-V: kexec: Fix memory leak of fdt buffer
This is reported by kmemleak detector:
unreferenced object 0xff60000082864000 (size 9588):
comm "kexec", pid 146, jiffies 4294900634 (age 64.788s)
hex dump (first 32 bytes):
d0 0d fe ed 00 00 12 ed 00 00 00 48 00 00 11 40 ...........H...@
00 00 00 28 00 00 00 11 00 00 00 02 00 00 00 00 ...(............
backtrace:
[<00000000f95b17c4>] kmemleak_alloc+0x34/0x3e
[<00000000b9ec8e3e>] kmalloc_order+0x9c/0xc4
[<00000000a95cf02e>] kmalloc_order_trace+0x34/0xb6
[<00000000f01e68b4>] __kmalloc+0x5c2/0x62a
[<000000002bd497b2>] kvmalloc_node+0x66/0xd6
[<00000000906542fa>] of_kexec_alloc_and_setup_fdt+0xa6/0x6ea
[<00000000e1166bde>] elf_kexec_load+0x206/0x4ec
[<0000000036548e09>] kexec_image_load_default+0x40/0x4c
[<0000000079fbe1b4>] sys_kexec_file_load+0x1c4/0x322
[<0000000040c62c03>] ret_from_syscall+0x0/0x2
In elf_kexec_load(), a buffer is allocated via kvmalloc() to store fdt.
While it's not freed back to system when kexec kernel is reloaded or
unloaded. Then memory leak is caused. Fix it by introducing riscv
specific function arch_kimage_file_post_load_cleanup(), and freeing the
buffer there.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6261586e0c91db14c34f894f4bc48f2300cff1d4 , < c66ad198b6497dee8f45d7ed5c03629c4525c7d0 (git) |
| Linux | Linux | Affected: 6261586e0c91db14c34f894f4bc48f2300cff1d4 , < dc387c34d8dd10b02a333df098f8fd9bba177a45 (git) |
| Linux | Linux | Affected: 6261586e0c91db14c34f894f4bc48f2300cff1d4 , < 96df59b1ae23f5c11698c3c2159aeb2ecd4944a4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/include/asm/kexec.h",
"arch/riscv/kernel/elf_kexec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c66ad198b6497dee8f45d7ed5c03629c4525c7d0",
"status": "affected",
"version": "6261586e0c91db14c34f894f4bc48f2300cff1d4",
"versionType": "git"
},
{
"lessThan": "dc387c34d8dd10b02a333df098f8fd9bba177a45",
"status": "affected",
"version": "6261586e0c91db14c34f894f4bc48f2300cff1d4",
"versionType": "git"
},
{
"lessThan": "96df59b1ae23f5c11698c3c2159aeb2ecd4944a4",
"status": "affected",
"version": "6261586e0c91db14c34f894f4bc48f2300cff1d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/include/asm/kexec.h",
"arch/riscv/kernel/elf_kexec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRISC-V: kexec: Fix memory leak of fdt buffer\n\nThis is reported by kmemleak detector:\n\nunreferenced object 0xff60000082864000 (size 9588):\n comm \"kexec\", pid 146, jiffies 4294900634 (age 64.788s)\n hex dump (first 32 bytes):\n d0 0d fe ed 00 00 12 ed 00 00 00 48 00 00 11 40 ...........H...@\n 00 00 00 28 00 00 00 11 00 00 00 02 00 00 00 00 ...(............\n backtrace:\n [\u003c00000000f95b17c4\u003e] kmemleak_alloc+0x34/0x3e\n [\u003c00000000b9ec8e3e\u003e] kmalloc_order+0x9c/0xc4\n [\u003c00000000a95cf02e\u003e] kmalloc_order_trace+0x34/0xb6\n [\u003c00000000f01e68b4\u003e] __kmalloc+0x5c2/0x62a\n [\u003c000000002bd497b2\u003e] kvmalloc_node+0x66/0xd6\n [\u003c00000000906542fa\u003e] of_kexec_alloc_and_setup_fdt+0xa6/0x6ea\n [\u003c00000000e1166bde\u003e] elf_kexec_load+0x206/0x4ec\n [\u003c0000000036548e09\u003e] kexec_image_load_default+0x40/0x4c\n [\u003c0000000079fbe1b4\u003e] sys_kexec_file_load+0x1c4/0x322\n [\u003c0000000040c62c03\u003e] ret_from_syscall+0x0/0x2\n\nIn elf_kexec_load(), a buffer is allocated via kvmalloc() to store fdt.\nWhile it\u0027s not freed back to system when kexec kernel is reloaded or\nunloaded. Then memory leak is caused. Fix it by introducing riscv\nspecific function arch_kimage_file_post_load_cleanup(), and freeing the\nbuffer there."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T23:59:57.228Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c66ad198b6497dee8f45d7ed5c03629c4525c7d0"
},
{
"url": "https://git.kernel.org/stable/c/dc387c34d8dd10b02a333df098f8fd9bba177a45"
},
{
"url": "https://git.kernel.org/stable/c/96df59b1ae23f5c11698c3c2159aeb2ecd4944a4"
}
],
"title": "RISC-V: kexec: Fix memory leak of fdt buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50631",
"datePublished": "2025-12-08T23:59:57.228Z",
"dateReserved": "2025-12-08T23:57:43.369Z",
"dateUpdated": "2025-12-08T23:59:57.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50637 (GCVE-0-2022-50637)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut()
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut()
If "cpu_dev" fails to get opp table in qcom_cpufreq_hw_read_lut(),
the program will return, resulting in "table" resource is not released.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 51c843cf77bb52db6df947c4fedcfc62ae3b7b30 , < 3ef12a4a8ef5553af9c3fd2719a616637a102568 (git) |
| Linux | Linux | Affected: 51c843cf77bb52db6df947c4fedcfc62ae3b7b30 , < 4ea765b10624d67407817100d381c60f53593033 (git) |
| Linux | Linux | Affected: 51c843cf77bb52db6df947c4fedcfc62ae3b7b30 , < 5d430076e66bddd08612911513b36f932b0d9d6c (git) |
| Linux | Linux | Affected: 51c843cf77bb52db6df947c4fedcfc62ae3b7b30 , < 242e23be8f31ebd90525c57ee3244c28e99a1697 (git) |
| Linux | Linux | Affected: 51c843cf77bb52db6df947c4fedcfc62ae3b7b30 , < 9901c21bcaf2f01fe5078f750d624f4ddfa8f81b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/qcom-cpufreq-hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ef12a4a8ef5553af9c3fd2719a616637a102568",
"status": "affected",
"version": "51c843cf77bb52db6df947c4fedcfc62ae3b7b30",
"versionType": "git"
},
{
"lessThan": "4ea765b10624d67407817100d381c60f53593033",
"status": "affected",
"version": "51c843cf77bb52db6df947c4fedcfc62ae3b7b30",
"versionType": "git"
},
{
"lessThan": "5d430076e66bddd08612911513b36f932b0d9d6c",
"status": "affected",
"version": "51c843cf77bb52db6df947c4fedcfc62ae3b7b30",
"versionType": "git"
},
{
"lessThan": "242e23be8f31ebd90525c57ee3244c28e99a1697",
"status": "affected",
"version": "51c843cf77bb52db6df947c4fedcfc62ae3b7b30",
"versionType": "git"
},
{
"lessThan": "9901c21bcaf2f01fe5078f750d624f4ddfa8f81b",
"status": "affected",
"version": "51c843cf77bb52db6df947c4fedcfc62ae3b7b30",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/qcom-cpufreq-hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut()\n\nIf \"cpu_dev\" fails to get opp table in qcom_cpufreq_hw_read_lut(),\nthe program will return, resulting in \"table\" resource is not released."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:10.726Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ef12a4a8ef5553af9c3fd2719a616637a102568"
},
{
"url": "https://git.kernel.org/stable/c/4ea765b10624d67407817100d381c60f53593033"
},
{
"url": "https://git.kernel.org/stable/c/5d430076e66bddd08612911513b36f932b0d9d6c"
},
{
"url": "https://git.kernel.org/stable/c/242e23be8f31ebd90525c57ee3244c28e99a1697"
},
{
"url": "https://git.kernel.org/stable/c/9901c21bcaf2f01fe5078f750d624f4ddfa8f81b"
}
],
"title": "cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50637",
"datePublished": "2025-12-09T00:00:10.726Z",
"dateReserved": "2025-12-08T23:57:43.370Z",
"dateUpdated": "2025-12-09T00:00:10.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50645 (GCVE-0-2022-50645)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper()
Summary
In the Linux kernel, the following vulnerability has been resolved:
EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper()
As the comment of pci_get_domain_bus_and_slot() says, it returns
a PCI device with refcount incremented, so it doesn't need to
call an extra pci_dev_get() in pci_get_dev_wrapper(), and the PCI
device needs to be put in the error path.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d4dc89d069aab9074e2493a4c2f3969a0a0b91c1 , < e6e295a434d1c917a017980389aec88bf35cc81b (git) |
| Linux | Linux | Affected: d4dc89d069aab9074e2493a4c2f3969a0a0b91c1 , < 2db53c7059167b63cc790366ef1a9e286e71980b (git) |
| Linux | Linux | Affected: d4dc89d069aab9074e2493a4c2f3969a0a0b91c1 , < 3e255dc21031cc1f341584eb99a7f31598bf0be7 (git) |
| Linux | Linux | Affected: d4dc89d069aab9074e2493a4c2f3969a0a0b91c1 , < 1adb2583cdbd75f379e3230a43a7412d373d499f (git) |
| Linux | Linux | Affected: d4dc89d069aab9074e2493a4c2f3969a0a0b91c1 , < f29c2f57cdf7a57223dcd9fbaa2261faab5234b2 (git) |
| Linux | Linux | Affected: d4dc89d069aab9074e2493a4c2f3969a0a0b91c1 , < 9c8921555907f4d723f01ed2d859b66f2d14f08e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/edac/i10nm_base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e6e295a434d1c917a017980389aec88bf35cc81b",
"status": "affected",
"version": "d4dc89d069aab9074e2493a4c2f3969a0a0b91c1",
"versionType": "git"
},
{
"lessThan": "2db53c7059167b63cc790366ef1a9e286e71980b",
"status": "affected",
"version": "d4dc89d069aab9074e2493a4c2f3969a0a0b91c1",
"versionType": "git"
},
{
"lessThan": "3e255dc21031cc1f341584eb99a7f31598bf0be7",
"status": "affected",
"version": "d4dc89d069aab9074e2493a4c2f3969a0a0b91c1",
"versionType": "git"
},
{
"lessThan": "1adb2583cdbd75f379e3230a43a7412d373d499f",
"status": "affected",
"version": "d4dc89d069aab9074e2493a4c2f3969a0a0b91c1",
"versionType": "git"
},
{
"lessThan": "f29c2f57cdf7a57223dcd9fbaa2261faab5234b2",
"status": "affected",
"version": "d4dc89d069aab9074e2493a4c2f3969a0a0b91c1",
"versionType": "git"
},
{
"lessThan": "9c8921555907f4d723f01ed2d859b66f2d14f08e",
"status": "affected",
"version": "d4dc89d069aab9074e2493a4c2f3969a0a0b91c1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/edac/i10nm_base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/i10nm: fix refcount leak in pci_get_dev_wrapper()\n\nAs the comment of pci_get_domain_bus_and_slot() says, it returns\na PCI device with refcount incremented, so it doesn\u0027t need to\ncall an extra pci_dev_get() in pci_get_dev_wrapper(), and the PCI\ndevice needs to be put in the error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:19.652Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e6e295a434d1c917a017980389aec88bf35cc81b"
},
{
"url": "https://git.kernel.org/stable/c/2db53c7059167b63cc790366ef1a9e286e71980b"
},
{
"url": "https://git.kernel.org/stable/c/3e255dc21031cc1f341584eb99a7f31598bf0be7"
},
{
"url": "https://git.kernel.org/stable/c/1adb2583cdbd75f379e3230a43a7412d373d499f"
},
{
"url": "https://git.kernel.org/stable/c/f29c2f57cdf7a57223dcd9fbaa2261faab5234b2"
},
{
"url": "https://git.kernel.org/stable/c/9c8921555907f4d723f01ed2d859b66f2d14f08e"
}
],
"title": "EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50645",
"datePublished": "2025-12-09T00:00:19.652Z",
"dateReserved": "2025-12-08T23:57:43.371Z",
"dateUpdated": "2025-12-09T00:00:19.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53819 (GCVE-0-2023-53819)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
Title
amdgpu: validate offset_in_bo of drm_amdgpu_gem_va
Summary
In the Linux kernel, the following vulnerability has been resolved:
amdgpu: validate offset_in_bo of drm_amdgpu_gem_va
This is motivated by OOB access in amdgpu_vm_update_range when
offset_in_bo+map_size overflows.
v2: keep the validations in amdgpu_vm_bo_map
v3: add the validations to amdgpu_vm_bo_map/amdgpu_vm_bo_replace_map
rather than to amdgpu_gem_va_ioctl
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9f7eb5367d0001536c361bd1400e14521f854ff1 , < 82aace80cfaab778245bd2f9e31b67953725e4d0 (git) |
| Linux | Linux | Affected: 9f7eb5367d0001536c361bd1400e14521f854ff1 , < d83c337e654d58d3edd15a2ae76e87dc601c07d9 (git) |
| Linux | Linux | Affected: 9f7eb5367d0001536c361bd1400e14521f854ff1 , < 968e27fd037ec4732068820a9b9836eccc0e0a12 (git) |
| Linux | Linux | Affected: 9f7eb5367d0001536c361bd1400e14521f854ff1 , < 4300a47e4017c9febb60ffa7d39723eeaed00f2b (git) |
| Linux | Linux | Affected: 9f7eb5367d0001536c361bd1400e14521f854ff1 , < b10db1d2137415e5e7f9706d96cfe77539c499d4 (git) |
| Linux | Linux | Affected: 9f7eb5367d0001536c361bd1400e14521f854ff1 , < f015aadc0d973047f49526a127e900c488d4e425 (git) |
| Linux | Linux | Affected: 9f7eb5367d0001536c361bd1400e14521f854ff1 , < bc6dbf34dc4fb639522f3e8e66ef05997c0441ee (git) |
| Linux | Linux | Affected: 9f7eb5367d0001536c361bd1400e14521f854ff1 , < 9f0bcf49e9895cb005d78b33a5eebfa11711b425 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82aace80cfaab778245bd2f9e31b67953725e4d0",
"status": "affected",
"version": "9f7eb5367d0001536c361bd1400e14521f854ff1",
"versionType": "git"
},
{
"lessThan": "d83c337e654d58d3edd15a2ae76e87dc601c07d9",
"status": "affected",
"version": "9f7eb5367d0001536c361bd1400e14521f854ff1",
"versionType": "git"
},
{
"lessThan": "968e27fd037ec4732068820a9b9836eccc0e0a12",
"status": "affected",
"version": "9f7eb5367d0001536c361bd1400e14521f854ff1",
"versionType": "git"
},
{
"lessThan": "4300a47e4017c9febb60ffa7d39723eeaed00f2b",
"status": "affected",
"version": "9f7eb5367d0001536c361bd1400e14521f854ff1",
"versionType": "git"
},
{
"lessThan": "b10db1d2137415e5e7f9706d96cfe77539c499d4",
"status": "affected",
"version": "9f7eb5367d0001536c361bd1400e14521f854ff1",
"versionType": "git"
},
{
"lessThan": "f015aadc0d973047f49526a127e900c488d4e425",
"status": "affected",
"version": "9f7eb5367d0001536c361bd1400e14521f854ff1",
"versionType": "git"
},
{
"lessThan": "bc6dbf34dc4fb639522f3e8e66ef05997c0441ee",
"status": "affected",
"version": "9f7eb5367d0001536c361bd1400e14521f854ff1",
"versionType": "git"
},
{
"lessThan": "9f0bcf49e9895cb005d78b33a5eebfa11711b425",
"status": "affected",
"version": "9f7eb5367d0001536c361bd1400e14521f854ff1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.313",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.275",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.313",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.275",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\namdgpu: validate offset_in_bo of drm_amdgpu_gem_va\n\nThis is motivated by OOB access in amdgpu_vm_update_range when\noffset_in_bo+map_size overflows.\n\nv2: keep the validations in amdgpu_vm_bo_map\nv3: add the validations to amdgpu_vm_bo_map/amdgpu_vm_bo_replace_map\n rather than to amdgpu_gem_va_ioctl"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:17.936Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82aace80cfaab778245bd2f9e31b67953725e4d0"
},
{
"url": "https://git.kernel.org/stable/c/d83c337e654d58d3edd15a2ae76e87dc601c07d9"
},
{
"url": "https://git.kernel.org/stable/c/968e27fd037ec4732068820a9b9836eccc0e0a12"
},
{
"url": "https://git.kernel.org/stable/c/4300a47e4017c9febb60ffa7d39723eeaed00f2b"
},
{
"url": "https://git.kernel.org/stable/c/b10db1d2137415e5e7f9706d96cfe77539c499d4"
},
{
"url": "https://git.kernel.org/stable/c/f015aadc0d973047f49526a127e900c488d4e425"
},
{
"url": "https://git.kernel.org/stable/c/bc6dbf34dc4fb639522f3e8e66ef05997c0441ee"
},
{
"url": "https://git.kernel.org/stable/c/9f0bcf49e9895cb005d78b33a5eebfa11711b425"
}
],
"title": "amdgpu: validate offset_in_bo of drm_amdgpu_gem_va",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53819",
"datePublished": "2025-12-09T00:01:17.936Z",
"dateReserved": "2025-12-08T23:58:35.277Z",
"dateUpdated": "2025-12-09T00:01:17.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50641 (GCVE-0-2022-50641)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
HSI: omap_ssi: Fix refcount leak in ssi_probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
HSI: omap_ssi: Fix refcount leak in ssi_probe
When returning or breaking early from a
for_each_available_child_of_node() loop, we need to explicitly call
of_node_put() on the child node to possibly release the node.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 20fbaff6699ea5553c67550e867d6f90b7085447 (git) |
| Linux | Linux | Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 18e199a5541aad6dc5cf51bc3f712247b2d17894 (git) |
| Linux | Linux | Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < e8a218c17d7c5c42d5609ef92d339b47f3d11d02 (git) |
| Linux | Linux | Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < aa9c0598b10960ad1198044da1e277a89b4e3af6 (git) |
| Linux | Linux | Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 962f22e7f7698f7718d95bd9b63e41fb8cca01a9 (git) |
| Linux | Linux | Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 691f23a8475f04c988f7e98066b084e996b40fa0 (git) |
| Linux | Linux | Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < e25f56f8bdf66126a54b5a88bc021c82bfb50b75 (git) |
| Linux | Linux | Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 0eff9ef67d91e350d2047c3e13b6c3b7d0c90bf4 (git) |
| Linux | Linux | Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 9a2ea132df860177b33c9fd421b26c4e9a0a9396 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hsi/controllers/omap_ssi_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20fbaff6699ea5553c67550e867d6f90b7085447",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
},
{
"lessThan": "18e199a5541aad6dc5cf51bc3f712247b2d17894",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
},
{
"lessThan": "e8a218c17d7c5c42d5609ef92d339b47f3d11d02",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
},
{
"lessThan": "aa9c0598b10960ad1198044da1e277a89b4e3af6",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
},
{
"lessThan": "962f22e7f7698f7718d95bd9b63e41fb8cca01a9",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
},
{
"lessThan": "691f23a8475f04c988f7e98066b084e996b40fa0",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
},
{
"lessThan": "e25f56f8bdf66126a54b5a88bc021c82bfb50b75",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
},
{
"lessThan": "0eff9ef67d91e350d2047c3e13b6c3b7d0c90bf4",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
},
{
"lessThan": "9a2ea132df860177b33c9fd421b26c4e9a0a9396",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hsi/controllers/omap_ssi_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: omap_ssi: Fix refcount leak in ssi_probe\n\nWhen returning or breaking early from a\nfor_each_available_child_of_node() loop, we need to explicitly call\nof_node_put() on the child node to possibly release the node."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:15.268Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20fbaff6699ea5553c67550e867d6f90b7085447"
},
{
"url": "https://git.kernel.org/stable/c/18e199a5541aad6dc5cf51bc3f712247b2d17894"
},
{
"url": "https://git.kernel.org/stable/c/e8a218c17d7c5c42d5609ef92d339b47f3d11d02"
},
{
"url": "https://git.kernel.org/stable/c/aa9c0598b10960ad1198044da1e277a89b4e3af6"
},
{
"url": "https://git.kernel.org/stable/c/962f22e7f7698f7718d95bd9b63e41fb8cca01a9"
},
{
"url": "https://git.kernel.org/stable/c/691f23a8475f04c988f7e98066b084e996b40fa0"
},
{
"url": "https://git.kernel.org/stable/c/e25f56f8bdf66126a54b5a88bc021c82bfb50b75"
},
{
"url": "https://git.kernel.org/stable/c/0eff9ef67d91e350d2047c3e13b6c3b7d0c90bf4"
},
{
"url": "https://git.kernel.org/stable/c/9a2ea132df860177b33c9fd421b26c4e9a0a9396"
}
],
"title": "HSI: omap_ssi: Fix refcount leak in ssi_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50641",
"datePublished": "2025-12-09T00:00:15.268Z",
"dateReserved": "2025-12-08T23:57:43.370Z",
"dateUpdated": "2025-12-09T00:00:15.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53785 (GCVE-0-2023-53785)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-20 08:51
Title
mt76: mt7921: don't assume adequate headroom for SDIO headers
Summary
In the Linux kernel, the following vulnerability has been resolved:

mt76: mt7921: don't assume adequate headroom for SDIO headers

mt7921_usb_sdio_tx_prepare_skb() calls mt7921_usb_sdio_write_txwi() and
mt7921_skb_add_usb_sdio_hdr(), both of which blindly assume that
adequate headroom will be available in the passed skb. This assumption
typically is satisfied when the skb was allocated in the net core for
transmission via the mt7921 netdev (although even that is only an
optimization and is not strictly guaranteed), but the assumption is
sometimes not satisfied when the skb originated in the receive path of
another netdev and was passed through to the mt7921, such as by the
bridge layer. Blindly prepending bytes to an skb is always wrong.

This commit introduces a call to skb_cow_head() before the call to
mt7921_usb_sdio_write_txwi() in mt7921_usb_sdio_tx_prepare_skb() to
ensure that at least MT_SDIO_TXD_SIZE + MT_SDIO_HDR_SIZE bytes can be
pushed onto the skb.

Without this fix, I can trivially cause kernel panics by bridging an
MT7921AU-based USB 802.11ax interface with an Ethernet interface on an
Intel Atom-based x86 system using its onboard RTL8169 PCI Ethernet
adapter and also on an ARM-based Raspberry Pi 1 using its onboard
SMSC9512 USB Ethernet adapter. Note that the panics do not occur in
every system configuration, as they occur only if the receiving netdev
leaves less headroom in its received skbs than the mt7921 needs for its
SDIO headers.

Here is an example stack trace of this panic on Raspberry Pi OS Lite
2023-02-21 running kernel 6.1.24+ [1]:

  skb_panic from skb_push+0x44/0x48
  skb_push from mt7921_usb_sdio_tx_prepare_skb+0xd4/0x190 [mt7921_common]
  mt7921_usb_sdio_tx_prepare_skb [mt7921_common] from mt76u_tx_queue_skb+0x94/0x1d0 [mt76_usb]
  mt76u_tx_queue_skb [mt76_usb] from __mt76_tx_queue_skb+0x4c/0xc8 [mt76]
  __mt76_tx_queue_skb [mt76] from mt76_txq_schedule.part.0+0x13c/0x398 [mt76]
  mt76_txq_schedule.part.0 [mt76] from mt76_txq_schedule_all+0x24/0x30 [mt76]
  mt76_txq_schedule_all [mt76] from mt7921_tx_worker+0x58/0xf4 [mt7921_common]
  mt7921_tx_worker [mt7921_common] from __mt76_worker_fn+0x9c/0xec [mt76]
  __mt76_worker_fn [mt76] from kthread+0xbc/0xe0
  kthread from ret_from_fork+0x14/0x34

After this fix, bridging the mt7921 interface works fine on both of my
previously problematic systems.

[1] https://github.com/raspberrypi/firmware/tree/5c276f55a4b21345cd4d6200a504ee991851ff7a
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e0f9fdda81bd32371ddac9222487e612027d8de2 , < 5c8bbb79c7cbca65534badf360f3b1145759c7bc (git) |
| Linux | Linux | Affected: e0f9fdda81bd32371ddac9222487e612027d8de2 , < 414c0c04703423b78bc9dea1aa6493334dc61f6e (git) |
| Linux | Linux | Affected: e0f9fdda81bd32371ddac9222487e612027d8de2 , < 98c4d0abf5c478db1ad126ff0c187dbb84c0803c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7921/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5c8bbb79c7cbca65534badf360f3b1145759c7bc",
"status": "affected",
"version": "e0f9fdda81bd32371ddac9222487e612027d8de2",
"versionType": "git"
},
{
"lessThan": "414c0c04703423b78bc9dea1aa6493334dc61f6e",
"status": "affected",
"version": "e0f9fdda81bd32371ddac9222487e612027d8de2",
"versionType": "git"
},
{
"lessThan": "98c4d0abf5c478db1ad126ff0c187dbb84c0803c",
"status": "affected",
"version": "e0f9fdda81bd32371ddac9222487e612027d8de2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7921/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: don\u0027t assume adequate headroom for SDIO headers\n\nmt7921_usb_sdio_tx_prepare_skb() calls mt7921_usb_sdio_write_txwi() and\nmt7921_skb_add_usb_sdio_hdr(), both of which blindly assume that\nadequate headroom will be available in the passed skb. This assumption\ntypically is satisfied when the skb was allocated in the net core for\ntransmission via the mt7921 netdev (although even that is only an\noptimization and is not strictly guaranteed), but the assumption is\nsometimes not satisfied when the skb originated in the receive path of\nanother netdev and was passed through to the mt7921, such as by the\nbridge layer. Blindly prepending bytes to an skb is always wrong.\n\nThis commit introduces a call to skb_cow_head() before the call to\nmt7921_usb_sdio_write_txwi() in mt7921_usb_sdio_tx_prepare_skb() to\nensure that at least MT_SDIO_TXD_SIZE + MT_SDIO_HDR_SIZE bytes can be\npushed onto the skb.\n\nWithout this fix, I can trivially cause kernel panics by bridging an\nMT7921AU-based USB 802.11ax interface with an Ethernet interface on an\nIntel Atom-based x86 system using its onboard RTL8169 PCI Ethernet\nadapter and also on an ARM-based Raspberry Pi 1 using its onboard\nSMSC9512 USB Ethernet adapter. Note that the panics do not occur in\nevery system configuration, as they occur only if the receiving netdev\nleaves less headroom in its received skbs than the mt7921 needs for its\nSDIO headers.\n\nHere is an example stack trace of this panic on Raspberry Pi OS Lite\n2023-02-21 running kernel 6.1.24+ [1]:\n\n skb_panic from skb_push+0x44/0x48\n skb_push from mt7921_usb_sdio_tx_prepare_skb+0xd4/0x190 [mt7921_common]\n mt7921_usb_sdio_tx_prepare_skb [mt7921_common] from mt76u_tx_queue_skb+0x94/0x1d0 [mt76_usb]\n mt76u_tx_queue_skb [mt76_usb] from __mt76_tx_queue_skb+0x4c/0xc8 [mt76]\n __mt76_tx_queue_skb [mt76] from mt76_txq_schedule.part.0+0x13c/0x398 [mt76]\n mt76_txq_schedule.part.0 [mt76] from mt76_txq_schedule_all+0x24/0x30 [mt76]\n mt76_txq_schedule_all [mt76] from mt7921_tx_worker+0x58/0xf4 [mt7921_common]\n mt7921_tx_worker [mt7921_common] from __mt76_worker_fn+0x9c/0xec [mt76]\n __mt76_worker_fn [mt76] from kthread+0xbc/0xe0\n kthread from ret_from_fork+0x14/0x34\n\nAfter this fix, bridging the mt7921 interface works fine on both of my\npreviously problematic systems.\n\n[1] https://github.com/raspberrypi/firmware/tree/5c276f55a4b21345cd4d6200a504ee991851ff7a"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:21.529Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5c8bbb79c7cbca65534badf360f3b1145759c7bc"
},
{
"url": "https://git.kernel.org/stable/c/414c0c04703423b78bc9dea1aa6493334dc61f6e"
},
{
"url": "https://git.kernel.org/stable/c/98c4d0abf5c478db1ad126ff0c187dbb84c0803c"
}
],
"title": "mt76: mt7921: don\u0027t assume adequate headroom for SDIO headers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53785",
"datePublished": "2025-12-09T00:00:40.505Z",
"dateReserved": "2025-12-08T23:58:35.273Z",
"dateUpdated": "2025-12-20T08:51:21.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53842 (GCVE-0-2023-53842)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove
Summary
In the Linux kernel, the following vulnerability has been resolved:

ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove

The MBHC resources must be released on component probe failure and
removal so can not be tied to the lifetime of the component device.

This is specifically needed to allow probe deferrals of the sound card
which otherwise fails when reprobing the codec component:

  snd-sc8280xp sound: ASoC: failed to instantiate card -517
  genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr)
  wcd938x_codec audio-codec: Failed to request mbhc interrupts -16
  wcd938x_codec audio-codec: mbhc initialization failed
  wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16
  snd-sc8280xp sound: ASoC: failed to instantiate card -16
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0e5c9e7ff899808afa4e2b08c2e6ccc469bed681 , < 90ab6446eb522e31421b77bf8f45714f5668f9a3 (git) |
| Linux | Linux | Affected: 0e5c9e7ff899808afa4e2b08c2e6ccc469bed681 , < 17feff71d06c96dea1fa72451c20d411e9d5ac8f (git) |
| Linux | Linux | Affected: 0e5c9e7ff899808afa4e2b08c2e6ccc469bed681 , < ce4059e1c0aca972446e06c09ee09a0d2ba5df54 (git) |
| Linux | Linux | Affected: 0e5c9e7ff899808afa4e2b08c2e6ccc469bed681 , < a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wcd-mbhc-v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90ab6446eb522e31421b77bf8f45714f5668f9a3",
"status": "affected",
"version": "0e5c9e7ff899808afa4e2b08c2e6ccc469bed681",
"versionType": "git"
},
{
"lessThan": "17feff71d06c96dea1fa72451c20d411e9d5ac8f",
"status": "affected",
"version": "0e5c9e7ff899808afa4e2b08c2e6ccc469bed681",
"versionType": "git"
},
{
"lessThan": "ce4059e1c0aca972446e06c09ee09a0d2ba5df54",
"status": "affected",
"version": "0e5c9e7ff899808afa4e2b08c2e6ccc469bed681",
"versionType": "git"
},
{
"lessThan": "a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30",
"status": "affected",
"version": "0e5c9e7ff899808afa4e2b08c2e6ccc469bed681",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wcd-mbhc-v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove\n\nThe MBHC resources must be released on component probe failure and\nremoval so can not be tied to the lifetime of the component device.\n\nThis is specifically needed to allow probe deferrals of the sound card\nwhich otherwise fails when reprobing the codec component:\n\n snd-sc8280xp sound: ASoC: failed to instantiate card -517\n genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr)\n wcd938x_codec audio-codec: Failed to request mbhc interrupts -16\n wcd938x_codec audio-codec: mbhc initialization failed\n wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16\n snd-sc8280xp sound: ASoC: failed to instantiate card -16"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:04.183Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90ab6446eb522e31421b77bf8f45714f5668f9a3"
},
{
"url": "https://git.kernel.org/stable/c/17feff71d06c96dea1fa72451c20d411e9d5ac8f"
},
{
"url": "https://git.kernel.org/stable/c/ce4059e1c0aca972446e06c09ee09a0d2ba5df54"
},
{
"url": "https://git.kernel.org/stable/c/a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30"
}
],
"title": "ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53842",
"datePublished": "2025-12-09T01:30:04.183Z",
"dateReserved": "2025-12-09T01:27:17.826Z",
"dateUpdated": "2025-12-09T01:30:04.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40331 (GCVE-0-2025-40331)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-09 04:09
Title
sctp: Prevent TOCTOU out-of-bounds write
Summary
In the Linux kernel, the following vulnerability has been resolved:

sctp: Prevent TOCTOU out-of-bounds write

For the following path not holding the sock lock,

  sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()

make sure not to exceed bounds in case the address list has grown
between buffer allocation (time-of-check) and write (time-of-use).
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < b106a68df0650b694b254427cd9250c04500edd3 (git) |
| Linux | Linux | Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 3006959371007fc2eae4a078f823c680fa52de1a (git) |
| Linux | Linux | Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 72e3fea68eac8d088e44c3dd954e843478e9240e (git) |
| Linux | Linux | Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 584307275b2048991b2e8984962189b6cc0a9b85 (git) |
| Linux | Linux | Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < c9119f243d9c0da3c3b5f577a328de3e7ffd1b42 (git) |
| Linux | Linux | Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 2fe08fcaacb7eb019fa9c81db39b2214de216677 (git) |
| Linux | Linux | Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 89eac1e150dbd42963e13d23828cb8c4e0763196 (git) |
| Linux | Linux | Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 95aef86ab231f047bb8085c70666059b58f53c09 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b106a68df0650b694b254427cd9250c04500edd3",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "3006959371007fc2eae4a078f823c680fa52de1a",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "72e3fea68eac8d088e44c3dd954e843478e9240e",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "584307275b2048991b2e8984962189b6cc0a9b85",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "c9119f243d9c0da3c3b5f577a328de3e7ffd1b42",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "2fe08fcaacb7eb019fa9c81db39b2214de216677",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "89eac1e150dbd42963e13d23828cb8c4e0763196",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "95aef86ab231f047bb8085c70666059b58f53c09",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Prevent TOCTOU out-of-bounds write\n\nFor the following path not holding the sock lock,\n\n sctp_diag_dump() -\u003e sctp_for_each_endpoint() -\u003e sctp_ep_dump()\n\nmake sure not to exceed bounds in case the address list has grown\nbetween buffer allocation (time-of-check) and write (time-of-use)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T04:09:48.196Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b106a68df0650b694b254427cd9250c04500edd3"
},
{
"url": "https://git.kernel.org/stable/c/3006959371007fc2eae4a078f823c680fa52de1a"
},
{
"url": "https://git.kernel.org/stable/c/72e3fea68eac8d088e44c3dd954e843478e9240e"
},
{
"url": "https://git.kernel.org/stable/c/584307275b2048991b2e8984962189b6cc0a9b85"
},
{
"url": "https://git.kernel.org/stable/c/c9119f243d9c0da3c3b5f577a328de3e7ffd1b42"
},
{
"url": "https://git.kernel.org/stable/c/2fe08fcaacb7eb019fa9c81db39b2214de216677"
},
{
"url": "https://git.kernel.org/stable/c/89eac1e150dbd42963e13d23828cb8c4e0763196"
},
{
"url": "https://git.kernel.org/stable/c/95aef86ab231f047bb8085c70666059b58f53c09"
}
],
"title": "sctp: Prevent TOCTOU out-of-bounds write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40331",
"datePublished": "2025-12-09T04:09:48.196Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-09T04:09:48.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53805 (GCVE-0-2023-53805)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 07:14
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-12-09T07:14:14.898Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53805",
"datePublished": "2025-12-09T00:01:03.422Z",
"dateRejected": "2025-12-09T07:14:14.898Z",
"dateReserved": "2025-12-08T23:58:35.276Z",
"dateUpdated": "2025-12-09T07:14:14.898Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53782 (GCVE-0-2023-53782)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
dccp: Fix out of bounds access in DCCP error handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
dccp: Fix out of bounds access in DCCP error handler
There was a previous attempt to fix an out-of-bounds access in the DCCP
error handlers, but that fix assumed that the error handlers only want
to access the first 8 bytes of the DCCP header. Actually, they also look
at the DCCP sequence number, which is stored beyond 8 bytes, so an
explicit pskb_may_pull() is required.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/dccp/ipv4.c",
"net/dccp/ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3533e10272555c422a7d51ebc0ce8c483429f7f2",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"lessThan": "177212bf6dc1ff2d13d0409cddc5c9e81feec63d",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"lessThan": "7a7dd70cb954d3efa706a429687ded88c02496fa",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"lessThan": "4b8a938e329ae4eb54b73b0c87b5170607b038a8",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"lessThan": "6ecf09699eb1554299aa1e7fd13e9e80f656c2f9",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"lessThan": "f8a7f10a1dccf9868ff09342a73dce27501b86df",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"lessThan": "d8171411a661253e6271fa10b65b46daf1b6471c",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"lessThan": "ec620c34f5fa5d055f9f6136a387755db6157712",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"lessThan": "977ad86c2a1bcaf58f01ab98df5cc145083c489c",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"status": "affected",
"version": "96106a207ae972d8f9e4815e84c159f29e4bbee7",
"versionType": "git"
},
{
"status": "affected",
"version": "261def571d19d3b4e2228643c5c0ac89f5e10d15",
"versionType": "git"
},
{
"status": "affected",
"version": "dbf1719c65fb0368a94d15767c669e47e295a073",
"versionType": "git"
},
{
"status": "affected",
"version": "46b1ffd4738a3ee04b2e8f5a4b8cfc39e9c722a2",
"versionType": "git"
},
{
"status": "affected",
"version": "a2df29ed840f90e459a3f8ff029b216be3912731",
"versionType": "git"
},
{
"status": "affected",
"version": "ba93cf7d2118774c0b2dcfccc8ae999427815caa",
"versionType": "git"
},
{
"status": "affected",
"version": "4ca7e66fcce02459fa6961979f9fe30ae1098cf0",
"versionType": "git"
},
{
"status": "affected",
"version": "bd380617d5d161ea2bbe7a8073b3ca7bca0381e5",
"versionType": "git"
},
{
"status": "affected",
"version": "bfe7d1dee859cad6802f8e21a0a863f408114612",
"versionType": "git"
},
{
"status": "affected",
"version": "968953df833c61fce5adcc0612efeaced24e5719",
"versionType": "git"
},
{
"status": "affected",
"version": "99131760a8851e6e5b2c9b24d0a68a3068923a08",
"versionType": "git"
},
{
"status": "affected",
"version": "84d9c612bb7a9e44c6bf286bedfbe72a6d2d71d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/dccp/ipv4.c",
"net/dccp/ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.8.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.8.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp: Fix out of bounds access in DCCP error handler\n\nThere was a previous attempt to fix an out-of-bounds access in the DCCP\nerror handlers, but that fix assumed that the error handlers only want\nto access the first 8 bytes of the DCCP header. Actually, they also look\nat the DCCP sequence number, which is stored beyond 8 bytes, so an\nexplicit pskb_may_pull() is required."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:37.741Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3533e10272555c422a7d51ebc0ce8c483429f7f2"
},
{
"url": "https://git.kernel.org/stable/c/177212bf6dc1ff2d13d0409cddc5c9e81feec63d"
},
{
"url": "https://git.kernel.org/stable/c/7a7dd70cb954d3efa706a429687ded88c02496fa"
},
{
"url": "https://git.kernel.org/stable/c/4b8a938e329ae4eb54b73b0c87b5170607b038a8"
},
{
"url": "https://git.kernel.org/stable/c/6ecf09699eb1554299aa1e7fd13e9e80f656c2f9"
},
{
"url": "https://git.kernel.org/stable/c/f8a7f10a1dccf9868ff09342a73dce27501b86df"
},
{
"url": "https://git.kernel.org/stable/c/d8171411a661253e6271fa10b65b46daf1b6471c"
},
{
"url": "https://git.kernel.org/stable/c/ec620c34f5fa5d055f9f6136a387755db6157712"
},
{
"url": "https://git.kernel.org/stable/c/977ad86c2a1bcaf58f01ab98df5cc145083c489c"
}
],
"title": "dccp: Fix out of bounds access in DCCP error handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53782",
"datePublished": "2025-12-09T00:00:37.741Z",
"dateReserved": "2025-12-08T23:58:35.272Z",
"dateUpdated": "2025-12-09T00:00:37.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53851 (GCVE-0-2023-53851)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
drm/msm/dp: Drop aux devices together with DP controller
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dp: Drop aux devices together with DP controller
Using devres to depopulate the aux bus made sure that upon a probe
deferral the EDP panel device would be destroyed and recreated upon next
attempt.
But the struct device which the devres is tied to is the DPU's
(drm_dev->dev), which may happen after the DP controller is torn
down.
Indications of this can be seen in the commonly seen EDID-hexdump full
of zeros in the log, or the occasional/rare KASAN fault where the
panel's attempt to read the EDID information causes a use after free on
DP resources.
It's tempting to move the devres to the DP controller's struct device,
but the resources used by the device(s) on the aux bus are explicitly
torn down in the error path. The KASAN-reported use-after-free also
remains, as the DP aux "module" explicitly frees its devres-allocated
memory in this code path.
As such, explicitly depopulate the aux bus in the error path, and in the
component unbind path, to avoid these issues.
Patchwork: https://patchwork.freedesktop.org/patch/542163/
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/dp/dp_display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e09ed06938807cb113cddd0708ed74bd8cdaff33",
"status": "affected",
"version": "2b57f726611e294dc4297dd48eb8c98ef1938e82",
"versionType": "git"
},
{
"lessThan": "2fde37445807e6e6d7981402d0bf1be0e5d81291",
"status": "affected",
"version": "2b57f726611e294dc4297dd48eb8c98ef1938e82",
"versionType": "git"
},
{
"lessThan": "a7bfb2ad2184a1fba78be35209b6019aa8cc8d4d",
"status": "affected",
"version": "2b57f726611e294dc4297dd48eb8c98ef1938e82",
"versionType": "git"
},
{
"status": "affected",
"version": "8768663188e4169333f66583e4d2432e65c421df",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/dp/dp_display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: Drop aux devices together with DP controller\n\nUsing devres to depopulate the aux bus made sure that upon a probe\ndeferral the EDP panel device would be destroyed and recreated upon next\nattempt.\n\nBut the struct device which the devres is tied to is the DPUs\n(drm_dev-\u003edev), which may be happen after the DP controller is torn\ndown.\n\nIndications of this can be seen in the commonly seen EDID-hexdump full\nof zeros in the log, or the occasional/rare KASAN fault where the\npanel\u0027s attempt to read the EDID information causes a use after free on\nDP resources.\n\nIt\u0027s tempting to move the devres to the DP controller\u0027s struct device,\nbut the resources used by the device(s) on the aux bus are explicitly\ntorn down in the error path. The KASAN-reported use-after-free also\nremains, as the DP aux \"module\" explicitly frees its devres-allocated\nmemory in this code path.\n\nAs such, explicitly depopulate the aux bus in the error path, and in the\ncomponent unbind path, to avoid these issues.\n\nPatchwork: https://patchwork.freedesktop.org/patch/542163/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:16.081Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e09ed06938807cb113cddd0708ed74bd8cdaff33"
},
{
"url": "https://git.kernel.org/stable/c/2fde37445807e6e6d7981402d0bf1be0e5d81291"
},
{
"url": "https://git.kernel.org/stable/c/a7bfb2ad2184a1fba78be35209b6019aa8cc8d4d"
}
],
"title": "drm/msm/dp: Drop aux devices together with DP controller",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53851",
"datePublished": "2025-12-09T01:30:16.081Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2025-12-09T01:30:16.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53817 (GCVE-0-2023-53817)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2026-01-05 10:32
Title
crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()
During NVMeTCP Authentication a controller can trigger a kernel
oops by specifying the 8192 bit Diffie Hellman group and passing
a correctly sized, but zeroed Diffie Hellman value.
mpi_cmp_ui() was detecting this if the second parameter was 0,
but 1 is passed from dh_is_pubkey_valid(). This causes the null
pointer u->d to be dereferenced towards the end of mpi_cmp_ui()
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/crypto/mpi/mpi-cmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fde791e8a96a64ea7b0ad2440e43586447a209c6",
"status": "affected",
"version": "12f008b6dc5ff1c822fdb2198d20e3dbdc92f3f5",
"versionType": "git"
},
{
"lessThan": "ae63e84ffda74267bf7277c38415ba38389229a0",
"status": "affected",
"version": "12f008b6dc5ff1c822fdb2198d20e3dbdc92f3f5",
"versionType": "git"
},
{
"lessThan": "61f5453e9706e99713825594e0c8f9031485fb5f",
"status": "affected",
"version": "12f008b6dc5ff1c822fdb2198d20e3dbdc92f3f5",
"versionType": "git"
},
{
"lessThan": "0fc7147c694394f8a8cbc19570c6bc918cac0906",
"status": "affected",
"version": "12f008b6dc5ff1c822fdb2198d20e3dbdc92f3f5",
"versionType": "git"
},
{
"lessThan": "67589d247909043e94d2dd5fb590958e0f99d58d",
"status": "affected",
"version": "12f008b6dc5ff1c822fdb2198d20e3dbdc92f3f5",
"versionType": "git"
},
{
"lessThan": "d3ad023a39f1127dcfd331c562673355dc078650",
"status": "affected",
"version": "12f008b6dc5ff1c822fdb2198d20e3dbdc92f3f5",
"versionType": "git"
},
{
"lessThan": "12ac013ad7ff0df066451e825801d805095b3776",
"status": "affected",
"version": "12f008b6dc5ff1c822fdb2198d20e3dbdc92f3f5",
"versionType": "git"
},
{
"lessThan": "9e47a758b70167c9301d2b44d2569f86c7796f2d",
"status": "affected",
"version": "12f008b6dc5ff1c822fdb2198d20e3dbdc92f3f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/crypto/mpi/mpi-cmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()\n\nDuring NVMeTCP Authentication a controller can trigger a kernel\noops by specifying the 8192 bit Diffie Hellman group and passing\na correctly sized, but zeroed Diffie Hellamn value.\nmpi_cmp_ui() was detecting this if the second parameter was 0,\nbut 1 is passed from dh_is_pubkey_valid(). This causes the null\npointer u-\u003ed to be dereferenced towards the end of mpi_cmp_ui()"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:58.739Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fde791e8a96a64ea7b0ad2440e43586447a209c6"
},
{
"url": "https://git.kernel.org/stable/c/ae63e84ffda74267bf7277c38415ba38389229a0"
},
{
"url": "https://git.kernel.org/stable/c/61f5453e9706e99713825594e0c8f9031485fb5f"
},
{
"url": "https://git.kernel.org/stable/c/0fc7147c694394f8a8cbc19570c6bc918cac0906"
},
{
"url": "https://git.kernel.org/stable/c/67589d247909043e94d2dd5fb590958e0f99d58d"
},
{
"url": "https://git.kernel.org/stable/c/d3ad023a39f1127dcfd331c562673355dc078650"
},
{
"url": "https://git.kernel.org/stable/c/12ac013ad7ff0df066451e825801d805095b3776"
},
{
"url": "https://git.kernel.org/stable/c/9e47a758b70167c9301d2b44d2569f86c7796f2d"
}
],
"title": "crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53817",
"datePublished": "2025-12-09T00:01:15.411Z",
"dateReserved": "2025-12-08T23:58:35.277Z",
"dateUpdated": "2026-01-05T10:32:58.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53862 (GCVE-0-2023-53862)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2026-01-05 10:33
Title
hfs: fix missing hfs_bnode_get() in __hfs_bnode_create
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfs: fix missing hfs_bnode_get() in __hfs_bnode_create
Syzbot found a kernel BUG in hfs_bnode_put():
kernel BUG at fs/hfs/bnode.c:466!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 3634 Comm: kworker/u4:5 Not tainted 6.1.0-rc7-syzkaller-00190-g97ee9d1c1696 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: writeback wb_workfn (flush-7:0)
RIP: 0010:hfs_bnode_put+0x46f/0x480 fs/hfs/bnode.c:466
Code: 8a 80 ff e9 73 fe ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a0 fe ff ff 48 89 df e8 db 8a 80 ff e9 93 fe ff ff e8 a1 68 2c ff <0f> 0b e8 9a 68 2c ff 0f 0b 0f 1f 84 00 00 00 00 00 55 41 57 41 56
RSP: 0018:ffffc90003b4f258 EFLAGS: 00010293
RAX: ffffffff825e318f RBX: 0000000000000000 RCX: ffff8880739dd7c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003b4f430 R08: ffffffff825e2d9b R09: ffffed10045157d1
R10: ffffed10045157d1 R11: 1ffff110045157d0 R12: ffff8880228abe80
R13: ffff88807016c000 R14: dffffc0000000000 R15: ffff8880228abe00
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa6ebe88718 CR3: 000000001e93d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
hfs_write_inode+0x1bc/0xb40
write_inode fs/fs-writeback.c:1440 [inline]
__writeback_single_inode+0x4d6/0x670 fs/fs-writeback.c:1652
writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1878
__writeback_inodes_wb+0x125/0x420 fs/fs-writeback.c:1949
wb_writeback+0x440/0x7b0 fs/fs-writeback.c:2054
wb_check_start_all fs/fs-writeback.c:2176 [inline]
wb_do_writeback fs/fs-writeback.c:2202 [inline]
wb_workfn+0x827/0xef0 fs/fs-writeback.c:2235
process_one_work+0x877/0xdb0 kernel/workqueue.c:2289
worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
kthread+0x266/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
The BUG_ON() is triggered here:

/* Dispose of resources used by a node */
void hfs_bnode_put(struct hfs_bnode *node)
{
	if (node) {
		<skipped>
		BUG_ON(!atomic_read(&node->refcnt)); <- we have issue here!!!!
		<skipped>
	}
}

By tracing the refcnt, I found the node is created by hfs_bmap_alloc()
with refcnt 1. Then the node is used by hfs_btree_write(). A call to
hfs_bnode_get() is missing after the node is found. The issue happened
in the following path:

<alloc>
 hfs_bmap_alloc
   hfs_bnode_find
     __hfs_bnode_create   <- allocate a new node with refcnt 1.
   hfs_bnode_put          <- decrease the refcnt

<write>
 hfs_btree_write
   hfs_bnode_find
     __hfs_bnode_create
       hfs_bnode_findhash <- find the node without refcnt increased.
   hfs_bnode_put          <- trigger the BUG_ON() since refcnt is 0.
Severity
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfs/bnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "062af3e9930762d1fd22946748d34e0d859e4a8e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3a9065a33988c02789722be612f7c42fb8ebbb22",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eda6879272e4df5456afc36642052ea066f58410",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dc9f78b6d254427a06e568f2887b1011ef3143ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2cab8db14566cf6a516c1f103a60cf6b7f54b1e5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8140cdc57bc5844cd5e1392673ec2dbf8fdc6940",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "38d72e6604b9f96dffcc0565090cc01622a37b2a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a9dc087fd3c484fd1ed18c5efb290efaaf44ce03",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfs/bnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix missing hfs_bnode_get() in __hfs_bnode_create\n\nSyzbot found a kernel BUG in hfs_bnode_put():\n\n kernel BUG at fs/hfs/bnode.c:466!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n CPU: 0 PID: 3634 Comm: kworker/u4:5 Not tainted 6.1.0-rc7-syzkaller-00190-g97ee9d1c1696 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n Workqueue: writeback wb_workfn (flush-7:0)\n RIP: 0010:hfs_bnode_put+0x46f/0x480 fs/hfs/bnode.c:466\n Code: 8a 80 ff e9 73 fe ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a0 fe ff ff 48 89 df e8 db 8a 80 ff e9 93 fe ff ff e8 a1 68 2c ff \u003c0f\u003e 0b e8 9a 68 2c ff 0f 0b 0f 1f 84 00 00 00 00 00 55 41 57 41 56\n RSP: 0018:ffffc90003b4f258 EFLAGS: 00010293\n RAX: ffffffff825e318f RBX: 0000000000000000 RCX: ffff8880739dd7c0\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffc90003b4f430 R08: ffffffff825e2d9b R09: ffffed10045157d1\n R10: ffffed10045157d1 R11: 1ffff110045157d0 R12: ffff8880228abe80\n R13: ffff88807016c000 R14: dffffc0000000000 R15: ffff8880228abe00\n FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fa6ebe88718 CR3: 000000001e93d000 CR4: 00000000003506f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n hfs_write_inode+0x1bc/0xb40\n write_inode fs/fs-writeback.c:1440 [inline]\n __writeback_single_inode+0x4d6/0x670 fs/fs-writeback.c:1652\n writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1878\n __writeback_inodes_wb+0x125/0x420 fs/fs-writeback.c:1949\n wb_writeback+0x440/0x7b0 fs/fs-writeback.c:2054\n wb_check_start_all fs/fs-writeback.c:2176 [inline]\n wb_do_writeback fs/fs-writeback.c:2202 [inline]\n wb_workfn+0x827/0xef0 fs/fs-writeback.c:2235\n 
process_one_work+0x877/0xdb0 kernel/workqueue.c:2289\n worker_thread+0xb14/0x1330 kernel/workqueue.c:2436\n kthread+0x266/0x300 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n \u003c/TASK\u003e\n\nThe BUG_ON() is triggered at here:\n\n/* Dispose of resources used by a node */\nvoid hfs_bnode_put(struct hfs_bnode *node)\n{\n\tif (node) {\n \t\t\u003cskipped\u003e\n \t\tBUG_ON(!atomic_read(\u0026node-\u003erefcnt)); \u003c- we have issue here!!!!\n \t\t\u003cskipped\u003e\n \t}\n}\n\nBy tracing the refcnt, I found the node is created by hfs_bmap_alloc()\nwith refcnt 1. Then the node is used by hfs_btree_write(). There is a\nmissing of hfs_bnode_get() after find the node. The issue happened in\nfollowing path:\n\n\u003calloc\u003e\n hfs_bmap_alloc\n hfs_bnode_find\n __hfs_bnode_create \u003c- allocate a new node with refcnt 1.\n hfs_bnode_put \u003c- decrease the refcnt\n\n\u003cwrite\u003e\n hfs_btree_write\n hfs_bnode_find\n __hfs_bnode_create\n hfs_bnode_findhash \u003c- find the node without refcnt increased.\n hfs_bnode_put\t \u003c- trigger the BUG_ON() since refcnt is 0."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:06.625Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/062af3e9930762d1fd22946748d34e0d859e4a8e"
},
{
"url": "https://git.kernel.org/stable/c/3a9065a33988c02789722be612f7c42fb8ebbb22"
},
{
"url": "https://git.kernel.org/stable/c/eda6879272e4df5456afc36642052ea066f58410"
},
{
"url": "https://git.kernel.org/stable/c/dc9f78b6d254427a06e568f2887b1011ef3143ef"
},
{
"url": "https://git.kernel.org/stable/c/2cab8db14566cf6a516c1f103a60cf6b7f54b1e5"
},
{
"url": "https://git.kernel.org/stable/c/8140cdc57bc5844cd5e1392673ec2dbf8fdc6940"
},
{
"url": "https://git.kernel.org/stable/c/38d72e6604b9f96dffcc0565090cc01622a37b2a"
},
{
"url": "https://git.kernel.org/stable/c/a9dc087fd3c484fd1ed18c5efb290efaaf44ce03"
}
],
"title": "hfs: fix missing hfs_bnode_get() in __hfs_bnode_create",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53862",
"datePublished": "2025-12-09T01:30:30.902Z",
"dateReserved": "2025-12-09T01:27:17.829Z",
"dateUpdated": "2026-01-05T10:33:06.625Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53795 (GCVE-0-2023-53795)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
iommufd: IOMMUFD_DESTROY should not increase the refcount
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommufd: IOMMUFD_DESTROY should not increase the refcount
syzkaller found a race where IOMMUFD_DESTROY increments the refcount:
	obj = iommufd_get_object(ucmd->ictx, cmd->id, IOMMUFD_OBJ_ANY);
	if (IS_ERR(obj))
		return PTR_ERR(obj);
	iommufd_ref_to_users(obj);
	/* See iommufd_ref_to_users() */
	if (!iommufd_object_destroy_user(ucmd->ictx, obj))
As part of the sequence to join the two existing primitives together.
Allowing the refcount to be elevated without holding the destroy_rwsem
violates the assumption that all temporary refcount elevations are
protected by destroy_rwsem. Racing IOMMUFD_DESTROY with
iommufd_object_destroy_user() will cause spurious failures:
WARNING: CPU: 0 PID: 3076 at drivers/iommu/iommufd/device.c:477 iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:478
Modules linked in:
CPU: 0 PID: 3076 Comm: syz-executor.0 Not tainted 6.3.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
RIP: 0010:iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:477
Code: e8 3d 4e 00 00 84 c0 74 01 c3 0f 0b c3 0f 1f 44 00 00 f3 0f 1e fa 48 89 fe 48 8b bf a8 00 00 00 e8 1d 4e 00 00 84 c0 74 01 c3 <0f> 0b c3 0f 1f 44 00 00 41 57 41 56 41 55 4c 8d ae d0 00 00 00 41
RSP: 0018:ffffc90003067e08 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888109ea0300 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000ffffffff
RBP: 0000000000000004 R08: 0000000000000000 R09: ffff88810bbb3500
R10: ffff88810bbb3e48 R11: 0000000000000000 R12: ffffc90003067e88
R13: ffffc90003067ea8 R14: ffff888101249800 R15: 00000000fffffffe
FS: 00007ff7254fe6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555557262da8 CR3: 000000010a6fd000 CR4: 0000000000350ef0
Call Trace:
<TASK>
iommufd_test_create_access drivers/iommu/iommufd/selftest.c:596 [inline]
iommufd_test+0x71c/0xcf0 drivers/iommu/iommufd/selftest.c:813
iommufd_fops_ioctl+0x10f/0x1b0 drivers/iommu/iommufd/main.c:337
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x84/0xc0 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The solution is to not increment the refcount on the IOMMUFD_DESTROY path
at all. Instead use the xa_lock to serialize everything. The refcount
check == 1 and xa_erase can be done under a single critical region. This
avoids the need for any refcount incrementing.
It has the downside that if userspace races destroy with other operations
it will get an EBUSY instead of waiting, but this kind of racing is
already dangerous.
Severity
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/device.c",
"drivers/iommu/iommufd/iommufd_private.h",
"drivers/iommu/iommufd/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "495b327435b0298e9b3b434f5834d459a93673ce",
"status": "affected",
"version": "2ff4bed7fee72ba1abfcff5f11ae8f8e570353f2",
"versionType": "git"
},
{
"lessThan": "99f98a7c0d6985d5507c8130a981972e4b7b3bdc",
"status": "affected",
"version": "2ff4bed7fee72ba1abfcff5f11ae8f8e570353f2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/device.c",
"drivers/iommu/iommufd/iommufd_private.h",
"drivers/iommu/iommufd/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: IOMMUFD_DESTROY should not increase the refcount\n\nsyzkaller found a race where IOMMUFD_DESTROY increments the refcount:\n\n obj = iommufd_get_object(ucmd-\u003eictx, cmd-\u003eid, IOMMUFD_OBJ_ANY);\n if (IS_ERR(obj))\n return PTR_ERR(obj);\n iommufd_ref_to_users(obj);\n /* See iommufd_ref_to_users() */\n if (!iommufd_object_destroy_user(ucmd-\u003eictx, obj))\n\nAs part of the sequence to join the two existing primitives together.\n\nAllowing the refcount the be elevated without holding the destroy_rwsem\nviolates the assumption that all temporary refcount elevations are\nprotected by destroy_rwsem. Racing IOMMUFD_DESTROY with\niommufd_object_destroy_user() will cause spurious failures:\n\n WARNING: CPU: 0 PID: 3076 at drivers/iommu/iommufd/device.c:477 iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:478\n Modules linked in:\n CPU: 0 PID: 3076 Comm: syz-executor.0 Not tainted 6.3.0-rc1-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023\n RIP: 0010:iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:477\n Code: e8 3d 4e 00 00 84 c0 74 01 c3 0f 0b c3 0f 1f 44 00 00 f3 0f 1e fa 48 89 fe 48 8b bf a8 00 00 00 e8 1d 4e 00 00 84 c0 74 01 c3 \u003c0f\u003e 0b c3 0f 1f 44 00 00 41 57 41 56 41 55 4c 8d ae d0 00 00 00 41\n RSP: 0018:ffffc90003067e08 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff888109ea0300 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000ffffffff\n RBP: 0000000000000004 R08: 0000000000000000 R09: ffff88810bbb3500\n R10: ffff88810bbb3e48 R11: 0000000000000000 R12: ffffc90003067e88\n R13: ffffc90003067ea8 R14: ffff888101249800 R15: 00000000fffffffe\n FS: 00007ff7254fe6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000555557262da8 CR3: 000000010a6fd000 CR4: 0000000000350ef0\n Call 
Trace:\n \u003cTASK\u003e\n iommufd_test_create_access drivers/iommu/iommufd/selftest.c:596 [inline]\n iommufd_test+0x71c/0xcf0 drivers/iommu/iommufd/selftest.c:813\n iommufd_fops_ioctl+0x10f/0x1b0 drivers/iommu/iommufd/main.c:337\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x84/0xc0 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x38/0x80 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe solution is to not increment the refcount on the IOMMUFD_DESTROY path\nat all. Instead use the xa_lock to serialize everything. The refcount\ncheck == 1 and xa_erase can be done under a single critical region. This\navoids the need for any refcount incrementing.\n\nIt has the downside that if userspace races destroy with other operations\nit will get an EBUSY instead of waiting, but this is kind of racing is\nalready dangerous."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:51.992Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/495b327435b0298e9b3b434f5834d459a93673ce"
},
{
"url": "https://git.kernel.org/stable/c/99f98a7c0d6985d5507c8130a981972e4b7b3bdc"
}
],
"title": "iommufd: IOMMUFD_DESTROY should not increase the refcount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53795",
"datePublished": "2025-12-09T00:00:51.992Z",
"dateReserved": "2025-12-08T23:58:35.274Z",
"dateUpdated": "2025-12-09T00:00:51.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53845 (GCVE-0-2023-53845)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2026-01-05 10:33
Title
nilfs2: fix infinite loop in nilfs_mdt_get_block()
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix infinite loop in nilfs_mdt_get_block()
If the disk image that nilfs2 mounts is corrupted and a virtual block
address obtained by block lookup for a metadata file is invalid,
nilfs_bmap_lookup_at_level() may return the same internal return code as
-ENOENT, meaning the block does not exist in the metadata file.
This duplication of return codes confuses nilfs_mdt_get_block(), causing
it to read and create a metadata block indefinitely.
In particular, if this happens to the inode metadata file, ifile,
semaphore i_rwsem can be left held, causing task hangs in lock_mount.
Fix this issue by making nilfs_bmap_lookup_at_level() treat virtual block
address translation failures with -ENOENT as metadata corruption instead
of returning the error code.
Severity
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/bmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cfb0bb4fbd40c1f06da7e9f88c0a2d46155b90c2",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
},
{
"lessThan": "d536f9976bb04e9c84cf80045a9355975e418f41",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
},
{
"lessThan": "fe1cbbcb1a2532ee1654e1ff121be8906d83c6f0",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
},
{
"lessThan": "8a89d36a07afe1ed4564df51fefa2bb556c85412",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
},
{
"lessThan": "8d07d9119642ba43d21f8ba64d51d01931096b20",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
},
{
"lessThan": "25457d07c8146e57d28906c663def033dc425af6",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
},
{
"lessThan": "34c5f17222b50c79848bb03ec8811648813e6a45",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
},
{
"lessThan": "5b29661669cb65b9750a3cf70ed3eaf947b92167",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
},
{
"lessThan": "a6a491c048882e7e424d407d32cba0b52d9ef2bf",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/bmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.315",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.315",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix infinite loop in nilfs_mdt_get_block()\n\nIf the disk image that nilfs2 mounts is corrupted and a virtual block\naddress obtained by block lookup for a metadata file is invalid,\nnilfs_bmap_lookup_at_level() may return the same internal return code as\n-ENOENT, meaning the block does not exist in the metadata file.\n\nThis duplication of return codes confuses nilfs_mdt_get_block(), causing\nit to read and create a metadata block indefinitely.\n\nIn particular, if this happens to the inode metadata file, ifile,\nsemaphore i_rwsem can be left held, causing task hangs in lock_mount.\n\nFix this issue by making nilfs_bmap_lookup_at_level() treat virtual block\naddress translation failures with -ENOENT as metadata corruption instead\nof returning the error code."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:03.587Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cfb0bb4fbd40c1f06da7e9f88c0a2d46155b90c2"
},
{
"url": "https://git.kernel.org/stable/c/d536f9976bb04e9c84cf80045a9355975e418f41"
},
{
"url": "https://git.kernel.org/stable/c/fe1cbbcb1a2532ee1654e1ff121be8906d83c6f0"
},
{
"url": "https://git.kernel.org/stable/c/8a89d36a07afe1ed4564df51fefa2bb556c85412"
},
{
"url": "https://git.kernel.org/stable/c/8d07d9119642ba43d21f8ba64d51d01931096b20"
},
{
"url": "https://git.kernel.org/stable/c/25457d07c8146e57d28906c663def033dc425af6"
},
{
"url": "https://git.kernel.org/stable/c/34c5f17222b50c79848bb03ec8811648813e6a45"
},
{
"url": "https://git.kernel.org/stable/c/5b29661669cb65b9750a3cf70ed3eaf947b92167"
},
{
"url": "https://git.kernel.org/stable/c/a6a491c048882e7e424d407d32cba0b52d9ef2bf"
}
],
"title": "nilfs2: fix infinite loop in nilfs_mdt_get_block()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53845",
"datePublished": "2025-12-09T01:30:08.016Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2026-01-05T10:33:03.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40338 (GCVE-0-2025-40338)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2026-01-02 15:33
Title
ASoC: Intel: avs: Do not share the name pointer between components
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: avs: Do not share the name pointer between components
By sharing 'name' directly, tearing down components may lead to
use-after-free errors. Duplicate the name to avoid that.
At the same time, update the order of operations - since commit
cee28113db17 ("ASoC: dmaengine_pcm: Allow passing component name via
config") the framework does not override component->name if set before
invoking the initializer.
Severity
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/avs/pcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "128bf29c992988f8b4f3829227339908fde5ec86",
"status": "affected",
"version": "f1b3b320bd6519b16e3480f74f2926d106e3bcba",
"versionType": "git"
},
{
"lessThan": "4dee5c1cc439b0d5ef87f741518268ad6a95b23d",
"status": "affected",
"version": "f1b3b320bd6519b16e3480f74f2926d106e3bcba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/avs/pcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: avs: Do not share the name pointer between components\n\nBy sharing \u0027name\u0027 directly, tearing down components may lead to\nuse-after-free errors. Duplicate the name to avoid that.\n\nAt the same time, update the order of operations - since commit\ncee28113db17 (\"ASoC: dmaengine_pcm: Allow passing component name via\nconfig\") the framework does not override component-\u003ename if set before\ninvoking the initializer."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:40.508Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/128bf29c992988f8b4f3829227339908fde5ec86"
},
{
"url": "https://git.kernel.org/stable/c/4dee5c1cc439b0d5ef87f741518268ad6a95b23d"
}
],
"title": "ASoC: Intel: avs: Do not share the name pointer between components",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40338",
"datePublished": "2025-12-09T04:09:54.753Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-01-02T15:33:40.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53803 (GCVE-0-2023-53803)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2026-01-05 10:32
Title
scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()
A fix for:
BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x949/0xe30 [ses]
Read of size 1 at addr ffff88a1b043a451 by task systemd-udevd/3271
Checking after (and before in next loop) addl_desc_ptr[1] is sufficient, we
expect the size to be sanitized before first access to addl_desc_ptr[1].
Make sure we don't walk beyond end of page.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 21fab1d0595eacf781705ec3509012a28f298245, < da1a955c48a16e16e925d6544793914e52a6fa51 (git) |
| Linux | Linux | Affected: 21fab1d0595eacf781705ec3509012a28f298245, < 9e5c7d52085b8c84bc82a261580f0eb170039325 (git) |
| Linux | Linux | Affected: 21fab1d0595eacf781705ec3509012a28f298245, < 467afb1dd630d8c6d172bd6cacc125199b5f4f2d (git) |
| Linux | Linux | Affected: 21fab1d0595eacf781705ec3509012a28f298245, < e4dd25da784b2e07dbfbf04509afa4c5a1375227 (git) |
| Linux | Linux | Affected: 21fab1d0595eacf781705ec3509012a28f298245, < 2b28a7d261cb309912596d6a2d383ca370483527 (git) |
| Linux | Linux | Affected: 21fab1d0595eacf781705ec3509012a28f298245, < 0dfe68394cbe1d4fe579fb325ecc813c50528c5a (git) |
| Linux | Linux | Affected: 21fab1d0595eacf781705ec3509012a28f298245, < 799e8dd2022d2e13f0c5c1906b40ceca07a23349 (git) |
| Linux | Linux | Affected: 21fab1d0595eacf781705ec3509012a28f298245, < 9b4f5028e493cb353a5c8f5c45073eeea0303abd (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ses.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da1a955c48a16e16e925d6544793914e52a6fa51",
"status": "affected",
"version": "21fab1d0595eacf781705ec3509012a28f298245",
"versionType": "git"
},
{
"lessThan": "9e5c7d52085b8c84bc82a261580f0eb170039325",
"status": "affected",
"version": "21fab1d0595eacf781705ec3509012a28f298245",
"versionType": "git"
},
{
"lessThan": "467afb1dd630d8c6d172bd6cacc125199b5f4f2d",
"status": "affected",
"version": "21fab1d0595eacf781705ec3509012a28f298245",
"versionType": "git"
},
{
"lessThan": "e4dd25da784b2e07dbfbf04509afa4c5a1375227",
"status": "affected",
"version": "21fab1d0595eacf781705ec3509012a28f298245",
"versionType": "git"
},
{
"lessThan": "2b28a7d261cb309912596d6a2d383ca370483527",
"status": "affected",
"version": "21fab1d0595eacf781705ec3509012a28f298245",
"versionType": "git"
},
{
"lessThan": "0dfe68394cbe1d4fe579fb325ecc813c50528c5a",
"status": "affected",
"version": "21fab1d0595eacf781705ec3509012a28f298245",
"versionType": "git"
},
{
"lessThan": "799e8dd2022d2e13f0c5c1906b40ceca07a23349",
"status": "affected",
"version": "21fab1d0595eacf781705ec3509012a28f298245",
"versionType": "git"
},
{
"lessThan": "9b4f5028e493cb353a5c8f5c45073eeea0303abd",
"status": "affected",
"version": "21fab1d0595eacf781705ec3509012a28f298245",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ses.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()\n\nA fix for:\n\nBUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x949/0xe30 [ses]\nRead of size 1 at addr ffff88a1b043a451 by task systemd-udevd/3271\n\nChecking after (and before in next loop) addl_desc_ptr[1] is sufficient, we\nexpect the size to be sanitized before first access to addl_desc_ptr[1].\nMake sure we don\u0027t walk beyond end of page."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:56.226Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da1a955c48a16e16e925d6544793914e52a6fa51"
},
{
"url": "https://git.kernel.org/stable/c/9e5c7d52085b8c84bc82a261580f0eb170039325"
},
{
"url": "https://git.kernel.org/stable/c/467afb1dd630d8c6d172bd6cacc125199b5f4f2d"
},
{
"url": "https://git.kernel.org/stable/c/e4dd25da784b2e07dbfbf04509afa4c5a1375227"
},
{
"url": "https://git.kernel.org/stable/c/2b28a7d261cb309912596d6a2d383ca370483527"
},
{
"url": "https://git.kernel.org/stable/c/0dfe68394cbe1d4fe579fb325ecc813c50528c5a"
},
{
"url": "https://git.kernel.org/stable/c/799e8dd2022d2e13f0c5c1906b40ceca07a23349"
},
{
"url": "https://git.kernel.org/stable/c/9b4f5028e493cb353a5c8f5c45073eeea0303abd"
}
],
"title": "scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53803",
"datePublished": "2025-12-09T00:00:59.913Z",
"dateReserved": "2025-12-08T23:58:35.276Z",
"dateUpdated": "2026-01-05T10:32:56.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50663 (GCVE-0-2022-50663)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
net: stmmac: fix possible memory leak in stmmac_dvr_probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix possible memory leak in stmmac_dvr_probe()
The bitmap_free() should be called to free priv->af_xdp_zc_qps
when create_singlethread_workqueue() fails, otherwise there will
be a memory leak, so we add the err path error_wq_init to fix it.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: bba2556efad66e7eaa56fece13f7708caa1187f8, < 96e50897029f65222ef76cfe9bc802321fcea33b (git) |
| Linux | Linux | Affected: bba2556efad66e7eaa56fece13f7708caa1187f8, < b59253e32c203a20bce15dca80890b7d268bacd7 (git) |
| Linux | Linux | Affected: bba2556efad66e7eaa56fece13f7708caa1187f8, < 446757787baf99b7db15cb347783c45a37bfe21f (git) |
| Linux | Linux | Affected: bba2556efad66e7eaa56fece13f7708caa1187f8, < a137f3f27f9290933fe7e40e6dc8a445781c31a2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "96e50897029f65222ef76cfe9bc802321fcea33b",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
},
{
"lessThan": "b59253e32c203a20bce15dca80890b7d268bacd7",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
},
{
"lessThan": "446757787baf99b7db15cb347783c45a37bfe21f",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
},
{
"lessThan": "a137f3f27f9290933fe7e40e6dc8a445781c31a2",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix possible memory leak in stmmac_dvr_probe()\n\nThe bitmap_free() should be called to free priv-\u003eaf_xdp_zc_qps\nwhen create_singlethread_workqueue() fails, otherwise there will\nbe a memory leak, so we add the err path error_wq_init to fix it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:12.392Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/96e50897029f65222ef76cfe9bc802321fcea33b"
},
{
"url": "https://git.kernel.org/stable/c/b59253e32c203a20bce15dca80890b7d268bacd7"
},
{
"url": "https://git.kernel.org/stable/c/446757787baf99b7db15cb347783c45a37bfe21f"
},
{
"url": "https://git.kernel.org/stable/c/a137f3f27f9290933fe7e40e6dc8a445781c31a2"
}
],
"title": "net: stmmac: fix possible memory leak in stmmac_dvr_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50663",
"datePublished": "2025-12-09T01:29:12.392Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-09T01:29:12.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50677 (GCVE-0-2022-50677)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
ipmi: fix use after free in _ipmi_destroy_user()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipmi: fix use after free in _ipmi_destroy_user()
The intf_free() function frees the "intf" pointer so we cannot
dereference it again on the next line.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f9d405a4bd6090ffbf3bba5e2da6b44c0e013cb3, < 35ad87bfe330f7ef6a19f772223c63296d643172 (git) |
| Linux | Linux | Affected: b642ced2cad496c32ae1f62b85fc395391190820, < d23006f2a56e11a3103de0ca8b843bf7fd7d76fc (git) |
| Linux | Linux | Affected: cbb79863fc3175ed5ac506465948b02a893a8235, < f29d127b372e1b7662397d92341d9f7de198ff99 (git) |
| Linux | Linux | Affected: cbb79863fc3175ed5ac506465948b02a893a8235, < bfce073089cb81482521c65061835aaa6d1a6cc0 (git) |
| Linux | Linux | Affected: cbb79863fc3175ed5ac506465948b02a893a8235, < f7fde441198a9ecb130c3ccec91ee2131d6998ee (git) |
| Linux | Linux | Affected: cbb79863fc3175ed5ac506465948b02a893a8235, < 1fc9b20a7688000fcf4d7fbaa58e415a3cdda961 (git) |
| Linux | Linux | Affected: cbb79863fc3175ed5ac506465948b02a893a8235, < a92ce570c81dc0feaeb12a429b4bc65686d17967 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_msghandler.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "35ad87bfe330f7ef6a19f772223c63296d643172",
"status": "affected",
"version": "f9d405a4bd6090ffbf3bba5e2da6b44c0e013cb3",
"versionType": "git"
},
{
"lessThan": "d23006f2a56e11a3103de0ca8b843bf7fd7d76fc",
"status": "affected",
"version": "b642ced2cad496c32ae1f62b85fc395391190820",
"versionType": "git"
},
{
"lessThan": "f29d127b372e1b7662397d92341d9f7de198ff99",
"status": "affected",
"version": "cbb79863fc3175ed5ac506465948b02a893a8235",
"versionType": "git"
},
{
"lessThan": "bfce073089cb81482521c65061835aaa6d1a6cc0",
"status": "affected",
"version": "cbb79863fc3175ed5ac506465948b02a893a8235",
"versionType": "git"
},
{
"lessThan": "f7fde441198a9ecb130c3ccec91ee2131d6998ee",
"status": "affected",
"version": "cbb79863fc3175ed5ac506465948b02a893a8235",
"versionType": "git"
},
{
"lessThan": "1fc9b20a7688000fcf4d7fbaa58e415a3cdda961",
"status": "affected",
"version": "cbb79863fc3175ed5ac506465948b02a893a8235",
"versionType": "git"
},
{
"lessThan": "a92ce570c81dc0feaeb12a429b4bc65686d17967",
"status": "affected",
"version": "cbb79863fc3175ed5ac506465948b02a893a8235",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_msghandler.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.19.92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: fix use after free in _ipmi_destroy_user()\n\nThe intf_free() function frees the \"intf\" pointer so we cannot\ndereference it again on the next line."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:30.418Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/35ad87bfe330f7ef6a19f772223c63296d643172"
},
{
"url": "https://git.kernel.org/stable/c/d23006f2a56e11a3103de0ca8b843bf7fd7d76fc"
},
{
"url": "https://git.kernel.org/stable/c/f29d127b372e1b7662397d92341d9f7de198ff99"
},
{
"url": "https://git.kernel.org/stable/c/bfce073089cb81482521c65061835aaa6d1a6cc0"
},
{
"url": "https://git.kernel.org/stable/c/f7fde441198a9ecb130c3ccec91ee2131d6998ee"
},
{
"url": "https://git.kernel.org/stable/c/1fc9b20a7688000fcf4d7fbaa58e415a3cdda961"
},
{
"url": "https://git.kernel.org/stable/c/a92ce570c81dc0feaeb12a429b4bc65686d17967"
}
],
"title": "ipmi: fix use after free in _ipmi_destroy_user()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50677",
"datePublished": "2025-12-09T01:29:30.418Z",
"dateReserved": "2025-12-09T01:26:45.991Z",
"dateUpdated": "2025-12-09T01:29:30.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50661 (GCVE-0-2022-50661)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
seccomp: Move copy_seccomp() to no failure path.
Summary
In the Linux kernel, the following vulnerability has been resolved:
seccomp: Move copy_seccomp() to no failure path.
Our syzbot instance reported memory leaks in do_seccomp() [0], similar
to the report [1]. It shows that we miss freeing struct seccomp_filter
and some objects included in it.
We can reproduce the issue with the program below [2] which calls one
seccomp() and two clone() syscalls.
The first clone()d child exits earlier than its parent and sends a
signal to kill it during the second clone(), more precisely before the
fatal_signal_pending() test in copy_process(). When the parent receives
the signal, it has to destroy the embryonic process and return -EINTR to
user space. In the failure path, we have to call seccomp_filter_release()
to decrement the filter's refcount.
Initially, we called it in free_task() called from the failure path, but
the commit 3a15fb6ed92c ("seccomp: release filter after task is fully
dead") moved it to release_task() to notify user space as early as possible
that the filter is no longer used.
To keep the change and current seccomp refcount semantics, let's move
copy_seccomp() just after the signal check and add a WARN_ON_ONCE() in
free_task() for future debugging.
[0]:
unreferenced object 0xffff8880063add00 (size 256):
comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.914s)
hex dump (first 32 bytes):
01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
backtrace:
do_seccomp (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/seccomp.c:666 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
unreferenced object 0xffffc90000035000 (size 4096):
comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s)
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
__vmalloc_node_range (mm/vmalloc.c:3226)
__vmalloc_node (mm/vmalloc.c:3261 (discriminator 4))
bpf_prog_alloc_no_stats (kernel/bpf/core.c:91)
bpf_prog_alloc (kernel/bpf/core.c:129)
bpf_prog_create_from_user (net/core/filter.c:1414)
do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
unreferenced object 0xffff888003fa1000 (size 1024):
comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
bpf_prog_alloc_no_stats (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/bpf/core.c:95)
bpf_prog_alloc (kernel/bpf/core.c:129)
bpf_prog_create_from_user (net/core/filter.c:1414)
do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
unreferenced object 0xffff888006360240 (size 16):
comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s)
hex dump (first 16 bytes):
01 00 37 00 76 65 72 6c e0 83 01 06 80 88 ff ff ..7.verl........
backtrace:
bpf_prog_store_orig_filter (net/core/filter.c:1137)
bpf_prog_create_from_user (net/core/filter.c:1428)
do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
unreferenced object 0xffff888
---truncated---
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3, < d4a895e924b486f2a38463114509e1088ef4d7f5 (git) |
| Linux | Linux | Affected: 3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3, < a31a647a3d1073a642c5bbe3457731fb353cb980 (git) |
| Linux | Linux | Affected: 3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3, < 29a69fa075d0577eff1137426669de21187ec182 (git) |
| Linux | Linux | Affected: 3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3, < 5b81f0c6c60e35bf8153230ddfb03ebb14e17986 (git) |
| Linux | Linux | Affected: 3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3, < a1140cb215fa13dcec06d12ba0c3ee105633b7c4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/fork.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d4a895e924b486f2a38463114509e1088ef4d7f5",
"status": "affected",
"version": "3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3",
"versionType": "git"
},
{
"lessThan": "a31a647a3d1073a642c5bbe3457731fb353cb980",
"status": "affected",
"version": "3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3",
"versionType": "git"
},
{
"lessThan": "29a69fa075d0577eff1137426669de21187ec182",
"status": "affected",
"version": "3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3",
"versionType": "git"
},
{
"lessThan": "5b81f0c6c60e35bf8153230ddfb03ebb14e17986",
"status": "affected",
"version": "3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3",
"versionType": "git"
},
{
"lessThan": "a1140cb215fa13dcec06d12ba0c3ee105633b7c4",
"status": "affected",
"version": "3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/fork.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nseccomp: Move copy_seccomp() to no failure path.\n\nOur syzbot instance reported memory leaks in do_seccomp() [0], similar\nto the report [1]. It shows that we miss freeing struct seccomp_filter\nand some objects included in it.\n\nWe can reproduce the issue with the program below [2] which calls one\nseccomp() and two clone() syscalls.\n\nThe first clone()d child exits earlier than its parent and sends a\nsignal to kill it during the second clone(), more precisely before the\nfatal_signal_pending() test in copy_process(). When the parent receives\nthe signal, it has to destroy the embryonic process and return -EINTR to\nuser space. In the failure path, we have to call seccomp_filter_release()\nto decrement the filter\u0027s refcount.\n\nInitially, we called it in free_task() called from the failure path, but\nthe commit 3a15fb6ed92c (\"seccomp: release filter after task is fully\ndead\") moved it to release_task() to notify user space as early as possible\nthat the filter is no longer used.\n\nTo keep the change and current seccomp refcount semantics, let\u0027s move\ncopy_seccomp() just after the signal check and add a WARN_ON_ONCE() in\nfree_task() for future debugging.\n\n[0]:\nunreferenced object 0xffff8880063add00 (size 256):\n comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.914s)\n hex dump (first 32 bytes):\n 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................\n ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................\n backtrace:\n do_seccomp (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/seccomp.c:666 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffffc90000035000 (size 4096):\n comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\n hex dump 
(first 32 bytes):\n 01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n __vmalloc_node_range (mm/vmalloc.c:3226)\n __vmalloc_node (mm/vmalloc.c:3261 (discriminator 4))\n bpf_prog_alloc_no_stats (kernel/bpf/core.c:91)\n bpf_prog_alloc (kernel/bpf/core.c:129)\n bpf_prog_create_from_user (net/core/filter.c:1414)\n do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888003fa1000 (size 1024):\n comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n bpf_prog_alloc_no_stats (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/bpf/core.c:95)\n bpf_prog_alloc (kernel/bpf/core.c:129)\n bpf_prog_create_from_user (net/core/filter.c:1414)\n do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888006360240 (size 16):\n comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\n hex dump (first 16 bytes):\n 01 00 37 00 76 65 72 6c e0 83 01 06 80 88 ff ff ..7.verl........\n backtrace:\n bpf_prog_store_orig_filter (net/core/filter.c:1137)\n bpf_prog_create_from_user (net/core/filter.c:1428)\n do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:09.498Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d4a895e924b486f2a38463114509e1088ef4d7f5"
},
{
"url": "https://git.kernel.org/stable/c/a31a647a3d1073a642c5bbe3457731fb353cb980"
},
{
"url": "https://git.kernel.org/stable/c/29a69fa075d0577eff1137426669de21187ec182"
},
{
"url": "https://git.kernel.org/stable/c/5b81f0c6c60e35bf8153230ddfb03ebb14e17986"
},
{
"url": "https://git.kernel.org/stable/c/a1140cb215fa13dcec06d12ba0c3ee105633b7c4"
}
],
"title": "seccomp: Move copy_seccomp() to no failure path.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50661",
"datePublished": "2025-12-09T01:29:09.498Z",
"dateReserved": "2025-12-09T01:26:45.989Z",
"dateUpdated": "2025-12-09T01:29:09.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50652 (GCVE-0-2022-50652)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
uio: uio_dmem_genirq: Fix missing unlock in irq configuration
Summary
In the Linux kernel, the following vulnerability has been resolved:
uio: uio_dmem_genirq: Fix missing unlock in irq configuration
Commit b74351287d4b ("uio: fix a sleep-in-atomic-context bug in
uio_dmem_genirq_irqcontrol()") started calling disable_irq() without
holding the spinlock because it can sleep. However, that fix introduced
another bug: if interrupt is already disabled and a new disable request
comes in, then the spinlock is not unlocked:
root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0
root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0
root@localhost:~# [ 14.851538] BUG: scheduling while atomic: bash/223/0x00000002
[ 14.851991] Modules linked in: uio_dmem_genirq uio myfpga(OE) bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper drm snd_pcm ppdev joydev psmouse snd_timer snd e1000fb_sys_fops syscopyarea parport sysfillrect soundcore sysimgblt input_leds pcspkr i2c_piix4 serio_raw floppy evbug qemu_fw_cfg mac_hid pata_acpi ip_tables x_tables autofs4 [last unloaded: parport_pc]
[ 14.854206] CPU: 0 PID: 223 Comm: bash Tainted: G OE 6.0.0-rc7 #21
[ 14.854786] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 14.855664] Call Trace:
[ 14.855861] <TASK>
[ 14.856025] dump_stack_lvl+0x4d/0x67
[ 14.856325] dump_stack+0x14/0x1a
[ 14.856583] __schedule_bug.cold+0x4b/0x5c
[ 14.856915] __schedule+0xe81/0x13d0
[ 14.857199] ? idr_find+0x13/0x20
[ 14.857456] ? get_work_pool+0x2d/0x50
[ 14.857756] ? __flush_work+0x233/0x280
[ 14.858068] ? __schedule+0xa95/0x13d0
[ 14.858307] ? idr_find+0x13/0x20
[ 14.858519] ? get_work_pool+0x2d/0x50
[ 14.858798] schedule+0x6c/0x100
[ 14.859009] schedule_hrtimeout_range_clock+0xff/0x110
[ 14.859335] ? tty_write_room+0x1f/0x30
[ 14.859598] ? n_tty_poll+0x1ec/0x220
[ 14.859830] ? tty_ldisc_deref+0x1a/0x20
[ 14.860090] schedule_hrtimeout_range+0x17/0x20
[ 14.860373] do_select+0x596/0x840
[ 14.860627] ? __kernel_text_address+0x16/0x50
[ 14.860954] ? poll_freewait+0xb0/0xb0
[ 14.861235] ? poll_freewait+0xb0/0xb0
[ 14.861517] ? rpm_resume+0x49d/0x780
[ 14.861798] ? common_interrupt+0x59/0xa0
[ 14.862127] ? asm_common_interrupt+0x2b/0x40
[ 14.862511] ? __uart_start.isra.0+0x61/0x70
[ 14.862902] ? __check_object_size+0x61/0x280
[ 14.863255] core_sys_select+0x1c6/0x400
[ 14.863575] ? vfs_write+0x1c9/0x3d0
[ 14.863853] ? vfs_write+0x1c9/0x3d0
[ 14.864121] ? _copy_from_user+0x45/0x70
[ 14.864526] do_pselect.constprop.0+0xb3/0xf0
[ 14.864893] ? do_syscall_64+0x6d/0x90
[ 14.865228] ? do_syscall_64+0x6d/0x90
[ 14.865556] __x64_sys_pselect6+0x76/0xa0
[ 14.865906] do_syscall_64+0x60/0x90
[ 14.866214] ? syscall_exit_to_user_mode+0x2a/0x50
[ 14.866640] ? do_syscall_64+0x6d/0x90
[ 14.866972] ? do_syscall_64+0x6d/0x90
[ 14.867286] ? do_syscall_64+0x6d/0x90
[ 14.867626] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...] stripped
[ 14.872959] </TASK>
('myfpga' is a simple 'uio_dmem_genirq' driver I wrote to test this)
The implementation of "uio_dmem_genirq" was based on "uio_pdrv_genirq" and
it is used in a similar manner to the "uio_pdrv_genirq" driver with respect
to interrupt configuration and handling. At the time "uio_dmem_genirq" was
introduced, both had the same implementation of the 'uio_info' handlers
irqcontrol() and handler(). Then commit 34cb27528398 ("UIO: Fix concurrency
issue"), which was only applied to "uio_pdrv_genirq", ended up making them
a little different. That commit, among other things, changed disable_irq()
to disable_irq_nosync() in the implementation of irqcontrol(). The
motivation there was to avoid a deadlock between irqcontrol() and
handler(), since it added a spinlock in the irq handler, and disable_irq()
waits for the completion of the irq handler.
By changing disable_irq() to disable_irq_nosync() in irqcontrol(), we also
avoid the sleeping-whil
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b77fa964ecb1d72a671234f5bea95b41f77c233a, < 9977cb7af5a8f4738198b020436e2e56c5cd721e (git) |
| Linux | Linux | Affected: 0151b03f43f2d295a6949454434074b34a262e06, < a323d24a0183be730d2398b11b3a91e5c2e222a0 (git) |
| Linux | Linux | Affected: ea6b7b1d58790ffb36bace723f6e62a1c8595c77, < ac5585bb06a2e82177269bee93e59887ce591106 (git) |
| Linux | Linux | Affected: 750a95d63746458e86c6d92dfad48a05c64d0ecd, < eca77a25a7cb3201738f4b55b9b8fa1089d7d002 (git) |
| Linux | Linux | Affected: b74351287d4bd90636c3f48bc188c2f53824c2d4, < 9bf7a0b2b15cd12e15f7858072bd89933746de67 (git) |
| Linux | Linux | Affected: b74351287d4bd90636c3f48bc188c2f53824c2d4, < 79a4bdb6b9920134af1a4738a1fa36a0438cd905 (git) |
| Linux | Linux | Affected: b74351287d4bd90636c3f48bc188c2f53824c2d4, < 030b6c7bb1e4edebaee2b1e48fbcc9cd5998d51d (git) |
| Linux | Linux | Affected: b74351287d4bd90636c3f48bc188c2f53824c2d4, < ee180e867ce4b2f744799247b81050b3e5dd62cd (git) |
| Linux | Linux | Affected: b74351287d4bd90636c3f48bc188c2f53824c2d4, < 9de255c461d1b3f0242b3ad1450c3323a3e00b34 (git) |
| Linux | Linux | Affected: 4a117a1c581623d04bf09aa7455d8e7b66e8bb85 (git) |
| Linux | Linux | Affected: 1d52cd8b52876145b0f6344be95fc750e30d9ecb (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/uio/uio_dmem_genirq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9977cb7af5a8f4738198b020436e2e56c5cd721e",
"status": "affected",
"version": "b77fa964ecb1d72a671234f5bea95b41f77c233a",
"versionType": "git"
},
{
"lessThan": "a323d24a0183be730d2398b11b3a91e5c2e222a0",
"status": "affected",
"version": "0151b03f43f2d295a6949454434074b34a262e06",
"versionType": "git"
},
{
"lessThan": "ac5585bb06a2e82177269bee93e59887ce591106",
"status": "affected",
"version": "ea6b7b1d58790ffb36bace723f6e62a1c8595c77",
"versionType": "git"
},
{
"lessThan": "eca77a25a7cb3201738f4b55b9b8fa1089d7d002",
"status": "affected",
"version": "750a95d63746458e86c6d92dfad48a05c64d0ecd",
"versionType": "git"
},
{
"lessThan": "9bf7a0b2b15cd12e15f7858072bd89933746de67",
"status": "affected",
"version": "b74351287d4bd90636c3f48bc188c2f53824c2d4",
"versionType": "git"
},
{
"lessThan": "79a4bdb6b9920134af1a4738a1fa36a0438cd905",
"status": "affected",
"version": "b74351287d4bd90636c3f48bc188c2f53824c2d4",
"versionType": "git"
},
{
"lessThan": "030b6c7bb1e4edebaee2b1e48fbcc9cd5998d51d",
"status": "affected",
"version": "b74351287d4bd90636c3f48bc188c2f53824c2d4",
"versionType": "git"
},
{
"lessThan": "ee180e867ce4b2f744799247b81050b3e5dd62cd",
"status": "affected",
"version": "b74351287d4bd90636c3f48bc188c2f53824c2d4",
"versionType": "git"
},
{
"lessThan": "9de255c461d1b3f0242b3ad1450c3323a3e00b34",
"status": "affected",
"version": "b74351287d4bd90636c3f48bc188c2f53824c2d4",
"versionType": "git"
},
{
"status": "affected",
"version": "4a117a1c581623d04bf09aa7455d8e7b66e8bb85",
"versionType": "git"
},
{
"status": "affected",
"version": "1d52cd8b52876145b0f6344be95fc750e30d9ecb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/uio/uio_dmem_genirq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "4.9.215",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.14.172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.19.106",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.4.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.215",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio: uio_dmem_genirq: Fix missing unlock in irq configuration\n\nCommit b74351287d4b (\"uio: fix a sleep-in-atomic-context bug in\nuio_dmem_genirq_irqcontrol()\") started calling disable_irq() without\nholding the spinlock because it can sleep. However, that fix introduced\nanother bug: if interrupt is already disabled and a new disable request\ncomes in, then the spinlock is not unlocked:\n\nroot@localhost:~# printf \u0027\\x00\\x00\\x00\\x00\u0027 \u003e /dev/uio0\nroot@localhost:~# printf \u0027\\x00\\x00\\x00\\x00\u0027 \u003e /dev/uio0\nroot@localhost:~# [ 14.851538] BUG: scheduling while atomic: bash/223/0x00000002\n[ 14.851991] Modules linked in: uio_dmem_genirq uio myfpga(OE) bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper drm snd_pcm ppdev joydev psmouse snd_timer snd e1000fb_sys_fops syscopyarea parport sysfillrect soundcore sysimgblt input_leds pcspkr i2c_piix4 serio_raw floppy evbug qemu_fw_cfg mac_hid pata_acpi ip_tables x_tables autofs4 [last unloaded: parport_pc]\n[ 14.854206] CPU: 0 PID: 223 Comm: bash Tainted: G OE 6.0.0-rc7 #21\n[ 14.854786] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[ 14.855664] Call Trace:\n[ 14.855861] \u003cTASK\u003e\n[ 14.856025] dump_stack_lvl+0x4d/0x67\n[ 14.856325] dump_stack+0x14/0x1a\n[ 14.856583] __schedule_bug.cold+0x4b/0x5c\n[ 14.856915] __schedule+0xe81/0x13d0\n[ 14.857199] ? idr_find+0x13/0x20\n[ 14.857456] ? get_work_pool+0x2d/0x50\n[ 14.857756] ? __flush_work+0x233/0x280\n[ 14.858068] ? __schedule+0xa95/0x13d0\n[ 14.858307] ? idr_find+0x13/0x20\n[ 14.858519] ? get_work_pool+0x2d/0x50\n[ 14.858798] schedule+0x6c/0x100\n[ 14.859009] schedule_hrtimeout_range_clock+0xff/0x110\n[ 14.859335] ? tty_write_room+0x1f/0x30\n[ 14.859598] ? n_tty_poll+0x1ec/0x220\n[ 14.859830] ? 
tty_ldisc_deref+0x1a/0x20\n[ 14.860090] schedule_hrtimeout_range+0x17/0x20\n[ 14.860373] do_select+0x596/0x840\n[ 14.860627] ? __kernel_text_address+0x16/0x50\n[ 14.860954] ? poll_freewait+0xb0/0xb0\n[ 14.861235] ? poll_freewait+0xb0/0xb0\n[ 14.861517] ? rpm_resume+0x49d/0x780\n[ 14.861798] ? common_interrupt+0x59/0xa0\n[ 14.862127] ? asm_common_interrupt+0x2b/0x40\n[ 14.862511] ? __uart_start.isra.0+0x61/0x70\n[ 14.862902] ? __check_object_size+0x61/0x280\n[ 14.863255] core_sys_select+0x1c6/0x400\n[ 14.863575] ? vfs_write+0x1c9/0x3d0\n[ 14.863853] ? vfs_write+0x1c9/0x3d0\n[ 14.864121] ? _copy_from_user+0x45/0x70\n[ 14.864526] do_pselect.constprop.0+0xb3/0xf0\n[ 14.864893] ? do_syscall_64+0x6d/0x90\n[ 14.865228] ? do_syscall_64+0x6d/0x90\n[ 14.865556] __x64_sys_pselect6+0x76/0xa0\n[ 14.865906] do_syscall_64+0x60/0x90\n[ 14.866214] ? syscall_exit_to_user_mode+0x2a/0x50\n[ 14.866640] ? do_syscall_64+0x6d/0x90\n[ 14.866972] ? do_syscall_64+0x6d/0x90\n[ 14.867286] ? do_syscall_64+0x6d/0x90\n[ 14.867626] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...] stripped\n[ 14.872959] \u003c/TASK\u003e\n\n(\u0027myfpga\u0027 is a simple \u0027uio_dmem_genirq\u0027 driver I wrote to test this)\n\nThe implementation of \"uio_dmem_genirq\" was based on \"uio_pdrv_genirq\" and\nit is used in a similar manner to the \"uio_pdrv_genirq\" driver with respect\nto interrupt configuration and handling. At the time \"uio_dmem_genirq\" was\nintroduced, both had the same implementation of the \u0027uio_info\u0027 handlers\nirqcontrol() and handler(). Then commit 34cb27528398 (\"UIO: Fix concurrency\nissue\"), which was only applied to \"uio_pdrv_genirq\", ended up making them\na little different. That commit, among other things, changed disable_irq()\nto disable_irq_nosync() in the implementation of irqcontrol(). 
The\nmotivation there was to avoid a deadlock between irqcontrol() and\nhandler(), since it added a spinlock in the irq handler, and disable_irq()\nwaits for the completion of the irq handler.\n\nBy changing disable_irq() to disable_irq_nosync() in irqcontrol(), we also\navoid the sleeping-whil\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:26.593Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9977cb7af5a8f4738198b020436e2e56c5cd721e"
},
{
"url": "https://git.kernel.org/stable/c/a323d24a0183be730d2398b11b3a91e5c2e222a0"
},
{
"url": "https://git.kernel.org/stable/c/ac5585bb06a2e82177269bee93e59887ce591106"
},
{
"url": "https://git.kernel.org/stable/c/eca77a25a7cb3201738f4b55b9b8fa1089d7d002"
},
{
"url": "https://git.kernel.org/stable/c/9bf7a0b2b15cd12e15f7858072bd89933746de67"
},
{
"url": "https://git.kernel.org/stable/c/79a4bdb6b9920134af1a4738a1fa36a0438cd905"
},
{
"url": "https://git.kernel.org/stable/c/030b6c7bb1e4edebaee2b1e48fbcc9cd5998d51d"
},
{
"url": "https://git.kernel.org/stable/c/ee180e867ce4b2f744799247b81050b3e5dd62cd"
},
{
"url": "https://git.kernel.org/stable/c/9de255c461d1b3f0242b3ad1450c3323a3e00b34"
}
],
"title": "uio: uio_dmem_genirq: Fix missing unlock in irq configuration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50652",
"datePublished": "2025-12-09T00:00:26.593Z",
"dateReserved": "2025-12-08T23:57:43.371Z",
"dateUpdated": "2025-12-09T00:00:26.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53800 (GCVE-0-2023-53800)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
ubi: Fix use-after-free when volume resizing failed
Summary
In the Linux kernel, the following vulnerability has been resolved:
ubi: Fix use-after-free when volume resizing failed
There is a use-after-free problem reported by KASAN:
==================================================================
BUG: KASAN: use-after-free in ubi_eba_copy_table+0x11f/0x1c0 [ubi]
Read of size 8 at addr ffff888101eec008 by task ubirsvol/4735
CPU: 2 PID: 4735 Comm: ubirsvol
Not tainted 6.1.0-rc1-00003-g84fa3304a7fc-dirty #14
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
print_report+0x171/0x472
kasan_report+0xad/0x130
ubi_eba_copy_table+0x11f/0x1c0 [ubi]
ubi_resize_volume+0x4f9/0xbc0 [ubi]
ubi_cdev_ioctl+0x701/0x1850 [ubi]
__x64_sys_ioctl+0x11d/0x170
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
</TASK>
When ubi_change_vtbl_record() returns an error in ubi_resize_volume(),
"new_eba_tbl" will be freed on the error handling path, but it is held
by "vol->eba_tbl" in ubi_eba_replace_table(). It means that the lifecycle
of "vol->eba_tbl" and "vol" are different, so when resizing the volume the
next time, it causes a use-after-free fault.
Fix it by not freeing "new_eba_tbl" after it is replaced in
ubi_eba_replace_table(), while it will be freed in the next volume resizing.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 801c135ce73d5df1caf3eca35b66a10824ae0707, < bf9875aa7f7d624a8c084425b14bf7e5907ebc30 (git) |
| Linux | Linux | Affected: 801c135ce73d5df1caf3eca35b66a10824ae0707, < bf795ebbb9995e2fe7945de71177f01c2f1215dc (git) |
| Linux | Linux | Affected: 801c135ce73d5df1caf3eca35b66a10824ae0707, < 9c8be1f165baee53b5a36ea0b3c9281d403a1d0b (git) |
| Linux | Linux | Affected: 801c135ce73d5df1caf3eca35b66a10824ae0707, < 35f8d4064e54c18424db2997059d4c0b1d13d093 (git) |
| Linux | Linux | Affected: 801c135ce73d5df1caf3eca35b66a10824ae0707, < 53818746e549e61841428892a8d94344494be797 (git) |
| Linux | Linux | Affected: 801c135ce73d5df1caf3eca35b66a10824ae0707, < b0c951742348d216f094d16ed4f70ae73db881c0 (git) |
| Linux | Linux | Affected: 801c135ce73d5df1caf3eca35b66a10824ae0707, < 3d6378f7056ac7350338f941001162a8f660853c (git) |
| Linux | Linux | Affected: 801c135ce73d5df1caf3eca35b66a10824ae0707, < 9af31d6ec1a4be4caab2550096c6bd2ba8fba472 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/ubi/vmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bf9875aa7f7d624a8c084425b14bf7e5907ebc30",
"status": "affected",
"version": "801c135ce73d5df1caf3eca35b66a10824ae0707",
"versionType": "git"
},
{
"lessThan": "bf795ebbb9995e2fe7945de71177f01c2f1215dc",
"status": "affected",
"version": "801c135ce73d5df1caf3eca35b66a10824ae0707",
"versionType": "git"
},
{
"lessThan": "9c8be1f165baee53b5a36ea0b3c9281d403a1d0b",
"status": "affected",
"version": "801c135ce73d5df1caf3eca35b66a10824ae0707",
"versionType": "git"
},
{
"lessThan": "35f8d4064e54c18424db2997059d4c0b1d13d093",
"status": "affected",
"version": "801c135ce73d5df1caf3eca35b66a10824ae0707",
"versionType": "git"
},
{
"lessThan": "53818746e549e61841428892a8d94344494be797",
"status": "affected",
"version": "801c135ce73d5df1caf3eca35b66a10824ae0707",
"versionType": "git"
},
{
"lessThan": "b0c951742348d216f094d16ed4f70ae73db881c0",
"status": "affected",
"version": "801c135ce73d5df1caf3eca35b66a10824ae0707",
"versionType": "git"
},
{
"lessThan": "3d6378f7056ac7350338f941001162a8f660853c",
"status": "affected",
"version": "801c135ce73d5df1caf3eca35b66a10824ae0707",
"versionType": "git"
},
{
"lessThan": "9af31d6ec1a4be4caab2550096c6bd2ba8fba472",
"status": "affected",
"version": "801c135ce73d5df1caf3eca35b66a10824ae0707",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/ubi/vmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: Fix use-after-free when volume resizing failed\n\nThere is an use-after-free problem reported by KASAN:\n ==================================================================\n BUG: KASAN: use-after-free in ubi_eba_copy_table+0x11f/0x1c0 [ubi]\n Read of size 8 at addr ffff888101eec008 by task ubirsvol/4735\n\n CPU: 2 PID: 4735 Comm: ubirsvol\n Not tainted 6.1.0-rc1-00003-g84fa3304a7fc-dirty #14\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n BIOS 1.14.0-1.fc33 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x34/0x44\n print_report+0x171/0x472\n kasan_report+0xad/0x130\n ubi_eba_copy_table+0x11f/0x1c0 [ubi]\n ubi_resize_volume+0x4f9/0xbc0 [ubi]\n ubi_cdev_ioctl+0x701/0x1850 [ubi]\n __x64_sys_ioctl+0x11d/0x170\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n \u003c/TASK\u003e\n\nWhen ubi_change_vtbl_record() returns an error in ubi_resize_volume(),\n\"new_eba_tbl\" will be freed on error handing path, but it is holded\nby \"vol-\u003eeba_tbl\" in ubi_eba_replace_table(). It means that the liftcycle\nof \"vol-\u003eeba_tbl\" and \"vol\" are different, so when resizing volume in\nnext time, it causing an use-after-free fault.\n\nFix it by not freeing \"new_eba_tbl\" after it replaced in\nubi_eba_replace_table(), while will be freed in next volume resizing."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:56.507Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bf9875aa7f7d624a8c084425b14bf7e5907ebc30"
},
{
"url": "https://git.kernel.org/stable/c/bf795ebbb9995e2fe7945de71177f01c2f1215dc"
},
{
"url": "https://git.kernel.org/stable/c/9c8be1f165baee53b5a36ea0b3c9281d403a1d0b"
},
{
"url": "https://git.kernel.org/stable/c/35f8d4064e54c18424db2997059d4c0b1d13d093"
},
{
"url": "https://git.kernel.org/stable/c/53818746e549e61841428892a8d94344494be797"
},
{
"url": "https://git.kernel.org/stable/c/b0c951742348d216f094d16ed4f70ae73db881c0"
},
{
"url": "https://git.kernel.org/stable/c/3d6378f7056ac7350338f941001162a8f660853c"
},
{
"url": "https://git.kernel.org/stable/c/9af31d6ec1a4be4caab2550096c6bd2ba8fba472"
}
],
"title": "ubi: Fix use-after-free when volume resizing failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53800",
"datePublished": "2025-12-09T00:00:56.507Z",
"dateReserved": "2025-12-08T23:58:35.275Z",
"dateUpdated": "2025-12-09T00:00:56.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53840 (GCVE-0-2023-53840)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
usb: early: xhci-dbc: Fix a potential out-of-bound memory access
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: early: xhci-dbc: Fix a potential out-of-bound memory access
If xdbc_bulk_write() fails, the values in 'buf' can be anything. So the
string is not guaranteed to be NULL terminated when xdbc_trace() is called.
Reserve an extra byte, which will be zeroed automatically because 'buf' is
a static variable, in order to avoid troubles, should it happen.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0, < e8fb0f13e45cf361fd06593d3cb2d89915cd3bd0 (git) |
| Linux | Linux | Affected: aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0, < 351c8d8650d1ccc006255fa01f98b6c6496a02e5 (git) |
| Linux | Linux | Affected: aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0, < df7c8aba7309f4dc55df94e06b67f576c0f52406 (git) |
| Linux | Linux | Affected: aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0, < a4a97ab3db5c081eb6e7dba91306adefb461e0bd (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/early/xhci-dbc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8fb0f13e45cf361fd06593d3cb2d89915cd3bd0",
"status": "affected",
"version": "aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0",
"versionType": "git"
},
{
"lessThan": "351c8d8650d1ccc006255fa01f98b6c6496a02e5",
"status": "affected",
"version": "aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0",
"versionType": "git"
},
{
"lessThan": "df7c8aba7309f4dc55df94e06b67f576c0f52406",
"status": "affected",
"version": "aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0",
"versionType": "git"
},
{
"lessThan": "a4a97ab3db5c081eb6e7dba91306adefb461e0bd",
"status": "affected",
"version": "aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/early/xhci-dbc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: early: xhci-dbc: Fix a potential out-of-bound memory access\n\nIf xdbc_bulk_write() fails, the values in \u0027buf\u0027 can be anything. So the\nstring is not guaranteed to be NULL terminated when xdbc_trace() is called.\n\nReserve an extra byte, which will be zeroed automatically because \u0027buf\u0027 is\na static variable, in order to avoid troubles, should it happen."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:56.848Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8fb0f13e45cf361fd06593d3cb2d89915cd3bd0"
},
{
"url": "https://git.kernel.org/stable/c/351c8d8650d1ccc006255fa01f98b6c6496a02e5"
},
{
"url": "https://git.kernel.org/stable/c/df7c8aba7309f4dc55df94e06b67f576c0f52406"
},
{
"url": "https://git.kernel.org/stable/c/a4a97ab3db5c081eb6e7dba91306adefb461e0bd"
}
],
"title": "usb: early: xhci-dbc: Fix a potential out-of-bound memory access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53840",
"datePublished": "2025-12-09T01:29:56.848Z",
"dateReserved": "2025-12-09T01:27:17.826Z",
"dateUpdated": "2025-12-09T01:29:56.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53778 (GCVE-0-2023-53778)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
accel/qaic: Clean up integer overflow checking in map_user_pages()
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/qaic: Clean up integer overflow checking in map_user_pages()
The encode_dma() function has some validation on in_trans->size but it
would be more clear to move those checks to find_and_map_user_pages().
The encode_dma() had two checks:
if (in_trans->addr + in_trans->size < in_trans->addr || !in_trans->size)
return -EINVAL;
The in_trans->addr variable is the starting address. The in_trans->size
variable is the total size of the transfer. The transfer can occur in
parts and the resources->xferred_dma_size tracks how many bytes we have
already transferred.
This patch introduces a new variable "remaining" which represents the
amount we want to transfer (in_trans->size) minus the amount we have
already transferred (resources->xferred_dma_size).
I have modified the check for if in_trans->size is zero to instead check
if in_trans->size is less than resources->xferred_dma_size. If we have
already transferred more bytes than in_trans->size then there are negative
bytes remaining which doesn't make sense. If there are zero bytes
remaining to be copied, just return success.
The check in encode_dma() checked that "addr + size" could not overflow
and barring a driver bug that should work, but it's easier to check if
we do this in parts. First check that "in_trans->addr +
resources->xferred_dma_size" is safe. Then check that "xfer_start_addr +
remaining" is safe.
My final concern was that we are dealing with u64 values but on 32bit
systems the kmalloc() function will truncate the sizes to 32 bits. So
I calculated "total = in_trans->size + offset_in_page(xfer_start_addr);"
and returned -EINVAL if it were >= SIZE_MAX. This will not affect 64bit
systems.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_control.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d410a96e5cb8c1ec7049c83f2edcd8bbfaf5d9b3",
"status": "affected",
"version": "129776ac2e38231fa9c02ce20e116c99de291666",
"versionType": "git"
},
{
"lessThan": "96d3c1cadedb6ae2e8965e19cd12caa244afbd9c",
"status": "affected",
"version": "129776ac2e38231fa9c02ce20e116c99de291666",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_control.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Clean up integer overflow checking in map_user_pages()\n\nThe encode_dma() function has some validation on in_trans-\u003esize but it\nwould be more clear to move those checks to find_and_map_user_pages().\n\nThe encode_dma() had two checks:\n\n\tif (in_trans-\u003eaddr + in_trans-\u003esize \u003c in_trans-\u003eaddr || !in_trans-\u003esize)\n\t\treturn -EINVAL;\n\nThe in_trans-\u003eaddr variable is the starting address. The in_trans-\u003esize\nvariable is the total size of the transfer. The transfer can occur in\nparts and the resources-\u003exferred_dma_size tracks how many bytes we have\nalready transferred.\n\nThis patch introduces a new variable \"remaining\" which represents the\namount we want to transfer (in_trans-\u003esize) minus the amount we have\nalready transferred (resources-\u003exferred_dma_size).\n\nI have modified the check for if in_trans-\u003esize is zero to instead check\nif in_trans-\u003esize is less than resources-\u003exferred_dma_size. If we have\nalready transferred more bytes than in_trans-\u003esize then there are negative\nbytes remaining which doesn\u0027t make sense. If there are zero bytes\nremaining to be copied, just return success.\n\nThe check in encode_dma() checked that \"addr + size\" could not overflow\nand barring a driver bug that should work, but it\u0027s easier to check if\nwe do this in parts. First check that \"in_trans-\u003eaddr +\nresources-\u003exferred_dma_size\" is safe. Then check that \"xfer_start_addr +\nremaining\" is safe.\n\nMy final concern was that we are dealing with u64 values but on 32bit\nsystems the kmalloc() function will truncate the sizes to 32 bits. So\nI calculated \"total = in_trans-\u003esize + offset_in_page(xfer_start_addr);\"\nand returned -EINVAL if it were \u003e= SIZE_MAX. This will not affect 64bit\nsystems."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:34.074Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d410a96e5cb8c1ec7049c83f2edcd8bbfaf5d9b3"
},
{
"url": "https://git.kernel.org/stable/c/96d3c1cadedb6ae2e8965e19cd12caa244afbd9c"
}
],
"title": "accel/qaic: Clean up integer overflow checking in map_user_pages()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53778",
"datePublished": "2025-12-09T00:00:34.074Z",
"dateReserved": "2025-12-08T23:58:35.272Z",
"dateUpdated": "2025-12-09T00:00:34.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53823 (GCVE-0-2023-53823)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
block/rq_qos: protect rq_qos apis with a new lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
block/rq_qos: protect rq_qos apis with a new lock
commit 50e34d78815e ("block: disable the elevator int del_gendisk")
moves rq_qos_exit() from disk_release() to del_gendisk(); this will
introduce some problems:
1) If rq_qos_add() is triggered by enabling iocost/iolatency through
cgroupfs, then it can run concurrently with del_gendisk(); it's not safe to
write 'q->rq_qos' concurrently.
2) Activating a cgroup policy that relies on rq_qos will call
rq_qos_add() and blkcg_activate_policy(), and if rq_qos_exit() is
called in the middle, a null-ptr-dereference will be triggered in
blkcg_activate_policy().
3) blkg_conf_open_bdev() can call blkdev_get_no_open() first to find the
disk; then, if rq_qos_exit() from del_gendisk() is done before
rq_qos_add(), memory will be leaked.
This patch adds a new disk-level mutex 'rq_qos_mutex':
1) The lock will protect rq_qos_exit() directly.
2) For wbt, which doesn't rely on blk-cgroup, rq_qos_add() can only be
called from disk initialization for now because wbt can't be
destructed until rq_qos_exit(), so it's safe not to protect wbt for
now. However, in case dynamic destruction of rq_qos is supported
in the future, this patch also protects rq_qos_add() from wbt_init()
directly; this is enough because blk-sysfs already synchronizes
writers with disk removal.
3) For iocost and iolatency, in order to synchronize disk removal and
cgroup configuration, the lock is held after blkdev_get_no_open()
from blkg_conf_open_bdev(), and is released in blkg_conf_exit().
In order to fix the above memory leak, disk_live() is checked after
holding the new lock.
Severity ?
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c",
"block/blk-core.c",
"block/blk-rq-qos.c",
"block/blk-wbt.c",
"include/linux/blkdev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16398b4638b5cd8c1dc95fc940a1591a801d53ce",
"status": "affected",
"version": "50e34d78815e474d410f342fbe783b18192ca518",
"versionType": "git"
},
{
"lessThan": "a13bd91be22318768d55470cbc0b0f4488ef9edf",
"status": "affected",
"version": "50e34d78815e474d410f342fbe783b18192ca518",
"versionType": "git"
},
{
"status": "affected",
"version": "f28699fafc047ec33299da01e928c3a0073c5cc6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c",
"block/blk-core.c",
"block/blk-rq-qos.c",
"block/blk-wbt.c",
"include/linux/blkdev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock/rq_qos: protect rq_qos apis with a new lock\n\ncommit 50e34d78815e (\"block: disable the elevator int del_gendisk\")\nmove rq_qos_exit() from disk_release() to del_gendisk(), this will\nintroduce some problems:\n\n1) If rq_qos_add() is triggered by enabling iocost/iolatency through\n cgroupfs, then it can concurrent with del_gendisk(), it\u0027s not safe to\n write \u0027q-\u003erq_qos\u0027 concurrently.\n\n2) Activate cgroup policy that is relied on rq_qos will call\n rq_qos_add() and blkcg_activate_policy(), and if rq_qos_exit() is\n called in the middle, null-ptr-dereference will be triggered in\n blkcg_activate_policy().\n\n3) blkg_conf_open_bdev() can call blkdev_get_no_open() first to find the\n disk, then if rq_qos_exit() from del_gendisk() is done before\n rq_qos_add(), then memory will be leaked.\n\nThis patch add a new disk level mutex \u0027rq_qos_mutex\u0027:\n\n1) The lock will protect rq_qos_exit() directly.\n\n2) For wbt that doesn\u0027t relied on blk-cgroup, rq_qos_add() can only be\n called from disk initialization for now because wbt can\u0027t be\n destructed until rq_qos_exit(), so it\u0027s safe not to protect wbt for\n now. Hoever, in case that rq_qos dynamically destruction is supported\n in the furture, this patch also protect rq_qos_add() from wbt_init()\n directly, this is enough because blk-sysfs already synchronize\n writers with disk removal.\n\n3) For iocost and iolatency, in order to synchronize disk removal and\n cgroup configuration, the lock is held after blkdev_get_no_open()\n from blkg_conf_open_bdev(), and is released in blkg_conf_exit().\n In order to fix the above memory leak, disk_live() is checked after\n holding the new lock."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:36.343Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16398b4638b5cd8c1dc95fc940a1591a801d53ce"
},
{
"url": "https://git.kernel.org/stable/c/a13bd91be22318768d55470cbc0b0f4488ef9edf"
}
],
"title": "block/rq_qos: protect rq_qos apis with a new lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53823",
"datePublished": "2025-12-09T01:29:36.343Z",
"dateReserved": "2025-12-09T01:27:17.824Z",
"dateUpdated": "2025-12-09T01:29:36.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53835 (GCVE-0-2023-53835)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 07:14
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-12-09T07:14:36.820Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53835",
"datePublished": "2025-12-09T01:29:50.850Z",
"dateRejected": "2025-12-09T07:14:36.820Z",
"dateReserved": "2025-12-09T01:27:17.826Z",
"dateUpdated": "2025-12-09T07:14:36.820Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53790 (GCVE-0-2023-53790)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
bpf: Zeroing allocated object from slab in bpf memory allocator
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Zeroing allocated object from slab in bpf memory allocator
Currently the freed element in bpf memory allocator may be immediately
reused, for htab map the reuse will reinitialize special fields in map
value (e.g., bpf_spin_lock), but lookup procedure may still access
these special fields, and it may lead to hard-lockup as shown below:
  NMI backtrace for cpu 16
  CPU: 16 PID: 2574 Comm: htab.bin Tainted: G L 6.1.0+ #1
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
  RIP: 0010:queued_spin_lock_slowpath+0x283/0x2c0
  ......
  Call Trace:
  <TASK>
  copy_map_value_locked+0xb7/0x170
  bpf_map_copy_value+0x113/0x3c0
  __sys_bpf+0x1c67/0x2780
  __x64_sys_bpf+0x1c/0x20
  do_syscall_64+0x30/0x60
  entry_SYSCALL_64_after_hwframe+0x46/0xb0
  ......
  </TASK>
For htab map, just like the preallocated case, there is no need to
initialize these special fields in map value again once these fields
have been initialized. For preallocated htab map, these fields are
initialized through __GFP_ZERO in bpf_map_area_alloc(), so do the
similar thing for non-preallocated htab in bpf memory allocator. And
there is no need to use __GFP_ZERO for per-cpu bpf memory allocator,
because __alloc_percpu_gfp() does it implicitly.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0fd7c5d43339b783ee3301a05f925d1e52ac87c9, < 678ea18d6240299fd77d7000c8b1d7e5f274c8af (git) |
| Linux | Linux | Affected: 0fd7c5d43339b783ee3301a05f925d1e52ac87c9, < 5d447e04290e78bdc1a3a6c321320d384e09c2f1 (git) |
| Linux | Linux | Affected: 0fd7c5d43339b783ee3301a05f925d1e52ac87c9, < 997849c4b969034e225153f41026657def66d286 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/bpf.h",
"kernel/bpf/hashtab.c",
"kernel/bpf/memalloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "678ea18d6240299fd77d7000c8b1d7e5f274c8af",
"status": "affected",
"version": "0fd7c5d43339b783ee3301a05f925d1e52ac87c9",
"versionType": "git"
},
{
"lessThan": "5d447e04290e78bdc1a3a6c321320d384e09c2f1",
"status": "affected",
"version": "0fd7c5d43339b783ee3301a05f925d1e52ac87c9",
"versionType": "git"
},
{
"lessThan": "997849c4b969034e225153f41026657def66d286",
"status": "affected",
"version": "0fd7c5d43339b783ee3301a05f925d1e52ac87c9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/bpf.h",
"kernel/bpf/hashtab.c",
"kernel/bpf/memalloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Zeroing allocated object from slab in bpf memory allocator\n\nCurrently the freed element in bpf memory allocator may be immediately\nreused, for htab map the reuse will reinitialize special fields in map\nvalue (e.g., bpf_spin_lock), but lookup procedure may still access\nthese special fields, and it may lead to hard-lockup as shown below:\n\n NMI backtrace for cpu 16\n CPU: 16 PID: 2574 Comm: htab.bin Tainted: G L 6.1.0+ #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n RIP: 0010:queued_spin_lock_slowpath+0x283/0x2c0\n ......\n Call Trace:\n \u003cTASK\u003e\n copy_map_value_locked+0xb7/0x170\n bpf_map_copy_value+0x113/0x3c0\n __sys_bpf+0x1c67/0x2780\n __x64_sys_bpf+0x1c/0x20\n do_syscall_64+0x30/0x60\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n ......\n \u003c/TASK\u003e\n\nFor htab map, just like the preallocated case, these is no need to\ninitialize these special fields in map value again once these fields\nhave been initialized. For preallocated htab map, these fields are\ninitialized through __GFP_ZERO in bpf_map_area_alloc(), so do the\nsimilar thing for non-preallocated htab in bpf memory allocator. And\nthere is no need to use __GFP_ZERO for per-cpu bpf memory allocator,\nbecause __alloc_percpu_gfp() does it implicitly."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:47.025Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/678ea18d6240299fd77d7000c8b1d7e5f274c8af"
},
{
"url": "https://git.kernel.org/stable/c/5d447e04290e78bdc1a3a6c321320d384e09c2f1"
},
{
"url": "https://git.kernel.org/stable/c/997849c4b969034e225153f41026657def66d286"
}
],
"title": "bpf: Zeroing allocated object from slab in bpf memory allocator",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53790",
"datePublished": "2025-12-09T00:00:47.025Z",
"dateReserved": "2025-12-08T23:58:35.274Z",
"dateUpdated": "2025-12-09T00:00:47.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40334 (GCVE-0-2025-40334)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-20 08:52
Title
drm/amdgpu: validate userq buffer virtual address and size
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: validate userq buffer virtual address and size
It needs to validate the userq object virtual address to
determine whether it resides in a valid vm mapping.
Severity ?
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h",
"drivers/gpu/drm/amd/amdgpu/mes_userqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a577de86c4a1c67ca405571d6ef84e65c6897d1",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "9e46b8bb0539d7bc9a9e7b3072fa4f6082490392",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h",
"drivers/gpu/drm/amd/amdgpu/mes_userqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate userq buffer virtual address and size\n\nIt needs to validate the userq object virtual address to\ndetermine whether it is residented in a valid vm mapping."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:07.859Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a577de86c4a1c67ca405571d6ef84e65c6897d1"
},
{
"url": "https://git.kernel.org/stable/c/9e46b8bb0539d7bc9a9e7b3072fa4f6082490392"
}
],
"title": "drm/amdgpu: validate userq buffer virtual address and size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40334",
"datePublished": "2025-12-09T04:09:51.022Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-20T08:52:07.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40341 (GCVE-0-2025-40341)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2026-01-02 15:33
Title
futex: Don't leak robust_list pointer on exec race
Summary
In the Linux kernel, the following vulnerability has been resolved:
futex: Don't leak robust_list pointer on exec race
sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access()
to check if the calling task is allowed to access another task's
robust_list pointer. This check is racy against a concurrent exec() in the
target process.
During exec(), a task may transition from a non-privileged binary to a
privileged one (e.g., setuid binary) and its credentials/memory mappings
may change. If get_robust_list() performs ptrace_may_access() before
this transition, it may erroneously allow access to sensitive information
after the target becomes privileged.
A racy access allows an attacker to exploit a window during which
ptrace_may_access() passes before a target process transitions to a
privileged state via exec().
For example, consider a non-privileged task T that is about to execute a
setuid-root binary. An attacker task A calls get_robust_list(T) while T
is still unprivileged. Since ptrace_may_access() checks permissions
based on current credentials, it succeeds. However, if T begins exec
immediately afterwards, it becomes privileged and may change its memory
mappings. Because get_robust_list() proceeds to access T->robust_list
without synchronizing with exec() it may read user-space pointers from a
now-privileged process.
This violates the intended post-exec access restrictions and could
expose sensitive memory addresses or be used as a primitive in a larger
exploit chain. Consequently, the race can lead to unauthorized
disclosure of information across privilege boundaries and poses a
potential security risk.
Take a read lock on signal->exec_update_lock prior to invoking
ptrace_may_access() and accessing the robust_list/compat_robust_list.
This ensures that the target task's exec state remains stable during the
check, allowing for consistent and synchronized validation of
credentials.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70, < 6511984d1aa1360181bcafb1ca75df7f291ef237 (git) |
| Linux | Linux | Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70, < 4aced32596ead1820b7dbd8e40d30b30dc1f3ad4 (git) |
| Linux | Linux | Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70, < 3b4222494489f6d4b8705a496dab03384b7ca998 (git) |
| Linux | Linux | Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70, < b524455a51feb6013df3a5dba3160487b2e8e22a (git) |
| Linux | Linux | Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70, < 6b54082c3ed4dc9821cdf0edb17302355cc5bb45 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/futex/syscalls.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6511984d1aa1360181bcafb1ca75df7f291ef237",
"status": "affected",
"version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
"versionType": "git"
},
{
"lessThan": "4aced32596ead1820b7dbd8e40d30b30dc1f3ad4",
"status": "affected",
"version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
"versionType": "git"
},
{
"lessThan": "3b4222494489f6d4b8705a496dab03384b7ca998",
"status": "affected",
"version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
"versionType": "git"
},
{
"lessThan": "b524455a51feb6013df3a5dba3160487b2e8e22a",
"status": "affected",
"version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
"versionType": "git"
},
{
"lessThan": "6b54082c3ed4dc9821cdf0edb17302355cc5bb45",
"status": "affected",
"version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/futex/syscalls.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Don\u0027t leak robust_list pointer on exec race\n\nsys_get_robust_list() and compat_get_robust_list() use ptrace_may_access()\nto check if the calling task is allowed to access another task\u0027s\nrobust_list pointer. This check is racy against a concurrent exec() in the\ntarget process.\n\nDuring exec(), a task may transition from a non-privileged binary to a\nprivileged one (e.g., setuid binary) and its credentials/memory mappings\nmay change. If get_robust_list() performs ptrace_may_access() before\nthis transition, it may erroneously allow access to sensitive information\nafter the target becomes privileged.\n\nA racy access allows an attacker to exploit a window during which\nptrace_may_access() passes before a target process transitions to a\nprivileged state via exec().\n\nFor example, consider a non-privileged task T that is about to execute a\nsetuid-root binary. An attacker task A calls get_robust_list(T) while T\nis still unprivileged. Since ptrace_may_access() checks permissions\nbased on current credentials, it succeeds. However, if T begins exec\nimmediately afterwards, it becomes privileged and may change its memory\nmappings. Because get_robust_list() proceeds to access T-\u003erobust_list\nwithout synchronizing with exec() it may read user-space pointers from a\nnow-privileged process.\n\nThis violates the intended post-exec access restrictions and could\nexpose sensitive memory addresses or be used as a primitive in a larger\nexploit chain. Consequently, the race can lead to unauthorized\ndisclosure of information across privilege boundaries and poses a\npotential security risk.\n\nTake a read lock on signal-\u003eexec_update_lock prior to invoking\nptrace_may_access() and accessing the robust_list/compat_robust_list.\nThis ensures that the target task\u0027s exec state remains stable during the\ncheck, allowing for consistent and synchronized validation of\ncredentials."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:41.800Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6511984d1aa1360181bcafb1ca75df7f291ef237"
},
{
"url": "https://git.kernel.org/stable/c/4aced32596ead1820b7dbd8e40d30b30dc1f3ad4"
},
{
"url": "https://git.kernel.org/stable/c/3b4222494489f6d4b8705a496dab03384b7ca998"
},
{
"url": "https://git.kernel.org/stable/c/b524455a51feb6013df3a5dba3160487b2e8e22a"
},
{
"url": "https://git.kernel.org/stable/c/6b54082c3ed4dc9821cdf0edb17302355cc5bb45"
}
],
"title": "futex: Don\u0027t leak robust_list pointer on exec race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40341",
"datePublished": "2025-12-09T04:09:58.392Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-01-02T15:33:41.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53825 (GCVE-0-2023-53825)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
Summary
In the Linux kernel, the following vulnerability has been resolved:
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
syzkaller found a memory leak in kcm_sendmsg(), and commit c821a88bd720
("kcm: Fix memory leak in error path of kcm_sendmsg()") suppressed it by
updating kcm_tx_msg(head)->last_skb if partial data is copied so that the
following sendmsg() will resume from the skb.
However, we cannot know how many bytes were copied when we get the error.
Thus, we could mess up the MSG_MORE queue.
When kcm_sendmsg() fails for SOCK_DGRAM, we should purge the queue as we
do so for UDP by udp_flush_pending_frames().
Even without this change, when the error occurred, the following sendmsg()
resumed from a wrong skb and the queue was messed up. However, we have
yet to get such a report, and only syzkaller stumbled on it. So, this
can be changed safely.
Note this does not change SOCK_SEQPACKET behaviour.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3, < 21b467735b0888a8daa048f83d3b9b50fdab71ce (git) |
| Linux | Linux | Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3, < d4b8f380b0a041ee6a84fdac14127d8fe1dcad7b (git) |
| Linux | Linux | Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3, < 1ce8362b4ac6b8e65fd04a22ea37ec776ee1ec5b (git) |
| Linux | Linux | Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3, < 2e18493c421428a936946c452461b8e979088f17 (git) |
| Linux | Linux | Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3, < 55d2e7c1ab8eaa7b62575b8a4194132795d1f9fc (git) |
| Linux | Linux | Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3, < e5b28ce127a690f3acc49a6a342e6c9442c9edd6 (git) |
| Linux | Linux | Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3, < 992b2ac783aad360b98ed9d4686e86176a20f6f1 (git) |
| Linux | Linux | Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3, < a22730b1b4bf437c6bbfdeff5feddf54be4aeada (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/kcm/kcmsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "21b467735b0888a8daa048f83d3b9b50fdab71ce",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "d4b8f380b0a041ee6a84fdac14127d8fe1dcad7b",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "1ce8362b4ac6b8e65fd04a22ea37ec776ee1ec5b",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "2e18493c421428a936946c452461b8e979088f17",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "55d2e7c1ab8eaa7b62575b8a4194132795d1f9fc",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "e5b28ce127a690f3acc49a6a342e6c9442c9edd6",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "992b2ac783aad360b98ed9d4686e86176a20f6f1",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "a22730b1b4bf437c6bbfdeff5feddf54be4aeada",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/kcm/kcmsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().\n\nsyzkaller found a memory leak in kcm_sendmsg(), and commit c821a88bd720\n(\"kcm: Fix memory leak in error path of kcm_sendmsg()\") suppressed it by\nupdating kcm_tx_msg(head)-\u003elast_skb if partial data is copied so that the\nfollowing sendmsg() will resume from the skb.\n\nHowever, we cannot know how many bytes were copied when we get the error.\nThus, we could mess up the MSG_MORE queue.\n\nWhen kcm_sendmsg() fails for SOCK_DGRAM, we should purge the queue as we\ndo so for UDP by udp_flush_pending_frames().\n\nEven without this change, when the error occurred, the following sendmsg()\nresumed from a wrong skb and the queue was messed up. However, we have\nyet to get such a report, and only syzkaller stumbled on it. So, this\ncan be changed safely.\n\nNote this does not change SOCK_SEQPACKET behaviour."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:38.539Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/21b467735b0888a8daa048f83d3b9b50fdab71ce"
},
{
"url": "https://git.kernel.org/stable/c/d4b8f380b0a041ee6a84fdac14127d8fe1dcad7b"
},
{
"url": "https://git.kernel.org/stable/c/1ce8362b4ac6b8e65fd04a22ea37ec776ee1ec5b"
},
{
"url": "https://git.kernel.org/stable/c/2e18493c421428a936946c452461b8e979088f17"
},
{
"url": "https://git.kernel.org/stable/c/55d2e7c1ab8eaa7b62575b8a4194132795d1f9fc"
},
{
"url": "https://git.kernel.org/stable/c/e5b28ce127a690f3acc49a6a342e6c9442c9edd6"
},
{
"url": "https://git.kernel.org/stable/c/992b2ac783aad360b98ed9d4686e86176a20f6f1"
},
{
"url": "https://git.kernel.org/stable/c/a22730b1b4bf437c6bbfdeff5feddf54be4aeada"
}
],
"title": "kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53825",
"datePublished": "2025-12-09T01:29:38.539Z",
"dateReserved": "2025-12-09T01:27:17.824Z",
"dateUpdated": "2025-12-09T01:29:38.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53777 (GCVE-0-2023-53777)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
erofs: kill hooked chains to avoid loops on deduplicated compressed images
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: kill hooked chains to avoid loops on deduplicated compressed images
After heavily stressing EROFS with several images which include a
hand-crafted image of repeated patterns for more than 46 days, I found
two chains could be linked with each other almost simultaneously and
form a loop so that the entire loop won't be submitted. As a
consequence, the corresponding file pages will remain locked forever.
It can be _only_ observed on data-deduplicated compressed images.
For example, consider two chains with five pclusters in total:
Chain 1: 2->3->4->5 -- The tail pcluster is 5;
Chain 2: 5->1->2 -- The tail pcluster is 2.
Chain 2 could link to Chain 1 with pcluster 5; and Chain 1 could link
to Chain 2 at the same time with pcluster 2.
Since hooked chains are all linked locklessly now, I have no idea how
to simply avoid the race. Instead, let's avoid hooked chains completely
until I could work out a proper way to fix this and end users finally
tell us that it's needed to add it back.
Actually, this optimization can be found with multi-threaded workloads
(especially even more often on deduplicated compressed images), yet I'm
not sure about the overall system impacts of not having this compared
with implementation complexity.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 267f2492c8f71dac44399988b510f9bf6b074a51 , < d3b39ea24835ac03da1a30f93ae7c05d55a40191 (git) |
| Linux | Linux | Affected: 267f2492c8f71dac44399988b510f9bf6b074a51 , < b5b0d52f00e4bacb0ebdf47cd7016b0485fffad2 (git) |
| Linux | Linux | Affected: 267f2492c8f71dac44399988b510f9bf6b074a51 , < 10c2b98a40d9044a3e97f4697ca6213bad7e19c2 (git) |
| Linux | Linux | Affected: 267f2492c8f71dac44399988b510f9bf6b074a51 , < 967c28b23f6c89bb8eef6a046ea88afe0d7c1029 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/zdata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d3b39ea24835ac03da1a30f93ae7c05d55a40191",
"status": "affected",
"version": "267f2492c8f71dac44399988b510f9bf6b074a51",
"versionType": "git"
},
{
"lessThan": "b5b0d52f00e4bacb0ebdf47cd7016b0485fffad2",
"status": "affected",
"version": "267f2492c8f71dac44399988b510f9bf6b074a51",
"versionType": "git"
},
{
"lessThan": "10c2b98a40d9044a3e97f4697ca6213bad7e19c2",
"status": "affected",
"version": "267f2492c8f71dac44399988b510f9bf6b074a51",
"versionType": "git"
},
{
"lessThan": "967c28b23f6c89bb8eef6a046ea88afe0d7c1029",
"status": "affected",
"version": "267f2492c8f71dac44399988b510f9bf6b074a51",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/zdata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: kill hooked chains to avoid loops on deduplicated compressed images\n\nAfter heavily stressing EROFS with several images which include a\nhand-crafted image of repeated patterns for more than 46 days, I found\ntwo chains could be linked with each other almost simultaneously and\nform a loop so that the entire loop won\u0027t be submitted. As a\nconsequence, the corresponding file pages will remain locked forever.\n\nIt can be _only_ observed on data-deduplicated compressed images.\nFor example, consider two chains with five pclusters in total:\n\tChain 1: 2-\u003e3-\u003e4-\u003e5 -- The tail pcluster is 5;\n Chain 2: 5-\u003e1-\u003e2 -- The tail pcluster is 2.\n\nChain 2 could link to Chain 1 with pcluster 5; and Chain 1 could link\nto Chain 2 at the same time with pcluster 2.\n\nSince hooked chains are all linked locklessly now, I have no idea how\nto simply avoid the race. Instead, let\u0027s avoid hooked chains completely\nuntil I could work out a proper way to fix this and end users finally\ntell us that it\u0027s needed to add it back.\n\nActually, this optimization can be found with multi-threaded workloads\n(especially even more often on deduplicated compressed images), yet I\u0027m\nnot sure about the overall system impacts of not having this compared\nwith implementation complexity."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:32.947Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d3b39ea24835ac03da1a30f93ae7c05d55a40191"
},
{
"url": "https://git.kernel.org/stable/c/b5b0d52f00e4bacb0ebdf47cd7016b0485fffad2"
},
{
"url": "https://git.kernel.org/stable/c/10c2b98a40d9044a3e97f4697ca6213bad7e19c2"
},
{
"url": "https://git.kernel.org/stable/c/967c28b23f6c89bb8eef6a046ea88afe0d7c1029"
}
],
"title": "erofs: kill hooked chains to avoid loops on deduplicated compressed images",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53777",
"datePublished": "2025-12-09T00:00:32.947Z",
"dateReserved": "2025-12-08T23:58:35.271Z",
"dateUpdated": "2025-12-09T00:00:32.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50674 (GCVE-0-2022-50674)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
riscv: vdso: fix NULL deference in vdso_join_timens() when vfork
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv: vdso: fix NULL deference in vdso_join_timens() when vfork
Testing tools/testing/selftests/timens/vfork_exec.c got below
kernel log:
[ 6.838454] Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000000000020
[ 6.842255] Oops [#1]
[ 6.842871] Modules linked in:
[ 6.844249] CPU: 1 PID: 64 Comm: vfork_exec Not tainted 6.0.0-rc3-rt15+ #8
[ 6.845861] Hardware name: riscv-virtio,qemu (DT)
[ 6.848009] epc : vdso_join_timens+0xd2/0x110
[ 6.850097] ra : vdso_join_timens+0xd2/0x110
[ 6.851164] epc : ffffffff8000635c ra : ffffffff8000635c sp : ff6000000181fbf0
[ 6.852562] gp : ffffffff80cff648 tp : ff60000000fdb700 t0 : 3030303030303030
[ 6.853852] t1 : 0000000000000030 t2 : 3030303030303030 s0 : ff6000000181fc40
[ 6.854984] s1 : ff60000001e6c000 a0 : 0000000000000010 a1 : ffffffff8005654c
[ 6.856221] a2 : 00000000ffffefff a3 : 0000000000000000 a4 : 0000000000000000
[ 6.858114] a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038
[ 6.859484] s2 : ff60000001e6c068 s3 : ff6000000108abb0 s4 : 0000000000000000
[ 6.860751] s5 : 0000000000001000 s6 : ffffffff8089dc40 s7 : ffffffff8089dc38
[ 6.862029] s8 : ffffffff8089dc30 s9 : ff60000000fdbe38 s10: 000000000000005e
[ 6.863304] s11: ffffffff80cc3510 t3 : ffffffff80d1112f t4 : ffffffff80d1112f
[ 6.864565] t5 : ffffffff80d11130 t6 : ff6000000181fa00
[ 6.865561] status: 0000000000000120 badaddr: 0000000000000020 cause: 000000000000000d
[ 6.868046] [<ffffffff8008dc94>] timens_commit+0x38/0x11a
[ 6.869089] [<ffffffff8008dde8>] timens_on_fork+0x72/0xb4
[ 6.870055] [<ffffffff80190096>] begin_new_exec+0x3c6/0x9f0
[ 6.871231] [<ffffffff801d826c>] load_elf_binary+0x628/0x1214
[ 6.872304] [<ffffffff8018ee7a>] bprm_execve+0x1f2/0x4e4
[ 6.873243] [<ffffffff8018f90c>] do_execveat_common+0x16e/0x1ee
[ 6.874258] [<ffffffff8018f9c8>] sys_execve+0x3c/0x48
[ 6.875162] [<ffffffff80003556>] ret_from_syscall+0x0/0x2
[ 6.877484] ---[ end trace 0000000000000000 ]---
This is because the mm->context.vdso_info is NULL in vfork case. From
another side, mm->context.vdso_info either points to vdso info
for RV64 or vdso info for compat, there's no need to bloat riscv's
mm_context_t, we can handle the difference when setup the additional
page for vdso.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3092eb45637573c5e435fbf5eaf9516316e5f9c6 , < df30c4feba51beeb138f3518c2421abc8cbda3c1 (git) |
| Linux | Linux | Affected: 3092eb45637573c5e435fbf5eaf9516316e5f9c6 , < f2419a6fbb4caf8cf3fe0ac7e4cf2e28127d04b4 (git) |
| Linux | Linux | Affected: 3092eb45637573c5e435fbf5eaf9516316e5f9c6 , < a8616d2dc193b6becc36b5f3cfeaa9ac7a5762f9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/include/asm/mmu.h",
"arch/riscv/kernel/vdso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df30c4feba51beeb138f3518c2421abc8cbda3c1",
"status": "affected",
"version": "3092eb45637573c5e435fbf5eaf9516316e5f9c6",
"versionType": "git"
},
{
"lessThan": "f2419a6fbb4caf8cf3fe0ac7e4cf2e28127d04b4",
"status": "affected",
"version": "3092eb45637573c5e435fbf5eaf9516316e5f9c6",
"versionType": "git"
},
{
"lessThan": "a8616d2dc193b6becc36b5f3cfeaa9ac7a5762f9",
"status": "affected",
"version": "3092eb45637573c5e435fbf5eaf9516316e5f9c6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/include/asm/mmu.h",
"arch/riscv/kernel/vdso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: vdso: fix NULL deference in vdso_join_timens() when vfork\n\nTesting tools/testing/selftests/timens/vfork_exec.c got below\nkernel log:\n\n[ 6.838454] Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000000000020\n[ 6.842255] Oops [#1]\n[ 6.842871] Modules linked in:\n[ 6.844249] CPU: 1 PID: 64 Comm: vfork_exec Not tainted 6.0.0-rc3-rt15+ #8\n[ 6.845861] Hardware name: riscv-virtio,qemu (DT)\n[ 6.848009] epc : vdso_join_timens+0xd2/0x110\n[ 6.850097] ra : vdso_join_timens+0xd2/0x110\n[ 6.851164] epc : ffffffff8000635c ra : ffffffff8000635c sp : ff6000000181fbf0\n[ 6.852562] gp : ffffffff80cff648 tp : ff60000000fdb700 t0 : 3030303030303030\n[ 6.853852] t1 : 0000000000000030 t2 : 3030303030303030 s0 : ff6000000181fc40\n[ 6.854984] s1 : ff60000001e6c000 a0 : 0000000000000010 a1 : ffffffff8005654c\n[ 6.856221] a2 : 00000000ffffefff a3 : 0000000000000000 a4 : 0000000000000000\n[ 6.858114] a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038\n[ 6.859484] s2 : ff60000001e6c068 s3 : ff6000000108abb0 s4 : 0000000000000000\n[ 6.860751] s5 : 0000000000001000 s6 : ffffffff8089dc40 s7 : ffffffff8089dc38\n[ 6.862029] s8 : ffffffff8089dc30 s9 : ff60000000fdbe38 s10: 000000000000005e\n[ 6.863304] s11: ffffffff80cc3510 t3 : ffffffff80d1112f t4 : ffffffff80d1112f\n[ 6.864565] t5 : ffffffff80d11130 t6 : ff6000000181fa00\n[ 6.865561] status: 0000000000000120 badaddr: 0000000000000020 cause: 000000000000000d\n[ 6.868046] [\u003cffffffff8008dc94\u003e] timens_commit+0x38/0x11a\n[ 6.869089] [\u003cffffffff8008dde8\u003e] timens_on_fork+0x72/0xb4\n[ 6.870055] [\u003cffffffff80190096\u003e] begin_new_exec+0x3c6/0x9f0\n[ 6.871231] [\u003cffffffff801d826c\u003e] load_elf_binary+0x628/0x1214\n[ 6.872304] [\u003cffffffff8018ee7a\u003e] bprm_execve+0x1f2/0x4e4\n[ 6.873243] [\u003cffffffff8018f90c\u003e] do_execveat_common+0x16e/0x1ee\n[ 6.874258] 
[\u003cffffffff8018f9c8\u003e] sys_execve+0x3c/0x48\n[ 6.875162] [\u003cffffffff80003556\u003e] ret_from_syscall+0x0/0x2\n[ 6.877484] ---[ end trace 0000000000000000 ]---\n\nThis is because the mm-\u003econtext.vdso_info is NULL in vfork case. From\nanother side, mm-\u003econtext.vdso_info either points to vdso info\nfor RV64 or vdso info for compat, there\u0027s no need to bloat riscv\u0027s\nmm_context_t, we can handle the difference when setup the additional\npage for vdso."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:26.600Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df30c4feba51beeb138f3518c2421abc8cbda3c1"
},
{
"url": "https://git.kernel.org/stable/c/f2419a6fbb4caf8cf3fe0ac7e4cf2e28127d04b4"
},
{
"url": "https://git.kernel.org/stable/c/a8616d2dc193b6becc36b5f3cfeaa9ac7a5762f9"
}
],
"title": "riscv: vdso: fix NULL deference in vdso_join_timens() when vfork",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50674",
"datePublished": "2025-12-09T01:29:26.600Z",
"dateReserved": "2025-12-09T01:26:45.991Z",
"dateUpdated": "2025-12-09T01:29:26.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53786 (GCVE-0-2023-53786)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2026-01-05 10:32
Title
dm flakey: fix a crash with invalid table line
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm flakey: fix a crash with invalid table line
This command will crash with NULL pointer dereference:
dmsetup create flakey --table \
"0 `blockdev --getsize /dev/ram0` flakey /dev/ram0 0 0 1 2 corrupt_bio_byte 512"
Fix the crash by checking if arg_name is non-NULL before comparing it.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < f95cb1526669ccdf7eb12eefd57a893953e3595f (git) |
| Linux | Linux | Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < 12849ed107c0b2869fb775c81208050899006f07 (git) |
| Linux | Linux | Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < 337b7af273562b73c46ef77a724604ad139ca762 (git) |
| Linux | Linux | Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < a1e3fffe02e05c05357af91364ac0fc1ed425b5b (git) |
| Linux | Linux | Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < f76fcb9d43ec014ac4a1bb983768696d5b032df9 (git) |
| Linux | Linux | Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < cb874a190f3f7c3c3fa5b979bee7a3b8cc3a19cc (git) |
| Linux | Linux | Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < 83b4e3d878ea6be9aec1d5a1ab177c766c64d1a0 (git) |
| Linux | Linux | Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < 8258d84a7917aeece773716518deadb7ad776cb7 (git) |
| Linux | Linux | Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < 98dba02d9a93eec11bffbb93c7c51624290702d2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-flakey.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f95cb1526669ccdf7eb12eefd57a893953e3595f",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
},
{
"lessThan": "12849ed107c0b2869fb775c81208050899006f07",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
},
{
"lessThan": "337b7af273562b73c46ef77a724604ad139ca762",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
},
{
"lessThan": "a1e3fffe02e05c05357af91364ac0fc1ed425b5b",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
},
{
"lessThan": "f76fcb9d43ec014ac4a1bb983768696d5b032df9",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
},
{
"lessThan": "cb874a190f3f7c3c3fa5b979bee7a3b8cc3a19cc",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
},
{
"lessThan": "83b4e3d878ea6be9aec1d5a1ab177c766c64d1a0",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
},
{
"lessThan": "8258d84a7917aeece773716518deadb7ad776cb7",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
},
{
"lessThan": "98dba02d9a93eec11bffbb93c7c51624290702d2",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-flakey.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.315",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.315",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm flakey: fix a crash with invalid table line\n\nThis command will crash with NULL pointer dereference:\n dmsetup create flakey --table \\\n \"0 `blockdev --getsize /dev/ram0` flakey /dev/ram0 0 0 1 2 corrupt_bio_byte 512\"\n\nFix the crash by checking if arg_name is non-NULL before comparing it."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:51.357Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f95cb1526669ccdf7eb12eefd57a893953e3595f"
},
{
"url": "https://git.kernel.org/stable/c/12849ed107c0b2869fb775c81208050899006f07"
},
{
"url": "https://git.kernel.org/stable/c/337b7af273562b73c46ef77a724604ad139ca762"
},
{
"url": "https://git.kernel.org/stable/c/a1e3fffe02e05c05357af91364ac0fc1ed425b5b"
},
{
"url": "https://git.kernel.org/stable/c/f76fcb9d43ec014ac4a1bb983768696d5b032df9"
},
{
"url": "https://git.kernel.org/stable/c/cb874a190f3f7c3c3fa5b979bee7a3b8cc3a19cc"
},
{
"url": "https://git.kernel.org/stable/c/83b4e3d878ea6be9aec1d5a1ab177c766c64d1a0"
},
{
"url": "https://git.kernel.org/stable/c/8258d84a7917aeece773716518deadb7ad776cb7"
},
{
"url": "https://git.kernel.org/stable/c/98dba02d9a93eec11bffbb93c7c51624290702d2"
}
],
"title": "dm flakey: fix a crash with invalid table line",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53786",
"datePublished": "2025-12-09T00:00:41.426Z",
"dateReserved": "2025-12-08T23:58:35.273Z",
"dateUpdated": "2026-01-05T10:32:51.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40330 (GCVE-0-2025-40330)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-09 04:09
Title
bnxt_en: Shutdown FW DMA in bnxt_shutdown()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Shutdown FW DMA in bnxt_shutdown()
The netif_close() call in bnxt_shutdown() only stops packet DMA. There
may be FW DMA for trace logging (recently added) that will continue. If
we kexec to a new kernel, the DMA will corrupt memory in the new kernel.
Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW.
This will stop the FW DMA. In case the call fails, call pcie_flr() to
reset the function and stop the DMA.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1a8a15c3f71d1199d510ccba4bc201cbd2204048",
"status": "affected",
"version": "24d694aec139e9e0a31c60993db79bd8ad575afe",
"versionType": "git"
},
{
"lessThan": "bc7208ca805ae6062f353a4753467d913d963bc6",
"status": "affected",
"version": "24d694aec139e9e0a31c60993db79bd8ad575afe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Shutdown FW DMA in bnxt_shutdown()\n\nThe netif_close() call in bnxt_shutdown() only stops packet DMA. There\nmay be FW DMA for trace logging (recently added) that will continue. If\nwe kexec to a new kernel, the DMA will corrupt memory in the new kernel.\n\nAdd bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW.\nThis will stop the FW DMA. In case the call fails, call pcie_flr() to\nreset the function and stop the DMA."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T04:09:47.251Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a8a15c3f71d1199d510ccba4bc201cbd2204048"
},
{
"url": "https://git.kernel.org/stable/c/bc7208ca805ae6062f353a4753467d913d963bc6"
}
],
"title": "bnxt_en: Shutdown FW DMA in bnxt_shutdown()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40330",
"datePublished": "2025-12-09T04:09:47.251Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-09T04:09:47.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53783 (GCVE-0-2023-53783)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-20 08:51
Title
blk-iocost: fix divide by 0 error in calc_lcoefs()
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-iocost: fix divide by 0 error in calc_lcoefs()
echo max of u64 to cost.model can cause divide by 0 error.
# echo 8:0 rbps=18446744073709551615 > /sys/fs/cgroup/io.cost.model
divide error: 0000 [#1] PREEMPT SMP
RIP: 0010:calc_lcoefs+0x4c/0xc0
Call Trace:
<TASK>
ioc_refresh_params+0x2b3/0x4f0
ioc_cost_model_write+0x3cb/0x4c0
? _copy_from_iter+0x6d/0x6c0
? kernfs_fop_write_iter+0xfc/0x270
cgroup_file_write+0xa0/0x200
kernfs_fop_write_iter+0x17d/0x270
vfs_write+0x414/0x620
ksys_write+0x73/0x160
__x64_sys_write+0x1e/0x30
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
calc_lcoefs() uses the input value of cost.model in DIV_ROUND_UP_ULL,
overflow would happen if bps plus IOC_PAGE_SIZE is greater than
ULLONG_MAX, it can cause divide by 0 error.
Fix the problem by setting basecost
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7caa47151ab2e644dd221f741ec7578d9532c9a3 , < 9e8bf9f95f7a299fa9ea45b678d001806ad5e12c (git) |
| Linux | Linux | Affected: 7caa47151ab2e644dd221f741ec7578d9532c9a3 , < 6e291810fe83a384700eb24a1f714966391ed562 (git) |
| Linux | Linux | Affected: 7caa47151ab2e644dd221f741ec7578d9532c9a3 , < 3538ade9d8c2ba41088e395de916f2599fadba8f (git) |
| Linux | Linux | Affected: 7caa47151ab2e644dd221f741ec7578d9532c9a3 , < bf8eb1fd6110871e6232e8e7efe399276ef7e6f6 (git) |
| Linux | Linux | Affected: 7caa47151ab2e644dd221f741ec7578d9532c9a3 , < b96d7b4a9745fbd0c8384608ceb1f50415e862fa (git) |
| Linux | Linux | Affected: 7caa47151ab2e644dd221f741ec7578d9532c9a3 , < 984af1e66b4126cf145153661cc24c213e2ec231 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-iocost.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9e8bf9f95f7a299fa9ea45b678d001806ad5e12c",
"status": "affected",
"version": "7caa47151ab2e644dd221f741ec7578d9532c9a3",
"versionType": "git"
},
{
"lessThan": "6e291810fe83a384700eb24a1f714966391ed562",
"status": "affected",
"version": "7caa47151ab2e644dd221f741ec7578d9532c9a3",
"versionType": "git"
},
{
"lessThan": "3538ade9d8c2ba41088e395de916f2599fadba8f",
"status": "affected",
"version": "7caa47151ab2e644dd221f741ec7578d9532c9a3",
"versionType": "git"
},
{
"lessThan": "bf8eb1fd6110871e6232e8e7efe399276ef7e6f6",
"status": "affected",
"version": "7caa47151ab2e644dd221f741ec7578d9532c9a3",
"versionType": "git"
},
{
"lessThan": "b96d7b4a9745fbd0c8384608ceb1f50415e862fa",
"status": "affected",
"version": "7caa47151ab2e644dd221f741ec7578d9532c9a3",
"versionType": "git"
},
{
"lessThan": "984af1e66b4126cf145153661cc24c213e2ec231",
"status": "affected",
"version": "7caa47151ab2e644dd221f741ec7578d9532c9a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-iocost.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: fix divide by 0 error in calc_lcoefs()\n\necho max of u64 to cost.model can cause divide by 0 error.\n\n # echo 8:0 rbps=18446744073709551615 \u003e /sys/fs/cgroup/io.cost.model\n\n divide error: 0000 [#1] PREEMPT SMP\n RIP: 0010:calc_lcoefs+0x4c/0xc0\n Call Trace:\n \u003cTASK\u003e\n ioc_refresh_params+0x2b3/0x4f0\n ioc_cost_model_write+0x3cb/0x4c0\n ? _copy_from_iter+0x6d/0x6c0\n ? kernfs_fop_write_iter+0xfc/0x270\n cgroup_file_write+0xa0/0x200\n kernfs_fop_write_iter+0x17d/0x270\n vfs_write+0x414/0x620\n ksys_write+0x73/0x160\n __x64_sys_write+0x1e/0x30\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\ncalc_lcoefs() uses the input value of cost.model in DIV_ROUND_UP_ULL,\noverflow would happen if bps plus IOC_PAGE_SIZE is greater than\nULLONG_MAX, it can cause divide by 0 error.\n\nFix the problem by setting basecost"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:19.897Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9e8bf9f95f7a299fa9ea45b678d001806ad5e12c"
},
{
"url": "https://git.kernel.org/stable/c/6e291810fe83a384700eb24a1f714966391ed562"
},
{
"url": "https://git.kernel.org/stable/c/3538ade9d8c2ba41088e395de916f2599fadba8f"
},
{
"url": "https://git.kernel.org/stable/c/bf8eb1fd6110871e6232e8e7efe399276ef7e6f6"
},
{
"url": "https://git.kernel.org/stable/c/b96d7b4a9745fbd0c8384608ceb1f50415e862fa"
},
{
"url": "https://git.kernel.org/stable/c/984af1e66b4126cf145153661cc24c213e2ec231"
}
],
"title": "blk-iocost: fix divide by 0 error in calc_lcoefs()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53783",
"datePublished": "2025-12-09T00:00:38.679Z",
"dateReserved": "2025-12-08T23:58:35.272Z",
"dateUpdated": "2025-12-20T08:51:19.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53846 (GCVE-0-2023-53846)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-20 08:51
Title
f2fs: fix to do sanity check on direct node in truncate_dnode()
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on direct node in truncate_dnode()
syzbot reports below bug:
BUG: KASAN: slab-use-after-free in f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574
Read of size 4 at addr ffff88802a25c000 by task syz-executor148/5000
CPU: 1 PID: 5000 Comm: syz-executor148 Not tainted 6.4.0-rc7-syzkaller-00041-ge660abd551f1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
print_report mm/kasan/report.c:462 [inline]
kasan_report+0x11c/0x130 mm/kasan/report.c:572
f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574
truncate_dnode+0x229/0x2e0 fs/f2fs/node.c:944
f2fs_truncate_inode_blocks+0x64b/0xde0 fs/f2fs/node.c:1154
f2fs_do_truncate_blocks+0x4ac/0xf30 fs/f2fs/file.c:721
f2fs_truncate_blocks+0x7b/0x300 fs/f2fs/file.c:749
f2fs_truncate.part.0+0x4a5/0x630 fs/f2fs/file.c:799
f2fs_truncate include/linux/fs.h:825 [inline]
f2fs_setattr+0x1738/0x2090 fs/f2fs/file.c:1006
notify_change+0xb2c/0x1180 fs/attr.c:483
do_truncate+0x143/0x200 fs/open.c:66
handle_truncate fs/namei.c:3295 [inline]
do_open fs/namei.c:3640 [inline]
path_openat+0x2083/0x2750 fs/namei.c:3791
do_filp_open+0x1ba/0x410 fs/namei.c:3818
do_sys_openat2+0x16d/0x4c0 fs/open.c:1356
do_sys_open fs/open.c:1372 [inline]
__do_sys_creat fs/open.c:1448 [inline]
__se_sys_creat fs/open.c:1442 [inline]
__x64_sys_creat+0xcd/0x120 fs/open.c:1442
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The root cause is, inodeA references inodeB via inodeB's ino, once inodeA
is truncated, it calls truncate_dnode() to truncate data blocks in inodeB's
node page, it traverse mapping data from node->i.i_addr[0] to
node->i.i_addr[ADDRS_PER_BLOCK() - 1], result in out-of-boundary access.
This patch fixes to add sanity check on dnode page in truncate_dnode(),
so that, it can help to avoid triggering such issue, and once it encounters
such issue, it will record newly introduced ERROR_INVALID_NODE_REFERENCE
error into superblock, later fsck can detect such issue and try repairing.
Also, it removes f2fs_truncate_data_blocks() for cleanup due to the
function has only one caller, and uses f2fs_truncate_data_blocks_range()
instead.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/f2fs.h",
"fs/f2fs/file.c",
"fs/f2fs/node.c",
"include/linux/f2fs_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af0f716ad3b039cab9d426da63a5ee6c88751185",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "a6ec83786ab9f13f25fb18166dee908845713a95",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/f2fs.h",
"fs/f2fs/file.c",
"fs/f2fs/node.c",
"include/linux/f2fs_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on direct node in truncate_dnode()\n\nsyzbot reports below bug:\n\nBUG: KASAN: slab-use-after-free in f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574\nRead of size 4 at addr ffff88802a25c000 by task syz-executor148/5000\n\nCPU: 1 PID: 5000 Comm: syz-executor148 Not tainted 6.4.0-rc7-syzkaller-00041-ge660abd551f1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351\n print_report mm/kasan/report.c:462 [inline]\n kasan_report+0x11c/0x130 mm/kasan/report.c:572\n f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574\n truncate_dnode+0x229/0x2e0 fs/f2fs/node.c:944\n f2fs_truncate_inode_blocks+0x64b/0xde0 fs/f2fs/node.c:1154\n f2fs_do_truncate_blocks+0x4ac/0xf30 fs/f2fs/file.c:721\n f2fs_truncate_blocks+0x7b/0x300 fs/f2fs/file.c:749\n f2fs_truncate.part.0+0x4a5/0x630 fs/f2fs/file.c:799\n f2fs_truncate include/linux/fs.h:825 [inline]\n f2fs_setattr+0x1738/0x2090 fs/f2fs/file.c:1006\n notify_change+0xb2c/0x1180 fs/attr.c:483\n do_truncate+0x143/0x200 fs/open.c:66\n handle_truncate fs/namei.c:3295 [inline]\n do_open fs/namei.c:3640 [inline]\n path_openat+0x2083/0x2750 fs/namei.c:3791\n do_filp_open+0x1ba/0x410 fs/namei.c:3818\n do_sys_openat2+0x16d/0x4c0 fs/open.c:1356\n do_sys_open fs/open.c:1372 [inline]\n __do_sys_creat fs/open.c:1448 [inline]\n __se_sys_creat fs/open.c:1442 [inline]\n __x64_sys_creat+0xcd/0x120 fs/open.c:1442\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root cause is, inodeA references inodeB via inodeB\u0027s ino, once inodeA\nis truncated, it calls truncate_dnode() to 
truncate data blocks in inodeB\u0027s\nnode page, it traverse mapping data from node-\u003ei.i_addr[0] to\nnode-\u003ei.i_addr[ADDRS_PER_BLOCK() - 1], result in out-of-boundary access.\n\nThis patch fixes to add sanity check on dnode page in truncate_dnode(),\nso that, it can help to avoid triggering such issue, and once it encounters\nsuch issue, it will record newly introduced ERROR_INVALID_NODE_REFERENCE\nerror into superblock, later fsck can detect such issue and try repairing.\n\nAlso, it removes f2fs_truncate_data_blocks() for cleanup due to the\nfunction has only one caller, and uses f2fs_truncate_data_blocks_range()\ninstead."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:30.232Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af0f716ad3b039cab9d426da63a5ee6c88751185"
},
{
"url": "https://git.kernel.org/stable/c/a6ec83786ab9f13f25fb18166dee908845713a95"
}
],
"title": "f2fs: fix to do sanity check on direct node in truncate_dnode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53846",
"datePublished": "2025-12-09T01:30:09.202Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2025-12-20T08:51:30.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53821 (GCVE-0-2023-53821)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
ip6_vti: fix slab-use-after-free in decode_session6
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6_vti: fix slab-use-after-free in decode_session6
When ipv6_vti device is set to the qdisc of the sfb type, the cb field
of the sent skb may be modified during enqueuing. Then,
slab-use-after-free may occur when ipv6_vti device sends IPv6 packets.
The stack information is as follows:
BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890
Read of size 1 at addr ffff88802e08edc2 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xd9/0x150
print_address_description.constprop.0+0x2c/0x3c0
kasan_report+0x11d/0x130
decode_session6+0x103f/0x1890
__xfrm_decode_session+0x54/0xb0
vti6_tnl_xmit+0x3e6/0x1ee0
dev_hard_start_xmit+0x187/0x700
sch_direct_xmit+0x1a3/0xc30
__qdisc_run+0x510/0x17a0
__dev_queue_xmit+0x2215/0x3b10
neigh_connected_output+0x3c2/0x550
ip6_finish_output2+0x55a/0x1550
ip6_finish_output+0x6b9/0x1270
ip6_output+0x1f1/0x540
ndisc_send_skb+0xa63/0x1890
ndisc_send_rs+0x132/0x6f0
addrconf_rs_timer+0x3f1/0x870
call_timer_fn+0x1a0/0x580
expire_timers+0x29b/0x4b0
run_timer_softirq+0x326/0x910
__do_softirq+0x1d4/0x905
irq_exit_rcu+0xb7/0x120
sysvec_apic_timer_interrupt+0x97/0xc0
</IRQ>
Allocated by task 9176:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
__kasan_slab_alloc+0x7f/0x90
kmem_cache_alloc_node+0x1cd/0x410
kmalloc_reserve+0x165/0x270
__alloc_skb+0x129/0x330
netlink_sendmsg+0x9b1/0xe30
sock_sendmsg+0xde/0x190
____sys_sendmsg+0x739/0x920
___sys_sendmsg+0x110/0x1b0
__sys_sendmsg+0xf7/0x1c0
do_syscall_64+0x39/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 9176:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0x160/0x1c0
slab_free_freelist_hook+0x11b/0x220
kmem_cache_free+0xf0/0x490
skb_free_head+0x17f/0x1b0
skb_release_data+0x59c/0x850
consume_skb+0xd2/0x170
netlink_unicast+0x54f/0x7f0
netlink_sendmsg+0x926/0xe30
sock_sendmsg+0xde/0x190
____sys_sendmsg+0x739/0x920
___sys_sendmsg+0x110/0x1b0
__sys_sendmsg+0xf7/0x1c0
do_syscall_64+0x39/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff88802e08ed00
which belongs to the cache skbuff_small_head of size 640
The buggy address is located 194 bytes inside of
freed 640-byte region [ffff88802e08ed00, ffff88802e08ef80)
As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
_decode_session6.") showed, xfrm_decode_session was originally intended
only for the receive path. IP6CB(skb)->nhoff is not set during
transmission. Therefore, set the cb field in the skb to 0 before
sending packets.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f855691975bb06373a98711e4cfe2c224244b536 , < 0f0ab8d52ee0062b28367dea23c29e254a26d7db (git) |
| Linux | Linux | Affected: f855691975bb06373a98711e4cfe2c224244b536 , < fa6c6c04f6c9b21b315023f487e5a07ae7fcf647 (git) |
| Linux | Linux | Affected: f855691975bb06373a98711e4cfe2c224244b536 , < eb47e612e59c358c3968a92f90dd36c78c9a2106 (git) |
| Linux | Linux | Affected: f855691975bb06373a98711e4cfe2c224244b536 , < ec23b25e5687dbd644c0f57bcb6af22dd5a6dd36 (git) |
| Linux | Linux | Affected: f855691975bb06373a98711e4cfe2c224244b536 , < a1639a82ce14af76b6419778d343ccbff86ee626 (git) |
| Linux | Linux | Affected: f855691975bb06373a98711e4cfe2c224244b536 , < 55ad2309205cc00c585344374c7472420e1b2c12 (git) |
| Linux | Linux | Affected: f855691975bb06373a98711e4cfe2c224244b536 , < c070688bfbe7759e61e697e421b2a331b0dd74bc (git) |
| Linux | Linux | Affected: f855691975bb06373a98711e4cfe2c224244b536 , < 9fd41f1ba638938c9a1195d09bc6fa3be2712f25 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_vti.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f0ab8d52ee0062b28367dea23c29e254a26d7db",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "fa6c6c04f6c9b21b315023f487e5a07ae7fcf647",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "eb47e612e59c358c3968a92f90dd36c78c9a2106",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "ec23b25e5687dbd644c0f57bcb6af22dd5a6dd36",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "a1639a82ce14af76b6419778d343ccbff86ee626",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "55ad2309205cc00c585344374c7472420e1b2c12",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "c070688bfbe7759e61e697e421b2a331b0dd74bc",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "9fd41f1ba638938c9a1195d09bc6fa3be2712f25",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_vti.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_vti: fix slab-use-after-free in decode_session6\n\nWhen ipv6_vti device is set to the qdisc of the sfb type, the cb field\nof the sent skb may be modified during enqueuing. Then,\nslab-use-after-free may occur when ipv6_vti device sends IPv6 packets.\n\nThe stack information is as follows:\nBUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890\nRead of size 1 at addr ffff88802e08edc2 by task swapper/0/0\nCPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014\nCall Trace:\n\u003cIRQ\u003e\ndump_stack_lvl+0xd9/0x150\nprint_address_description.constprop.0+0x2c/0x3c0\nkasan_report+0x11d/0x130\ndecode_session6+0x103f/0x1890\n__xfrm_decode_session+0x54/0xb0\nvti6_tnl_xmit+0x3e6/0x1ee0\ndev_hard_start_xmit+0x187/0x700\nsch_direct_xmit+0x1a3/0xc30\n__qdisc_run+0x510/0x17a0\n__dev_queue_xmit+0x2215/0x3b10\nneigh_connected_output+0x3c2/0x550\nip6_finish_output2+0x55a/0x1550\nip6_finish_output+0x6b9/0x1270\nip6_output+0x1f1/0x540\nndisc_send_skb+0xa63/0x1890\nndisc_send_rs+0x132/0x6f0\naddrconf_rs_timer+0x3f1/0x870\ncall_timer_fn+0x1a0/0x580\nexpire_timers+0x29b/0x4b0\nrun_timer_softirq+0x326/0x910\n__do_softirq+0x1d4/0x905\nirq_exit_rcu+0xb7/0x120\nsysvec_apic_timer_interrupt+0x97/0xc0\n\u003c/IRQ\u003e\nAllocated by task 9176:\nkasan_save_stack+0x22/0x40\nkasan_set_track+0x25/0x30\n__kasan_slab_alloc+0x7f/0x90\nkmem_cache_alloc_node+0x1cd/0x410\nkmalloc_reserve+0x165/0x270\n__alloc_skb+0x129/0x330\nnetlink_sendmsg+0x9b1/0xe30\nsock_sendmsg+0xde/0x190\n____sys_sendmsg+0x739/0x920\n___sys_sendmsg+0x110/0x1b0\n__sys_sendmsg+0xf7/0x1c0\ndo_syscall_64+0x39/0xb0\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nFreed by task 
9176:\nkasan_save_stack+0x22/0x40\nkasan_set_track+0x25/0x30\nkasan_save_free_info+0x2b/0x40\n____kasan_slab_free+0x160/0x1c0\nslab_free_freelist_hook+0x11b/0x220\nkmem_cache_free+0xf0/0x490\nskb_free_head+0x17f/0x1b0\nskb_release_data+0x59c/0x850\nconsume_skb+0xd2/0x170\nnetlink_unicast+0x54f/0x7f0\nnetlink_sendmsg+0x926/0xe30\nsock_sendmsg+0xde/0x190\n____sys_sendmsg+0x739/0x920\n___sys_sendmsg+0x110/0x1b0\n__sys_sendmsg+0xf7/0x1c0\ndo_syscall_64+0x39/0xb0\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nThe buggy address belongs to the object at ffff88802e08ed00\nwhich belongs to the cache skbuff_small_head of size 640\nThe buggy address is located 194 bytes inside of\nfreed 640-byte region [ffff88802e08ed00, ffff88802e08ef80)\n\nAs commit f855691975bb (\"xfrm6: Fix the nexthdr offset in\n_decode_session6.\") showed, xfrm_decode_session was originally intended\nonly for the receive path. IP6CB(skb)-\u003enhoff is not set during\ntransmission. Therefore, set the cb field in the skb to 0 before\nsending packets."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:34.073Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f0ab8d52ee0062b28367dea23c29e254a26d7db"
},
{
"url": "https://git.kernel.org/stable/c/fa6c6c04f6c9b21b315023f487e5a07ae7fcf647"
},
{
"url": "https://git.kernel.org/stable/c/eb47e612e59c358c3968a92f90dd36c78c9a2106"
},
{
"url": "https://git.kernel.org/stable/c/ec23b25e5687dbd644c0f57bcb6af22dd5a6dd36"
},
{
"url": "https://git.kernel.org/stable/c/a1639a82ce14af76b6419778d343ccbff86ee626"
},
{
"url": "https://git.kernel.org/stable/c/55ad2309205cc00c585344374c7472420e1b2c12"
},
{
"url": "https://git.kernel.org/stable/c/c070688bfbe7759e61e697e421b2a331b0dd74bc"
},
{
"url": "https://git.kernel.org/stable/c/9fd41f1ba638938c9a1195d09bc6fa3be2712f25"
}
],
"title": "ip6_vti: fix slab-use-after-free in decode_session6",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53821",
"datePublished": "2025-12-09T01:29:34.073Z",
"dateReserved": "2025-12-09T01:27:17.824Z",
"dateUpdated": "2025-12-09T01:29:34.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50667 (GCVE-0-2022-50667)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
drm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl()
If the copy of the description string from userspace fails, then the page
for the instance descriptor doesn't get freed before returning -EFAULT,
which leads to a memleak.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7a7a933edd6c3a6d5d64e08093f2d564104cefcd , < b47a37ad4a444d82f9caf153a79d090b79786ebb (git) |
| Linux | Linux | Affected: 7a7a933edd6c3a6d5d64e08093f2d564104cefcd , < 6ad40bbb2c25f17b899fcea114ebc0a46d8a938b (git) |
| Linux | Linux | Affected: 7a7a933edd6c3a6d5d64e08093f2d564104cefcd , < 53066b144715332ce9370143c33c50d9a4d3e809 (git) |
| Linux | Linux | Affected: 7a7a933edd6c3a6d5d64e08093f2d564104cefcd , < a40c7f61d12fbd1e785e59140b9efd57127c0c33 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_msg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b47a37ad4a444d82f9caf153a79d090b79786ebb",
"status": "affected",
"version": "7a7a933edd6c3a6d5d64e08093f2d564104cefcd",
"versionType": "git"
},
{
"lessThan": "6ad40bbb2c25f17b899fcea114ebc0a46d8a938b",
"status": "affected",
"version": "7a7a933edd6c3a6d5d64e08093f2d564104cefcd",
"versionType": "git"
},
{
"lessThan": "53066b144715332ce9370143c33c50d9a4d3e809",
"status": "affected",
"version": "7a7a933edd6c3a6d5d64e08093f2d564104cefcd",
"versionType": "git"
},
{
"lessThan": "a40c7f61d12fbd1e785e59140b9efd57127c0c33",
"status": "affected",
"version": "7a7a933edd6c3a6d5d64e08093f2d564104cefcd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_msg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl()\n\nIf the copy of the description string from userspace fails, then the page\nfor the instance descriptor doesn\u0027t get freed before returning -EFAULT,\nwhich leads to a memleak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:17.925Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b47a37ad4a444d82f9caf153a79d090b79786ebb"
},
{
"url": "https://git.kernel.org/stable/c/6ad40bbb2c25f17b899fcea114ebc0a46d8a938b"
},
{
"url": "https://git.kernel.org/stable/c/53066b144715332ce9370143c33c50d9a4d3e809"
},
{
"url": "https://git.kernel.org/stable/c/a40c7f61d12fbd1e785e59140b9efd57127c0c33"
}
],
"title": "drm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50667",
"datePublished": "2025-12-09T01:29:17.925Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-09T01:29:17.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50639 (GCVE-0-2022-50639)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
io-wq: Fix memory leak in worker creation
Summary
In the Linux kernel, the following vulnerability has been resolved:
io-wq: Fix memory leak in worker creation
If the CPU mask allocation for a node fails, then the memory allocated for
the 'io_wqe' struct of the current node doesn't get freed on the error
handling path, since it has not yet been added to the 'wqes' array.
This was spotted when fuzzing v6.1-rc1 with Syzkaller:
BUG: memory leak
unreferenced object 0xffff8880093d5000 (size 1024):
comm "syz-executor.2", pid 7701, jiffies 4295048595 (age 13.900s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000cb463369>] __kmem_cache_alloc_node+0x18e/0x720
[<00000000147a3f9c>] kmalloc_node_trace+0x2a/0x130
[<000000004e107011>] io_wq_create+0x7b9/0xdc0
[<00000000c38b2018>] io_uring_alloc_task_context+0x31e/0x59d
[<00000000867399da>] __io_uring_add_tctx_node.cold+0x19/0x1ba
[<000000007e0e7a79>] io_uring_setup.cold+0x1b80/0x1dce
[<00000000b545e9f6>] __x64_sys_io_uring_setup+0x5d/0x80
[<000000008a8a7508>] do_syscall_64+0x5d/0x90
[<000000004ac08bec>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0e03496d1967abf1ebb151a24318c07d07f41f7f , < b6e2c54be37d5eb4f6666e6aa59cd0581c7ffc3c (git) |
| Linux | Linux | Affected: 0e03496d1967abf1ebb151a24318c07d07f41f7f , < ed981911a7c90a604f4a2bee908ab07e3b786aca (git) |
| Linux | Linux | Affected: 0e03496d1967abf1ebb151a24318c07d07f41f7f , < 996d3efeb091c503afd3ee6b5e20eabf446fd955 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/io-wq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b6e2c54be37d5eb4f6666e6aa59cd0581c7ffc3c",
"status": "affected",
"version": "0e03496d1967abf1ebb151a24318c07d07f41f7f",
"versionType": "git"
},
{
"lessThan": "ed981911a7c90a604f4a2bee908ab07e3b786aca",
"status": "affected",
"version": "0e03496d1967abf1ebb151a24318c07d07f41f7f",
"versionType": "git"
},
{
"lessThan": "996d3efeb091c503afd3ee6b5e20eabf446fd955",
"status": "affected",
"version": "0e03496d1967abf1ebb151a24318c07d07f41f7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/io-wq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio-wq: Fix memory leak in worker creation\n\nIf the CPU mask allocation for a node fails, then the memory allocated for\nthe \u0027io_wqe\u0027 struct of the current node doesn\u0027t get freed on the error\nhandling path, since it has not yet been added to the \u0027wqes\u0027 array.\n\nThis was spotted when fuzzing v6.1-rc1 with Syzkaller:\nBUG: memory leak\nunreferenced object 0xffff8880093d5000 (size 1024):\n comm \"syz-executor.2\", pid 7701, jiffies 4295048595 (age 13.900s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003c00000000cb463369\u003e] __kmem_cache_alloc_node+0x18e/0x720\n [\u003c00000000147a3f9c\u003e] kmalloc_node_trace+0x2a/0x130\n [\u003c000000004e107011\u003e] io_wq_create+0x7b9/0xdc0\n [\u003c00000000c38b2018\u003e] io_uring_alloc_task_context+0x31e/0x59d\n [\u003c00000000867399da\u003e] __io_uring_add_tctx_node.cold+0x19/0x1ba\n [\u003c000000007e0e7a79\u003e] io_uring_setup.cold+0x1b80/0x1dce\n [\u003c00000000b545e9f6\u003e] __x64_sys_io_uring_setup+0x5d/0x80\n [\u003c000000008a8a7508\u003e] do_syscall_64+0x5d/0x90\n [\u003c000000004ac08bec\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:12.576Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b6e2c54be37d5eb4f6666e6aa59cd0581c7ffc3c"
},
{
"url": "https://git.kernel.org/stable/c/ed981911a7c90a604f4a2bee908ab07e3b786aca"
},
{
"url": "https://git.kernel.org/stable/c/996d3efeb091c503afd3ee6b5e20eabf446fd955"
}
],
"title": "io-wq: Fix memory leak in worker creation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50639",
"datePublished": "2025-12-09T00:00:12.576Z",
"dateReserved": "2025-12-08T23:57:43.370Z",
"dateUpdated": "2025-12-09T00:00:12.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53815 (GCVE-0-2023-53815)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
Title
posix-timers: Prevent RT livelock in itimer_delete()
Summary
In the Linux kernel, the following vulnerability has been resolved:
posix-timers: Prevent RT livelock in itimer_delete()
itimer_delete() has a retry loop when the timer is concurrently expired. On
non-RT kernels this just spin-waits until the timer callback has completed,
except for posix CPU timers which have HAVE_POSIX_CPU_TIMERS_TASK_WORK
enabled.
In that case and on RT kernels the existing task could live lock when
preempting the task which does the timer delivery.
Replace spin_unlock() with an invocation of timer_wait_running() to handle
it the same way as the other retry loops in the posix timer code.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ec8f954a40da8cd3d159713b608e901f0cd909a9 , < f1be1ed32daa053484222f7f9beb2b16c624dffd (git) |
| Linux | Linux | Affected: ec8f954a40da8cd3d159713b608e901f0cd909a9 , < 0670c4c567b27bd8f999a943028f4fe60d1a1106 (git) |
| Linux | Linux | Affected: ec8f954a40da8cd3d159713b608e901f0cd909a9 , < e7aff15ba29ba4b3052786b1636fa5c4aa39e179 (git) |
| Linux | Linux | Affected: ec8f954a40da8cd3d159713b608e901f0cd909a9 , < f9bd298e3e4d3fd6e19f017789a42d0f332cd555 (git) |
| Linux | Linux | Affected: ec8f954a40da8cd3d159713b608e901f0cd909a9 , < c1968bb8a28625cc95d2ad3ca872ab98c9c36d59 (git) |
| Linux | Linux | Affected: ec8f954a40da8cd3d159713b608e901f0cd909a9 , < 9d9e522010eb5685d8b53e8a24320653d9d4cbbf (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/time/posix-timers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f1be1ed32daa053484222f7f9beb2b16c624dffd",
"status": "affected",
"version": "ec8f954a40da8cd3d159713b608e901f0cd909a9",
"versionType": "git"
},
{
"lessThan": "0670c4c567b27bd8f999a943028f4fe60d1a1106",
"status": "affected",
"version": "ec8f954a40da8cd3d159713b608e901f0cd909a9",
"versionType": "git"
},
{
"lessThan": "e7aff15ba29ba4b3052786b1636fa5c4aa39e179",
"status": "affected",
"version": "ec8f954a40da8cd3d159713b608e901f0cd909a9",
"versionType": "git"
},
{
"lessThan": "f9bd298e3e4d3fd6e19f017789a42d0f332cd555",
"status": "affected",
"version": "ec8f954a40da8cd3d159713b608e901f0cd909a9",
"versionType": "git"
},
{
"lessThan": "c1968bb8a28625cc95d2ad3ca872ab98c9c36d59",
"status": "affected",
"version": "ec8f954a40da8cd3d159713b608e901f0cd909a9",
"versionType": "git"
},
{
"lessThan": "9d9e522010eb5685d8b53e8a24320653d9d4cbbf",
"status": "affected",
"version": "ec8f954a40da8cd3d159713b608e901f0cd909a9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/time/posix-timers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-timers: Prevent RT livelock in itimer_delete()\n\nitimer_delete() has a retry loop when the timer is concurrently expired. On\nnon-RT kernels this just spin-waits until the timer callback has completed,\nexcept for posix CPU timers which have HAVE_POSIX_CPU_TIMERS_TASK_WORK\nenabled.\n\nIn that case and on RT kernels the existing task could live lock when\npreempting the task which does the timer delivery.\n\nReplace spin_unlock() with an invocation of timer_wait_running() to handle\nit the same way as the other retry loops in the posix timer code."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:12.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f1be1ed32daa053484222f7f9beb2b16c624dffd"
},
{
"url": "https://git.kernel.org/stable/c/0670c4c567b27bd8f999a943028f4fe60d1a1106"
},
{
"url": "https://git.kernel.org/stable/c/e7aff15ba29ba4b3052786b1636fa5c4aa39e179"
},
{
"url": "https://git.kernel.org/stable/c/f9bd298e3e4d3fd6e19f017789a42d0f332cd555"
},
{
"url": "https://git.kernel.org/stable/c/c1968bb8a28625cc95d2ad3ca872ab98c9c36d59"
},
{
"url": "https://git.kernel.org/stable/c/9d9e522010eb5685d8b53e8a24320653d9d4cbbf"
}
],
"title": "posix-timers: Prevent RT livelock in itimer_delete()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53815",
"datePublished": "2025-12-09T00:01:12.832Z",
"dateReserved": "2025-12-08T23:58:35.277Z",
"dateUpdated": "2025-12-09T00:01:12.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50650 (GCVE-0-2022-50650)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
bpf: Fix reference state management for synchronous callbacks
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix reference state management for synchronous callbacks
Currently, verifier verifies callback functions (sync and async) as if
they will be executed once, (i.e. it explores execution state as if the
function was being called once). The next insn to explore is set to
start of subprog and the exit from nested frame is handled using
curframe > 0 and prepare_func_exit. In case of async callback it uses a
customized variant of push_stack simulating a kind of branch to set up
custom state and execution context for the async callback.
While this approach is simple and works when callback really will be
executed only once, it is unsafe for all of our current helpers which
are for_each style, i.e. they execute the callback multiple times.
A callback releasing acquired references of the caller may do so
multiple times, but currently verifier sees it as one call inside the
frame, which then returns to caller. Hence, it thinks it released some
reference that the cb e.g. got access through callback_ctx (register
filled inside cb from spilled typed register on stack).
Similarly, it may see that an acquire call is unpaired inside the
callback, so the caller will copy the reference state of callback and
then will have to release the register with new ref_obj_ids. But again,
the callback may execute multiple times, but the verifier will only
account for acquired references for a single symbolic execution of the
callback, which will cause leaks.
Note that for async callback case, things are different. While currently
we have bpf_timer_set_callback which only executes it once, even for
multiple executions it would be safe, as reference state is NULL and
check_reference_leak would force program to release state before
BPF_EXIT. The state is also unaffected by analysis for the caller frame.
Hence async callback is safe.
Since we want the reference state to be accessible, e.g. for pointers
loaded from stack through callback_ctx's PTR_TO_STACK, we still have to
copy caller's reference_state to callback's bpf_func_state, but we
enforce that whatever references it adds to that reference_state has
been released before it hits BPF_EXIT. This requires introducing a new
callback_ref member in the reference state to distinguish between caller
vs callee references. Hence, check_reference_leak now errors out if it
sees we are in callback_fn and we have not released callback_ref refs.
Since there can be multiple nested callbacks, like frame 0 -> cb1 -> cb2
etc. we need to also distinguish between whether this particular ref
belongs to this callback frame or parent, and only error for our own, so
we store state->frameno (which is always non-zero for callbacks).
In short, callbacks can read parent reference_state, but cannot mutate
it, to be able to use pointers acquired by the caller. They must only
undo their changes (by releasing their own acquired_refs before
BPF_EXIT) on top of caller reference_state before returning (at which
point the caller and callback state will match anyway, so no need to
copy it back to caller).
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 69c087ba6225b574afb6e505b72cb75242a3d844 , < 4ed5155043c97ac8912bcf67331df87c833fb067 (git) |
| Linux | Linux | Affected: 69c087ba6225b574afb6e505b72cb75242a3d844 , < caa176c0953cdfd5ce500fb517ce1ea924a8bc4c (git) |
| Linux | Linux | Affected: 69c087ba6225b574afb6e505b72cb75242a3d844 , < aed931fd3b6e28f19cc140ff90aa5046ee2aa4e1 (git) |
| Linux | Linux | Affected: 69c087ba6225b574afb6e505b72cb75242a3d844 , < 9d9d00ac29d0ef7ce426964de46fa6b380357d0a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/bpf_verifier.h",
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ed5155043c97ac8912bcf67331df87c833fb067",
"status": "affected",
"version": "69c087ba6225b574afb6e505b72cb75242a3d844",
"versionType": "git"
},
{
"lessThan": "caa176c0953cdfd5ce500fb517ce1ea924a8bc4c",
"status": "affected",
"version": "69c087ba6225b574afb6e505b72cb75242a3d844",
"versionType": "git"
},
{
"lessThan": "aed931fd3b6e28f19cc140ff90aa5046ee2aa4e1",
"status": "affected",
"version": "69c087ba6225b574afb6e505b72cb75242a3d844",
"versionType": "git"
},
{
"lessThan": "9d9d00ac29d0ef7ce426964de46fa6b380357d0a",
"status": "affected",
"version": "69c087ba6225b574afb6e505b72cb75242a3d844",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/bpf_verifier.h",
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix reference state management for synchronous callbacks\n\nCurrently, verifier verifies callback functions (sync and async) as if\nthey will be executed once, (i.e. it explores execution state as if the\nfunction was being called once). The next insn to explore is set to\nstart of subprog and the exit from nested frame is handled using\ncurframe \u003e 0 and prepare_func_exit. In case of async callback it uses a\ncustomized variant of push_stack simulating a kind of branch to set up\ncustom state and execution context for the async callback.\n\nWhile this approach is simple and works when callback really will be\nexecuted only once, it is unsafe for all of our current helpers which\nare for_each style, i.e. they execute the callback multiple times.\n\nA callback releasing acquired references of the caller may do so\nmultiple times, but currently verifier sees it as one call inside the\nframe, which then returns to caller. Hence, it thinks it released some\nreference that the cb e.g. got access through callback_ctx (register\nfilled inside cb from spilled typed register on stack).\n\nSimilarly, it may see that an acquire call is unpaired inside the\ncallback, so the caller will copy the reference state of callback and\nthen will have to release the register with new ref_obj_ids. But again,\nthe callback may execute multiple times, but the verifier will only\naccount for acquired references for a single symbolic execution of the\ncallback, which will cause leaks.\n\nNote that for async callback case, things are different. While currently\nwe have bpf_timer_set_callback which only executes it once, even for\nmultiple executions it would be safe, as reference state is NULL and\ncheck_reference_leak would force program to release state before\nBPF_EXIT. 
The state is also unaffected by analysis for the caller frame.\nHence async callback is safe.\n\nSince we want the reference state to be accessible, e.g. for pointers\nloaded from stack through callback_ctx\u0027s PTR_TO_STACK, we still have to\ncopy caller\u0027s reference_state to callback\u0027s bpf_func_state, but we\nenforce that whatever references it adds to that reference_state has\nbeen released before it hits BPF_EXIT. This requires introducing a new\ncallback_ref member in the reference state to distinguish between caller\nvs callee references. Hence, check_reference_leak now errors out if it\nsees we are in callback_fn and we have not released callback_ref refs.\nSince there can be multiple nested callbacks, like frame 0 -\u003e cb1 -\u003e cb2\netc. we need to also distinguish between whether this particular ref\nbelongs to this callback frame or parent, and only error for our own, so\nwe store state-\u003eframeno (which is always non-zero for callbacks).\n\nIn short, callbacks can read parent reference_state, but cannot mutate\nit, to be able to use pointers acquired by the caller. They must only\nundo their changes (by releasing their own acquired_refs before\nBPF_EXIT) on top of caller reference_state before returning (at which\npoint the caller and callback state will match anyway, so no need to\ncopy it back to caller)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:24.598Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ed5155043c97ac8912bcf67331df87c833fb067"
},
{
"url": "https://git.kernel.org/stable/c/caa176c0953cdfd5ce500fb517ce1ea924a8bc4c"
},
{
"url": "https://git.kernel.org/stable/c/aed931fd3b6e28f19cc140ff90aa5046ee2aa4e1"
},
{
"url": "https://git.kernel.org/stable/c/9d9d00ac29d0ef7ce426964de46fa6b380357d0a"
}
],
"title": "bpf: Fix reference state management for synchronous callbacks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50650",
"datePublished": "2025-12-09T00:00:24.598Z",
"dateReserved": "2025-12-08T23:57:43.371Z",
"dateUpdated": "2025-12-09T00:00:24.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40335 (GCVE-0-2025-40335)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-20 08:52
Title
drm/amdgpu: validate userq input args
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: validate userq input args
This will help on validating the userq input args, and
rejecting for the invalid userq request at the IOCTLs
first place.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c",
"drivers/gpu/drm/amd/amdgpu/mes_userqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bdaa7ad3a5bb606d7dbd5c8627dc7efcb2392eb9",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "219be4711a1ba788bc2a9fafc117139d133e5fea",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c",
"drivers/gpu/drm/amd/amdgpu/mes_userqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate userq input args\n\nThis will help on validating the userq input args, and\nrejecting for the invalid userq request at the IOCTLs\nfirst place."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:09.031Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bdaa7ad3a5bb606d7dbd5c8627dc7efcb2392eb9"
},
{
"url": "https://git.kernel.org/stable/c/219be4711a1ba788bc2a9fafc117139d133e5fea"
}
],
"title": "drm/amdgpu: validate userq input args",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40335",
"datePublished": "2025-12-09T04:09:51.937Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-20T08:52:09.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40337 (GCVE-0-2025-40337)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2026-01-02 15:33
Title
net: stmmac: Correctly handle Rx checksum offload errors
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: Correctly handle Rx checksum offload errors
The stmmac_rx function would previously set skb->ip_summed to
CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled
and the packet was of a known IP ethertype.
However, this logic failed to check if the hardware had actually
reported a checksum error. The hardware status, indicating a header or
payload checksum failure, was being ignored at this stage. This could
cause corrupt packets to be passed up the network stack as valid.
This patch corrects the logic by checking the `csum_none` status flag,
which is set when the hardware reports a checksum error. If this flag
is set, skb->ip_summed is now correctly set to CHECKSUM_NONE,
ensuring the kernel's network stack will perform its own validation and
properly handle the corrupt packet.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3c20f72f9108b2fcf30ec63d8a4203736c01ccd0 , < 63fbe0e6413279d5ea5842e2423e351ded547683 (git) |
| Linux | Linux | Affected: 3c20f72f9108b2fcf30ec63d8a4203736c01ccd0 , < 719fcdf29051f7471d5d433475af76219019d33d (git) |
| Linux | Linux | Affected: 3c20f72f9108b2fcf30ec63d8a4203736c01ccd0 , < 1aa319e0f12d2d761a31556b82a5852c98eb0bea (git) |
| Linux | Linux | Affected: 3c20f72f9108b2fcf30ec63d8a4203736c01ccd0 , < ee0aace5f844ef59335148875d05bec8764e71e8 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "63fbe0e6413279d5ea5842e2423e351ded547683",
"status": "affected",
"version": "3c20f72f9108b2fcf30ec63d8a4203736c01ccd0",
"versionType": "git"
},
{
"lessThan": "719fcdf29051f7471d5d433475af76219019d33d",
"status": "affected",
"version": "3c20f72f9108b2fcf30ec63d8a4203736c01ccd0",
"versionType": "git"
},
{
"lessThan": "1aa319e0f12d2d761a31556b82a5852c98eb0bea",
"status": "affected",
"version": "3c20f72f9108b2fcf30ec63d8a4203736c01ccd0",
"versionType": "git"
},
{
"lessThan": "ee0aace5f844ef59335148875d05bec8764e71e8",
"status": "affected",
"version": "3c20f72f9108b2fcf30ec63d8a4203736c01ccd0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: Correctly handle Rx checksum offload errors\n\nThe stmmac_rx function would previously set skb-\u003eip_summed to\nCHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled\nand the packet was of a known IP ethertype.\n\nHowever, this logic failed to check if the hardware had actually\nreported a checksum error. The hardware status, indicating a header or\npayload checksum failure, was being ignored at this stage. This could\ncause corrupt packets to be passed up the network stack as valid.\n\nThis patch corrects the logic by checking the `csum_none` status flag,\nwhich is set when the hardware reports a checksum error. If this flag\nis set, skb-\u003eip_summed is now correctly set to CHECKSUM_NONE,\nensuring the kernel\u0027s network stack will perform its own validation and\nproperly handle the corrupt packet."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:39.035Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/63fbe0e6413279d5ea5842e2423e351ded547683"
},
{
"url": "https://git.kernel.org/stable/c/719fcdf29051f7471d5d433475af76219019d33d"
},
{
"url": "https://git.kernel.org/stable/c/1aa319e0f12d2d761a31556b82a5852c98eb0bea"
},
{
"url": "https://git.kernel.org/stable/c/ee0aace5f844ef59335148875d05bec8764e71e8"
}
],
"title": "net: stmmac: Correctly handle Rx checksum offload errors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40337",
"datePublished": "2025-12-09T04:09:53.808Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-01-02T15:33:39.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53824 (GCVE-0-2023-53824)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
netlink: annotate lockless accesses to nlk->max_recvmsg_len
Summary
In the Linux kernel, the following vulnerability has been resolved:
netlink: annotate lockless accesses to nlk->max_recvmsg_len
syzbot reported a data-race in data-race in netlink_recvmsg() [1]
Indeed, netlink_recvmsg() can be run concurrently,
and netlink_dump() also needs protection.
[1]
BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg
read to 0xffff888141840b38 of 8 bytes by task 23057 on cpu 0:
netlink_recvmsg+0xea/0x730 net/netlink/af_netlink.c:1988
sock_recvmsg_nosec net/socket.c:1017 [inline]
sock_recvmsg net/socket.c:1038 [inline]
__sys_recvfrom+0x1ee/0x2e0 net/socket.c:2194
__do_sys_recvfrom net/socket.c:2212 [inline]
__se_sys_recvfrom net/socket.c:2208 [inline]
__x64_sys_recvfrom+0x78/0x90 net/socket.c:2208
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
write to 0xffff888141840b38 of 8 bytes by task 23037 on cpu 1:
netlink_recvmsg+0x114/0x730 net/netlink/af_netlink.c:1989
sock_recvmsg_nosec net/socket.c:1017 [inline]
sock_recvmsg net/socket.c:1038 [inline]
____sys_recvmsg+0x156/0x310 net/socket.c:2720
___sys_recvmsg net/socket.c:2762 [inline]
do_recvmmsg+0x2e5/0x710 net/socket.c:2856
__sys_recvmmsg net/socket.c:2935 [inline]
__do_sys_recvmmsg net/socket.c:2958 [inline]
__se_sys_recvmmsg net/socket.c:2951 [inline]
__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0x0000000000000000 -> 0x0000000000001000
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 23037 Comm: syz-executor.2 Not tainted 6.3.0-rc4-syzkaller-00195-g5a57b48fdfcb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9063e21fb026c4966fc93261c18322214f9835eb , < 05c9e3fc93b02d18c3ab258d43350a6d44b40bbd (git) |
| Linux | Linux | Affected: 9063e21fb026c4966fc93261c18322214f9835eb , < 7cff4103be7c402ecc3e7bf8f95a64089e3c91b8 (git) |
| Linux | Linux | Affected: 9063e21fb026c4966fc93261c18322214f9835eb , < e3bcf2a77060bea4d8d09cb09d92c7056f07df5a (git) |
| Linux | Linux | Affected: 9063e21fb026c4966fc93261c18322214f9835eb , < fc4ba13013ddaea8b11b88fd52b35449e2d9cf85 (git) |
| Linux | Linux | Affected: 9063e21fb026c4966fc93261c18322214f9835eb , < a1865f2e7d10dde00d35a2122b38d2e469ae67ed (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netlink/af_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "05c9e3fc93b02d18c3ab258d43350a6d44b40bbd",
"status": "affected",
"version": "9063e21fb026c4966fc93261c18322214f9835eb",
"versionType": "git"
},
{
"lessThan": "7cff4103be7c402ecc3e7bf8f95a64089e3c91b8",
"status": "affected",
"version": "9063e21fb026c4966fc93261c18322214f9835eb",
"versionType": "git"
},
{
"lessThan": "e3bcf2a77060bea4d8d09cb09d92c7056f07df5a",
"status": "affected",
"version": "9063e21fb026c4966fc93261c18322214f9835eb",
"versionType": "git"
},
{
"lessThan": "fc4ba13013ddaea8b11b88fd52b35449e2d9cf85",
"status": "affected",
"version": "9063e21fb026c4966fc93261c18322214f9835eb",
"versionType": "git"
},
{
"lessThan": "a1865f2e7d10dde00d35a2122b38d2e469ae67ed",
"status": "affected",
"version": "9063e21fb026c4966fc93261c18322214f9835eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netlink/af_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.218",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.218",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.160",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: annotate lockless accesses to nlk-\u003emax_recvmsg_len\n\nsyzbot reported a data-race in data-race in netlink_recvmsg() [1]\n\nIndeed, netlink_recvmsg() can be run concurrently,\nand netlink_dump() also needs protection.\n\n[1]\nBUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg\n\nread to 0xffff888141840b38 of 8 bytes by task 23057 on cpu 0:\nnetlink_recvmsg+0xea/0x730 net/netlink/af_netlink.c:1988\nsock_recvmsg_nosec net/socket.c:1017 [inline]\nsock_recvmsg net/socket.c:1038 [inline]\n__sys_recvfrom+0x1ee/0x2e0 net/socket.c:2194\n__do_sys_recvfrom net/socket.c:2212 [inline]\n__se_sys_recvfrom net/socket.c:2208 [inline]\n__x64_sys_recvfrom+0x78/0x90 net/socket.c:2208\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nwrite to 0xffff888141840b38 of 8 bytes by task 23037 on cpu 1:\nnetlink_recvmsg+0x114/0x730 net/netlink/af_netlink.c:1989\nsock_recvmsg_nosec net/socket.c:1017 [inline]\nsock_recvmsg net/socket.c:1038 [inline]\n____sys_recvmsg+0x156/0x310 net/socket.c:2720\n___sys_recvmsg net/socket.c:2762 [inline]\ndo_recvmmsg+0x2e5/0x710 net/socket.c:2856\n__sys_recvmmsg net/socket.c:2935 [inline]\n__do_sys_recvmmsg net/socket.c:2958 [inline]\n__se_sys_recvmmsg net/socket.c:2951 [inline]\n__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x0000000000000000 -\u003e 0x0000000000001000\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 23037 Comm: syz-executor.2 Not tainted 6.3.0-rc4-syzkaller-00195-g5a57b48fdfcb #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:37.432Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/05c9e3fc93b02d18c3ab258d43350a6d44b40bbd"
},
{
"url": "https://git.kernel.org/stable/c/7cff4103be7c402ecc3e7bf8f95a64089e3c91b8"
},
{
"url": "https://git.kernel.org/stable/c/e3bcf2a77060bea4d8d09cb09d92c7056f07df5a"
},
{
"url": "https://git.kernel.org/stable/c/fc4ba13013ddaea8b11b88fd52b35449e2d9cf85"
},
{
"url": "https://git.kernel.org/stable/c/a1865f2e7d10dde00d35a2122b38d2e469ae67ed"
}
],
"title": "netlink: annotate lockless accesses to nlk-\u003emax_recvmsg_len",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53824",
"datePublished": "2025-12-09T01:29:37.432Z",
"dateReserved": "2025-12-09T01:27:17.824Z",
"dateUpdated": "2025-12-09T01:29:37.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53834 (GCVE-0-2023-53834)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
iio: adc: ina2xx: avoid NULL pointer dereference on OF device match
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: adc: ina2xx: avoid NULL pointer dereference on OF device match
The affected lines were resulting in a NULL pointer dereference on our
platform because the device tree contained the following list of
compatible strings:
    power-sensor@40 {
        compatible = "ti,ina232", "ti,ina231";
        ...
    };
Since the driver doesn't declare a compatible string "ti,ina232", the OF
matching succeeds on "ti,ina231". But the I2C device ID info is
populated via the first compatible string, cf. modalias population in
of_i2c_get_board_info(). Since there is no "ina232" entry in the legacy
I2C device ID table either, the struct i2c_device_id *id pointer in the
probe function is NULL.
Fix this by using the already populated type variable instead, which
points to the proper driver data. Since the name is also wanted, add a
generic one to the ina2xx_config table.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c43a102e67db99c8bfe6e8a9280cec13ff53b789 , < a8e2ae6296d56478fb98ae7f739846ed121f154f (git) |
| Linux | Linux | Affected: c43a102e67db99c8bfe6e8a9280cec13ff53b789 , < 77b689cc27d489b75d33f1a368356d70eb0ce08c (git) |
| Linux | Linux | Affected: c43a102e67db99c8bfe6e8a9280cec13ff53b789 , < 13f3ce53b65aa8b44cad7039d31e62c9ffd6c5d1 (git) |
| Linux | Linux | Affected: c43a102e67db99c8bfe6e8a9280cec13ff53b789 , < a41e19cc0d6b6a445a4133170b90271e4a2553dc (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/adc/ina2xx-adc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8e2ae6296d56478fb98ae7f739846ed121f154f",
"status": "affected",
"version": "c43a102e67db99c8bfe6e8a9280cec13ff53b789",
"versionType": "git"
},
{
"lessThan": "77b689cc27d489b75d33f1a368356d70eb0ce08c",
"status": "affected",
"version": "c43a102e67db99c8bfe6e8a9280cec13ff53b789",
"versionType": "git"
},
{
"lessThan": "13f3ce53b65aa8b44cad7039d31e62c9ffd6c5d1",
"status": "affected",
"version": "c43a102e67db99c8bfe6e8a9280cec13ff53b789",
"versionType": "git"
},
{
"lessThan": "a41e19cc0d6b6a445a4133170b90271e4a2553dc",
"status": "affected",
"version": "c43a102e67db99c8bfe6e8a9280cec13ff53b789",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/adc/ina2xx-adc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ina2xx: avoid NULL pointer dereference on OF device match\n\nThe affected lines were resulting in a NULL pointer dereference on our\nplatform because the device tree contained the following list of\ncompatible strings:\n\n power-sensor@40 {\n compatible = \"ti,ina232\", \"ti,ina231\";\n ...\n };\n\nSince the driver doesn\u0027t declare a compatible string \"ti,ina232\", the OF\nmatching succeeds on \"ti,ina231\". But the I2C device ID info is\npopulated via the first compatible string, cf. modalias population in\nof_i2c_get_board_info(). Since there is no \"ina232\" entry in the legacy\nI2C device ID table either, the struct i2c_device_id *id pointer in the\nprobe function is NULL.\n\nFix this by using the already populated type variable instead, which\npoints to the proper driver data. Since the name is also wanted, add a\ngeneric one to the ina2xx_config table."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:49.742Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8e2ae6296d56478fb98ae7f739846ed121f154f"
},
{
"url": "https://git.kernel.org/stable/c/77b689cc27d489b75d33f1a368356d70eb0ce08c"
},
{
"url": "https://git.kernel.org/stable/c/13f3ce53b65aa8b44cad7039d31e62c9ffd6c5d1"
},
{
"url": "https://git.kernel.org/stable/c/a41e19cc0d6b6a445a4133170b90271e4a2553dc"
}
],
"title": "iio: adc: ina2xx: avoid NULL pointer dereference on OF device match",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53834",
"datePublished": "2025-12-09T01:29:49.742Z",
"dateReserved": "2025-12-09T01:27:17.825Z",
"dateUpdated": "2025-12-09T01:29:49.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50648 (GCVE-0-2022-50648)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
ftrace: Fix recursive locking direct_mutex in ftrace_modify_direct_caller
Summary
In the Linux kernel, the following vulnerability has been resolved:
ftrace: Fix recursive locking direct_mutex in ftrace_modify_direct_caller
Naveen reported recursive locking of direct_mutex with sample
ftrace-direct-modify.ko:
[ 74.762406] WARNING: possible recursive locking detected
[ 74.762887] 6.0.0-rc6+ #33 Not tainted
[ 74.763216] --------------------------------------------
[ 74.763672] event-sample-fn/1084 is trying to acquire lock:
[ 74.764152] ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \
register_ftrace_function+0x1f/0x180
[ 74.764922]
[ 74.764922] but task is already holding lock:
[ 74.765421] ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \
modify_ftrace_direct+0x34/0x1f0
[ 74.766142]
[ 74.766142] other info that might help us debug this:
[ 74.766701] Possible unsafe locking scenario:
[ 74.766701]
[ 74.767216] CPU0
[ 74.767437] ----
[ 74.767656] lock(direct_mutex);
[ 74.767952] lock(direct_mutex);
[ 74.768245]
[ 74.768245] *** DEADLOCK ***
[ 74.768245]
[ 74.768750] May be due to missing lock nesting notation
[ 74.768750]
[ 74.769332] 1 lock held by event-sample-fn/1084:
[ 74.769731] #0: ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \
modify_ftrace_direct+0x34/0x1f0
[ 74.770496]
[ 74.770496] stack backtrace:
[ 74.770884] CPU: 4 PID: 1084 Comm: event-sample-fn Not tainted ...
[ 74.771498] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), ...
[ 74.772474] Call Trace:
[ 74.772696] <TASK>
[ 74.772896] dump_stack_lvl+0x44/0x5b
[ 74.773223] __lock_acquire.cold.74+0xac/0x2b7
[ 74.773616] lock_acquire+0xd2/0x310
[ 74.773936] ? register_ftrace_function+0x1f/0x180
[ 74.774357] ? lock_is_held_type+0xd8/0x130
[ 74.774744] ? my_tramp2+0x11/0x11 [ftrace_direct_modify]
[ 74.775213] __mutex_lock+0x99/0x1010
[ 74.775536] ? register_ftrace_function+0x1f/0x180
[ 74.775954] ? slab_free_freelist_hook.isra.43+0x115/0x160
[ 74.776424] ? ftrace_set_hash+0x195/0x220
[ 74.776779] ? register_ftrace_function+0x1f/0x180
[ 74.777194] ? kfree+0x3e1/0x440
[ 74.777482] ? my_tramp2+0x11/0x11 [ftrace_direct_modify]
[ 74.777941] ? __schedule+0xb40/0xb40
[ 74.778258] ? register_ftrace_function+0x1f/0x180
[ 74.778672] ? my_tramp1+0xf/0xf [ftrace_direct_modify]
[ 74.779128] register_ftrace_function+0x1f/0x180
[ 74.779527] ? ftrace_set_filter_ip+0x33/0x70
[ 74.779910] ? __schedule+0xb40/0xb40
[ 74.780231] ? my_tramp1+0xf/0xf [ftrace_direct_modify]
[ 74.780678] ? my_tramp2+0x11/0x11 [ftrace_direct_modify]
[ 74.781147] ftrace_modify_direct_caller+0x5b/0x90
[ 74.781563] ? 0xffffffffa0201000
[ 74.781859] ? my_tramp1+0xf/0xf [ftrace_direct_modify]
[ 74.782309] modify_ftrace_direct+0x1b2/0x1f0
[ 74.782690] ? __schedule+0xb40/0xb40
[ 74.783014] ? simple_thread+0x2a/0xb0 [ftrace_direct_modify]
[ 74.783508] ? __schedule+0xb40/0xb40
[ 74.783832] ? my_tramp2+0x11/0x11 [ftrace_direct_modify]
[ 74.784294] simple_thread+0x76/0xb0 [ftrace_direct_modify]
[ 74.784766] kthread+0xf5/0x120
[ 74.785052] ? kthread_complete_and_exit+0x20/0x20
[ 74.785464] ret_from_fork+0x22/0x30
[ 74.785781] </TASK>
Fix this by using register_ftrace_function_nolock in
ftrace_modify_direct_caller.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/ftrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2482eacb685b6500e158268befbe6c90de5f166a",
"status": "affected",
"version": "53cd885bc5c3ea283cc9c00ca6446c778f00bfba",
"versionType": "git"
},
{
"lessThan": "9d2ce78ddcee159eb6a97449e9c68b6d60b9cec4",
"status": "affected",
"version": "53cd885bc5c3ea283cc9c00ca6446c778f00bfba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/ftrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix recursive locking direct_mutex in ftrace_modify_direct_caller\n\nNaveen reported recursive locking of direct_mutex with sample\nftrace-direct-modify.ko:\n\n[ 74.762406] WARNING: possible recursive locking detected\n[ 74.762887] 6.0.0-rc6+ #33 Not tainted\n[ 74.763216] --------------------------------------------\n[ 74.763672] event-sample-fn/1084 is trying to acquire lock:\n[ 74.764152] ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \\\n register_ftrace_function+0x1f/0x180\n[ 74.764922]\n[ 74.764922] but task is already holding lock:\n[ 74.765421] ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \\\n modify_ftrace_direct+0x34/0x1f0\n[ 74.766142]\n[ 74.766142] other info that might help us debug this:\n[ 74.766701] Possible unsafe locking scenario:\n[ 74.766701]\n[ 74.767216] CPU0\n[ 74.767437] ----\n[ 74.767656] lock(direct_mutex);\n[ 74.767952] lock(direct_mutex);\n[ 74.768245]\n[ 74.768245] *** DEADLOCK ***\n[ 74.768245]\n[ 74.768750] May be due to missing lock nesting notation\n[ 74.768750]\n[ 74.769332] 1 lock held by event-sample-fn/1084:\n[ 74.769731] #0: ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \\\n modify_ftrace_direct+0x34/0x1f0\n[ 74.770496]\n[ 74.770496] stack backtrace:\n[ 74.770884] CPU: 4 PID: 1084 Comm: event-sample-fn Not tainted ...\n[ 74.771498] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), ...\n[ 74.772474] Call Trace:\n[ 74.772696] \u003cTASK\u003e\n[ 74.772896] dump_stack_lvl+0x44/0x5b\n[ 74.773223] __lock_acquire.cold.74+0xac/0x2b7\n[ 74.773616] lock_acquire+0xd2/0x310\n[ 74.773936] ? register_ftrace_function+0x1f/0x180\n[ 74.774357] ? lock_is_held_type+0xd8/0x130\n[ 74.774744] ? my_tramp2+0x11/0x11 [ftrace_direct_modify]\n[ 74.775213] __mutex_lock+0x99/0x1010\n[ 74.775536] ? register_ftrace_function+0x1f/0x180\n[ 74.775954] ? slab_free_freelist_hook.isra.43+0x115/0x160\n[ 74.776424] ? ftrace_set_hash+0x195/0x220\n[ 74.776779] ? 
register_ftrace_function+0x1f/0x180\n[ 74.777194] ? kfree+0x3e1/0x440\n[ 74.777482] ? my_tramp2+0x11/0x11 [ftrace_direct_modify]\n[ 74.777941] ? __schedule+0xb40/0xb40\n[ 74.778258] ? register_ftrace_function+0x1f/0x180\n[ 74.778672] ? my_tramp1+0xf/0xf [ftrace_direct_modify]\n[ 74.779128] register_ftrace_function+0x1f/0x180\n[ 74.779527] ? ftrace_set_filter_ip+0x33/0x70\n[ 74.779910] ? __schedule+0xb40/0xb40\n[ 74.780231] ? my_tramp1+0xf/0xf [ftrace_direct_modify]\n[ 74.780678] ? my_tramp2+0x11/0x11 [ftrace_direct_modify]\n[ 74.781147] ftrace_modify_direct_caller+0x5b/0x90\n[ 74.781563] ? 0xffffffffa0201000\n[ 74.781859] ? my_tramp1+0xf/0xf [ftrace_direct_modify]\n[ 74.782309] modify_ftrace_direct+0x1b2/0x1f0\n[ 74.782690] ? __schedule+0xb40/0xb40\n[ 74.783014] ? simple_thread+0x2a/0xb0 [ftrace_direct_modify]\n[ 74.783508] ? __schedule+0xb40/0xb40\n[ 74.783832] ? my_tramp2+0x11/0x11 [ftrace_direct_modify]\n[ 74.784294] simple_thread+0x76/0xb0 [ftrace_direct_modify]\n[ 74.784766] kthread+0xf5/0x120\n[ 74.785052] ? kthread_complete_and_exit+0x20/0x20\n[ 74.785464] ret_from_fork+0x22/0x30\n[ 74.785781] \u003c/TASK\u003e\n\nFix this by using register_ftrace_function_nolock in\nftrace_modify_direct_caller."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:22.410Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2482eacb685b6500e158268befbe6c90de5f166a"
},
{
"url": "https://git.kernel.org/stable/c/9d2ce78ddcee159eb6a97449e9c68b6d60b9cec4"
}
],
"title": "ftrace: Fix recursive locking direct_mutex in ftrace_modify_direct_caller",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50648",
"datePublished": "2025-12-09T00:00:22.410Z",
"dateReserved": "2025-12-08T23:57:43.371Z",
"dateUpdated": "2025-12-09T00:00:22.410Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50669 (GCVE-0-2022-50669)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
misc: ocxl: fix possible name leak in ocxl_file_register_afu()
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: ocxl: fix possible name leak in ocxl_file_register_afu()
If device_register() returns error in ocxl_file_register_afu(),
the name allocated by dev_set_name() need be freed. As comment
of device_register() says, it should use put_device() to give
up the reference in the error path. So fix this by calling
put_device(), then the name can be freed in kobject_cleanup(),
and info is freed in info_release().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 75ca758adbafc81804c39b2c200ecdc819a6c042 , < 0cd05062371a49774e8a45258bdedf0bd6d3d327 (git) |
| Linux | Linux | Affected: 75ca758adbafc81804c39b2c200ecdc819a6c042 , < 7525741cb302a1672b8c3a5edb2a08e4229b5c7c (git) |
| Linux | Linux | Affected: 75ca758adbafc81804c39b2c200ecdc819a6c042 , < 3299983a6bf628249ac650908e62d12de959341e (git) |
| Linux | Linux | Affected: 75ca758adbafc81804c39b2c200ecdc819a6c042 , < 557b7de055d1e230ddb6664c29d26917b8db9143 (git) |
| Linux | Linux | Affected: 75ca758adbafc81804c39b2c200ecdc819a6c042 , < 2fce8b3583d1641a1716486f408478b58e96ec91 (git) |
| Linux | Linux | Affected: 75ca758adbafc81804c39b2c200ecdc819a6c042 , < a4cb1004aeed2ab893a058fad00a5b41a12c4691 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/ocxl/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0cd05062371a49774e8a45258bdedf0bd6d3d327",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
},
{
"lessThan": "7525741cb302a1672b8c3a5edb2a08e4229b5c7c",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
},
{
"lessThan": "3299983a6bf628249ac650908e62d12de959341e",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
},
{
"lessThan": "557b7de055d1e230ddb6664c29d26917b8db9143",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
},
{
"lessThan": "2fce8b3583d1641a1716486f408478b58e96ec91",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
},
{
"lessThan": "a4cb1004aeed2ab893a058fad00a5b41a12c4691",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/ocxl/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: ocxl: fix possible name leak in ocxl_file_register_afu()\n\nIf device_register() returns error in ocxl_file_register_afu(),\nthe name allocated by dev_set_name() need be freed. As comment\nof device_register() says, it should use put_device() to give\nup the reference in the error path. So fix this by calling\nput_device(), then the name can be freed in kobject_cleanup(),\nand info is freed in info_release()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:20.745Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0cd05062371a49774e8a45258bdedf0bd6d3d327"
},
{
"url": "https://git.kernel.org/stable/c/7525741cb302a1672b8c3a5edb2a08e4229b5c7c"
},
{
"url": "https://git.kernel.org/stable/c/3299983a6bf628249ac650908e62d12de959341e"
},
{
"url": "https://git.kernel.org/stable/c/557b7de055d1e230ddb6664c29d26917b8db9143"
},
{
"url": "https://git.kernel.org/stable/c/2fce8b3583d1641a1716486f408478b58e96ec91"
},
{
"url": "https://git.kernel.org/stable/c/a4cb1004aeed2ab893a058fad00a5b41a12c4691"
}
],
"title": "misc: ocxl: fix possible name leak in ocxl_file_register_afu()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50669",
"datePublished": "2025-12-09T01:29:20.745Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-09T01:29:20.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50644 (GCVE-0-2022-50644)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe
pm_runtime_get_sync() will increment pm usage counter.
Forgetting to putting operation will result in reference leak.
Add missing pm_runtime_put_sync in some error paths.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < 27abe45df1dc394c184688d816cbbf2f194d4c6a (git) |
| Linux | Linux | Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < d84f77ef7d57658d7346f8c4797a570aa5e35fa6 (git) |
| Linux | Linux | Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < 25fe7b0d596b343e7a5504ba11767115fff8494f (git) |
| Linux | Linux | Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < fc39ebf85d0349366b807fe2be848041c8523f03 (git) |
| Linux | Linux | Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < 6d01017247eee3fba399f601b0bcb38e4fb88a72 (git) |
| Linux | Linux | Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < 3441076f83aace85f5d6ccd9ffb301ac6b874776 (git) |
| Linux | Linux | Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < a9f69663ad571cbd7814dde38e3fcb4876341ed6 (git) |
| Linux | Linux | Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < c01ae99a4e3a0cdf70f7cd758a60a2243eac562c (git) |
| Linux | Linux | Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < 9c59a01caba26ec06fefd6ca1f22d5fd1de57d63 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/ti/clk-dra7-atl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27abe45df1dc394c184688d816cbbf2f194d4c6a",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
},
{
"lessThan": "d84f77ef7d57658d7346f8c4797a570aa5e35fa6",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
},
{
"lessThan": "25fe7b0d596b343e7a5504ba11767115fff8494f",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
},
{
"lessThan": "fc39ebf85d0349366b807fe2be848041c8523f03",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
},
{
"lessThan": "6d01017247eee3fba399f601b0bcb38e4fb88a72",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
},
{
"lessThan": "3441076f83aace85f5d6ccd9ffb301ac6b874776",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
},
{
"lessThan": "a9f69663ad571cbd7814dde38e3fcb4876341ed6",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
},
{
"lessThan": "c01ae99a4e3a0cdf70f7cd758a60a2243eac562c",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
},
{
"lessThan": "9c59a01caba26ec06fefd6ca1f22d5fd1de57d63",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/ti/clk-dra7-atl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe\n\npm_runtime_get_sync() will increment pm usage counter.\nForgetting to putting operation will result in reference leak.\nAdd missing pm_runtime_put_sync in some error paths."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:18.729Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27abe45df1dc394c184688d816cbbf2f194d4c6a"
},
{
"url": "https://git.kernel.org/stable/c/d84f77ef7d57658d7346f8c4797a570aa5e35fa6"
},
{
"url": "https://git.kernel.org/stable/c/25fe7b0d596b343e7a5504ba11767115fff8494f"
},
{
"url": "https://git.kernel.org/stable/c/fc39ebf85d0349366b807fe2be848041c8523f03"
},
{
"url": "https://git.kernel.org/stable/c/6d01017247eee3fba399f601b0bcb38e4fb88a72"
},
{
"url": "https://git.kernel.org/stable/c/3441076f83aace85f5d6ccd9ffb301ac6b874776"
},
{
"url": "https://git.kernel.org/stable/c/a9f69663ad571cbd7814dde38e3fcb4876341ed6"
},
{
"url": "https://git.kernel.org/stable/c/c01ae99a4e3a0cdf70f7cd758a60a2243eac562c"
},
{
"url": "https://git.kernel.org/stable/c/9c59a01caba26ec06fefd6ca1f22d5fd1de57d63"
}
],
"title": "clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50644",
"datePublished": "2025-12-09T00:00:18.729Z",
"dateReserved": "2025-12-08T23:57:43.371Z",
"dateUpdated": "2025-12-09T00:00:18.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50656 (GCVE-0-2022-50656)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
nfc: pn533: Clear nfc_target before being used
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: pn533: Clear nfc_target before being used
Fix a slab-out-of-bounds read that occurs in nla_put() called from
nfc_genl_send_target() when target->sensb_res_len, which is duplicated
from an nfc_target in pn533, is too large as the nfc_target is not
properly initialized and retains garbage values. Clear nfc_targets with
memset() before they are used.
Found by a modified version of syzkaller.
BUG: KASAN: slab-out-of-bounds in nla_put
Call Trace:
  memcpy
  nla_put
  nfc_genl_dump_targets
  genl_lock_dumpit
  netlink_dump
  __netlink_dump_start
  genl_family_rcv_msg_dumpit
  genl_rcv_msg
  netlink_rcv_skb
  genl_rcv
  netlink_unicast
  netlink_sendmsg
  sock_sendmsg
  ____sys_sendmsg
  ___sys_sendmsg
  __sys_sendmsg
  do_syscall_64
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < 9da4a0411f3455e3885831d0758bee3e3d565bbc (git) |
| Linux | Linux | Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < 61a7e15d55fae329a245535c3bac494e401005b8 (git) |
| Linux | Linux | Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < bef2f478513e7367ef3b05441f6afca981de29be (git) |
| Linux | Linux | Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < 8bddef54cbe9ede5ac7478f1e1e968fcfe7e6f03 (git) |
| Linux | Linux | Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < aea9e64dec2cc6cd742e07ecd4e6236fc76b389b (git) |
| Linux | Linux | Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < aae9c24ebd901f482e6c88b6f9e0c80dc5b536d6 (git) |
| Linux | Linux | Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < 755019e37815a66bb0a23893debbd3dd640ccbd3 (git) |
| Linux | Linux | Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < e491285b4d08884b622638be8e4961eb43b0af64 (git) |
| Linux | Linux | Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < 9f28157778ede0d4f183f7ab3b46995bb400abbe (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nfc/pn533/pn533.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9da4a0411f3455e3885831d0758bee3e3d565bbc",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
},
{
"lessThan": "61a7e15d55fae329a245535c3bac494e401005b8",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
},
{
"lessThan": "bef2f478513e7367ef3b05441f6afca981de29be",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
},
{
"lessThan": "8bddef54cbe9ede5ac7478f1e1e968fcfe7e6f03",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
},
{
"lessThan": "aea9e64dec2cc6cd742e07ecd4e6236fc76b389b",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
},
{
"lessThan": "aae9c24ebd901f482e6c88b6f9e0c80dc5b536d6",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
},
{
"lessThan": "755019e37815a66bb0a23893debbd3dd640ccbd3",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
},
{
"lessThan": "e491285b4d08884b622638be8e4961eb43b0af64",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
},
{
"lessThan": "9f28157778ede0d4f183f7ab3b46995bb400abbe",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nfc/pn533/pn533.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: Clear nfc_target before being used\n\nFix a slab-out-of-bounds read that occurs in nla_put() called from\nnfc_genl_send_target() when target-\u003esensb_res_len, which is duplicated\nfrom an nfc_target in pn533, is too large as the nfc_target is not\nproperly initialized and retains garbage values. Clear nfc_targets with\nmemset() before they are used.\n\nFound by a modified version of syzkaller.\n\nBUG: KASAN: slab-out-of-bounds in nla_put\nCall Trace:\n memcpy\n nla_put\n nfc_genl_dump_targets\n genl_lock_dumpit\n netlink_dump\n __netlink_dump_start\n genl_family_rcv_msg_dumpit\n genl_rcv_msg\n netlink_rcv_skb\n genl_rcv\n netlink_unicast\n netlink_sendmsg\n sock_sendmsg\n ____sys_sendmsg\n ___sys_sendmsg\n __sys_sendmsg\n do_syscall_64"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:31.691Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9da4a0411f3455e3885831d0758bee3e3d565bbc"
},
{
"url": "https://git.kernel.org/stable/c/61a7e15d55fae329a245535c3bac494e401005b8"
},
{
"url": "https://git.kernel.org/stable/c/bef2f478513e7367ef3b05441f6afca981de29be"
},
{
"url": "https://git.kernel.org/stable/c/8bddef54cbe9ede5ac7478f1e1e968fcfe7e6f03"
},
{
"url": "https://git.kernel.org/stable/c/aea9e64dec2cc6cd742e07ecd4e6236fc76b389b"
},
{
"url": "https://git.kernel.org/stable/c/aae9c24ebd901f482e6c88b6f9e0c80dc5b536d6"
},
{
"url": "https://git.kernel.org/stable/c/755019e37815a66bb0a23893debbd3dd640ccbd3"
},
{
"url": "https://git.kernel.org/stable/c/e491285b4d08884b622638be8e4961eb43b0af64"
},
{
"url": "https://git.kernel.org/stable/c/9f28157778ede0d4f183f7ab3b46995bb400abbe"
}
],
"title": "nfc: pn533: Clear nfc_target before being used",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50656",
"datePublished": "2025-12-09T00:00:31.691Z",
"dateReserved": "2025-12-08T23:57:43.372Z",
"dateUpdated": "2025-12-09T00:00:31.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53827 (GCVE-0-2023-53827)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2026-01-05 10:33
Title
Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
Similar to commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free
caused by l2cap_chan_put"), just use l2cap_chan_hold_unless_zero to
prevent referencing a channel that is about to be destroyed.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 , < f2d38e77aa5f3effc143e7dd24da8acf02925958 (git) |
| Linux | Linux | Affected: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 , < 1351551aa9058e07a20a27a158270cf84fcde621 (git) |
| Linux | Linux | Affected: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 , < c02421992505c95c7f3c9ad59ee35e22eac60988 (git) |
| Linux | Linux | Affected: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 , < d9ba36c22a7bb09d6bac4cc2f243eff05da53f43 (git) |
| Linux | Linux | Affected: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 , < ac6725a634f7e8c0330610a8527f20c730b61115 (git) |
| Linux | Linux | Affected: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 , < 348d446762e7c70778df8bafbdf3fa0df2123f58 (git) |
| Linux | Linux | Affected: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 , < d82a439c3cfdb28aa7e82e2e849c5c4dd9fca284 (git) |
| Linux | Linux | Affected: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 , < a2a9339e1c9deb7e1e079e12e27a0265aea8421a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f2d38e77aa5f3effc143e7dd24da8acf02925958",
"status": "affected",
"version": "61d6ef3e3408cdf7e622646fb90a9f7f9560b943",
"versionType": "git"
},
{
"lessThan": "1351551aa9058e07a20a27a158270cf84fcde621",
"status": "affected",
"version": "61d6ef3e3408cdf7e622646fb90a9f7f9560b943",
"versionType": "git"
},
{
"lessThan": "c02421992505c95c7f3c9ad59ee35e22eac60988",
"status": "affected",
"version": "61d6ef3e3408cdf7e622646fb90a9f7f9560b943",
"versionType": "git"
},
{
"lessThan": "d9ba36c22a7bb09d6bac4cc2f243eff05da53f43",
"status": "affected",
"version": "61d6ef3e3408cdf7e622646fb90a9f7f9560b943",
"versionType": "git"
},
{
"lessThan": "ac6725a634f7e8c0330610a8527f20c730b61115",
"status": "affected",
"version": "61d6ef3e3408cdf7e622646fb90a9f7f9560b943",
"versionType": "git"
},
{
"lessThan": "348d446762e7c70778df8bafbdf3fa0df2123f58",
"status": "affected",
"version": "61d6ef3e3408cdf7e622646fb90a9f7f9560b943",
"versionType": "git"
},
{
"lessThan": "d82a439c3cfdb28aa7e82e2e849c5c4dd9fca284",
"status": "affected",
"version": "61d6ef3e3408cdf7e622646fb90a9f7f9560b943",
"versionType": "git"
},
{
"lessThan": "a2a9339e1c9deb7e1e079e12e27a0265aea8421a",
"status": "affected",
"version": "61d6ef3e3408cdf7e622646fb90a9f7f9560b943",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.313",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.281",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.178",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.313",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.281",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.241",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.178",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.108",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.25",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.12",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}\n\nSimilar to commit d0be8347c623 (\"Bluetooth: L2CAP: Fix use-after-free\ncaused by l2cap_chan_put\"), just use l2cap_chan_hold_unless_zero to\nprevent referencing a channel that is about to be destroyed."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:00.193Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f2d38e77aa5f3effc143e7dd24da8acf02925958"
},
{
"url": "https://git.kernel.org/stable/c/1351551aa9058e07a20a27a158270cf84fcde621"
},
{
"url": "https://git.kernel.org/stable/c/c02421992505c95c7f3c9ad59ee35e22eac60988"
},
{
"url": "https://git.kernel.org/stable/c/d9ba36c22a7bb09d6bac4cc2f243eff05da53f43"
},
{
"url": "https://git.kernel.org/stable/c/ac6725a634f7e8c0330610a8527f20c730b61115"
},
{
"url": "https://git.kernel.org/stable/c/348d446762e7c70778df8bafbdf3fa0df2123f58"
},
{
"url": "https://git.kernel.org/stable/c/d82a439c3cfdb28aa7e82e2e849c5c4dd9fca284"
},
{
"url": "https://git.kernel.org/stable/c/a2a9339e1c9deb7e1e079e12e27a0265aea8421a"
}
],
"title": "Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53827",
"datePublished": "2025-12-09T01:29:40.794Z",
"dateReserved": "2025-12-09T01:27:17.825Z",
"dateUpdated": "2026-01-05T10:33:00.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53822 (GCVE-0-2023-53822)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-20 08:51
Title
wifi: ath11k: Ignore frags from uninitialized peer in dp.
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: Ignore frags from uninitialized peer in dp.
When max virtual ap interfaces are configured in all the bands with
ACS and hostapd restart is done every 60s, a crash is observed at
random times.
In this certain scenario, a fragmented packet is received for
self peer, for which rx_tid and rx_frags are not initialized in
datapath. While handling this fragment, crash is observed as the
rx_frag list is uninitialised and when we walk in
ath11k_dp_rx_h_sort_frags, skb null leads to exception.
To address this, before processing received fragments we check
dp_setup_done flag is set to ensure that peer has completed its
dp peer setup for fragment queue, else ignore processing the
fragments.
Call trace:
  ath11k_dp_process_rx_err+0x550/0x1084 [ath11k]
  ath11k_dp_service_srng+0x70/0x370 [ath11k]
  0xffffffc009693a04
  __napi_poll+0x30/0xa4
  net_rx_action+0x118/0x270
  __do_softirq+0x10c/0x244
  irq_exit+0x64/0xb4
  __handle_domain_irq+0x88/0xac
  gic_handle_irq+0x74/0xbc
  el1_irq+0xf0/0x1c0
  arch_cpu_idle+0x10/0x18
  do_idle+0x104/0x248
  cpu_startup_entry+0x20/0x64
  rest_init+0xd0/0xdc
  arch_call_rest_init+0xc/0x14
  start_kernel+0x480/0x4b8
  Code: f9400281 f94066a2 91405021 b94a0023 (f9406401)
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d5c65159f2895379e11ca13f62feabe93278985d , < e78526a06b53718bfc1dfff37864c7760e41f8ec (git) |
| Linux | Linux | Affected: d5c65159f2895379e11ca13f62feabe93278985d , < 41efc47f5bc53e63461579e206adc17c4452ab6e (git) |
| Linux | Linux | Affected: d5c65159f2895379e11ca13f62feabe93278985d , < a06bfb3c9f69f303692cdae87bc0899d2ae8b2a6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/dp.c",
"drivers/net/wireless/ath/ath11k/dp_rx.c",
"drivers/net/wireless/ath/ath11k/peer.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e78526a06b53718bfc1dfff37864c7760e41f8ec",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "41efc47f5bc53e63461579e206adc17c4452ab6e",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "a06bfb3c9f69f303692cdae87bc0899d2ae8b2a6",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/dp.c",
"drivers/net/wireless/ath/ath11k/dp_rx.c",
"drivers/net/wireless/ath/ath11k/peer.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Ignore frags from uninitialized peer in dp.\n\nWhen max virtual ap interfaces are configured in all the bands with\nACS and hostapd restart is done every 60s, a crash is observed at\nrandom times.\nIn this certain scenario, a fragmented packet is received for\nself peer, for which rx_tid and rx_frags are not initialized in\ndatapath. While handling this fragment, crash is observed as the\nrx_frag list is uninitialised and when we walk in\nath11k_dp_rx_h_sort_frags, skb null leads to exception.\n\nTo address this, before processing received fragments we check\ndp_setup_done flag is set to ensure that peer has completed its\ndp peer setup for fragment queue, else ignore processing the\nfragments.\n\nCall trace:\n ath11k_dp_process_rx_err+0x550/0x1084 [ath11k]\n ath11k_dp_service_srng+0x70/0x370 [ath11k]\n 0xffffffc009693a04\n __napi_poll+0x30/0xa4\n net_rx_action+0x118/0x270\n __do_softirq+0x10c/0x244\n irq_exit+0x64/0xb4\n __handle_domain_irq+0x88/0xac\n gic_handle_irq+0x74/0xbc\n el1_irq+0xf0/0x1c0\n arch_cpu_idle+0x10/0x18\n do_idle+0x104/0x248\n cpu_startup_entry+0x20/0x64\n rest_init+0xd0/0xdc\n arch_call_rest_init+0xc/0x14\n start_kernel+0x480/0x4b8\n Code: f9400281 f94066a2 91405021 b94a0023 (f9406401)\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:27.266Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e78526a06b53718bfc1dfff37864c7760e41f8ec"
},
{
"url": "https://git.kernel.org/stable/c/41efc47f5bc53e63461579e206adc17c4452ab6e"
},
{
"url": "https://git.kernel.org/stable/c/a06bfb3c9f69f303692cdae87bc0899d2ae8b2a6"
}
],
"title": "wifi: ath11k: Ignore frags from uninitialized peer in dp.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53822",
"datePublished": "2025-12-09T01:29:35.206Z",
"dateReserved": "2025-12-09T01:27:17.824Z",
"dateUpdated": "2025-12-20T08:51:27.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50651 (GCVE-0-2022-50651)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
ethtool: eeprom: fix null-deref on genl_info in dump
Summary
In the Linux kernel, the following vulnerability has been resolved:
ethtool: eeprom: fix null-deref on genl_info in dump
The similar fix as commit 46cdedf2a0fa ("ethtool: pse-pd: fix null-deref on
genl_info in dump") is also needed for ethtool eeprom.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c781ff12a2f37a9795e13bf328e5053d3e69f9e0 , < 138a13d8f5c81266032af680f63069387f2748da (git) |
| Linux | Linux | Affected: c781ff12a2f37a9795e13bf328e5053d3e69f9e0 , < 1e3be98592a12511d4e78a9a67aaff3e6ca4980c (git) |
| Linux | Linux | Affected: c781ff12a2f37a9795e13bf328e5053d3e69f9e0 , < 9d9effca9d7d7cf6341182a7c5cabcbd6fa28063 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ethtool/eeprom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "138a13d8f5c81266032af680f63069387f2748da",
"status": "affected",
"version": "c781ff12a2f37a9795e13bf328e5053d3e69f9e0",
"versionType": "git"
},
{
"lessThan": "1e3be98592a12511d4e78a9a67aaff3e6ca4980c",
"status": "affected",
"version": "c781ff12a2f37a9795e13bf328e5053d3e69f9e0",
"versionType": "git"
},
{
"lessThan": "9d9effca9d7d7cf6341182a7c5cabcbd6fa28063",
"status": "affected",
"version": "c781ff12a2f37a9795e13bf328e5053d3e69f9e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ethtool/eeprom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.77",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: eeprom: fix null-deref on genl_info in dump\n\nThe similar fix as commit 46cdedf2a0fa (\"ethtool: pse-pd: fix null-deref on\ngenl_info in dump\") is also needed for ethtool eeprom."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:25.571Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/138a13d8f5c81266032af680f63069387f2748da"
},
{
"url": "https://git.kernel.org/stable/c/1e3be98592a12511d4e78a9a67aaff3e6ca4980c"
},
{
"url": "https://git.kernel.org/stable/c/9d9effca9d7d7cf6341182a7c5cabcbd6fa28063"
}
],
"title": "ethtool: eeprom: fix null-deref on genl_info in dump",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50651",
"datePublished": "2025-12-09T00:00:25.571Z",
"dateReserved": "2025-12-08T23:57:43.371Z",
"dateUpdated": "2025-12-09T00:00:25.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53788 (GCVE-0-2023-53788)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2026-01-05 10:32
Title
ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
tuning_ctl_set() might have buffer overrun at (X) if it didn't break
from loop by matching (A).
    static int tuning_ctl_set(...)
    {
        for (i = 0; i < TUNING_CTLS_COUNT; i++)
(A)         if (nid == ca0132_tuning_ctls[i].nid)
                break;
        snd_hda_power_up(...);
(X)     dspio_set_param(..., ca0132_tuning_ctls[i].mid, ...);
        snd_hda_power_down(...);                ^
        return 1;
    }
We will get below error by cppcheck
    sound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12
      for (i = 0; i < TUNING_CTLS_COUNT; i++)
      ^
    sound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds
      dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
                                               ^
This patch cares non match case.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 44f0c9782cc6ab71ea947f8f710a46f2078a151c , < ff5e8b49348f6a550c136b74efaf8b3c1d3ceaea (git) |
| Linux | Linux | Affected: 44f0c9782cc6ab71ea947f8f710a46f2078a151c , < 3590498117a11aa1f92a97e8a04d95320e347ebd (git) |
| Linux | Linux | Affected: 44f0c9782cc6ab71ea947f8f710a46f2078a151c , < 7f12f99b8017ad5ed5aff4b0aefe3bb7bbdf8a99 (git) |
| Linux | Linux | Affected: 44f0c9782cc6ab71ea947f8f710a46f2078a151c , < baef27176ea5fdc7ad0947e2dc7733855e35db71 (git) |
| Linux | Linux | Affected: 44f0c9782cc6ab71ea947f8f710a46f2078a151c , < d23f65f08247068576a01e28b297e995b7dc3965 (git) |
| Linux | Linux | Affected: 44f0c9782cc6ab71ea947f8f710a46f2078a151c , < 32854bc91ae7debcdefdc7ae881ed83385a04792 (git) |
| Linux | Linux | Affected: 44f0c9782cc6ab71ea947f8f710a46f2078a151c , < 734a3deb6614e3597e7e9ef7fb6006c593c5ee18 (git) |
| Linux | Linux | Affected: 44f0c9782cc6ab71ea947f8f710a46f2078a151c , < 98e5eb110095ec77cb6d775051d181edbf9cd3cf (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/pci/hda/patch_ca0132.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ff5e8b49348f6a550c136b74efaf8b3c1d3ceaea",
"status": "affected",
"version": "44f0c9782cc6ab71ea947f8f710a46f2078a151c",
"versionType": "git"
},
{
"lessThan": "3590498117a11aa1f92a97e8a04d95320e347ebd",
"status": "affected",
"version": "44f0c9782cc6ab71ea947f8f710a46f2078a151c",
"versionType": "git"
},
{
"lessThan": "7f12f99b8017ad5ed5aff4b0aefe3bb7bbdf8a99",
"status": "affected",
"version": "44f0c9782cc6ab71ea947f8f710a46f2078a151c",
"versionType": "git"
},
{
"lessThan": "baef27176ea5fdc7ad0947e2dc7733855e35db71",
"status": "affected",
"version": "44f0c9782cc6ab71ea947f8f710a46f2078a151c",
"versionType": "git"
},
{
"lessThan": "d23f65f08247068576a01e28b297e995b7dc3965",
"status": "affected",
"version": "44f0c9782cc6ab71ea947f8f710a46f2078a151c",
"versionType": "git"
},
{
"lessThan": "32854bc91ae7debcdefdc7ae881ed83385a04792",
"status": "affected",
"version": "44f0c9782cc6ab71ea947f8f710a46f2078a151c",
"versionType": "git"
},
{
"lessThan": "734a3deb6614e3597e7e9ef7fb6006c593c5ee18",
"status": "affected",
"version": "44f0c9782cc6ab71ea947f8f710a46f2078a151c",
"versionType": "git"
},
{
"lessThan": "98e5eb110095ec77cb6d775051d181edbf9cd3cf",
"status": "affected",
"version": "44f0c9782cc6ab71ea947f8f710a46f2078a151c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/pci/hda/patch_ca0132.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.312",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.280",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.177",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.106",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.312",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.280",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.240",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.177",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.106",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.23",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.10",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()\n\ntuning_ctl_set() might have buffer overrun at (X) if it didn\u0027t break\nfrom loop by matching (A).\n\n\tstatic int tuning_ctl_set(...)\n\t{\n\t\tfor (i = 0; i \u003c TUNING_CTLS_COUNT; i++)\n(A)\t\t\tif (nid == ca0132_tuning_ctls[i].nid)\n\t\t\t\tbreak;\n\n\t\tsnd_hda_power_up(...);\n(X)\t\tdspio_set_param(..., ca0132_tuning_ctls[i].mid, ...);\n\t\tsnd_hda_power_down(...); ^\n\n\t\treturn 1;\n\t}\n\nWe will get below error by cppcheck\n\n\tsound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12\n\t for (i = 0; i \u003c TUNING_CTLS_COUNT; i++)\n\t ^\n\tsound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds\n\t dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,\n\t ^\nThis patch cares non match case."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:52.709Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ff5e8b49348f6a550c136b74efaf8b3c1d3ceaea"
},
{
"url": "https://git.kernel.org/stable/c/3590498117a11aa1f92a97e8a04d95320e347ebd"
},
{
"url": "https://git.kernel.org/stable/c/7f12f99b8017ad5ed5aff4b0aefe3bb7bbdf8a99"
},
{
"url": "https://git.kernel.org/stable/c/baef27176ea5fdc7ad0947e2dc7733855e35db71"
},
{
"url": "https://git.kernel.org/stable/c/d23f65f08247068576a01e28b297e995b7dc3965"
},
{
"url": "https://git.kernel.org/stable/c/32854bc91ae7debcdefdc7ae881ed83385a04792"
},
{
"url": "https://git.kernel.org/stable/c/734a3deb6614e3597e7e9ef7fb6006c593c5ee18"
},
{
"url": "https://git.kernel.org/stable/c/98e5eb110095ec77cb6d775051d181edbf9cd3cf"
}
],
"title": "ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53788",
"datePublished": "2025-12-09T00:00:43.777Z",
"dateReserved": "2025-12-08T23:58:35.273Z",
"dateUpdated": "2026-01-05T10:32:52.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50679 (GCVE-0-2022-50679)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
i40e: Fix DMA mappings leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: Fix DMA mappings leak
During reallocation of RX buffers, new DMA mappings are created for
those buffers.
steps for reproduction:
while :
do
    for ((i=0; i<=8160; i=i+32))
    do
        ethtool -G enp130s0f0 rx $i tx $i
        sleep 0.5
        ethtool -g enp130s0f0
    done
done
This resulted in crash:
i40e 0000:01:00.1: Unable to allocate memory for the Rx descriptor ring, size=65536
Driver BUG
WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:141 xdp_rxq_info_unreg+0x43/0x50
Call Trace:
i40e_free_rx_resources+0x70/0x80 [i40e]
i40e_set_ringparam+0x27c/0x800 [i40e]
ethnl_set_rings+0x1b2/0x290
genl_family_rcv_msg_doit.isra.15+0x10f/0x150
genl_family_rcv_msg+0xb3/0x160
? rings_fill_reply+0x1a0/0x1a0
genl_rcv_msg+0x47/0x90
? genl_family_rcv_msg+0x160/0x160
netlink_rcv_skb+0x4c/0x120
genl_rcv+0x24/0x40
netlink_unicast+0x196/0x230
netlink_sendmsg+0x204/0x3d0
sock_sendmsg+0x4c/0x50
__sys_sendto+0xee/0x160
? handle_mm_fault+0xbe/0x1e0
? syscall_trace_enter+0x1d3/0x2c0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x5b/0x1a0
entry_SYSCALL_64_after_hwframe+0x65/0xca
RIP: 0033:0x7f5eac8b035b
Missing register, driver bug
WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:119 xdp_rxq_info_unreg_mem_model+0x69/0x140
Call Trace:
xdp_rxq_info_unreg+0x1e/0x50
i40e_free_rx_resources+0x70/0x80 [i40e]
i40e_set_ringparam+0x27c/0x800 [i40e]
ethnl_set_rings+0x1b2/0x290
genl_family_rcv_msg_doit.isra.15+0x10f/0x150
genl_family_rcv_msg+0xb3/0x160
? rings_fill_reply+0x1a0/0x1a0
genl_rcv_msg+0x47/0x90
? genl_family_rcv_msg+0x160/0x160
netlink_rcv_skb+0x4c/0x120
genl_rcv+0x24/0x40
netlink_unicast+0x196/0x230
netlink_sendmsg+0x204/0x3d0
sock_sendmsg+0x4c/0x50
__sys_sendto+0xee/0x160
? handle_mm_fault+0xbe/0x1e0
? syscall_trace_enter+0x1d3/0x2c0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x5b/0x1a0
entry_SYSCALL_64_after_hwframe+0x65/0xca
RIP: 0033:0x7f5eac8b035b
This was caused because of new buffers with different RX ring count should
substitute older ones, but those buffers were freed in
i40e_configure_rx_ring and reallocated again with i40e_alloc_rx_bi,
thus kfree on rx_bi caused leak of already mapped DMA.
Fix this by reallocating ZC with rx_bi_zc struct when BPF program loads. Additionally
reallocate back to rx_bi when BPF program unloads.
If BPF program is loaded/unloaded and XSK pools are created, reallocate
RX queues accordingly in XSP_SETUP_XSK_POOL handler.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: be1222b585fdc410b8c1dbcc57dd03a00f04eff5 , < ed5baf3d0a33caaca4cd4073ebb0854cc77a616d (git) |
| Linux | Linux | Affected: be1222b585fdc410b8c1dbcc57dd03a00f04eff5 , < 94a171c982b8a8137a00721c1e62bc2713435bca (git) |
| Linux | Linux | Affected: be1222b585fdc410b8c1dbcc57dd03a00f04eff5 , < 5f499596dfa3db9b3172645b6de9e1096a669c95 (git) |
| Linux | Linux | Affected: be1222b585fdc410b8c1dbcc57dd03a00f04eff5 , < aae425efdfd1b1d8452260a3cb49344ebf20b1f5 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_ethtool.c",
"drivers/net/ethernet/intel/i40e/i40e_main.c",
"drivers/net/ethernet/intel/i40e/i40e_txrx.c",
"drivers/net/ethernet/intel/i40e/i40e_txrx.h",
"drivers/net/ethernet/intel/i40e/i40e_xsk.c",
"drivers/net/ethernet/intel/i40e/i40e_xsk.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed5baf3d0a33caaca4cd4073ebb0854cc77a616d",
"status": "affected",
"version": "be1222b585fdc410b8c1dbcc57dd03a00f04eff5",
"versionType": "git"
},
{
"lessThan": "94a171c982b8a8137a00721c1e62bc2713435bca",
"status": "affected",
"version": "be1222b585fdc410b8c1dbcc57dd03a00f04eff5",
"versionType": "git"
},
{
"lessThan": "5f499596dfa3db9b3172645b6de9e1096a669c95",
"status": "affected",
"version": "be1222b585fdc410b8c1dbcc57dd03a00f04eff5",
"versionType": "git"
},
{
"lessThan": "aae425efdfd1b1d8452260a3cb49344ebf20b1f5",
"status": "affected",
"version": "be1222b585fdc410b8c1dbcc57dd03a00f04eff5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_ethtool.c",
"drivers/net/ethernet/intel/i40e/i40e_main.c",
"drivers/net/ethernet/intel/i40e/i40e_txrx.c",
"drivers/net/ethernet/intel/i40e/i40e_txrx.h",
"drivers/net/ethernet/intel/i40e/i40e_xsk.c",
"drivers/net/ethernet/intel/i40e/i40e_xsk.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.152",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.152",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix DMA mappings leak\n\nDuring reallocation of RX buffers, new DMA mappings are created for\nthose buffers.\n\nsteps for reproduction:\nwhile :\ndo\nfor ((i=0; i\u003c=8160; i=i+32))\ndo\nethtool -G enp130s0f0 rx $i tx $i\nsleep 0.5\nethtool -g enp130s0f0\ndone\ndone\n\nThis resulted in crash:\ni40e 0000:01:00.1: Unable to allocate memory for the Rx descriptor ring, size=65536\nDriver BUG\nWARNING: CPU: 0 PID: 4300 at net/core/xdp.c:141 xdp_rxq_info_unreg+0x43/0x50\nCall Trace:\ni40e_free_rx_resources+0x70/0x80 [i40e]\ni40e_set_ringparam+0x27c/0x800 [i40e]\nethnl_set_rings+0x1b2/0x290\ngenl_family_rcv_msg_doit.isra.15+0x10f/0x150\ngenl_family_rcv_msg+0xb3/0x160\n? rings_fill_reply+0x1a0/0x1a0\ngenl_rcv_msg+0x47/0x90\n? genl_family_rcv_msg+0x160/0x160\nnetlink_rcv_skb+0x4c/0x120\ngenl_rcv+0x24/0x40\nnetlink_unicast+0x196/0x230\nnetlink_sendmsg+0x204/0x3d0\nsock_sendmsg+0x4c/0x50\n__sys_sendto+0xee/0x160\n? handle_mm_fault+0xbe/0x1e0\n? syscall_trace_enter+0x1d3/0x2c0\n__x64_sys_sendto+0x24/0x30\ndo_syscall_64+0x5b/0x1a0\nentry_SYSCALL_64_after_hwframe+0x65/0xca\nRIP: 0033:0x7f5eac8b035b\nMissing register, driver bug\nWARNING: CPU: 0 PID: 4300 at net/core/xdp.c:119 xdp_rxq_info_unreg_mem_model+0x69/0x140\nCall Trace:\nxdp_rxq_info_unreg+0x1e/0x50\ni40e_free_rx_resources+0x70/0x80 [i40e]\ni40e_set_ringparam+0x27c/0x800 [i40e]\nethnl_set_rings+0x1b2/0x290\ngenl_family_rcv_msg_doit.isra.15+0x10f/0x150\ngenl_family_rcv_msg+0xb3/0x160\n? rings_fill_reply+0x1a0/0x1a0\ngenl_rcv_msg+0x47/0x90\n? genl_family_rcv_msg+0x160/0x160\nnetlink_rcv_skb+0x4c/0x120\ngenl_rcv+0x24/0x40\nnetlink_unicast+0x196/0x230\nnetlink_sendmsg+0x204/0x3d0\nsock_sendmsg+0x4c/0x50\n__sys_sendto+0xee/0x160\n? handle_mm_fault+0xbe/0x1e0\n? 
syscall_trace_enter+0x1d3/0x2c0\n__x64_sys_sendto+0x24/0x30\ndo_syscall_64+0x5b/0x1a0\nentry_SYSCALL_64_after_hwframe+0x65/0xca\nRIP: 0033:0x7f5eac8b035b\n\nThis was caused because of new buffers with different RX ring count should\nsubstitute older ones, but those buffers were freed in\ni40e_configure_rx_ring and reallocated again with i40e_alloc_rx_bi,\nthus kfree on rx_bi caused leak of already mapped DMA.\n\nFix this by reallocating ZC with rx_bi_zc struct when BPF program loads. Additionally\nreallocate back to rx_bi when BPF program unloads.\n\nIf BPF program is loaded/unloaded and XSK pools are created, reallocate\nRX queues accordingly in XSP_SETUP_XSK_POOL handler."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:32.925Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed5baf3d0a33caaca4cd4073ebb0854cc77a616d"
},
{
"url": "https://git.kernel.org/stable/c/94a171c982b8a8137a00721c1e62bc2713435bca"
},
{
"url": "https://git.kernel.org/stable/c/5f499596dfa3db9b3172645b6de9e1096a669c95"
},
{
"url": "https://git.kernel.org/stable/c/aae425efdfd1b1d8452260a3cb49344ebf20b1f5"
}
],
"title": "i40e: Fix DMA mappings leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50679",
"datePublished": "2025-12-09T01:29:32.925Z",
"dateReserved": "2025-12-09T01:26:45.991Z",
"dateUpdated": "2025-12-09T01:29:32.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40336 (GCVE-0-2025-40336)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2026-01-02 15:33
Title
drm/gpusvm: fix hmm_pfn_to_map_order() usage
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/gpusvm: fix hmm_pfn_to_map_order() usage
Handle the case where the hmm range partially covers a huge page (like
2M), otherwise we can potentially end up doing something nasty like
mapping memory which is outside the range, and maybe not even mapped by
the mm. Fix is based on the xe userptr code, which in a future patch
will directly use gpusvm, so needs alignment here.
v2:
- Add kernel-doc (Matt B)
- s/fls/ilog2/ (Thomas)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gpusvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08e9fd78ba1b9e95141181c69cc51795c9888157",
"status": "affected",
"version": "99624bdff8670795b678eafa6509aaad3a5c0175",
"versionType": "git"
},
{
"lessThan": "c50729c68aaf93611c855752b00e49ce1fdd1558",
"status": "affected",
"version": "99624bdff8670795b678eafa6509aaad3a5c0175",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gpusvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gpusvm: fix hmm_pfn_to_map_order() usage\n\nHandle the case where the hmm range partially covers a huge page (like\n2M), otherwise we can potentially end up doing something nasty like\nmapping memory which is outside the range, and maybe not even mapped by\nthe mm. Fix is based on the xe userptr code, which in a future patch\nwill directly use gpusvm, so needs alignment here.\n\nv2:\n - Add kernel-doc (Matt B)\n - s/fls/ilog2/ (Thomas)"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:37.710Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08e9fd78ba1b9e95141181c69cc51795c9888157"
},
{
"url": "https://git.kernel.org/stable/c/c50729c68aaf93611c855752b00e49ce1fdd1558"
}
],
"title": "drm/gpusvm: fix hmm_pfn_to_map_order() usage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40336",
"datePublished": "2025-12-09T04:09:52.845Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-01-02T15:33:37.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50635 (GCVE-0-2022-50635)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()
I found a null pointer reference in arch_prepare_kprobe():
# echo 'p cmdline_proc_show' > kprobe_events
# echo 'p cmdline_proc_show+16' >> kprobe_events
Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x00000000
Faulting instruction address: 0xc000000000050bfc
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
Modules linked in:
CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10
NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc
REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)
MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 88002444 XER: 20040006
CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0
...
NIP arch_prepare_kprobe+0x10c/0x2d0
LR arch_prepare_kprobe+0xfc/0x2d0
Call Trace:
0xc0000000012f77a0 (unreliable)
register_kprobe+0x3c0/0x7a0
__register_trace_kprobe+0x140/0x1a0
__trace_kprobe_create+0x794/0x1040
trace_probe_create+0xc4/0xe0
create_or_delete_trace_kprobe+0x2c/0x80
trace_parse_run_command+0xf0/0x210
probes_write+0x20/0x40
vfs_write+0xfc/0x450
ksys_write+0x84/0x140
system_call_exception+0x17c/0x3a0
system_call_vectored_common+0xe8/0x278
--- interrupt: 3000 at 0x7fffa5682de0
NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000
REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)
MSR: 900000000280f033 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 44002408 XER: 00000000
The address being probed has some special:
cmdline_proc_show: Probe based on ftrace
cmdline_proc_show+16: Probe for the next instruction at the ftrace location
The ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets
set to NULL. In arch_prepare_kprobe() it will check for:
...
prev = get_kprobe(p->addr - 1);
preempt_enable_no_resched();
if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {
...
If prev is based on ftrace, 'ppc_inst_read(prev->ainsn.insn)' will occur
with a null pointer reference. At this point prev->addr will not be a
prefixed instruction, so the check can be skipped.
Check if prev is ftrace-based kprobe before reading 'prev->ainsn.insn'
to fix this problem.
[mpe: Trim oops]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b4657f7650babc9bfb41ce875abe41b18604a105 , < 7f536a8cb62dd5c084f112373fc34cdb5168a813 (git) |
| Linux | Linux | Affected: b4657f7650babc9bfb41ce875abe41b18604a105 , < 4eac4f6a86ae73ef4b772d37398beeba2fbfde4e (git) |
| Linux | Linux | Affected: b4657f7650babc9bfb41ce875abe41b18604a105 , < 5fd1b369387c53ee6c774ab86e32e362a1e537ac (git) |
| Linux | Linux | Affected: b4657f7650babc9bfb41ce875abe41b18604a105 , < 97f88a3d723162781d6cbfdc7b9617eefab55b19 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/kprobes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f536a8cb62dd5c084f112373fc34cdb5168a813",
"status": "affected",
"version": "b4657f7650babc9bfb41ce875abe41b18604a105",
"versionType": "git"
},
{
"lessThan": "4eac4f6a86ae73ef4b772d37398beeba2fbfde4e",
"status": "affected",
"version": "b4657f7650babc9bfb41ce875abe41b18604a105",
"versionType": "git"
},
{
"lessThan": "5fd1b369387c53ee6c774ab86e32e362a1e537ac",
"status": "affected",
"version": "b4657f7650babc9bfb41ce875abe41b18604a105",
"versionType": "git"
},
{
"lessThan": "97f88a3d723162781d6cbfdc7b9617eefab55b19",
"status": "affected",
"version": "b4657f7650babc9bfb41ce875abe41b18604a105",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/kprobes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()\n\nI found a null pointer reference in arch_prepare_kprobe():\n\n # echo \u0027p cmdline_proc_show\u0027 \u003e kprobe_events\n # echo \u0027p cmdline_proc_show+16\u0027 \u003e\u003e kprobe_events\n Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n BUG: Kernel NULL pointer dereference on read at 0x00000000\n Faulting instruction address: 0xc000000000050bfc\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV\n Modules linked in:\n CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10\n NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc\n REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)\n MSR: 9000000000009033 \u003cSF,HV,EE,ME,IR,DR,RI,LE\u003e CR: 88002444 XER: 20040006\n CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0\n ...\n NIP arch_prepare_kprobe+0x10c/0x2d0\n LR arch_prepare_kprobe+0xfc/0x2d0\n Call Trace:\n 0xc0000000012f77a0 (unreliable)\n register_kprobe+0x3c0/0x7a0\n __register_trace_kprobe+0x140/0x1a0\n __trace_kprobe_create+0x794/0x1040\n trace_probe_create+0xc4/0xe0\n create_or_delete_trace_kprobe+0x2c/0x80\n trace_parse_run_command+0xf0/0x210\n probes_write+0x20/0x40\n vfs_write+0xfc/0x450\n ksys_write+0x84/0x140\n system_call_exception+0x17c/0x3a0\n system_call_vectored_common+0xe8/0x278\n --- interrupt: 3000 at 0x7fffa5682de0\n NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000\n REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)\n MSR: 900000000280f033 \u003cSF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE\u003e CR: 44002408 XER: 00000000\n\nThe address being probed has some special:\n\n cmdline_proc_show: Probe based on ftrace\n cmdline_proc_show+16: Probe for the next instruction at the ftrace location\n\nThe 
ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets\nset to NULL. In arch_prepare_kprobe() it will check for:\n\n ...\n prev = get_kprobe(p-\u003eaddr - 1);\n preempt_enable_no_resched();\n if (prev \u0026\u0026 ppc_inst_prefixed(ppc_inst_read(prev-\u003eainsn.insn))) {\n ...\n\nIf prev is based on ftrace, \u0027ppc_inst_read(prev-\u003eainsn.insn)\u0027 will occur\nwith a null pointer reference. At this point prev-\u003eaddr will not be a\nprefixed instruction, so the check can be skipped.\n\nCheck if prev is ftrace-based kprobe before reading \u0027prev-\u003eainsn.insn\u0027\nto fix this problem.\n\n[mpe: Trim oops]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:08.590Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f536a8cb62dd5c084f112373fc34cdb5168a813"
},
{
"url": "https://git.kernel.org/stable/c/4eac4f6a86ae73ef4b772d37398beeba2fbfde4e"
},
{
"url": "https://git.kernel.org/stable/c/5fd1b369387c53ee6c774ab86e32e362a1e537ac"
},
{
"url": "https://git.kernel.org/stable/c/97f88a3d723162781d6cbfdc7b9617eefab55b19"
}
],
"title": "powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50635",
"datePublished": "2025-12-09T00:00:08.590Z",
"dateReserved": "2025-12-08T23:57:43.370Z",
"dateUpdated": "2025-12-09T00:00:08.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53820 (GCVE-0-2023-53820)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:24 – Updated: 2025-12-23 16:39
Title
loop: loop_set_status_from_info() check before assignment
Summary
In the Linux kernel, the following vulnerability has been resolved:
loop: loop_set_status_from_info() check before assignment
In loop_set_status_from_info(), lo->lo_offset and lo->lo_sizelimit should
be checked before reassignment, because if an overflow error occurs, the
original correct value will be changed to the wrong value, and it will not
be changed back.
Moreover, the original patch did not solve the problem: the value was set and
ioctl returned an error, but the subsequent io used the value in the loop
driver, which still caused an alarm:
loop_handle_cmd
 do_req_filebacked
  loff_t pos = ((loff_t) blk_rq_pos(rq) << 9) + lo->lo_offset;
  lo_rw_aio
   cmd->iocb.ki_pos = pos
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/loop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6bdf4e6dfb60cbb6121ccf027d97ed2ec97c0bcb",
"status": "affected",
"version": "2035c770bfdbcc82bd52e05871a7c82db9529e0f",
"versionType": "git"
},
{
"lessThan": "832580af82ace363205039a8e7c4ef04552ccc1a",
"status": "affected",
"version": "a217715338fd48f72114725aa7a40e484a781ca7",
"versionType": "git"
},
{
"lessThan": "2ea7077748e5d7cc64f1c31342c802fe66ea7426",
"status": "affected",
"version": "13b2856037a651ba3ab4a8b25ecab3e791926da3",
"versionType": "git"
},
{
"lessThan": "861021710bba9dfa0749a3c209a6c1773208b1f1",
"status": "affected",
"version": "b40877b8562c5720d0a7fce20729f56b75a3dede",
"versionType": "git"
},
{
"lessThan": "c79a924ed6afac1708dfd370ba66bcf6a852ced6",
"status": "affected",
"version": "6858933131d0dadac071c4d33335a9ea4b8e76cf",
"versionType": "git"
},
{
"lessThan": "3e7d0968203d668af6036b9f9199c7b62c8a3581",
"status": "affected",
"version": "0455bef69028c65065f16bb04635591b2374249b",
"versionType": "git"
},
{
"lessThan": "4be26d553a3f1d4f54f25353d1496c562002126d",
"status": "affected",
"version": "c490a0b5a4f36da3918181a8acdc6991d967c5f3",
"versionType": "git"
},
{
"lessThan": "258809bf22bf71d53247856f374f2b1d055f2fd4",
"status": "affected",
"version": "c490a0b5a4f36da3918181a8acdc6991d967c5f3",
"versionType": "git"
},
{
"lessThan": "9f6ad5d533d1c71e51bdd06a5712c4fbc8768dfa",
"status": "affected",
"version": "c490a0b5a4f36da3918181a8acdc6991d967c5f3",
"versionType": "git"
},
{
"status": "affected",
"version": "18e28817cb516b39de6281f6db9b0618b2cc7b42",
"versionType": "git"
},
{
"status": "affected",
"version": "adf0112d9b8acb03485624220b4934f69bf13369",
"versionType": "git"
},
{
"status": "affected",
"version": "9be7fa7ead18a48940df7b59d993bbc8b9055c15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/loop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.312",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.274",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.312",
"versionStartIncluding": "4.19.257",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.274",
"versionStartIncluding": "5.4.212",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.10.140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"versionStartIncluding": "5.15.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.327",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.292",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nloop: loop_set_status_from_info() check before assignment\n\nIn loop_set_status_from_info(), lo-\u003elo_offset and lo-\u003elo_sizelimit should\nbe checked before reassignment, because if an overflow error occurs, the\noriginal correct value will be changed to the wrong value, and it will not\nbe changed back.\n\nMore, the original patch did not solve the problem, the value was set and\nioctl returned an error, but the subsequent io used the value in the loop\ndriver, which still caused an alarm:\n\nloop_handle_cmd\n do_req_filebacked\n loff_t pos = ((loff_t) blk_rq_pos(rq) \u003c\u003c 9) + lo-\u003elo_offset;\n lo_rw_aio\n cmd-\u003eiocb.ki_pos = pos"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T16:39:55.361Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6bdf4e6dfb60cbb6121ccf027d97ed2ec97c0bcb"
},
{
"url": "https://git.kernel.org/stable/c/832580af82ace363205039a8e7c4ef04552ccc1a"
},
{
"url": "https://git.kernel.org/stable/c/2ea7077748e5d7cc64f1c31342c802fe66ea7426"
},
{
"url": "https://git.kernel.org/stable/c/861021710bba9dfa0749a3c209a6c1773208b1f1"
},
{
"url": "https://git.kernel.org/stable/c/c79a924ed6afac1708dfd370ba66bcf6a852ced6"
},
{
"url": "https://git.kernel.org/stable/c/3e7d0968203d668af6036b9f9199c7b62c8a3581"
},
{
"url": "https://git.kernel.org/stable/c/4be26d553a3f1d4f54f25353d1496c562002126d"
},
{
"url": "https://git.kernel.org/stable/c/258809bf22bf71d53247856f374f2b1d055f2fd4"
},
{
"url": "https://git.kernel.org/stable/c/9f6ad5d533d1c71e51bdd06a5712c4fbc8768dfa"
}
],
"title": "loop: loop_set_status_from_info() check before assignment",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53820",
"datePublished": "2025-12-09T01:24:29.417Z",
"dateReserved": "2025-12-08T23:58:35.278Z",
"dateUpdated": "2025-12-23T16:39:55.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53797 (GCVE-0-2023-53797)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
HID: wacom: Use ktime_t rather than int when dealing with timestamps
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: wacom: Use ktime_t rather than int when dealing with timestamps
Code which interacts with timestamps needs to use the ktime_t type
returned by functions like ktime_get. The int type does not offer
enough space to store these values, and attempting to use it is a
recipe for problems. In this particular case, overflows would occur
when calculating/storing timestamps leading to incorrect values being
reported to userspace. In some cases these bad timestamps cause input
handling in userspace to appear hung.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/wacom_wac.c",
"drivers/hid/wacom_wac.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99036f1aed7e82773904f5d91a9897bb3e507fd9",
"status": "affected",
"version": "f9e27d4bdb1fe257c1453d02560e3adc3e5b6023",
"versionType": "git"
},
{
"lessThan": "9598a647ecc8f300b0540abf9d3b3439859d163b",
"status": "affected",
"version": "4502ebbdc0e21e44a8a706428e420ae9c1bb9bba",
"versionType": "git"
},
{
"lessThan": "67ce7724637c6adb66f788677cb50b82615de0ac",
"status": "affected",
"version": "5047a228d4c8e2b5d1b856f21a00ecf717945a9c",
"versionType": "git"
},
{
"lessThan": "d89750b19681581796dfbe3689bbb5d439b99b24",
"status": "affected",
"version": "fb98336e23c11e9c8c7dd5425ec71adbbef7f773",
"versionType": "git"
},
{
"lessThan": "bdeaa883b765709f231f47f9d6cc76c837a15396",
"status": "affected",
"version": "694d3e4387bfa69925e075053894385351106e64",
"versionType": "git"
},
{
"lessThan": "d0198363f9108e4adb2511e607ba91e44779e8b1",
"status": "affected",
"version": "17d793f3ed53080dab6bbeabfc82de890c901001",
"versionType": "git"
},
{
"lessThan": "9a6c0e28e215535b2938c61ded54603b4e5814c5",
"status": "affected",
"version": "17d793f3ed53080dab6bbeabfc82de890c901001",
"versionType": "git"
},
{
"status": "affected",
"version": "82a136c35506dc788a6c03ffeb11b10c907b0e26",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/wacom_wac.c",
"drivers/hid/wacom_wac.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.4.243",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.10.180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.120",
"versionStartIncluding": "5.15.112",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.37",
"versionStartIncluding": "6.1.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.11",
"versionStartIncluding": "6.3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.1",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: wacom: Use ktime_t rather than int when dealing with timestamps\n\nCode which interacts with timestamps needs to use the ktime_t type\nreturned by functions like ktime_get. The int type does not offer\nenough space to store these values, and attempting to use it is a\nrecipe for problems. In this particular case, overflows would occur\nwhen calculating/storing timestamps leading to incorrect values being\nreported to userspace. In some cases these bad timestamps cause input\nhandling in userspace to appear hung."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:53.868Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99036f1aed7e82773904f5d91a9897bb3e507fd9"
},
{
"url": "https://git.kernel.org/stable/c/9598a647ecc8f300b0540abf9d3b3439859d163b"
},
{
"url": "https://git.kernel.org/stable/c/67ce7724637c6adb66f788677cb50b82615de0ac"
},
{
"url": "https://git.kernel.org/stable/c/d89750b19681581796dfbe3689bbb5d439b99b24"
},
{
"url": "https://git.kernel.org/stable/c/bdeaa883b765709f231f47f9d6cc76c837a15396"
},
{
"url": "https://git.kernel.org/stable/c/d0198363f9108e4adb2511e607ba91e44779e8b1"
},
{
"url": "https://git.kernel.org/stable/c/9a6c0e28e215535b2938c61ded54603b4e5814c5"
}
],
"title": "HID: wacom: Use ktime_t rather than int when dealing with timestamps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53797",
"datePublished": "2025-12-09T00:00:53.868Z",
"dateReserved": "2025-12-08T23:58:35.275Z",
"dateUpdated": "2025-12-09T00:00:53.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50634 (GCVE-0-2022-50634)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
power: supply: cw2015: Fix potential null-ptr-deref in cw_bat_probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
power: supply: cw2015: Fix potential null-ptr-deref in cw_bat_probe()
cw_bat_probe() calls create_singlethread_workqueue() but does not check the
return value, which may be NULL, so a null-ptr-deref may happen:
cw_bat_probe()
  create_singlethread_workqueue() # failed, cw_bat->wq is NULL
  queue_delayed_work()
    queue_delayed_work_on()
      __queue_delayed_work() # warning here, but continue
        __queue_work() # access wq->flags, null-ptr-deref
Check the return value and return -ENOMEM if it is NULL.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/cw2015_battery.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7e2ba8ed08138102f21f3fe6414498c93177fd8",
"status": "affected",
"version": "b4c7715c10c106a041b0b3fabd26151c214ea394",
"versionType": "git"
},
{
"lessThan": "5150b76aa2eb8bb8feb7f7a048417f9d39c3dd04",
"status": "affected",
"version": "b4c7715c10c106a041b0b3fabd26151c214ea394",
"versionType": "git"
},
{
"lessThan": "97f2b4ddb0aa700d673691a7d5e44d226d22bab7",
"status": "affected",
"version": "b4c7715c10c106a041b0b3fabd26151c214ea394",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/cw2015_battery.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: cw2015: Fix potential null-ptr-deref in cw_bat_probe()\n\ncw_bat_probe() calls create_singlethread_workqueue() and not checked the\nret value, which may return NULL. And a null-ptr-deref may happen:\n\ncw_bat_probe()\n create_singlethread_workqueue() # failed, cw_bat-\u003ewq is NULL\n queue_delayed_work()\n queue_delayed_work_on()\n __queue_delayed_work() # warning here, but continue\n __queue_work() # access wq-\u003eflags, null-ptr-deref\n\nCheck the ret value and return -ENOMEM if it is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:06.318Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7e2ba8ed08138102f21f3fe6414498c93177fd8"
},
{
"url": "https://git.kernel.org/stable/c/5150b76aa2eb8bb8feb7f7a048417f9d39c3dd04"
},
{
"url": "https://git.kernel.org/stable/c/97f2b4ddb0aa700d673691a7d5e44d226d22bab7"
}
],
"title": "power: supply: cw2015: Fix potential null-ptr-deref in cw_bat_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50634",
"datePublished": "2025-12-09T00:00:06.318Z",
"dateReserved": "2025-12-08T23:57:43.369Z",
"dateUpdated": "2025-12-09T00:00:06.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53793 (GCVE-0-2023-53793)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
perf tool x86: Fix perf_env memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf tool x86: Fix perf_env memory leak
Found by leak sanitizer:
```
==1632594==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 21 byte(s) in 1 object(s) allocated from:
#0 0x7f2953a7077b in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:439
#1 0x556701d6fbbf in perf_env__read_cpuid util/env.c:369
#2 0x556701d70589 in perf_env__cpuid util/env.c:465
#3 0x55670204bba2 in x86__is_amd_cpu arch/x86/util/env.c:14
#4 0x5567020487a2 in arch__post_evsel_config arch/x86/util/evsel.c:83
#5 0x556701d8f78b in evsel__config util/evsel.c:1366
#6 0x556701ef5872 in evlist__config util/record.c:108
#7 0x556701cd6bcd in test__PERF_RECORD tests/perf-record.c:112
#8 0x556701cacd07 in run_test tests/builtin-test.c:236
#9 0x556701cacfac in test_and_print tests/builtin-test.c:265
#10 0x556701cadddb in __cmd_test tests/builtin-test.c:402
#11 0x556701caf2aa in cmd_test tests/builtin-test.c:559
#12 0x556701d3b557 in run_builtin tools/perf/perf.c:323
#13 0x556701d3bac8 in handle_internal_command tools/perf/perf.c:377
#14 0x556701d3be90 in run_argv tools/perf/perf.c:421
#15 0x556701d3c3f8 in main tools/perf/perf.c:537
#16 0x7f2952a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: 21 byte(s) leaked in 1 allocation(s).
```
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"tools/perf/arch/x86/util/env.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "75d65c1cc439606ada882755fd205d13c2c7907d",
"status": "affected",
"version": "f7b58cbdb3ff36eba8622e67eee66c10dd1c9995",
"versionType": "git"
},
{
"lessThan": "010139bfc6bb9ddab81dbc2cf71cd3a9c28adc7f",
"status": "affected",
"version": "f7b58cbdb3ff36eba8622e67eee66c10dd1c9995",
"versionType": "git"
},
{
"lessThan": "f3daf02a41e3c11e1a473517a8a6169248fb8e7b",
"status": "affected",
"version": "f7b58cbdb3ff36eba8622e67eee66c10dd1c9995",
"versionType": "git"
},
{
"lessThan": "99d4850062a84564f36923764bb93935ef2ed108",
"status": "affected",
"version": "f7b58cbdb3ff36eba8622e67eee66c10dd1c9995",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"tools/perf/arch/x86/util/env.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf tool x86: Fix perf_env memory leak\n\nFound by leak sanitizer:\n```\n==1632594==ERROR: LeakSanitizer: detected memory leaks\n\nDirect leak of 21 byte(s) in 1 object(s) allocated from:\n #0 0x7f2953a7077b in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:439\n #1 0x556701d6fbbf in perf_env__read_cpuid util/env.c:369\n #2 0x556701d70589 in perf_env__cpuid util/env.c:465\n #3 0x55670204bba2 in x86__is_amd_cpu arch/x86/util/env.c:14\n #4 0x5567020487a2 in arch__post_evsel_config arch/x86/util/evsel.c:83\n #5 0x556701d8f78b in evsel__config util/evsel.c:1366\n #6 0x556701ef5872 in evlist__config util/record.c:108\n #7 0x556701cd6bcd in test__PERF_RECORD tests/perf-record.c:112\n #8 0x556701cacd07 in run_test tests/builtin-test.c:236\n #9 0x556701cacfac in test_and_print tests/builtin-test.c:265\n #10 0x556701cadddb in __cmd_test tests/builtin-test.c:402\n #11 0x556701caf2aa in cmd_test tests/builtin-test.c:559\n #12 0x556701d3b557 in run_builtin tools/perf/perf.c:323\n #13 0x556701d3bac8 in handle_internal_command tools/perf/perf.c:377\n #14 0x556701d3be90 in run_argv tools/perf/perf.c:421\n #15 0x556701d3c3f8 in main tools/perf/perf.c:537\n #16 0x7f2952a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n\nSUMMARY: AddressSanitizer: 21 byte(s) leaked in 1 allocation(s).\n```"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:50.132Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/75d65c1cc439606ada882755fd205d13c2c7907d"
},
{
"url": "https://git.kernel.org/stable/c/010139bfc6bb9ddab81dbc2cf71cd3a9c28adc7f"
},
{
"url": "https://git.kernel.org/stable/c/f3daf02a41e3c11e1a473517a8a6169248fb8e7b"
},
{
"url": "https://git.kernel.org/stable/c/99d4850062a84564f36923764bb93935ef2ed108"
}
],
"title": "perf tool x86: Fix perf_env memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53793",
"datePublished": "2025-12-09T00:00:50.132Z",
"dateReserved": "2025-12-08T23:58:35.274Z",
"dateUpdated": "2025-12-09T00:00:50.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50662 (GCVE-0-2022-50662)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
RDMA/hns: fix memory leak in hns_roce_alloc_mr()
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/hns: fix memory leak in hns_roce_alloc_mr()
When hns_roce_mr_enable() failed in hns_roce_alloc_mr(), mr_key is not
released. Compiled test only.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hns/hns_roce_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "164fa80330a81db67c26d10d071083941d29a510",
"status": "affected",
"version": "9b2cf76c9f052987ae5c4ad450ebebdc7c5d7b87",
"versionType": "git"
},
{
"lessThan": "35f9cd060e68ff910e49bf37b1b0d336a311849a",
"status": "affected",
"version": "9b2cf76c9f052987ae5c4ad450ebebdc7c5d7b87",
"versionType": "git"
},
{
"lessThan": "fd32e378bc1dea0d48767adf2bbb478581bb0a95",
"status": "affected",
"version": "9b2cf76c9f052987ae5c4ad450ebebdc7c5d7b87",
"versionType": "git"
},
{
"lessThan": "fc2c43bf41c89e7451fe750025ae55eb2e2a741d",
"status": "affected",
"version": "9b2cf76c9f052987ae5c4ad450ebebdc7c5d7b87",
"versionType": "git"
},
{
"lessThan": "a115aa00b18f7b8982b8f458149632caf64a862a",
"status": "affected",
"version": "9b2cf76c9f052987ae5c4ad450ebebdc7c5d7b87",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hns/hns_roce_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: fix memory leak in hns_roce_alloc_mr()\n\nWhen hns_roce_mr_enable() failed in hns_roce_alloc_mr(), mr_key is not\nreleased. Compiled test only."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:10.614Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/164fa80330a81db67c26d10d071083941d29a510"
},
{
"url": "https://git.kernel.org/stable/c/35f9cd060e68ff910e49bf37b1b0d336a311849a"
},
{
"url": "https://git.kernel.org/stable/c/fd32e378bc1dea0d48767adf2bbb478581bb0a95"
},
{
"url": "https://git.kernel.org/stable/c/fc2c43bf41c89e7451fe750025ae55eb2e2a741d"
},
{
"url": "https://git.kernel.org/stable/c/a115aa00b18f7b8982b8f458149632caf64a862a"
}
],
"title": "RDMA/hns: fix memory leak in hns_roce_alloc_mr()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50662",
"datePublished": "2025-12-09T01:29:10.614Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-09T01:29:10.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50670 (GCVE-0-2022-50670)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
mmc: omap_hsmmc: fix return value check of mmc_add_host()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: omap_hsmmc: fix return value check of mmc_add_host()
mmc_add_host() may return an error; if we ignore its return value,
it will lead to two issues:
1. The memory allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to
delete the device, but it's not added yet, which will lead to a kernel
crash because of a null-ptr-deref in device_del().
Fix this by checking the return value and going to the error path, which
will call mmc_free_host().
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a45c6cb816474cefe56059fce422a9bdcd77e0dc, < f153c9e15f8961bdf38707853e15b42ea7c691d9 (git) |
| Linux | Linux | Affected: a45c6cb816474cefe56059fce422a9bdcd77e0dc, < fb3d596267a98813a7a8206097d8d46c98505a0d (git) |
| Linux | Linux | Affected: a45c6cb816474cefe56059fce422a9bdcd77e0dc, < 62005dfcc396424db3337a1dc3ab49623537f5e5 (git) |
| Linux | Linux | Affected: a45c6cb816474cefe56059fce422a9bdcd77e0dc, < a5f8a4583280a76e50329b910e91ef1dea1e6c79 (git) |
| Linux | Linux | Affected: a45c6cb816474cefe56059fce422a9bdcd77e0dc, < 4e1dc24bcfc8257f24c0663badec7e4f3ae80558 (git) |
| Linux | Linux | Affected: a45c6cb816474cefe56059fce422a9bdcd77e0dc, < a525cad241c339ca00bf7ebf03c5180f2a9b767c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/omap_hsmmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f153c9e15f8961bdf38707853e15b42ea7c691d9",
"status": "affected",
"version": "a45c6cb816474cefe56059fce422a9bdcd77e0dc",
"versionType": "git"
},
{
"lessThan": "fb3d596267a98813a7a8206097d8d46c98505a0d",
"status": "affected",
"version": "a45c6cb816474cefe56059fce422a9bdcd77e0dc",
"versionType": "git"
},
{
"lessThan": "62005dfcc396424db3337a1dc3ab49623537f5e5",
"status": "affected",
"version": "a45c6cb816474cefe56059fce422a9bdcd77e0dc",
"versionType": "git"
},
{
"lessThan": "a5f8a4583280a76e50329b910e91ef1dea1e6c79",
"status": "affected",
"version": "a45c6cb816474cefe56059fce422a9bdcd77e0dc",
"versionType": "git"
},
{
"lessThan": "4e1dc24bcfc8257f24c0663badec7e4f3ae80558",
"status": "affected",
"version": "a45c6cb816474cefe56059fce422a9bdcd77e0dc",
"versionType": "git"
},
{
"lessThan": "a525cad241c339ca00bf7ebf03c5180f2a9b767c",
"status": "affected",
"version": "a45c6cb816474cefe56059fce422a9bdcd77e0dc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/omap_hsmmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: omap_hsmmc: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value,\nit will lead two issues:\n1. The memory that allocated in mmc_alloc_host() is leaked.\n2. In the remove() path, mmc_remove_host() will be called to\n delete device, but it\u0027s not added yet, it will lead a kernel\n crash because of null-ptr-deref in device_del().\n\nFix this by checking the return value and goto error path wihch\nwill call mmc_free_host()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:21.864Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f153c9e15f8961bdf38707853e15b42ea7c691d9"
},
{
"url": "https://git.kernel.org/stable/c/fb3d596267a98813a7a8206097d8d46c98505a0d"
},
{
"url": "https://git.kernel.org/stable/c/62005dfcc396424db3337a1dc3ab49623537f5e5"
},
{
"url": "https://git.kernel.org/stable/c/a5f8a4583280a76e50329b910e91ef1dea1e6c79"
},
{
"url": "https://git.kernel.org/stable/c/4e1dc24bcfc8257f24c0663badec7e4f3ae80558"
},
{
"url": "https://git.kernel.org/stable/c/a525cad241c339ca00bf7ebf03c5180f2a9b767c"
}
],
"title": "mmc: omap_hsmmc: fix return value check of mmc_add_host()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50670",
"datePublished": "2025-12-09T01:29:21.864Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-09T01:29:21.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50654 (GCVE-0-2022-50654)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
bpf: Fix panic due to wrong pageattr of im->image
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix panic due to wrong pageattr of im->image
In the scenario where livepatch and kretfunc coexist, the pageattr of
im->image is rox after arch_prepare_bpf_trampoline in
bpf_trampoline_update, and then modify_fentry or register_fentry returns
-EAGAIN from bpf_tramp_ftrace_ops_func, the BPF_TRAMP_F_ORIG_STACK flag
will be configured, and arch_prepare_bpf_trampoline will be re-executed.
At this time, because the pageattr of im->image is rox,
arch_prepare_bpf_trampoline will read and write im->image, which causes
a fault, as follows:
insmod livepatch-sample.ko # samples/livepatch/livepatch-sample.c
bpftrace -e 'kretfunc:cmdline_proc_show {}'
BUG: unable to handle page fault for address: ffffffffa0206000
PGD 322d067 P4D 322d067 PUD 322e063 PMD 1297e067 PTE d428061
Oops: 0003 [#1] PREEMPT SMP PTI
CPU: 2 PID: 270 Comm: bpftrace Tainted: G E K 6.1.0 #5
RIP: 0010:arch_prepare_bpf_trampoline+0xed/0x8c0
RSP: 0018:ffffc90001083ad8 EFLAGS: 00010202
RAX: ffffffffa0206000 RBX: 0000000000000020 RCX: 0000000000000000
RDX: ffffffffa0206001 RSI: ffffffffa0206000 RDI: 0000000000000030
RBP: ffffc90001083b70 R08: 0000000000000066 R09: ffff88800f51b400
R10: 000000002e72c6e5 R11: 00000000d0a15080 R12: ffff8880110a68c8
R13: 0000000000000000 R14: ffff88800f51b400 R15: ffffffff814fec10
FS: 00007f87bc0dc780(0000) GS:ffff88803e600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffa0206000 CR3: 0000000010b70000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bpf_trampoline_update+0x25a/0x6b0
__bpf_trampoline_link_prog+0x101/0x240
bpf_trampoline_link_prog+0x2d/0x50
bpf_tracing_prog_attach+0x24c/0x530
bpf_raw_tp_link_attach+0x73/0x1d0
__sys_bpf+0x100e/0x2570
__x64_sys_bpf+0x1c/0x30
do_syscall_64+0x5b/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
With this patch, when modify_fentry or register_fentry returns -EAGAIN
from bpf_tramp_ftrace_ops_func, the pageattr of im->image will be reset
to nx+rw.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 00963a2e75a872e5fce4d0115ac2786ec86b57a6, < d9d383cbf812a3b4094c089aa5f5d41a3bb4531d (git) |
| Linux | Linux | Affected: 00963a2e75a872e5fce4d0115ac2786ec86b57a6, < 7f656fff955ccb216c40fa188a24c05fa40985a5 (git) |
| Linux | Linux | Affected: 00963a2e75a872e5fce4d0115ac2786ec86b57a6, < 9ed1d9aeef5842ecacb660fce933613b58af1e00 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/trampoline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d9d383cbf812a3b4094c089aa5f5d41a3bb4531d",
"status": "affected",
"version": "00963a2e75a872e5fce4d0115ac2786ec86b57a6",
"versionType": "git"
},
{
"lessThan": "7f656fff955ccb216c40fa188a24c05fa40985a5",
"status": "affected",
"version": "00963a2e75a872e5fce4d0115ac2786ec86b57a6",
"versionType": "git"
},
{
"lessThan": "9ed1d9aeef5842ecacb660fce933613b58af1e00",
"status": "affected",
"version": "00963a2e75a872e5fce4d0115ac2786ec86b57a6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/trampoline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix panic due to wrong pageattr of im-\u003eimage\n\nIn the scenario where livepatch and kretfunc coexist, the pageattr of\nim-\u003eimage is rox after arch_prepare_bpf_trampoline in\nbpf_trampoline_update, and then modify_fentry or register_fentry returns\n-EAGAIN from bpf_tramp_ftrace_ops_func, the BPF_TRAMP_F_ORIG_STACK flag\nwill be configured, and arch_prepare_bpf_trampoline will be re-executed.\n\nAt this time, because the pageattr of im-\u003eimage is rox,\narch_prepare_bpf_trampoline will read and write im-\u003eimage, which causes\na fault. as follows:\n\n insmod livepatch-sample.ko # samples/livepatch/livepatch-sample.c\n bpftrace -e \u0027kretfunc:cmdline_proc_show {}\u0027\n\nBUG: unable to handle page fault for address: ffffffffa0206000\nPGD 322d067 P4D 322d067 PUD 322e063 PMD 1297e067 PTE d428061\nOops: 0003 [#1] PREEMPT SMP PTI\nCPU: 2 PID: 270 Comm: bpftrace Tainted: G E K 6.1.0 #5\nRIP: 0010:arch_prepare_bpf_trampoline+0xed/0x8c0\nRSP: 0018:ffffc90001083ad8 EFLAGS: 00010202\nRAX: ffffffffa0206000 RBX: 0000000000000020 RCX: 0000000000000000\nRDX: ffffffffa0206001 RSI: ffffffffa0206000 RDI: 0000000000000030\nRBP: ffffc90001083b70 R08: 0000000000000066 R09: ffff88800f51b400\nR10: 000000002e72c6e5 R11: 00000000d0a15080 R12: ffff8880110a68c8\nR13: 0000000000000000 R14: ffff88800f51b400 R15: ffffffff814fec10\nFS: 00007f87bc0dc780(0000) GS:ffff88803e600000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffa0206000 CR3: 0000000010b70000 CR4: 00000000000006e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\n bpf_trampoline_update+0x25a/0x6b0\n __bpf_trampoline_link_prog+0x101/0x240\n bpf_trampoline_link_prog+0x2d/0x50\n bpf_tracing_prog_attach+0x24c/0x530\n bpf_raw_tp_link_attach+0x73/0x1d0\n 
__sys_bpf+0x100e/0x2570\n __x64_sys_bpf+0x1c/0x30\n do_syscall_64+0x5b/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nWith this patch, when modify_fentry or register_fentry returns -EAGAIN\nfrom bpf_tramp_ftrace_ops_func, the pageattr of im-\u003eimage will be reset\nto nx+rw."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:28.878Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d9d383cbf812a3b4094c089aa5f5d41a3bb4531d"
},
{
"url": "https://git.kernel.org/stable/c/7f656fff955ccb216c40fa188a24c05fa40985a5"
},
{
"url": "https://git.kernel.org/stable/c/9ed1d9aeef5842ecacb660fce933613b58af1e00"
}
],
"title": "bpf: Fix panic due to wrong pageattr of im-\u003eimage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50654",
"datePublished": "2025-12-09T00:00:28.878Z",
"dateReserved": "2025-12-08T23:57:43.372Z",
"dateUpdated": "2025-12-09T00:00:28.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53829 (GCVE-0-2023-53829)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-20 08:51
Title
f2fs: flush inode if atomic file is aborted
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: flush inode if atomic file is aborted
Let's flush the inode being aborted atomic operation to avoid stale dirty
inode during eviction in this call stack:
f2fs_mark_inode_dirty_sync+0x22/0x40 [f2fs]
f2fs_abort_atomic_write+0xc4/0xf0 [f2fs]
f2fs_evict_inode+0x3f/0x690 [f2fs]
? sugov_start+0x140/0x140
evict+0xc3/0x1c0
evict_inodes+0x17b/0x210
generic_shutdown_super+0x32/0x120
kill_block_super+0x21/0x50
deactivate_locked_super+0x31/0x90
cleanup_mnt+0x100/0x160
task_work_run+0x59/0x90
do_exit+0x33b/0xa50
do_group_exit+0x2d/0x80
__x64_sys_exit_group+0x14/0x20
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
This triggers f2fs_bug_on() in f2fs_evict_inode:
f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE));
This fixes the syzbot report:
loop0: detected capacity change from 0 to 131072
F2FS-fs (loop0): invalid crc value
F2FS-fs (loop0): Found nat_bits in checkpoint
F2FS-fs (loop0): Mounted with checkpoint version = 48b305e4
------------[ cut here ]------------
kernel BUG at fs/f2fs/inode.c:869!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5014 Comm: syz-executor220 Not tainted 6.4.0-syzkaller-11479-g6cd06ab12d1a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
RIP: 0010:f2fs_evict_inode+0x172d/0x1e00 fs/f2fs/inode.c:869
Code: ff df 48 c1 ea 03 80 3c 02 00 0f 85 6a 06 00 00 8b 75 40 ba 01 00 00 00 4c 89 e7 e8 6d ce 06 00 e9 aa fc ff ff e8 63 22 e2 fd <0f> 0b e8 5c 22 e2 fd 48 c7 c0 a8 3a 18 8d 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc90003a6fa00 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff8880273b8000 RSI: ffffffff83a2bd0d RDI: 0000000000000007
RBP: ffff888077db91b0 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff888029a3c000
R13: ffff888077db9660 R14: ffff888029a3c0b8 R15: ffff888077db9c50
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1909bb9000 CR3: 00000000276a9000 CR4: 0000000000350ef0
Call Trace:
<TASK>
evict+0x2ed/0x6b0 fs/inode.c:665
dispose_list+0x117/0x1e0 fs/inode.c:698
evict_inodes+0x345/0x440 fs/inode.c:748
generic_shutdown_super+0xaf/0x480 fs/super.c:478
kill_block_super+0x64/0xb0 fs/super.c:1417
kill_f2fs_super+0x2af/0x3c0 fs/f2fs/super.c:4704
deactivate_locked_super+0x98/0x160 fs/super.c:330
deactivate_super+0xb1/0xd0 fs/super.c:361
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1254
task_work_run+0x16f/0x270 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa9a/0x29a0 kernel/exit.c:874
do_group_exit+0xd4/0x2a0 kernel/exit.c:1024
__do_sys_exit_group kernel/exit.c:1035 [inline]
__se_sys_exit_group kernel/exit.c:1033 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1033
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f309be71a09
Code: Unable to access opcode bytes at 0x7f309be719df.
RSP: 002b:00007fff171df518 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f309bef7330 RCX: 00007f309be71a09
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007f309bef1e40
R10: 0000000000010600 R11: 0000000000000246 R12: 00007f309bef7330
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:f2fs_evict_inode+0x172d/0x1e00 fs/f2fs/inode.c:869
Code: ff df 48 c1 ea 03 80 3c 02 00 0f 85 6a 06 00 00 8b 75 40 ba 01 00 00 00 4c 89 e7 e8 6d ce 06 00 e9 aa fc ff ff e8 63 22 e2 fd <0f> 0b e8 5c 22 e2 fd 48 c7 c0 a8 3a 18 8d 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc90003a6fa00 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000
---truncated---
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4, < 1c64dbe8fa3552a340bca6d7fa09468c16ed2a85 (git) |
| Linux | Linux | Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4, < bfa7853bb47fee0c17030b377c98cf4ede47ba33 (git) |
| Linux | Linux | Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4, < a3ab55746612247ce3dcaac6de66f5ffc055b9df (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/segment.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1c64dbe8fa3552a340bca6d7fa09468c16ed2a85",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "bfa7853bb47fee0c17030b377c98cf4ede47ba33",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "a3ab55746612247ce3dcaac6de66f5ffc055b9df",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/segment.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: flush inode if atomic file is aborted\n\nLet\u0027s flush the inode being aborted atomic operation to avoid stale dirty\ninode during eviction in this call stack:\n\n f2fs_mark_inode_dirty_sync+0x22/0x40 [f2fs]\n f2fs_abort_atomic_write+0xc4/0xf0 [f2fs]\n f2fs_evict_inode+0x3f/0x690 [f2fs]\n ? sugov_start+0x140/0x140\n evict+0xc3/0x1c0\n evict_inodes+0x17b/0x210\n generic_shutdown_super+0x32/0x120\n kill_block_super+0x21/0x50\n deactivate_locked_super+0x31/0x90\n cleanup_mnt+0x100/0x160\n task_work_run+0x59/0x90\n do_exit+0x33b/0xa50\n do_group_exit+0x2d/0x80\n __x64_sys_exit_group+0x14/0x20\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThis triggers f2fs_bug_on() in f2fs_evict_inode:\n f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE));\n\nThis fixes the syzbot report:\n\nloop0: detected capacity change from 0 to 131072\nF2FS-fs (loop0): invalid crc value\nF2FS-fs (loop0): Found nat_bits in checkpoint\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/inode.c:869!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 0 PID: 5014 Comm: syz-executor220 Not tainted 6.4.0-syzkaller-11479-g6cd06ab12d1a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nRIP: 0010:f2fs_evict_inode+0x172d/0x1e00 fs/f2fs/inode.c:869\nCode: ff df 48 c1 ea 03 80 3c 02 00 0f 85 6a 06 00 00 8b 75 40 ba 01 00 00 00 4c 89 e7 e8 6d ce 06 00 e9 aa fc ff ff e8 63 22 e2 fd \u003c0f\u003e 0b e8 5c 22 e2 fd 48 c7 c0 a8 3a 18 8d 48 ba 00 00 00 00 00 fc\nRSP: 0018:ffffc90003a6fa00 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000\nRDX: ffff8880273b8000 RSI: ffffffff83a2bd0d RDI: 0000000000000007\nRBP: ffff888077db91b0 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffff888029a3c000\nR13: 
ffff888077db9660 R14: ffff888029a3c0b8 R15: ffff888077db9c50\nFS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1909bb9000 CR3: 00000000276a9000 CR4: 0000000000350ef0\nCall Trace:\n \u003cTASK\u003e\n evict+0x2ed/0x6b0 fs/inode.c:665\n dispose_list+0x117/0x1e0 fs/inode.c:698\n evict_inodes+0x345/0x440 fs/inode.c:748\n generic_shutdown_super+0xaf/0x480 fs/super.c:478\n kill_block_super+0x64/0xb0 fs/super.c:1417\n kill_f2fs_super+0x2af/0x3c0 fs/f2fs/super.c:4704\n deactivate_locked_super+0x98/0x160 fs/super.c:330\n deactivate_super+0xb1/0xd0 fs/super.c:361\n cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1254\n task_work_run+0x16f/0x270 kernel/task_work.c:179\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0xa9a/0x29a0 kernel/exit.c:874\n do_group_exit+0xd4/0x2a0 kernel/exit.c:1024\n __do_sys_exit_group kernel/exit.c:1035 [inline]\n __se_sys_exit_group kernel/exit.c:1033 [inline]\n __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1033\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f309be71a09\nCode: Unable to access opcode bytes at 0x7f309be719df.\nRSP: 002b:00007fff171df518 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f309bef7330 RCX: 00007f309be71a09\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001\nRBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007f309bef1e40\nR10: 0000000000010600 R11: 0000000000000246 R12: 00007f309bef7330\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n \u003c/TASK\u003e\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:f2fs_evict_inode+0x172d/0x1e00 fs/f2fs/inode.c:869\nCode: ff df 48 c1 ea 03 80 3c 02 00 0f 85 6a 06 00 00 8b 75 40 ba 01 00 00 00 4c 89 e7 e8 6d ce 06 00 e9 aa fc ff ff e8 63 22 e2 fd \u003c0f\u003e 0b e8 5c 22 e2 fd 48 c7 c0 a8 3a 
18 8d 48 ba 00 00 00 00 00 fc\nRSP: 0018:ffffc90003a6fa00 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:28.897Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1c64dbe8fa3552a340bca6d7fa09468c16ed2a85"
},
{
"url": "https://git.kernel.org/stable/c/bfa7853bb47fee0c17030b377c98cf4ede47ba33"
},
{
"url": "https://git.kernel.org/stable/c/a3ab55746612247ce3dcaac6de66f5ffc055b9df"
}
],
"title": "f2fs: flush inode if atomic file is aborted",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53829",
"datePublished": "2025-12-09T01:29:43.645Z",
"dateReserved": "2025-12-09T01:27:17.825Z",
"dateUpdated": "2025-12-20T08:51:28.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53852 (GCVE-0-2023-53852)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
nvme-core: fix memory leak in dhchap_secret_store
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-core: fix memory leak in dhchap_secret_store
Free dhchap_secret in nvme_ctrl_dhchap_secret_store() before we return.
This fixes the following kmemleak report:
unreferenced object 0xffff8886376ea800 (size 64):
comm "check", pid 22048, jiffies 4344316705 (age 92.199s)
hex dump (first 32 bytes):
44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg
75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL
backtrace:
[<0000000030ce5d4b>] __kmalloc+0x4b/0x130
[<000000009be1cdc1>] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core]
[<00000000ac06c96a>] kernfs_fop_write_iter+0x12b/0x1c0
[<00000000437e7ced>] vfs_write+0x2ba/0x3c0
[<00000000f9491baf>] ksys_write+0x5f/0xe0
[<000000001c46513d>] do_syscall_64+0x3b/0x90
[<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
unreferenced object 0xffff8886376eaf00 (size 64):
comm "check", pid 22048, jiffies 4344316736 (age 92.168s)
hex dump (first 32 bytes):
44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg
75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL
backtrace:
[<0000000030ce5d4b>] __kmalloc+0x4b/0x130
[<000000009be1cdc1>] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core]
[<00000000ac06c96a>] kernfs_fop_write_iter+0x12b/0x1c0
[<00000000437e7ced>] vfs_write+0x2ba/0x3c0
[<00000000f9491baf>] ksys_write+0x5f/0xe0
[<000000001c46513d>] do_syscall_64+0x3b/0x90
[<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea, < 2e9b141307554521d60fecf6bf1d2edc8dd0181d (git) |
| Linux | Linux | Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea, < c41ac086d2abaf7527a5685f9c0a1c209ab7e0aa (git) |
| Linux | Linux | Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea, < 6a5eda5017959541ab82c5d56bcf784b8294e298 (git) |
| Linux | Linux | Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea, < a836ca33c5b07d34dd5347af9f64d25651d12674 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e9b141307554521d60fecf6bf1d2edc8dd0181d",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "c41ac086d2abaf7527a5685f9c0a1c209ab7e0aa",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "6a5eda5017959541ab82c5d56bcf784b8294e298",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "a836ca33c5b07d34dd5347af9f64d25651d12674",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-core: fix memory leak in dhchap_secret_store\n\nFree dhchap_secret in nvme_ctrl_dhchap_secret_store() before we return\nfix following kmemleack:-\n\nunreferenced object 0xffff8886376ea800 (size 64):\n comm \"check\", pid 22048, jiffies 4344316705 (age 92.199s)\n hex dump (first 32 bytes):\n 44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg\n 75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL\n backtrace:\n [\u003c0000000030ce5d4b\u003e] __kmalloc+0x4b/0x130\n [\u003c000000009be1cdc1\u003e] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core]\n [\u003c00000000ac06c96a\u003e] kernfs_fop_write_iter+0x12b/0x1c0\n [\u003c00000000437e7ced\u003e] vfs_write+0x2ba/0x3c0\n [\u003c00000000f9491baf\u003e] ksys_write+0x5f/0xe0\n [\u003c000000001c46513d\u003e] do_syscall_64+0x3b/0x90\n [\u003c00000000ecf348fe\u003e] entry_SYSCALL_64_after_hwframe+0x72/0xdc\nunreferenced object 0xffff8886376eaf00 (size 64):\n comm \"check\", pid 22048, jiffies 4344316736 (age 92.168s)\n hex dump (first 32 bytes):\n 44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg\n 75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL\n backtrace:\n [\u003c0000000030ce5d4b\u003e] __kmalloc+0x4b/0x130\n [\u003c000000009be1cdc1\u003e] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core]\n [\u003c00000000ac06c96a\u003e] kernfs_fop_write_iter+0x12b/0x1c0\n [\u003c00000000437e7ced\u003e] vfs_write+0x2ba/0x3c0\n [\u003c00000000f9491baf\u003e] ksys_write+0x5f/0xe0\n [\u003c000000001c46513d\u003e] do_syscall_64+0x3b/0x90\n [\u003c00000000ecf348fe\u003e] entry_SYSCALL_64_after_hwframe+0x72/0xdc"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:17.449Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e9b141307554521d60fecf6bf1d2edc8dd0181d"
},
{
"url": "https://git.kernel.org/stable/c/c41ac086d2abaf7527a5685f9c0a1c209ab7e0aa"
},
{
"url": "https://git.kernel.org/stable/c/6a5eda5017959541ab82c5d56bcf784b8294e298"
},
{
"url": "https://git.kernel.org/stable/c/a836ca33c5b07d34dd5347af9f64d25651d12674"
}
],
"title": "nvme-core: fix memory leak in dhchap_secret_store",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53852",
"datePublished": "2025-12-09T01:30:17.449Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2025-12-09T01:30:17.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53794 (GCVE-0-2023-53794)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2026-01-05 10:32
Title
cifs: fix session state check in reconnect to avoid use-after-free issue
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix session state check in reconnect to avoid use-after-free issue
Don't collect exiting session in smb2_reconnect_server(), because it
will be released soon.
Note that the exiting session will stay in server->smb_ses_list until
it completes the cifs_free_ipc() and logoff() and then deletes itself
from the list.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4fcd1813e6404dd4420c7d12fb483f9320f0bf93 , < 7e4f5c3f01fb0e51ca438e43262d858daf9a0a76 (git) |
| Linux | Linux | Affected: 4fcd1813e6404dd4420c7d12fb483f9320f0bf93 , < 759ffc164d95a32c09528766d74d9b4fb054e8f4 (git) |
| Linux | Linux | Affected: 4fcd1813e6404dd4420c7d12fb483f9320f0bf93 , < 99f280700b4cc02d5f141b8d15f8e9fad0418f65 (git) |
| Linux | Linux | Affected: 655e0c067f0e02ece03fd0591dabe3db2ae27552 (git) |
| Linux | Linux | Affected: 875cc09c0767a4ac06b57af383709657f98b3ea1 (git) |
| Linux | Linux | Affected: 599fe1409085059ba12a2c3897c853be9fa9e7cf (git) |
| Linux | Linux | Affected: 2e4378ee60049b752c9dce16f62ce6fbd11b379a (git) |
| Linux | Linux | Affected: 59b520454b323ec43b2ae757217332cea33091e0 (git) |
| Linux | Linux | Affected: e20c888e2b3576e5f498c167729d274ef60b86f8 (git) |
| Linux | Linux | Affected: 4ce7aa4e44d88ce64ea8ae2337b8910f3670b0ba (git) |
| Linux | Linux | Affected: 419fad68e4c4135ff9859e9214dd6cf954413ca1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e4f5c3f01fb0e51ca438e43262d858daf9a0a76",
"status": "affected",
"version": "4fcd1813e6404dd4420c7d12fb483f9320f0bf93",
"versionType": "git"
},
{
"lessThan": "759ffc164d95a32c09528766d74d9b4fb054e8f4",
"status": "affected",
"version": "4fcd1813e6404dd4420c7d12fb483f9320f0bf93",
"versionType": "git"
},
{
"lessThan": "99f280700b4cc02d5f141b8d15f8e9fad0418f65",
"status": "affected",
"version": "4fcd1813e6404dd4420c7d12fb483f9320f0bf93",
"versionType": "git"
},
{
"status": "affected",
"version": "655e0c067f0e02ece03fd0591dabe3db2ae27552",
"versionType": "git"
},
{
"status": "affected",
"version": "875cc09c0767a4ac06b57af383709657f98b3ea1",
"versionType": "git"
},
{
"status": "affected",
"version": "599fe1409085059ba12a2c3897c853be9fa9e7cf",
"versionType": "git"
},
{
"status": "affected",
"version": "2e4378ee60049b752c9dce16f62ce6fbd11b379a",
"versionType": "git"
},
{
"status": "affected",
"version": "59b520454b323ec43b2ae757217332cea33091e0",
"versionType": "git"
},
{
"status": "affected",
"version": "e20c888e2b3576e5f498c167729d274ef60b86f8",
"versionType": "git"
},
{
"status": "affected",
"version": "4ce7aa4e44d88ce64ea8ae2337b8910f3670b0ba",
"versionType": "git"
},
{
"status": "affected",
"version": "419fad68e4c4135ff9859e9214dd6cf954413ca1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix session state check in reconnect to avoid use-after-free issue\n\nDon\u0027t collect exiting session in smb2_reconnect_server(), because it\nwill be released soon.\n\nNote that the exiting session will stay in server-\u003esmb_ses_list until\nit complete the cifs_free_ipc() and logoff() and then delete itself\nfrom the list."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:55.035Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e4f5c3f01fb0e51ca438e43262d858daf9a0a76"
},
{
"url": "https://git.kernel.org/stable/c/759ffc164d95a32c09528766d74d9b4fb054e8f4"
},
{
"url": "https://git.kernel.org/stable/c/99f280700b4cc02d5f141b8d15f8e9fad0418f65"
}
],
"title": "cifs: fix session state check in reconnect to avoid use-after-free issue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53794",
"datePublished": "2025-12-09T00:00:51.061Z",
"dateReserved": "2025-12-08T23:58:35.274Z",
"dateUpdated": "2026-01-05T10:32:55.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53832 (GCVE-0-2023-53832)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Title
md/raid10: fix null-ptr-deref in raid10_sync_request
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid10: fix null-ptr-deref in raid10_sync_request
init_resync() inits mempool and sets conf->have_replacemnt at the beginning
of sync, close_sync() frees the mempool when sync is completed.
After [1] recovery might be skipped and init_resync() is called but
close_sync() is not. null-ptr-deref occurs with r10bio->dev[i].repl_bio.
The following is one way to reproduce the issue.
1) create an array, wait for resync to complete, mddev->recovery_cp is set to MaxSector.
2) recovery is woken and it is skipped. conf->have_replacement is set to 0 in init_resync(). close_sync() not called.
3) some io errors and rdev A is set to WantReplacement.
4) a new device is added and set to A's replacement.
5) recovery is woken, A has replacement, but conf->have_replacemnt is 0. r10bio->dev[i].repl_bio will not be alloced and null-ptr-deref occurs.
Fix it by not calling init_resync() if recovery skipped.
[1] commit 7e83ccbecd60 ("md/raid10: Allow skipping recovery when clean arrays are assembled")
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7e83ccbecd608b971f340e951c9e84cd0343002f , < 38d33593260536840b49fd1dcac9aedfd14a9d42 (git) |
| Linux | Linux | Affected: 7e83ccbecd608b971f340e951c9e84cd0343002f , < 14964127be77884003976a392c9faa9ebaabbbe1 (git) |
| Linux | Linux | Affected: 7e83ccbecd608b971f340e951c9e84cd0343002f , < bdbf104b1c91fbf38f82c522ebf75429f094292a (git) |
| Linux | Linux | Affected: 7e83ccbecd608b971f340e951c9e84cd0343002f , < 68695084077e3de9d3e94e09238ace2b6f246446 (git) |
| Linux | Linux | Affected: 7e83ccbecd608b971f340e951c9e84cd0343002f , < b50fd1c3d9d0175aa29ff2706ef36cc178bc356a (git) |
| Linux | Linux | Affected: 7e83ccbecd608b971f340e951c9e84cd0343002f , < 99b503e4edc5938885d839cf0e7571963f75d800 (git) |
| Linux | Linux | Affected: 7e83ccbecd608b971f340e951c9e84cd0343002f , < 9e9efc77efd1956cc244af975240f2513d78a371 (git) |
| Linux | Linux | Affected: 7e83ccbecd608b971f340e951c9e84cd0343002f , < a405c6f0229526160aa3f177f65e20c86fce84c5 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "38d33593260536840b49fd1dcac9aedfd14a9d42",
"status": "affected",
"version": "7e83ccbecd608b971f340e951c9e84cd0343002f",
"versionType": "git"
},
{
"lessThan": "14964127be77884003976a392c9faa9ebaabbbe1",
"status": "affected",
"version": "7e83ccbecd608b971f340e951c9e84cd0343002f",
"versionType": "git"
},
{
"lessThan": "bdbf104b1c91fbf38f82c522ebf75429f094292a",
"status": "affected",
"version": "7e83ccbecd608b971f340e951c9e84cd0343002f",
"versionType": "git"
},
{
"lessThan": "68695084077e3de9d3e94e09238ace2b6f246446",
"status": "affected",
"version": "7e83ccbecd608b971f340e951c9e84cd0343002f",
"versionType": "git"
},
{
"lessThan": "b50fd1c3d9d0175aa29ff2706ef36cc178bc356a",
"status": "affected",
"version": "7e83ccbecd608b971f340e951c9e84cd0343002f",
"versionType": "git"
},
{
"lessThan": "99b503e4edc5938885d839cf0e7571963f75d800",
"status": "affected",
"version": "7e83ccbecd608b971f340e951c9e84cd0343002f",
"versionType": "git"
},
{
"lessThan": "9e9efc77efd1956cc244af975240f2513d78a371",
"status": "affected",
"version": "7e83ccbecd608b971f340e951c9e84cd0343002f",
"versionType": "git"
},
{
"lessThan": "a405c6f0229526160aa3f177f65e20c86fce84c5",
"status": "affected",
"version": "7e83ccbecd608b971f340e951c9e84cd0343002f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix null-ptr-deref in raid10_sync_request\n\ninit_resync() inits mempool and sets conf-\u003ehave_replacemnt at the beginning\nof sync, close_sync() frees the mempool when sync is completed.\n\nAfter [1] recovery might be skipped and init_resync() is called but\nclose_sync() is not. null-ptr-deref occurs with r10bio-\u003edev[i].repl_bio.\n\nThe following is one way to reproduce the issue.\n\n 1) create a array, wait for resync to complete, mddev-\u003erecovery_cp is set\n to MaxSector.\n 2) recovery is woken and it is skipped. conf-\u003ehave_replacement is set to\n 0 in init_resync(). close_sync() not called.\n 3) some io errors and rdev A is set to WantReplacement.\n 4) a new device is added and set to A\u0027s replacement.\n 5) recovery is woken, A have replacement, but conf-\u003ehave_replacemnt is\n 0. r10bio-\u003edev[i].repl_bio will not be alloced and null-ptr-deref\n occurs.\n\nFix it by not calling init_resync() if recovery skipped.\n\n[1] commit 7e83ccbecd60 (\"md/raid10: Allow skipping recovery when clean arrays are assembled\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:47.513Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/38d33593260536840b49fd1dcac9aedfd14a9d42"
},
{
"url": "https://git.kernel.org/stable/c/14964127be77884003976a392c9faa9ebaabbbe1"
},
{
"url": "https://git.kernel.org/stable/c/bdbf104b1c91fbf38f82c522ebf75429f094292a"
},
{
"url": "https://git.kernel.org/stable/c/68695084077e3de9d3e94e09238ace2b6f246446"
},
{
"url": "https://git.kernel.org/stable/c/b50fd1c3d9d0175aa29ff2706ef36cc178bc356a"
},
{
"url": "https://git.kernel.org/stable/c/99b503e4edc5938885d839cf0e7571963f75d800"
},
{
"url": "https://git.kernel.org/stable/c/9e9efc77efd1956cc244af975240f2513d78a371"
},
{
"url": "https://git.kernel.org/stable/c/a405c6f0229526160aa3f177f65e20c86fce84c5"
}
],
"title": "md/raid10: fix null-ptr-deref in raid10_sync_request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53832",
"datePublished": "2025-12-09T01:29:47.513Z",
"dateReserved": "2025-12-09T01:27:17.825Z",
"dateUpdated": "2025-12-09T01:29:47.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53841 (GCVE-0-2023-53841)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2026-01-05 10:33
Title
devlink: report devlink_port_type_warn source device
Summary
In the Linux kernel, the following vulnerability has been resolved:
devlink: report devlink_port_type_warn source device
devlink_port_type_warn is scheduled for port devlink and warns
when the port type is not set. But from this warning it is not easy
to find out which device (driver) has no devlink port set.
[ 3709.975552] Type was not set for devlink port.
[ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20
[ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm
[ 3709.994030] crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse
[ 3710.108431] CPU: 1 PID: 13092 Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1
[ 3710.108435] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022
[ 3710.108437] Workqueue: events devlink_port_type_warn
[ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20
[ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff <0f> 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87
[ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282
[ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027
[ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8
[ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18
[ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600
[ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905
[ 3710.108452] FS: 0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000
[ 3710.108453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0
[ 3710.108456] PKRU: 55555554
[ 3710.108457] Call Trace:
[ 3710.108458] <TASK>
[ 3710.108459] process_one_work+0x1e2/0x3b0
[ 3710.108466] ? rescuer_thread+0x390/0x390
[ 3710.108468] worker_thread+0x50/0x3a0
[ 3710.108471] ? rescuer_thread+0x390/0x390
[ 3710.108473] kthread+0xdd/0x100
[ 3710.108477] ? kthread_complete_and_exit+0x20/0x20
[ 3710.108479] ret_from_fork+0x1f/0x30
[ 3710.108485] </TASK>
[ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]---
After patch:
[ 402.473064] ice 0000:41:00.0: Type was not set for devlink port.
[ 402.473064] ice 0000:41:00.1: Type was not set for devlink port.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2 , < 970c7035f4b03c7be9f49c403ccf6fb0b70039a1 (git) |
| Linux | Linux | Affected: 136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2 , < 2864cc9a1fd13666ed7fd9064dc3f2c51a85de32 (git) |
| Linux | Linux | Affected: 136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2 , < 7552020e3aa8283b215ca6b3840e6f9281ee4664 (git) |
| Linux | Linux | Affected: 136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2 , < 408d40c729cbe3a918a381405df769491a472122 (git) |
| Linux | Linux | Affected: 136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2 , < 21b9e0efb38eac1fe7bed369e96980cad45aa9c7 (git) |
| Linux | Linux | Affected: 136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2 , < a52305a81d6bb74b90b400dfa56455d37872fe4b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/devlink/leftover.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "970c7035f4b03c7be9f49c403ccf6fb0b70039a1",
"status": "affected",
"version": "136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2",
"versionType": "git"
},
{
"lessThan": "2864cc9a1fd13666ed7fd9064dc3f2c51a85de32",
"status": "affected",
"version": "136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2",
"versionType": "git"
},
{
"lessThan": "7552020e3aa8283b215ca6b3840e6f9281ee4664",
"status": "affected",
"version": "136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2",
"versionType": "git"
},
{
"lessThan": "408d40c729cbe3a918a381405df769491a472122",
"status": "affected",
"version": "136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2",
"versionType": "git"
},
{
"lessThan": "21b9e0efb38eac1fe7bed369e96980cad45aa9c7",
"status": "affected",
"version": "136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2",
"versionType": "git"
},
{
"lessThan": "a52305a81d6bb74b90b400dfa56455d37872fe4b",
"status": "affected",
"version": "136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/devlink/leftover.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: report devlink_port_type_warn source device\n\ndevlink_port_type_warn is scheduled for port devlink and warning\nwhen the port type is not set. But from this warning it is not easy\nfound out which device (driver) has no devlink port set.\n\n[ 3709.975552] Type was not set for devlink port.\n[ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20\n[ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm\n[ 3709.994030] crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse\n[ 3710.108431] CPU: 1 PID: 13092 Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1\n[ 3710.108435] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022\n[ 3710.108437] Workqueue: events devlink_port_type_warn\n[ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20\n[ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff \u003c0f\u003e 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87\n[ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282\n[ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027\n[ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8\n[ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18\n[ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600\n[ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905\n[ 3710.108452] FS: 0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000\n[ 3710.108453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0\n[ 3710.108456] PKRU: 55555554\n[ 3710.108457] Call Trace:\n[ 3710.108458] \u003cTASK\u003e\n[ 3710.108459] process_one_work+0x1e2/0x3b0\n[ 3710.108466] ? rescuer_thread+0x390/0x390\n[ 3710.108468] worker_thread+0x50/0x3a0\n[ 3710.108471] ? rescuer_thread+0x390/0x390\n[ 3710.108473] kthread+0xdd/0x100\n[ 3710.108477] ? kthread_complete_and_exit+0x20/0x20\n[ 3710.108479] ret_from_fork+0x1f/0x30\n[ 3710.108485] \u003c/TASK\u003e\n[ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]---\n\nAfter patch:\n[ 402.473064] ice 0000:41:00.0: Type was not set for devlink port.\n[ 402.473064] ice 0000:41:00.1: Type was not set for devlink port."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:01.999Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/970c7035f4b03c7be9f49c403ccf6fb0b70039a1"
},
{
"url": "https://git.kernel.org/stable/c/2864cc9a1fd13666ed7fd9064dc3f2c51a85de32"
},
{
"url": "https://git.kernel.org/stable/c/7552020e3aa8283b215ca6b3840e6f9281ee4664"
},
{
"url": "https://git.kernel.org/stable/c/408d40c729cbe3a918a381405df769491a472122"
},
{
"url": "https://git.kernel.org/stable/c/21b9e0efb38eac1fe7bed369e96980cad45aa9c7"
},
{
"url": "https://git.kernel.org/stable/c/a52305a81d6bb74b90b400dfa56455d37872fe4b"
}
],
"title": "devlink: report devlink_port_type_warn source device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53841",
"datePublished": "2025-12-09T01:29:58.448Z",
"dateReserved": "2025-12-09T01:27:17.826Z",
"dateUpdated": "2026-01-05T10:33:01.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53804 (GCVE-0-2023-53804)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2026-01-05 10:32
Title
nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()
During unmount process of nilfs2, nothing holds nilfs_root structure after
nilfs2 detaches its writer in nilfs_detach_log_writer(). However, since
nilfs_evict_inode() uses nilfs_root for some cleanup operations, it may
cause use-after-free read if inodes are left in "garbage_list" and
released by nilfs_dispose_list() at the end of nilfs_detach_log_writer().
Fix this issue by modifying nilfs_evict_inode() to only clear inode
without additional metadata changes that use nilfs_root if the file system
is degraded to read-only or the writer is detached.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e912a5b66837ee89fb025e67b5efeaa11930c2ce , < f31e18131ee2ce80a4da5c808221d25b1ae9ad6d (git) |
| Linux | Linux | Affected: e912a5b66837ee89fb025e67b5efeaa11930c2ce , < 2a782ea8ebd712a458466e3103e2881b4f886cb5 (git) |
| Linux | Linux | Affected: e912a5b66837ee89fb025e67b5efeaa11930c2ce , < 116d53f09ff52e6f98e3fe1f85d8898d6ba26c68 (git) |
| Linux | Linux | Affected: e912a5b66837ee89fb025e67b5efeaa11930c2ce , < 6b4205ea97901f822004e6c8d59484ccfda03faa (git) |
| Linux | Linux | Affected: e912a5b66837ee89fb025e67b5efeaa11930c2ce , < b8427b8522d9ede53015ba45a9978ba68d1162f5 (git) |
| Linux | Linux | Affected: e912a5b66837ee89fb025e67b5efeaa11930c2ce , < acc2a40e428f12780004e1e9fce4722d88f909fd (git) |
| Linux | Linux | Affected: e912a5b66837ee89fb025e67b5efeaa11930c2ce , < fb8e8d58f116d069e5939e1f786ac84e7fa4533e (git) |
| Linux | Linux | Affected: e912a5b66837ee89fb025e67b5efeaa11930c2ce , < 9b5a04ac3ad9898c4745cba46ea26de74ba56a8e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f31e18131ee2ce80a4da5c808221d25b1ae9ad6d",
"status": "affected",
"version": "e912a5b66837ee89fb025e67b5efeaa11930c2ce",
"versionType": "git"
},
{
"lessThan": "2a782ea8ebd712a458466e3103e2881b4f886cb5",
"status": "affected",
"version": "e912a5b66837ee89fb025e67b5efeaa11930c2ce",
"versionType": "git"
},
{
"lessThan": "116d53f09ff52e6f98e3fe1f85d8898d6ba26c68",
"status": "affected",
"version": "e912a5b66837ee89fb025e67b5efeaa11930c2ce",
"versionType": "git"
},
{
"lessThan": "6b4205ea97901f822004e6c8d59484ccfda03faa",
"status": "affected",
"version": "e912a5b66837ee89fb025e67b5efeaa11930c2ce",
"versionType": "git"
},
{
"lessThan": "b8427b8522d9ede53015ba45a9978ba68d1162f5",
"status": "affected",
"version": "e912a5b66837ee89fb025e67b5efeaa11930c2ce",
"versionType": "git"
},
{
"lessThan": "acc2a40e428f12780004e1e9fce4722d88f909fd",
"status": "affected",
"version": "e912a5b66837ee89fb025e67b5efeaa11930c2ce",
"versionType": "git"
},
{
"lessThan": "fb8e8d58f116d069e5939e1f786ac84e7fa4533e",
"status": "affected",
"version": "e912a5b66837ee89fb025e67b5efeaa11930c2ce",
"versionType": "git"
},
{
"lessThan": "9b5a04ac3ad9898c4745cba46ea26de74ba56a8e",
"status": "affected",
"version": "e912a5b66837ee89fb025e67b5efeaa11930c2ce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()\n\nDuring unmount process of nilfs2, nothing holds nilfs_root structure after\nnilfs2 detaches its writer in nilfs_detach_log_writer(). However, since\nnilfs_evict_inode() uses nilfs_root for some cleanup operations, it may\ncause use-after-free read if inodes are left in \"garbage_list\" and\nreleased by nilfs_dispose_list() at the end of nilfs_detach_log_writer().\n\nFix this issue by modifying nilfs_evict_inode() to only clear inode\nwithout additional metadata changes that use nilfs_root if the file system\nis degraded to read-only or the writer is detached."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:57.431Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f31e18131ee2ce80a4da5c808221d25b1ae9ad6d"
},
{
"url": "https://git.kernel.org/stable/c/2a782ea8ebd712a458466e3103e2881b4f886cb5"
},
{
"url": "https://git.kernel.org/stable/c/116d53f09ff52e6f98e3fe1f85d8898d6ba26c68"
},
{
"url": "https://git.kernel.org/stable/c/6b4205ea97901f822004e6c8d59484ccfda03faa"
},
{
"url": "https://git.kernel.org/stable/c/b8427b8522d9ede53015ba45a9978ba68d1162f5"
},
{
"url": "https://git.kernel.org/stable/c/acc2a40e428f12780004e1e9fce4722d88f909fd"
},
{
"url": "https://git.kernel.org/stable/c/fb8e8d58f116d069e5939e1f786ac84e7fa4533e"
},
{
"url": "https://git.kernel.org/stable/c/9b5a04ac3ad9898c4745cba46ea26de74ba56a8e"
}
],
"title": "nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53804",
"datePublished": "2025-12-09T00:01:01.787Z",
"dateReserved": "2025-12-08T23:58:35.276Z",
"dateUpdated": "2026-01-05T10:32:57.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53855 (GCVE-0-2023-53855)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove
When the tagging protocol in current use is "ocelot-8021q" and we unbind
the driver, we see this splat:
$ echo '0000:00:00.2' > /sys/bus/pci/drivers/fsl_enetc/unbind
mscc_felix 0000:00:00.5 swp0: left promiscuous mode
sja1105 spi2.0: Link is Down
DSA: tree 1 torn down
mscc_felix 0000:00:00.5 swp2: left promiscuous mode
sja1105 spi2.2: Link is Down
DSA: tree 3 torn down
fsl_enetc 0000:00:00.2 eno2: left promiscuous mode
mscc_felix 0000:00:00.5: Link is Down
------------[ cut here ]------------
RTNL: assertion failed at net/dsa/tag_8021q.c (409)
WARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0
Modules linked in:
CPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771
pc : dsa_tag_8021q_unregister+0x12c/0x1a0
lr : dsa_tag_8021q_unregister+0x12c/0x1a0
Call trace:
dsa_tag_8021q_unregister+0x12c/0x1a0
felix_tag_8021q_teardown+0x130/0x150
felix_teardown+0x3c/0xd8
dsa_tree_teardown_switches+0xbc/0xe0
dsa_unregister_switch+0x168/0x260
felix_pci_remove+0x30/0x60
pci_device_remove+0x4c/0x100
device_release_driver_internal+0x188/0x288
device_links_unbind_consumers+0xfc/0x138
device_release_driver_internal+0xe0/0x288
device_driver_detach+0x24/0x38
unbind_store+0xd8/0x108
drv_attr_store+0x30/0x50
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
RTNL: assertion failed at net/8021q/vlan_core.c (376)
WARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0
CPU: 1 PID: 329 Comm: bash Tainted: G W 6.5.0-rc3+ #771
pc : vlan_vid_del+0x1b8/0x1f0
lr : vlan_vid_del+0x1b8/0x1f0
dsa_tag_8021q_unregister+0x8c/0x1a0
felix_tag_8021q_teardown+0x130/0x150
felix_teardown+0x3c/0xd8
dsa_tree_teardown_switches+0xbc/0xe0
dsa_unregister_switch+0x168/0x260
felix_pci_remove+0x30/0x60
pci_device_remove+0x4c/0x100
device_release_driver_internal+0x188/0x288
device_links_unbind_consumers+0xfc/0x138
device_release_driver_internal+0xe0/0x288
device_driver_detach+0x24/0x38
unbind_store+0xd8/0x108
drv_attr_store+0x30/0x50
DSA: tree 0 torn down
This was somewhat not so easy to spot, because "ocelot-8021q" is not the
default tagging protocol, and thus, not everyone who tests the unbinding
path may have switched to it beforehand. The default
felix_tag_npi_teardown() does not require rtnl_lock() to be held.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7c83a7c539abe9f980996063ac20532a7a7f6eb1 , < 758dbcfb257e1aee0a310bae789c2af6ffe35d0f (git)<br>Affected: 7c83a7c539abe9f980996063ac20532a7a7f6eb1 , < 7ae8fa6b70975b6efbbef7912d09bff5a0bff491 (git)<br>Affected: 7c83a7c539abe9f980996063ac20532a7a7f6eb1 , < a94c16a2fda010866b8858a386a8bfbeba4f72c5 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/ocelot/felix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "758dbcfb257e1aee0a310bae789c2af6ffe35d0f",
"status": "affected",
"version": "7c83a7c539abe9f980996063ac20532a7a7f6eb1",
"versionType": "git"
},
{
"lessThan": "7ae8fa6b70975b6efbbef7912d09bff5a0bff491",
"status": "affected",
"version": "7c83a7c539abe9f980996063ac20532a7a7f6eb1",
"versionType": "git"
},
{
"lessThan": "a94c16a2fda010866b8858a386a8bfbeba4f72c5",
"status": "affected",
"version": "7c83a7c539abe9f980996063ac20532a7a7f6eb1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/ocelot/felix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove\n\nWhen the tagging protocol in current use is \"ocelot-8021q\" and we unbind\nthe driver, we see this splat:\n\n$ echo \u00270000:00:00.2\u0027 \u003e /sys/bus/pci/drivers/fsl_enetc/unbind\nmscc_felix 0000:00:00.5 swp0: left promiscuous mode\nsja1105 spi2.0: Link is Down\nDSA: tree 1 torn down\nmscc_felix 0000:00:00.5 swp2: left promiscuous mode\nsja1105 spi2.2: Link is Down\nDSA: tree 3 torn down\nfsl_enetc 0000:00:00.2 eno2: left promiscuous mode\nmscc_felix 0000:00:00.5: Link is Down\n------------[ cut here ]------------\nRTNL: assertion failed at net/dsa/tag_8021q.c (409)\nWARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0\nModules linked in:\nCPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771\npc : dsa_tag_8021q_unregister+0x12c/0x1a0\nlr : dsa_tag_8021q_unregister+0x12c/0x1a0\nCall trace:\n dsa_tag_8021q_unregister+0x12c/0x1a0\n felix_tag_8021q_teardown+0x130/0x150\n felix_teardown+0x3c/0xd8\n dsa_tree_teardown_switches+0xbc/0xe0\n dsa_unregister_switch+0x168/0x260\n felix_pci_remove+0x30/0x60\n pci_device_remove+0x4c/0x100\n device_release_driver_internal+0x188/0x288\n device_links_unbind_consumers+0xfc/0x138\n device_release_driver_internal+0xe0/0x288\n device_driver_detach+0x24/0x38\n unbind_store+0xd8/0x108\n drv_attr_store+0x30/0x50\n---[ end trace 0000000000000000 ]---\n------------[ cut here ]------------\nRTNL: assertion failed at net/8021q/vlan_core.c (376)\nWARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0\nCPU: 1 PID: 329 Comm: bash Tainted: G W 6.5.0-rc3+ #771\npc : vlan_vid_del+0x1b8/0x1f0\nlr : vlan_vid_del+0x1b8/0x1f0\n dsa_tag_8021q_unregister+0x8c/0x1a0\n felix_tag_8021q_teardown+0x130/0x150\n felix_teardown+0x3c/0xd8\n dsa_tree_teardown_switches+0xbc/0xe0\n dsa_unregister_switch+0x168/0x260\n 
felix_pci_remove+0x30/0x60\n pci_device_remove+0x4c/0x100\n device_release_driver_internal+0x188/0x288\n device_links_unbind_consumers+0xfc/0x138\n device_release_driver_internal+0xe0/0x288\n device_driver_detach+0x24/0x38\n unbind_store+0xd8/0x108\n drv_attr_store+0x30/0x50\nDSA: tree 0 torn down\n\nThis was somewhat not so easy to spot, because \"ocelot-8021q\" is not the\ndefault tagging protocol, and thus, not everyone who tests the unbinding\npath may have switched to it beforehand. The default\nfelix_tag_npi_teardown() does not require rtnl_lock() to be held."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:20.864Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/758dbcfb257e1aee0a310bae789c2af6ffe35d0f"
},
{
"url": "https://git.kernel.org/stable/c/7ae8fa6b70975b6efbbef7912d09bff5a0bff491"
},
{
"url": "https://git.kernel.org/stable/c/a94c16a2fda010866b8858a386a8bfbeba4f72c5"
}
],
"title": "net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53855",
"datePublished": "2025-12-09T01:30:20.864Z",
"dateReserved": "2025-12-09T01:27:17.828Z",
"dateUpdated": "2025-12-09T01:30:20.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50664 (GCVE-0-2022-50664)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-23 13:30
Title
media: dvb-frontends: fix leak of memory fw
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-frontends: fix leak of memory fw
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < afccb6ac63fc4328bc61ba086a3cad30054d87c1 (git)<br>Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < a44828482bd5b11d728d7dac09b0d723aab9ff7b (git)<br>Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < b4d8fd008de1774d99a5b50acc03d92a1919c3a7 (git)<br>Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < 438a4a8dece2abac099777a00db91784c0996cdc (git)<br>Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < b42580c8d8aac11a66046897979cc13cfd04c541 (git)<br>Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < 438cd29fec3ea09769639f6032687e0c1434dbe0 (git)<br>Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < 25cab05aa2df904ee1fea37d8dfa0d92c951bb4e (git)<br>Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < 669fb90507dbaf419aa3871bf73160e93d50487f (git)<br>Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < a15fe8d9f1bf460a804bcf18a890bfd2cf0d5caa (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-frontends/bcm3510.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "afccb6ac63fc4328bc61ba086a3cad30054d87c1",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
},
{
"lessThan": "a44828482bd5b11d728d7dac09b0d723aab9ff7b",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
},
{
"lessThan": "b4d8fd008de1774d99a5b50acc03d92a1919c3a7",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
},
{
"lessThan": "438a4a8dece2abac099777a00db91784c0996cdc",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
},
{
"lessThan": "b42580c8d8aac11a66046897979cc13cfd04c541",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
},
{
"lessThan": "438cd29fec3ea09769639f6032687e0c1434dbe0",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
},
{
"lessThan": "25cab05aa2df904ee1fea37d8dfa0d92c951bb4e",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
},
{
"lessThan": "669fb90507dbaf419aa3871bf73160e93d50487f",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
},
{
"lessThan": "a15fe8d9f1bf460a804bcf18a890bfd2cf0d5caa",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-frontends/bcm3510.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.13"
},
{
"lessThan": "2.6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: fix leak of memory fw"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:30:28.896Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/afccb6ac63fc4328bc61ba086a3cad30054d87c1"
},
{
"url": "https://git.kernel.org/stable/c/a44828482bd5b11d728d7dac09b0d723aab9ff7b"
},
{
"url": "https://git.kernel.org/stable/c/b4d8fd008de1774d99a5b50acc03d92a1919c3a7"
},
{
"url": "https://git.kernel.org/stable/c/438a4a8dece2abac099777a00db91784c0996cdc"
},
{
"url": "https://git.kernel.org/stable/c/b42580c8d8aac11a66046897979cc13cfd04c541"
},
{
"url": "https://git.kernel.org/stable/c/438cd29fec3ea09769639f6032687e0c1434dbe0"
},
{
"url": "https://git.kernel.org/stable/c/25cab05aa2df904ee1fea37d8dfa0d92c951bb4e"
},
{
"url": "https://git.kernel.org/stable/c/669fb90507dbaf419aa3871bf73160e93d50487f"
},
{
"url": "https://git.kernel.org/stable/c/a15fe8d9f1bf460a804bcf18a890bfd2cf0d5caa"
}
],
"title": "media: dvb-frontends: fix leak of memory fw",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50664",
"datePublished": "2025-12-09T01:29:13.652Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-23T13:30:28.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53865 (GCVE-0-2023-53865)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
btrfs: fix warning when putting transaction with qgroups enabled after abort
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix warning when putting transaction with qgroups enabled after abort
If we have a transaction abort with qgroups enabled we get a warning
triggered when doing the final put on the transaction, like this:
[552.6789] ------------[ cut here ]------------
[552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs]
[552.6817] Modules linked in: btrfs blake2b_generic xor (...)
[552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1
[552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs]
[552.6821] Code: bd a0 01 00 (...)
[552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286
[552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000
[552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010
[552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20
[552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70
[552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028
[552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000
[552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0
[552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[552.6822] Call Trace:
[552.6822] <TASK>
[552.6822] ? __warn+0x80/0x130
[552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs]
[552.6824] ? report_bug+0x1f4/0x200
[552.6824] ? handle_bug+0x42/0x70
[552.6824] ? exc_invalid_op+0x14/0x70
[552.6824] ? asm_exc_invalid_op+0x16/0x20
[552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs]
[552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs]
[552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40
[552.6828] ? try_to_wake_up+0x94/0x5e0
[552.6828] ? __pfx_process_timeout+0x10/0x10
[552.6828] transaction_kthread+0x103/0x1d0 [btrfs]
[552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs]
[552.6832] kthread+0xee/0x120
[552.6832] ? __pfx_kthread+0x10/0x10
[552.6832] ret_from_fork+0x29/0x50
[552.6832] </TASK>
[552.6832] ---[ end trace 0000000000000000 ]---
This corresponds to this line of code:
void btrfs_put_transaction(struct btrfs_transaction *transaction)
{
        (...)
        WARN_ON(!RB_EMPTY_ROOT(
                        &transaction->delayed_refs.dirty_extent_root));
        (...)
}
The warning happens because in btrfs_qgroup_destroy_extent_records(), called
in the transaction abort path, we free all entries from the rbtree
"dirty_extent_root" with rbtree_postorder_for_each_entry_safe(), but we
don't actually empty the rbtree - it's still pointing to nodes that were
freed.
So set the rbtree's root node to NULL to avoid this warning (assign
RB_ROOT).
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 40ea30638d20c92b44107247415842b72c460459 , < ae91ab710d8e309f6c9eba07ce0d9d0b5d9040f0 (git)<br>Affected: 81f7eb00ff5bb8326e82503a32809421d14abb8a , < d2c667cc18314c9bad3ec86ae071c0342132aa09 (git)<br>Affected: 81f7eb00ff5bb8326e82503a32809421d14abb8a , < c9060caab4135dd660c4676d1ea33a6e0d3fc09d (git)<br>Affected: 81f7eb00ff5bb8326e82503a32809421d14abb8a , < 89e994688e965813ec0a09fb30b87fb8cee06474 (git)<br>Affected: 81f7eb00ff5bb8326e82503a32809421d14abb8a , < 62dd82bc7a90b5052c062a0ad5be6d8a479a3cfb (git)<br>Affected: 81f7eb00ff5bb8326e82503a32809421d14abb8a , < aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 (git)<br>Affected: 4e2e49d4211db43e0ec932579dab6a969e7e8df1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/qgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae91ab710d8e309f6c9eba07ce0d9d0b5d9040f0",
"status": "affected",
"version": "40ea30638d20c92b44107247415842b72c460459",
"versionType": "git"
},
{
"lessThan": "d2c667cc18314c9bad3ec86ae071c0342132aa09",
"status": "affected",
"version": "81f7eb00ff5bb8326e82503a32809421d14abb8a",
"versionType": "git"
},
{
"lessThan": "c9060caab4135dd660c4676d1ea33a6e0d3fc09d",
"status": "affected",
"version": "81f7eb00ff5bb8326e82503a32809421d14abb8a",
"versionType": "git"
},
{
"lessThan": "89e994688e965813ec0a09fb30b87fb8cee06474",
"status": "affected",
"version": "81f7eb00ff5bb8326e82503a32809421d14abb8a",
"versionType": "git"
},
{
"lessThan": "62dd82bc7a90b5052c062a0ad5be6d8a479a3cfb",
"status": "affected",
"version": "81f7eb00ff5bb8326e82503a32809421d14abb8a",
"versionType": "git"
},
{
"lessThan": "aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6",
"status": "affected",
"version": "81f7eb00ff5bb8326e82503a32809421d14abb8a",
"versionType": "git"
},
{
"status": "affected",
"version": "4e2e49d4211db43e0ec932579dab6a969e7e8df1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/qgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.4.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix warning when putting transaction with qgroups enabled after abort\n\nIf we have a transaction abort with qgroups enabled we get a warning\ntriggered when doing the final put on the transaction, like this:\n\n [552.6789] ------------[ cut here ]------------\n [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs]\n [552.6817] Modules linked in: btrfs blake2b_generic xor (...)\n [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1\n [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs]\n [552.6821] Code: bd a0 01 00 (...)\n [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286\n [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000\n [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010\n [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20\n [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70\n [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028\n [552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000\n [552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0\n [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [552.6822] Call Trace:\n [552.6822] \u003cTASK\u003e\n [552.6822] ? __warn+0x80/0x130\n [552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs]\n [552.6824] ? report_bug+0x1f4/0x200\n [552.6824] ? handle_bug+0x42/0x70\n [552.6824] ? exc_invalid_op+0x14/0x70\n [552.6824] ? 
asm_exc_invalid_op+0x16/0x20\n [552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs]\n [552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs]\n [552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40\n [552.6828] ? try_to_wake_up+0x94/0x5e0\n [552.6828] ? __pfx_process_timeout+0x10/0x10\n [552.6828] transaction_kthread+0x103/0x1d0 [btrfs]\n [552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs]\n [552.6832] kthread+0xee/0x120\n [552.6832] ? __pfx_kthread+0x10/0x10\n [552.6832] ret_from_fork+0x29/0x50\n [552.6832] \u003c/TASK\u003e\n [552.6832] ---[ end trace 0000000000000000 ]---\n\nThis corresponds to this line of code:\n\n void btrfs_put_transaction(struct btrfs_transaction *transaction)\n {\n (...)\n WARN_ON(!RB_EMPTY_ROOT(\n \u0026transaction-\u003edelayed_refs.dirty_extent_root));\n (...)\n }\n\nThe warning happens because btrfs_qgroup_destroy_extent_records(), called\nin the transaction abort path, we free all entries from the rbtree\n\"dirty_extent_root\" with rbtree_postorder_for_each_entry_safe(), but we\ndon\u0027t actually empty the rbtree - it\u0027s still pointing to nodes that were\nfreed.\n\nSo set the rbtree\u0027s root node to NULL to avoid this warning (assign\nRB_ROOT)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:34.588Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae91ab710d8e309f6c9eba07ce0d9d0b5d9040f0"
},
{
"url": "https://git.kernel.org/stable/c/d2c667cc18314c9bad3ec86ae071c0342132aa09"
},
{
"url": "https://git.kernel.org/stable/c/c9060caab4135dd660c4676d1ea33a6e0d3fc09d"
},
{
"url": "https://git.kernel.org/stable/c/89e994688e965813ec0a09fb30b87fb8cee06474"
},
{
"url": "https://git.kernel.org/stable/c/62dd82bc7a90b5052c062a0ad5be6d8a479a3cfb"
},
{
"url": "https://git.kernel.org/stable/c/aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6"
}
],
"title": "btrfs: fix warning when putting transaction with qgroups enabled after abort",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53865",
"datePublished": "2025-12-09T01:30:34.588Z",
"dateReserved": "2025-12-09T01:27:17.829Z",
"dateUpdated": "2025-12-09T01:30:34.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53858 (GCVE-0-2023-53858)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Title
tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error
If clk_get_rate() fails, the clk that has just been allocated needs to be freed.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < 755289d67eb9a74ae71bb624902e979c66859444 (git) |
| Linux | Linux | Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < f47e6631a8fcc6fe05b8644aa4222a60f3b0a927 (git) |
| Linux | Linux | Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < 30962268fa1a7466413b3d83037688129021d470 (git) |
| Linux | Linux | Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < a49e5a05121c8bc471a57b4916c5393749c24de5 (git) |
| Linux | Linux | Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < 073dbbe5743779faf24f233cc95459b47c7198dd (git) |
| Linux | Linux | Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < 34f5b826dd509b76644f83094b4af7e7668a6a38 (git) |
| Linux | Linux | Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < 1694fc8ad734e2909a9e40d2be03cc4423e0bee6 (git) |
| Linux | Linux | Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < a9c09546e903f1068acfa38e1ee18bded7114b37 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/samsung_tty.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "755289d67eb9a74ae71bb624902e979c66859444",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "f47e6631a8fcc6fe05b8644aa4222a60f3b0a927",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "30962268fa1a7466413b3d83037688129021d470",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "a49e5a05121c8bc471a57b4916c5393749c24de5",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "073dbbe5743779faf24f233cc95459b47c7198dd",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "34f5b826dd509b76644f83094b4af7e7668a6a38",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "1694fc8ad734e2909a9e40d2be03cc4423e0bee6",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "a9c09546e903f1068acfa38e1ee18bded7114b37",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/samsung_tty.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error\n\nIf clk_get_rate() fails, the clk that has just been allocated needs to be\nfreed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:24.886Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/755289d67eb9a74ae71bb624902e979c66859444"
},
{
"url": "https://git.kernel.org/stable/c/f47e6631a8fcc6fe05b8644aa4222a60f3b0a927"
},
{
"url": "https://git.kernel.org/stable/c/30962268fa1a7466413b3d83037688129021d470"
},
{
"url": "https://git.kernel.org/stable/c/a49e5a05121c8bc471a57b4916c5393749c24de5"
},
{
"url": "https://git.kernel.org/stable/c/073dbbe5743779faf24f233cc95459b47c7198dd"
},
{
"url": "https://git.kernel.org/stable/c/34f5b826dd509b76644f83094b4af7e7668a6a38"
},
{
"url": "https://git.kernel.org/stable/c/1694fc8ad734e2909a9e40d2be03cc4423e0bee6"
},
{
"url": "https://git.kernel.org/stable/c/a9c09546e903f1068acfa38e1ee18bded7114b37"
}
],
"title": "tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53858",
"datePublished": "2025-12-09T01:30:24.886Z",
"dateReserved": "2025-12-09T01:27:17.828Z",
"dateUpdated": "2025-12-09T01:30:24.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}