Action not permitted
Modal body text goes here.
Modal Title
Modal Body
WID-SEC-W-2025-2920
Vulnerability from csaf_certbund - Published: 2025-12-23 23:00 - Updated: 2025-12-28 23:00Summary
Linux Kernel: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um nicht näher spezifizierte Angriffe durchzuführen, die möglicherweise zu einer Denial-of-Service- Bedingung führen oder eine Speicherbeschädigung verursachen können.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren, die m\u00f6glicherweise zu einer Denial-of-Service- Bedingung f\u00fchren oder eine Speicherbesch\u00e4digung verursachen k\u00f6nnen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2920 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2920.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2920 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2920"
},
{
"category": "external",
"summary": "Kernel CVE Announce Mailingliste",
"url": "https://lore.kernel.org/linux-cve-announce/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50697",
"url": "https://lore.kernel.org/linux-cve-announce/2025122415-CVE-2022-50697-6281@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50698",
"url": "https://lore.kernel.org/linux-cve-announce/2025122417-CVE-2022-50698-0d67@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50699",
"url": "https://lore.kernel.org/linux-cve-announce/2025122417-CVE-2022-50699-ddde@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50700",
"url": "https://lore.kernel.org/linux-cve-announce/2025122418-CVE-2022-50700-9cf6@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50701",
"url": "https://lore.kernel.org/linux-cve-announce/2025122418-CVE-2022-50701-32f6@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50702",
"url": "https://lore.kernel.org/linux-cve-announce/2025122418-CVE-2022-50702-c339@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50703",
"url": "https://lore.kernel.org/linux-cve-announce/2025122419-CVE-2022-50703-1c22@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50704",
"url": "https://lore.kernel.org/linux-cve-announce/2025122419-CVE-2022-50704-ca2b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50705",
"url": "https://lore.kernel.org/linux-cve-announce/2025122419-CVE-2022-50705-8196@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50706",
"url": "https://lore.kernel.org/linux-cve-announce/2025122420-CVE-2022-50706-930a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50707",
"url": "https://lore.kernel.org/linux-cve-announce/2025122420-CVE-2022-50707-8f32@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50708",
"url": "https://lore.kernel.org/linux-cve-announce/2025122420-CVE-2022-50708-dfe3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50709",
"url": "https://lore.kernel.org/linux-cve-announce/2025122421-CVE-2022-50709-54af@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50710",
"url": "https://lore.kernel.org/linux-cve-announce/2025122421-CVE-2022-50710-3f0d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50711",
"url": "https://lore.kernel.org/linux-cve-announce/2025122421-CVE-2022-50711-30c0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53867",
"url": "https://lore.kernel.org/linux-cve-announce/2025122422-CVE-2023-53867-cb3e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53986",
"url": "https://lore.kernel.org/linux-cve-announce/2025122422-CVE-2023-53986-14c4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53987",
"url": "https://lore.kernel.org/linux-cve-announce/2025122422-CVE-2023-53987-9f08@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53988",
"url": "https://lore.kernel.org/linux-cve-announce/2025122423-CVE-2023-53988-7ea3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53989",
"url": "https://lore.kernel.org/linux-cve-announce/2025122423-CVE-2023-53989-1b3b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53990",
"url": "https://lore.kernel.org/linux-cve-announce/2025122423-CVE-2023-53990-b239@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53991",
"url": "https://lore.kernel.org/linux-cve-announce/2025122424-CVE-2023-53991-037d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53992",
"url": "https://lore.kernel.org/linux-cve-announce/2025122424-CVE-2023-53992-d45e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53993",
"url": "https://lore.kernel.org/linux-cve-announce/2025122424-CVE-2023-53993-7ec2@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53994",
"url": "https://lore.kernel.org/linux-cve-announce/2025122425-CVE-2023-53994-2d1b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53995",
"url": "https://lore.kernel.org/linux-cve-announce/2025122425-CVE-2023-53995-1860@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53996",
"url": "https://lore.kernel.org/linux-cve-announce/2025122425-CVE-2023-53996-2c23@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53997",
"url": "https://lore.kernel.org/linux-cve-announce/2025122426-CVE-2023-53997-8776@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53998",
"url": "https://lore.kernel.org/linux-cve-announce/2025122426-CVE-2023-53998-2282@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53999",
"url": "https://lore.kernel.org/linux-cve-announce/2025122426-CVE-2023-53999-57a4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54000",
"url": "https://lore.kernel.org/linux-cve-announce/2025122426-CVE-2023-54000-b0c0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54001",
"url": "https://lore.kernel.org/linux-cve-announce/2025122427-CVE-2023-54001-7e74@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54002",
"url": "https://lore.kernel.org/linux-cve-announce/2025122427-CVE-2023-54002-10d8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54003",
"url": "https://lore.kernel.org/linux-cve-announce/2025122427-CVE-2023-54003-01b7@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54004",
"url": "https://lore.kernel.org/linux-cve-announce/2025122428-CVE-2023-54004-34a0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54005",
"url": "https://lore.kernel.org/linux-cve-announce/2025122428-CVE-2023-54005-d9ae@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54006",
"url": "https://lore.kernel.org/linux-cve-announce/2025122428-CVE-2023-54006-d646@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54007",
"url": "https://lore.kernel.org/linux-cve-announce/2025122429-CVE-2023-54007-89b1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54008",
"url": "https://lore.kernel.org/linux-cve-announce/2025122429-CVE-2023-54008-cfde@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54009",
"url": "https://lore.kernel.org/linux-cve-announce/2025122429-CVE-2023-54009-38dc@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54010",
"url": "https://lore.kernel.org/linux-cve-announce/2025122430-CVE-2023-54010-9ff1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54011",
"url": "https://lore.kernel.org/linux-cve-announce/2025122430-CVE-2023-54011-258c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54012",
"url": "https://lore.kernel.org/linux-cve-announce/2025122430-CVE-2023-54012-a617@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54013",
"url": "https://lore.kernel.org/linux-cve-announce/2025122431-CVE-2023-54013-c6e4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54014",
"url": "https://lore.kernel.org/linux-cve-announce/2025122431-CVE-2023-54014-9b8c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54015",
"url": "https://lore.kernel.org/linux-cve-announce/2025122431-CVE-2023-54015-13a3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54016",
"url": "https://lore.kernel.org/linux-cve-announce/2025122432-CVE-2023-54016-522e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54017",
"url": "https://lore.kernel.org/linux-cve-announce/2025122432-CVE-2023-54017-f83d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54018",
"url": "https://lore.kernel.org/linux-cve-announce/2025122432-CVE-2023-54018-0a10@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54019",
"url": "https://lore.kernel.org/linux-cve-announce/2025122433-CVE-2023-54019-95e0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54020",
"url": "https://lore.kernel.org/linux-cve-announce/2025122433-CVE-2023-54020-3f2f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54021",
"url": "https://lore.kernel.org/linux-cve-announce/2025122433-CVE-2023-54021-15bf@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54022",
"url": "https://lore.kernel.org/linux-cve-announce/2025122434-CVE-2023-54022-ae26@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54023",
"url": "https://lore.kernel.org/linux-cve-announce/2025122434-CVE-2023-54023-1300@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54024",
"url": "https://lore.kernel.org/linux-cve-announce/2025122434-CVE-2023-54024-30aa@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54025",
"url": "https://lore.kernel.org/linux-cve-announce/2025122435-CVE-2023-54025-68db@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54026",
"url": "https://lore.kernel.org/linux-cve-announce/2025122435-CVE-2023-54026-123c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54027",
"url": "https://lore.kernel.org/linux-cve-announce/2025122435-CVE-2023-54027-c1a0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54028",
"url": "https://lore.kernel.org/linux-cve-announce/2025122436-CVE-2023-54028-2399@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54029",
"url": "https://lore.kernel.org/linux-cve-announce/2025122436-CVE-2023-54029-0d67@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54030",
"url": "https://lore.kernel.org/linux-cve-announce/2025122436-CVE-2023-54030-e7f3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54031",
"url": "https://lore.kernel.org/linux-cve-announce/2025122437-CVE-2023-54031-90af@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54032",
"url": "https://lore.kernel.org/linux-cve-announce/2025122437-CVE-2023-54032-cb33@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54033",
"url": "https://lore.kernel.org/linux-cve-announce/2025122437-CVE-2023-54033-ad11@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54034",
"url": "https://lore.kernel.org/linux-cve-announce/2025122438-CVE-2023-54034-3089@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54035",
"url": "https://lore.kernel.org/linux-cve-announce/2025122438-CVE-2023-54035-76a5@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54036",
"url": "https://lore.kernel.org/linux-cve-announce/2025122438-CVE-2023-54036-ae42@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54037",
"url": "https://lore.kernel.org/linux-cve-announce/2025122439-CVE-2023-54037-0d5e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54038",
"url": "https://lore.kernel.org/linux-cve-announce/2025122439-CVE-2023-54038-41bb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54039",
"url": "https://lore.kernel.org/linux-cve-announce/2025122439-CVE-2023-54039-82a4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54040",
"url": "https://lore.kernel.org/linux-cve-announce/2025122440-CVE-2023-54040-83dd@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54041",
"url": "https://lore.kernel.org/linux-cve-announce/2025122440-CVE-2023-54041-57f4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-54042",
"url": "https://lore.kernel.org/linux-cve-announce/2025122440-CVE-2023-54042-2617@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68344",
"url": "https://lore.kernel.org/linux-cve-announce/2025122449-CVE-2025-68344-3af5@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68345",
"url": "https://lore.kernel.org/linux-cve-announce/2025122452-CVE-2025-68345-eea0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68346",
"url": "https://lore.kernel.org/linux-cve-announce/2025122453-CVE-2025-68346-10ef@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68347",
"url": "https://lore.kernel.org/linux-cve-announce/2025122453-CVE-2025-68347-74dd@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68348",
"url": "https://lore.kernel.org/linux-cve-announce/2025122453-CVE-2025-68348-2088@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68349",
"url": "https://lore.kernel.org/linux-cve-announce/2025122453-CVE-2025-68349-12d5@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68350",
"url": "https://lore.kernel.org/linux-cve-announce/2025122454-CVE-2025-68350-c55b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68351",
"url": "https://lore.kernel.org/linux-cve-announce/2025122454-CVE-2025-68351-bafe@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68352",
"url": "https://lore.kernel.org/linux-cve-announce/2025122454-CVE-2025-68352-a3fe@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68353",
"url": "https://lore.kernel.org/linux-cve-announce/2025122455-CVE-2025-68353-8704@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68354",
"url": "https://lore.kernel.org/linux-cve-announce/2025122455-CVE-2025-68354-d175@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68355",
"url": "https://lore.kernel.org/linux-cve-announce/2025122455-CVE-2025-68355-adf4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68356",
"url": "https://lore.kernel.org/linux-cve-announce/2025122456-CVE-2025-68356-1574@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68357",
"url": "https://lore.kernel.org/linux-cve-announce/2025122456-CVE-2025-68357-2d18@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68358",
"url": "https://lore.kernel.org/linux-cve-announce/2025122456-CVE-2025-68358-4efc@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68359",
"url": "https://lore.kernel.org/linux-cve-announce/2025122457-CVE-2025-68359-c931@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68360",
"url": "https://lore.kernel.org/linux-cve-announce/2025122457-CVE-2025-68360-63e6@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68361",
"url": "https://lore.kernel.org/linux-cve-announce/2025122457-CVE-2025-68361-83eb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68363",
"url": "https://lore.kernel.org/linux-cve-announce/2025122458-CVE-2025-68363-3863@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68364",
"url": "https://lore.kernel.org/linux-cve-announce/2025122458-CVE-2025-68364-ee48@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68365",
"url": "https://lore.kernel.org/linux-cve-announce/2025122459-CVE-2025-68365-4ad3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68366",
"url": "https://lore.kernel.org/linux-cve-announce/2025122459-CVE-2025-68366-b367@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68367",
"url": "https://lore.kernel.org/linux-cve-announce/2025122459-CVE-2025-68367-847e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68368",
"url": "https://lore.kernel.org/linux-cve-announce/2025122400-CVE-2025-68368-4e1b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68369",
"url": "https://lore.kernel.org/linux-cve-announce/2025122400-CVE-2025-68369-f437@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68370",
"url": "https://lore.kernel.org/linux-cve-announce/2025122400-CVE-2025-68370-d381@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68371",
"url": "https://lore.kernel.org/linux-cve-announce/2025122401-CVE-2025-68371-5c31@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68372",
"url": "https://lore.kernel.org/linux-cve-announce/2025122401-CVE-2025-68372-98d0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68373",
"url": "https://lore.kernel.org/linux-cve-announce/2025122401-CVE-2025-68373-c983@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68374",
"url": "https://lore.kernel.org/linux-cve-announce/2025122402-CVE-2025-68374-560c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68375",
"url": "https://lore.kernel.org/linux-cve-announce/2025122402-CVE-2025-68375-aa1b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68376",
"url": "https://lore.kernel.org/linux-cve-announce/2025122402-CVE-2025-68376-a954@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68377",
"url": "https://lore.kernel.org/linux-cve-announce/2025122403-CVE-2025-68377-38f8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68378",
"url": "https://lore.kernel.org/linux-cve-announce/2025122403-CVE-2025-68378-60d1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68379",
"url": "https://lore.kernel.org/linux-cve-announce/2025122403-CVE-2025-68379-f90f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68380",
"url": "https://lore.kernel.org/linux-cve-announce/2025122404-CVE-2025-68380-3436@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68724",
"url": "https://lore.kernel.org/linux-cve-announce/2025122404-CVE-2025-68724-4d3c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68725",
"url": "https://lore.kernel.org/linux-cve-announce/2025122404-CVE-2025-68725-4488@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68726",
"url": "https://lore.kernel.org/linux-cve-announce/2025122405-CVE-2025-68726-7aff@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68727",
"url": "https://lore.kernel.org/linux-cve-announce/2025122405-CVE-2025-68727-8481@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68728",
"url": "https://lore.kernel.org/linux-cve-announce/2025122405-CVE-2025-68728-2b2c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68729",
"url": "https://lore.kernel.org/linux-cve-announce/2025122406-CVE-2025-68729-1e07@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68730",
"url": "https://lore.kernel.org/linux-cve-announce/2025122406-CVE-2025-68730-c272@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68731",
"url": "https://lore.kernel.org/linux-cve-announce/2025122406-CVE-2025-68731-d6d9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68732",
"url": "https://lore.kernel.org/linux-cve-announce/2025122406-CVE-2025-68732-d91d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68733",
"url": "https://lore.kernel.org/linux-cve-announce/2025122407-CVE-2025-68733-a65e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68734",
"url": "https://lore.kernel.org/linux-cve-announce/2025122453-CVE-2025-68734-6403@gregkh/"
}
],
"source_lang": "en-US",
"title": "Linux Kernel: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-12-28T23:00:00.000+00:00",
"generator": {
"date": "2025-12-29T08:50:31.283+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2025-2920",
"initial_release_date": "2025-12-23T23:00:00.000+00:00",
"revision_history": [
{
"date": "2025-12-23T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-12-28T23:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2025-205133, EUVD-2025-205111, EUVD-2025-205112, EUVD-2025-205121, EUVD-2025-205113, EUVD-2025-205114, EUVD-2025-205124, EUVD-2025-205130, EUVD-2025-205117, EUVD-2025-205137, EUVD-2025-205128, EUVD-2025-205134, EUVD-2025-205138, EUVD-2025-205127, EUVD-2025-205135, EUVD-2025-205120, EUVD-2025-205122, EUVD-2025-205132, EUVD-2025-205131, EUVD-2025-205125, EUVD-2025-205115, EUVD-2025-205136, EUVD-2025-205129, EUVD-2025-205123, EUVD-2025-205118, EUVD-2025-205139, EUVD-2025-205116, EUVD-2025-205143, EUVD-2025-205163, EUVD-2025-205144, EUVD-2025-205152, EUVD-2025-205161, EUVD-2025-205149, EUVD-2025-205148, EUVD-2025-205157, EUVD-2025-205146, EUVD-2025-205145, EUVD-2025-205147, EUVD-2025-205159, EUVD-2025-205142, EUVD-2025-205141, EUVD-2025-205151, EUVD-2025-205150, EUVD-2025-205164, EUVD-2025-205140, EUVD-2025-205160, EUVD-2025-205168, EUVD-2025-205177, EUVD-2025-205155, EUVD-2025-205181, EUVD-2025-205172, EUVD-2025-205153, EUVD-2025-205174, EUVD-2025-205180, EUVD-2025-205175, EUVD-2025-205167, EUVD-2025-205179, EUVD-2025-205173, EUVD-2025-205166, EUVD-2025-205165, EUVD-2025-205170, EUVD-2025-205176, EUVD-2025-205169, EUVD-2025-205178, EUVD-2025-205182, EUVD-2025-205184, EUVD-2025-205183, EUVD-2025-205064, EUVD-2025-205065, EUVD-2025-205067, EUVD-2025-205068, EUVD-2025-205070, EUVD-2025-205069, EUVD-2025-205071, EUVD-2025-205072, EUVD-2025-205074, EUVD-2025-205083, EUVD-2025-205094, EUVD-2025-205103, EUVD-2025-205066, EUVD-2025-205162, EUVD-2025-205154, EUVD-2025-205158, EUVD-2025-205156, EUVD-2025-205171, EUVD-2025-205126, EUVD-2025-205119"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Open Source Linux Kernel",
"product": {
"name": "Open Source Linux Kernel",
"product_id": "T028463",
"product_identification_helper": {
"cpe": "cpe:/o:linux:linux_kernel:unspecified"
}
}
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-50697",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2022-50697"
},
{
"cve": "CVE-2022-50698",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2022-50698"
},
{
"cve": "CVE-2022-50699",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2022-50699"
},
{
"cve": "CVE-2022-50700",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2022-50700"
},
{
"cve": "CVE-2022-50701",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2022-50701"
},
{
"cve": "CVE-2022-50702",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2022-50702"
},
{
"cve": "CVE-2022-50703",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2022-50703"
},
{
"cve": "CVE-2022-50704",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2022-50704"
},
{
"cve": "CVE-2022-50705",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2022-50705"
},
{
"cve": "CVE-2022-50706",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2022-50706"
},
{
"cve": "CVE-2022-50707",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2022-50707"
},
{
"cve": "CVE-2022-50708",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2022-50708"
},
{
"cve": "CVE-2022-50709",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2022-50709"
},
{
"cve": "CVE-2022-50710",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2022-50710"
},
{
"cve": "CVE-2022-50711",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2022-50711"
},
{
"cve": "CVE-2023-3773",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-3773"
},
{
"cve": "CVE-2023-53867",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-53867"
},
{
"cve": "CVE-2023-53986",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-53986"
},
{
"cve": "CVE-2023-53987",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-53987"
},
{
"cve": "CVE-2023-53988",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-53988"
},
{
"cve": "CVE-2023-53989",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-53989"
},
{
"cve": "CVE-2023-53990",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-53990"
},
{
"cve": "CVE-2023-53991",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-53991"
},
{
"cve": "CVE-2023-53992",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-53992"
},
{
"cve": "CVE-2023-53993",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-53993"
},
{
"cve": "CVE-2023-53994",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-53994"
},
{
"cve": "CVE-2023-53995",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-53995"
},
{
"cve": "CVE-2023-53996",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-53996"
},
{
"cve": "CVE-2023-53997",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-53997"
},
{
"cve": "CVE-2023-53998",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-53998"
},
{
"cve": "CVE-2023-53999",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-53999"
},
{
"cve": "CVE-2023-54000",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54000"
},
{
"cve": "CVE-2023-54001",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54001"
},
{
"cve": "CVE-2023-54002",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54002"
},
{
"cve": "CVE-2023-54003",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54003"
},
{
"cve": "CVE-2023-54004",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54004"
},
{
"cve": "CVE-2023-54005",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54005"
},
{
"cve": "CVE-2023-54006",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54006"
},
{
"cve": "CVE-2023-54007",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54007"
},
{
"cve": "CVE-2023-54008",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54008"
},
{
"cve": "CVE-2023-54009",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54009"
},
{
"cve": "CVE-2023-54010",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54010"
},
{
"cve": "CVE-2023-54011",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54011"
},
{
"cve": "CVE-2023-54012",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54012"
},
{
"cve": "CVE-2023-54013",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54013"
},
{
"cve": "CVE-2023-54014",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54014"
},
{
"cve": "CVE-2023-54015",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54015"
},
{
"cve": "CVE-2023-54016",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54016"
},
{
"cve": "CVE-2023-54017",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54017"
},
{
"cve": "CVE-2023-54018",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54018"
},
{
"cve": "CVE-2023-54019",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54019"
},
{
"cve": "CVE-2023-54020",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54020"
},
{
"cve": "CVE-2023-54021",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54021"
},
{
"cve": "CVE-2023-54022",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54022"
},
{
"cve": "CVE-2023-54023",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54023"
},
{
"cve": "CVE-2023-54024",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54024"
},
{
"cve": "CVE-2023-54025",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54025"
},
{
"cve": "CVE-2023-54026",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54026"
},
{
"cve": "CVE-2023-54027",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54027"
},
{
"cve": "CVE-2023-54028",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54028"
},
{
"cve": "CVE-2023-54029",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54029"
},
{
"cve": "CVE-2023-54030",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54030"
},
{
"cve": "CVE-2023-54031",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54031"
},
{
"cve": "CVE-2023-54032",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54032"
},
{
"cve": "CVE-2023-54033",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54033"
},
{
"cve": "CVE-2023-54034",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54034"
},
{
"cve": "CVE-2023-54035",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54035"
},
{
"cve": "CVE-2023-54036",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54036"
},
{
"cve": "CVE-2023-54037",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54037"
},
{
"cve": "CVE-2023-54038",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54038"
},
{
"cve": "CVE-2023-54039",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54039"
},
{
"cve": "CVE-2023-54040",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54040"
},
{
"cve": "CVE-2023-54041",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54041"
},
{
"cve": "CVE-2023-54042",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2023-54042"
},
{
"cve": "CVE-2025-68344",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68344"
},
{
"cve": "CVE-2025-68345",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68345"
},
{
"cve": "CVE-2025-68346",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68346"
},
{
"cve": "CVE-2025-68347",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68347"
},
{
"cve": "CVE-2025-68348",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68348"
},
{
"cve": "CVE-2025-68349",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68349"
},
{
"cve": "CVE-2025-68350",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68350"
},
{
"cve": "CVE-2025-68351",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68351"
},
{
"cve": "CVE-2025-68352",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68352"
},
{
"cve": "CVE-2025-68353",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68353"
},
{
"cve": "CVE-2025-68354",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68354"
},
{
"cve": "CVE-2025-68355",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68355"
},
{
"cve": "CVE-2025-68356",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68356"
},
{
"cve": "CVE-2025-68357",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68357"
},
{
"cve": "CVE-2025-68358",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68358"
},
{
"cve": "CVE-2025-68359",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68359"
},
{
"cve": "CVE-2025-68360",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68360"
},
{
"cve": "CVE-2025-68361",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68361"
},
{
"cve": "CVE-2025-68363",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68363"
},
{
"cve": "CVE-2025-68364",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68364"
},
{
"cve": "CVE-2025-68365",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68365"
},
{
"cve": "CVE-2025-68366",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68366"
},
{
"cve": "CVE-2025-68367",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68367"
},
{
"cve": "CVE-2025-68368",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68368"
},
{
"cve": "CVE-2025-68369",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68369"
},
{
"cve": "CVE-2025-68370",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68370"
},
{
"cve": "CVE-2025-68371",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68371"
},
{
"cve": "CVE-2025-68372",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68372"
},
{
"cve": "CVE-2025-68373",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68373"
},
{
"cve": "CVE-2025-68374",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68374"
},
{
"cve": "CVE-2025-68375",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68375"
},
{
"cve": "CVE-2025-68376",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68376"
},
{
"cve": "CVE-2025-68377",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68377"
},
{
"cve": "CVE-2025-68378",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68378"
},
{
"cve": "CVE-2025-68379",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68379"
},
{
"cve": "CVE-2025-68380",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68380"
},
{
"cve": "CVE-2025-68724",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68724"
},
{
"cve": "CVE-2025-68725",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68725"
},
{
"cve": "CVE-2025-68726",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68726"
},
{
"cve": "CVE-2025-68727",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68727"
},
{
"cve": "CVE-2025-68728",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68728"
},
{
"cve": "CVE-2025-68729",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68729"
},
{
"cve": "CVE-2025-68730",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68730"
},
{
"cve": "CVE-2025-68731",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68731"
},
{
"cve": "CVE-2025-68732",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68732"
},
{
"cve": "CVE-2025-68733",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68733"
},
{
"cve": "CVE-2025-68734",
"product_status": {
"known_affected": [
"T028463"
]
},
"release_date": "2025-12-23T23:00:00.000+00:00",
"title": "CVE-2025-68734"
}
]
}
CVE-2025-68358 (GCVE-0-2025-68358)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32
VLAI?
EPSS
Title
btrfs: fix racy bitfield write in btrfs_clear_space_info_full()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix racy bitfield write in btrfs_clear_space_info_full()
From the memory-barriers.txt document regarding memory barrier ordering
guarantees:
(*) These guarantees do not apply to bitfields, because compilers often
generate code to modify these using non-atomic read-modify-write
sequences. Do not attempt to use bitfields to synchronize parallel
algorithms.
(*) Even in cases where bitfields are protected by locks, all fields
in a given bitfield must be protected by one lock. If two fields
in a given bitfield are protected by different locks, the compiler's
non-atomic read-modify-write sequences can cause an update to one
field to corrupt the value of an adjacent field.
btrfs_space_info has a bitfield sharing an underlying word consisting of
the fields full, chunk_alloc, and flush:
struct btrfs_space_info {
struct btrfs_fs_info * fs_info; /* 0 8 */
struct btrfs_space_info * parent; /* 8 8 */
...
int clamp; /* 172 4 */
unsigned int full:1; /* 176: 0 4 */
unsigned int chunk_alloc:1; /* 176: 1 4 */
unsigned int flush:1; /* 176: 2 4 */
...
Therefore, to be safe from parallel read-modify-writes losing a write to
one of the bitfield members protected by a lock, all writes to all the
bitfields must use the lock. They almost universally do, except for
btrfs_clear_space_info_full() which iterates over the space_infos and
writes out found->full = 0 without a lock.
Imagine that we have one thread completing a transaction in which we
finished deleting a block_group and are thus calling
btrfs_clear_space_info_full() while simultaneously the data reclaim
ticket infrastructure is running do_async_reclaim_data_space():
T1 T2
btrfs_commit_transaction
btrfs_clear_space_info_full
data_sinfo->full = 0
READ: full:0, chunk_alloc:0, flush:1
do_async_reclaim_data_space(data_sinfo)
spin_lock(&space_info->lock);
if(list_empty(tickets))
space_info->flush = 0;
READ: full: 0, chunk_alloc:0, flush:1
MOD/WRITE: full: 0, chunk_alloc:0, flush:0
spin_unlock(&space_info->lock);
return;
MOD/WRITE: full:0, chunk_alloc:0, flush:1
and now data_sinfo->flush is 1 but the reclaim worker has exited. This
breaks the invariant that flush is 0 iff there is no work queued or
running. Once this invariant is violated, future allocations that go
into __reserve_bytes() will add tickets to space_info->tickets but will
see space_info->flush is set to 1 and not queue the work. After this,
they will block forever on the resulting ticket, as it is now impossible
to kick the worker again.
I also confirmed by looking at the assembly of the affected kernel that
it is doing RMW operations. For example, to set the flush (3rd) bit to 0,
the assembly is:
andb $0xfb,0x60(%rbx)
and similarly for setting the full (1st) bit to 0:
andb $0xfe,-0x20(%rax)
So I think this is really a bug on practical systems. I have observed
a number of systems in this exact state, but am currently unable to
reproduce it.
Rather than leaving this footgun lying around for the future, take
advantage of the fact that there is room in the struct anyway, and that
it is already quite large and simply change the three bitfield members to
bools. This avoids writes to space_info->full having any effect on
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
957780eb2788d8c218d539e19a85653f51a96dc1 , < 6f442808a86eef847ee10afa9e6459494ed85bb3
(git)
Affected: 957780eb2788d8c218d539e19a85653f51a96dc1 , < 742b90eaf394f0018352c0e10dc89763b2dd5267 (git) Affected: 957780eb2788d8c218d539e19a85653f51a96dc1 , < 38e818718c5e04961eea0fa8feff3f100ce40408 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c",
"fs/btrfs/space-info.c",
"fs/btrfs/space-info.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6f442808a86eef847ee10afa9e6459494ed85bb3",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
},
{
"lessThan": "742b90eaf394f0018352c0e10dc89763b2dd5267",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
},
{
"lessThan": "38e818718c5e04961eea0fa8feff3f100ce40408",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c",
"fs/btrfs/space-info.c",
"fs/btrfs/space-info.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix racy bitfield write in btrfs_clear_space_info_full()\n\nFrom the memory-barriers.txt document regarding memory barrier ordering\nguarantees:\n\n (*) These guarantees do not apply to bitfields, because compilers often\n generate code to modify these using non-atomic read-modify-write\n sequences. Do not attempt to use bitfields to synchronize parallel\n algorithms.\n\n (*) Even in cases where bitfields are protected by locks, all fields\n in a given bitfield must be protected by one lock. If two fields\n in a given bitfield are protected by different locks, the compiler\u0027s\n non-atomic read-modify-write sequences can cause an update to one\n field to corrupt the value of an adjacent field.\n\nbtrfs_space_info has a bitfield sharing an underlying word consisting of\nthe fields full, chunk_alloc, and flush:\n\nstruct btrfs_space_info {\n struct btrfs_fs_info * fs_info; /* 0 8 */\n struct btrfs_space_info * parent; /* 8 8 */\n ...\n int clamp; /* 172 4 */\n unsigned int full:1; /* 176: 0 4 */\n unsigned int chunk_alloc:1; /* 176: 1 4 */\n unsigned int flush:1; /* 176: 2 4 */\n ...\n\nTherefore, to be safe from parallel read-modify-writes losing a write to\none of the bitfield members protected by a lock, all writes to all the\nbitfields must use the lock. They almost universally do, except for\nbtrfs_clear_space_info_full() which iterates over the space_infos and\nwrites out found-\u003efull = 0 without a lock.\n\nImagine that we have one thread completing a transaction in which we\nfinished deleting a block_group and are thus calling\nbtrfs_clear_space_info_full() while simultaneously the data reclaim\nticket infrastructure is running do_async_reclaim_data_space():\n\n T1 T2\nbtrfs_commit_transaction\n btrfs_clear_space_info_full\n data_sinfo-\u003efull = 0\n READ: full:0, chunk_alloc:0, flush:1\n do_async_reclaim_data_space(data_sinfo)\n spin_lock(\u0026space_info-\u003elock);\n if(list_empty(tickets))\n space_info-\u003eflush = 0;\n READ: full: 0, chunk_alloc:0, flush:1\n MOD/WRITE: full: 0, chunk_alloc:0, flush:0\n spin_unlock(\u0026space_info-\u003elock);\n return;\n MOD/WRITE: full:0, chunk_alloc:0, flush:1\n\nand now data_sinfo-\u003eflush is 1 but the reclaim worker has exited. This\nbreaks the invariant that flush is 0 iff there is no work queued or\nrunning. Once this invariant is violated, future allocations that go\ninto __reserve_bytes() will add tickets to space_info-\u003etickets but will\nsee space_info-\u003eflush is set to 1 and not queue the work. After this,\nthey will block forever on the resulting ticket, as it is now impossible\nto kick the worker again.\n\nI also confirmed by looking at the assembly of the affected kernel that\nit is doing RMW operations. For example, to set the flush (3rd) bit to 0,\nthe assembly is:\n andb $0xfb,0x60(%rbx)\nand similarly for setting the full (1st) bit to 0:\n andb $0xfe,-0x20(%rax)\n\nSo I think this is really a bug on practical systems. I have observed\na number of systems in this exact state, but am currently unable to\nreproduce it.\n\nRather than leaving this footgun lying around for the future, take\nadvantage of the fact that there is room in the struct anyway, and that\nit is already quite large and simply change the three bitfield members to\nbools. This avoids writes to space_info-\u003efull having any effect on\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:32:47.692Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6f442808a86eef847ee10afa9e6459494ed85bb3"
},
{
"url": "https://git.kernel.org/stable/c/742b90eaf394f0018352c0e10dc89763b2dd5267"
},
{
"url": "https://git.kernel.org/stable/c/38e818718c5e04961eea0fa8feff3f100ce40408"
}
],
"title": "btrfs: fix racy bitfield write in btrfs_clear_space_info_full()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68358",
"datePublished": "2025-12-24T10:32:47.692Z",
"dateReserved": "2025-12-16T14:48:05.305Z",
"dateUpdated": "2025-12-24T10:32:47.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54031 (GCVE-0-2023-54031)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check
Summary
In the Linux kernel, the following vulnerability has been resolved:
vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check
The vdpa_nl_policy structure is used to validate the nlattr when parsing
the incoming nlmsg. It will ensure the attribute being described produces
a valid nlattr pointer in info->attrs before entering into each handler
in vdpa_nl_ops.
That is to say, the missing part in vdpa_nl_policy may lead to illegal
nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
This patch adds the missing nla_policy for vdpa queue index attr to avoid
such bugs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
13b00b135665c92065a27c0c39dd97e0f380bd4f , < 8ad9bc25cbdcec72e7ca43dd8281decb69ea9a70
(git)
Affected: 13b00b135665c92065a27c0c39dd97e0f380bd4f , < ccb533b7070aeeb65c66ea5d590e9c62421dcd61 (git) Affected: 13b00b135665c92065a27c0c39dd97e0f380bd4f , < b3003e1b54e057f5f3124e437b80c3bef26ed3fe (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ad9bc25cbdcec72e7ca43dd8281decb69ea9a70",
"status": "affected",
"version": "13b00b135665c92065a27c0c39dd97e0f380bd4f",
"versionType": "git"
},
{
"lessThan": "ccb533b7070aeeb65c66ea5d590e9c62421dcd61",
"status": "affected",
"version": "13b00b135665c92065a27c0c39dd97e0f380bd4f",
"versionType": "git"
},
{
"lessThan": "b3003e1b54e057f5f3124e437b80c3bef26ed3fe",
"status": "affected",
"version": "13b00b135665c92065a27c0c39dd97e0f380bd4f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: Add queue index attr to vdpa_nl_policy for nlattr length check\n\nThe vdpa_nl_policy structure is used to validate the nlattr when parsing\nthe incoming nlmsg. It will ensure the attribute being described produces\na valid nlattr pointer in info-\u003eattrs before entering into each handler\nin vdpa_nl_ops.\n\nThat is to say, the missing part in vdpa_nl_policy may lead to illegal\nnlattr after parsing, which could lead to OOB read just like CVE-2023-3773.\n\nThis patch adds the missing nla_policy for vdpa queue index attr to avoid\nsuch bugs."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:58.885Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ad9bc25cbdcec72e7ca43dd8281decb69ea9a70"
},
{
"url": "https://git.kernel.org/stable/c/ccb533b7070aeeb65c66ea5d590e9c62421dcd61"
},
{
"url": "https://git.kernel.org/stable/c/b3003e1b54e057f5f3124e437b80c3bef26ed3fe"
}
],
"title": "vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54031",
"datePublished": "2025-12-24T10:55:58.885Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:55:58.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50710 (GCVE-0-2022-50710)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-02 15:03
VLAI?
EPSS
Title
ice: set tx_tstamps when creating new Tx rings via ethtool
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: set tx_tstamps when creating new Tx rings via ethtool
When the user changes the number of queues via ethtool, the driver
allocates new rings. This allocation did not initialize tx_tstamps. This
results in the tx_tstamps field being zero (due to kcalloc allocation), and
would result in a NULL pointer dereference when attempting a transmit
timestamp on the new ring.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ea9b847cda647b9849b0b9fa0447e876a1ac62e1 , < 624f03a027f2b18647cc4f1a7a81920a1e4e0201
(git)
Affected: ea9b847cda647b9849b0b9fa0447e876a1ac62e1 , < 13180cb88a7be5ee389f65f6ab9f78e46f7722b2 (git) Affected: ea9b847cda647b9849b0b9fa0447e876a1ac62e1 , < 9eb5fff6b0e78819c758892282da5faa915724d0 (git) Affected: ea9b847cda647b9849b0b9fa0447e876a1ac62e1 , < b3b173745c8cab1e24d6821488b60abed3acb24d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "624f03a027f2b18647cc4f1a7a81920a1e4e0201",
"status": "affected",
"version": "ea9b847cda647b9849b0b9fa0447e876a1ac62e1",
"versionType": "git"
},
{
"lessThan": "13180cb88a7be5ee389f65f6ab9f78e46f7722b2",
"status": "affected",
"version": "ea9b847cda647b9849b0b9fa0447e876a1ac62e1",
"versionType": "git"
},
{
"lessThan": "9eb5fff6b0e78819c758892282da5faa915724d0",
"status": "affected",
"version": "ea9b847cda647b9849b0b9fa0447e876a1ac62e1",
"versionType": "git"
},
{
"lessThan": "b3b173745c8cab1e24d6821488b60abed3acb24d",
"status": "affected",
"version": "ea9b847cda647b9849b0b9fa0447e876a1ac62e1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: set tx_tstamps when creating new Tx rings via ethtool\n\nWhen the user changes the number of queues via ethtool, the driver\nallocates new rings. This allocation did not initialize tx_tstamps. This\nresults in the tx_tstamps field being zero (due to kcalloc allocation), and\nwould result in a NULL pointer dereference when attempting a transmit\ntimestamp on the new ring."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:03:59.507Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/624f03a027f2b18647cc4f1a7a81920a1e4e0201"
},
{
"url": "https://git.kernel.org/stable/c/13180cb88a7be5ee389f65f6ab9f78e46f7722b2"
},
{
"url": "https://git.kernel.org/stable/c/9eb5fff6b0e78819c758892282da5faa915724d0"
},
{
"url": "https://git.kernel.org/stable/c/b3b173745c8cab1e24d6821488b60abed3acb24d"
}
],
"title": "ice: set tx_tstamps when creating new Tx rings via ethtool",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50710",
"datePublished": "2025-12-24T10:55:23.918Z",
"dateReserved": "2025-12-24T10:53:15.518Z",
"dateUpdated": "2026-01-02T15:03:59.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53993 (GCVE-0-2023-53993)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
PCI/DOE: Fix memory leak with CONFIG_DEBUG_OBJECTS=y
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI/DOE: Fix memory leak with CONFIG_DEBUG_OBJECTS=y
After a pci_doe_task completes, its work_struct needs to be destroyed
to avoid a memory leak with CONFIG_DEBUG_OBJECTS=y.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9d24322e887b6a3d3f9f9c3e76937a646102c8c1 , < 2a0e0f4773fe8032fb17e56f897bee32ce3cdc2b
(git)
Affected: 9d24322e887b6a3d3f9f9c3e76937a646102c8c1 , < 95628b830952943631d3d74f73f431f501c5d6f5 (git) Affected: 9d24322e887b6a3d3f9f9c3e76937a646102c8c1 , < abf04be0e7071f2bcd39bf97ba407e7d4439785e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/doe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a0e0f4773fe8032fb17e56f897bee32ce3cdc2b",
"status": "affected",
"version": "9d24322e887b6a3d3f9f9c3e76937a646102c8c1",
"versionType": "git"
},
{
"lessThan": "95628b830952943631d3d74f73f431f501c5d6f5",
"status": "affected",
"version": "9d24322e887b6a3d3f9f9c3e76937a646102c8c1",
"versionType": "git"
},
{
"lessThan": "abf04be0e7071f2bcd39bf97ba407e7d4439785e",
"status": "affected",
"version": "9d24322e887b6a3d3f9f9c3e76937a646102c8c1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/doe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/DOE: Fix memory leak with CONFIG_DEBUG_OBJECTS=y\n\nAfter a pci_doe_task completes, its work_struct needs to be destroyed\nto avoid a memory leak with CONFIG_DEBUG_OBJECTS=y."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:31.344Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a0e0f4773fe8032fb17e56f897bee32ce3cdc2b"
},
{
"url": "https://git.kernel.org/stable/c/95628b830952943631d3d74f73f431f501c5d6f5"
},
{
"url": "https://git.kernel.org/stable/c/abf04be0e7071f2bcd39bf97ba407e7d4439785e"
}
],
"title": "PCI/DOE: Fix memory leak with CONFIG_DEBUG_OBJECTS=y",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53993",
"datePublished": "2025-12-24T10:55:31.344Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2025-12-24T10:55:31.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54005 (GCVE-0-2023-54005)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
binder: fix memory leak in binder_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
binder: fix memory leak in binder_init()
In binder_init(), the destruction of binder_alloc_shrinker_init() is not
performed in the wrong path, which will cause memory leaks. So this commit
introduces binder_alloc_shrinker_exit() and calls it in the wrong path to
fix that.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f2517eb76f1f2f7f89761f9db2b202e89931738c , < 486dd742ba186ea333664c517d6775b06b1448ca
(git)
Affected: f2517eb76f1f2f7f89761f9db2b202e89931738c , < ceb0f8cc987fb3d25c06b9662e08a42f99651207 (git) Affected: f2517eb76f1f2f7f89761f9db2b202e89931738c , < b97dad01c12169991f895de3d4f61b8115d12bab (git) Affected: f2517eb76f1f2f7f89761f9db2b202e89931738c , < d7e5e2b87f5d27469075b6326b6b358e38cd9dcb (git) Affected: f2517eb76f1f2f7f89761f9db2b202e89931738c , < 03eebad96233397f951d8e9fafd82a1674a77284 (git) Affected: f2517eb76f1f2f7f89761f9db2b202e89931738c , < f11a26633eb6d3bb24a10b1bacc4e4a9b0c6389f (git) Affected: f2517eb76f1f2f7f89761f9db2b202e89931738c , < ee95051c0c1928051f86198bf5e554277a53b26b (git) Affected: f2517eb76f1f2f7f89761f9db2b202e89931738c , < adb9743d6a08778b78d62d16b4230346d3508986 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/android/binder.c",
"drivers/android/binder_alloc.c",
"drivers/android/binder_alloc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "486dd742ba186ea333664c517d6775b06b1448ca",
"status": "affected",
"version": "f2517eb76f1f2f7f89761f9db2b202e89931738c",
"versionType": "git"
},
{
"lessThan": "ceb0f8cc987fb3d25c06b9662e08a42f99651207",
"status": "affected",
"version": "f2517eb76f1f2f7f89761f9db2b202e89931738c",
"versionType": "git"
},
{
"lessThan": "b97dad01c12169991f895de3d4f61b8115d12bab",
"status": "affected",
"version": "f2517eb76f1f2f7f89761f9db2b202e89931738c",
"versionType": "git"
},
{
"lessThan": "d7e5e2b87f5d27469075b6326b6b358e38cd9dcb",
"status": "affected",
"version": "f2517eb76f1f2f7f89761f9db2b202e89931738c",
"versionType": "git"
},
{
"lessThan": "03eebad96233397f951d8e9fafd82a1674a77284",
"status": "affected",
"version": "f2517eb76f1f2f7f89761f9db2b202e89931738c",
"versionType": "git"
},
{
"lessThan": "f11a26633eb6d3bb24a10b1bacc4e4a9b0c6389f",
"status": "affected",
"version": "f2517eb76f1f2f7f89761f9db2b202e89931738c",
"versionType": "git"
},
{
"lessThan": "ee95051c0c1928051f86198bf5e554277a53b26b",
"status": "affected",
"version": "f2517eb76f1f2f7f89761f9db2b202e89931738c",
"versionType": "git"
},
{
"lessThan": "adb9743d6a08778b78d62d16b4230346d3508986",
"status": "affected",
"version": "f2517eb76f1f2f7f89761f9db2b202e89931738c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/android/binder.c",
"drivers/android/binder_alloc.c",
"drivers/android/binder_alloc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.292",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.254",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.191",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix memory leak in binder_init()\n\nIn binder_init(), the destruction of binder_alloc_shrinker_init() is not\nperformed in the wrong path, which will cause memory leaks. So this commit\nintroduces binder_alloc_shrinker_exit() and calls it in the wrong path to\nfix that."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:39.826Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/486dd742ba186ea333664c517d6775b06b1448ca"
},
{
"url": "https://git.kernel.org/stable/c/ceb0f8cc987fb3d25c06b9662e08a42f99651207"
},
{
"url": "https://git.kernel.org/stable/c/b97dad01c12169991f895de3d4f61b8115d12bab"
},
{
"url": "https://git.kernel.org/stable/c/d7e5e2b87f5d27469075b6326b6b358e38cd9dcb"
},
{
"url": "https://git.kernel.org/stable/c/03eebad96233397f951d8e9fafd82a1674a77284"
},
{
"url": "https://git.kernel.org/stable/c/f11a26633eb6d3bb24a10b1bacc4e4a9b0c6389f"
},
{
"url": "https://git.kernel.org/stable/c/ee95051c0c1928051f86198bf5e554277a53b26b"
},
{
"url": "https://git.kernel.org/stable/c/adb9743d6a08778b78d62d16b4230346d3508986"
}
],
"title": "binder: fix memory leak in binder_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54005",
"datePublished": "2025-12-24T10:55:39.826Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2025-12-24T10:55:39.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68366 (GCVE-0-2025-68366)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
nbd: defer config unlock in nbd_genl_connect
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: defer config unlock in nbd_genl_connect
There is one use-after-free warning when running NBD_CMD_CONNECT and
NBD_CLEAR_SOCK:
nbd_genl_connect
nbd_alloc_and_init_config // config_refs=1
nbd_start_device // config_refs=2
set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3
recv_work done // config_refs=2
NBD_CLEAR_SOCK // config_refs=1
close nbd // config_refs=0
refcount_inc -> uaf
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290
nbd_genl_connect+0x16d0/0x1ab0
genl_family_rcv_msg_doit+0x1f3/0x310
genl_rcv_msg+0x44a/0x790
The issue can be easily reproduced by adding a small delay before
refcount_inc(&nbd->config_refs) in nbd_genl_connect():
mutex_unlock(&nbd->config_lock);
if (!ret) {
set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
+ printk("before sleep\n");
+ mdelay(5 * 1000);
+ printk("after sleep\n");
refcount_inc(&nbd->config_refs);
nbd_connect_reply(info, nbd->index);
}
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < ae3e7bc1f4b393ae20e5c85583eb2c6977374716
(git)
Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < 2e5e0665a594f076ef2b9439447bae8be293d09d (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < c9b99c948b4fb014812afe7b5ccf2db121d22e46 (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < 9a38306643874566d20f7aba7dff9e6f657b51a9 (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < c9e805f6a35d1dd189a9345595a5c20e87611942 (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < 1649714b930f9ea6233ce0810ba885999da3b5d4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae3e7bc1f4b393ae20e5c85583eb2c6977374716",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "2e5e0665a594f076ef2b9439447bae8be293d09d",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "c9b99c948b4fb014812afe7b5ccf2db121d22e46",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "9a38306643874566d20f7aba7dff9e6f657b51a9",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "c9e805f6a35d1dd189a9345595a5c20e87611942",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "1649714b930f9ea6233ce0810ba885999da3b5d4",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: defer config unlock in nbd_genl_connect\n\nThere is one use-after-free warning when running NBD_CMD_CONNECT and\nNBD_CLEAR_SOCK:\n\nnbd_genl_connect\n nbd_alloc_and_init_config // config_refs=1\n nbd_start_device // config_refs=2\n set NBD_RT_HAS_CONFIG_REF\t\t\topen nbd // config_refs=3\n recv_work done // config_refs=2\n\t\t\t\t\t\tNBD_CLEAR_SOCK // config_refs=1\n\t\t\t\t\t\tclose nbd // config_refs=0\n refcount_inc -\u003e uaf\n\n------------[ cut here ]------------\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290\n nbd_genl_connect+0x16d0/0x1ab0\n genl_family_rcv_msg_doit+0x1f3/0x310\n genl_rcv_msg+0x44a/0x790\n\nThe issue can be easily reproduced by adding a small delay before\nrefcount_inc(\u0026nbd-\u003econfig_refs) in nbd_genl_connect():\n\n mutex_unlock(\u0026nbd-\u003econfig_lock);\n if (!ret) {\n set_bit(NBD_RT_HAS_CONFIG_REF, \u0026config-\u003eruntime_flags);\n+ printk(\"before sleep\\n\");\n+ mdelay(5 * 1000);\n+ printk(\"after sleep\\n\");\n refcount_inc(\u0026nbd-\u003econfig_refs);\n nbd_connect_reply(info, nbd-\u003eindex);\n }"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:01.609Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae3e7bc1f4b393ae20e5c85583eb2c6977374716"
},
{
"url": "https://git.kernel.org/stable/c/2e5e0665a594f076ef2b9439447bae8be293d09d"
},
{
"url": "https://git.kernel.org/stable/c/c9b99c948b4fb014812afe7b5ccf2db121d22e46"
},
{
"url": "https://git.kernel.org/stable/c/9a38306643874566d20f7aba7dff9e6f657b51a9"
},
{
"url": "https://git.kernel.org/stable/c/c9e805f6a35d1dd189a9345595a5c20e87611942"
},
{
"url": "https://git.kernel.org/stable/c/1649714b930f9ea6233ce0810ba885999da3b5d4"
}
],
"title": "nbd: defer config unlock in nbd_genl_connect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68366",
"datePublished": "2025-12-24T10:32:53.399Z",
"dateReserved": "2025-12-16T14:48:05.308Z",
"dateUpdated": "2026-01-11T16:30:01.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54038 (GCVE-0-2023-54038)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link
hci_connect_sco currently returns NULL when there is no link (i.e. when
hci_conn_link() returns NULL).
sco_connect() expects an ERR_PTR in case of any error (see line 266 in
sco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which
tries to get hcon->hdev, resulting in dereferencing a NULL pointer as
reported by syzkaller.
The same issue exists for iso_connect_cis() calling hci_connect_cis().
Thus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR
instead of NULL.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_conn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "357ab53c83a5322437fa434e9a9e3e0bafe6b383",
"status": "affected",
"version": "06149746e7203d5ffe2d6faf9799ee36203aa8b8",
"versionType": "git"
},
{
"lessThan": "b4066eb04bb67e7ff66e5aaab0db4a753f37eaad",
"status": "affected",
"version": "06149746e7203d5ffe2d6faf9799ee36203aa8b8",
"versionType": "git"
},
{
"status": "affected",
"version": "f72fc94a17d45be98aecfd59c39b5b24a6a342e2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_conn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link\n\nhci_connect_sco currently returns NULL when there is no link (i.e. when\nhci_conn_link() returns NULL).\n\nsco_connect() expects an ERR_PTR in case of any error (see line 266 in\nsco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which\ntries to get hcon-\u003ehdev, resulting in dereferencing a NULL pointer as\nreported by syzkaller.\n\nThe same issue exists for iso_connect_cis() calling hci_connect_cis().\n\nThus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR\ninstead of NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:04.623Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/357ab53c83a5322437fa434e9a9e3e0bafe6b383"
},
{
"url": "https://git.kernel.org/stable/c/b4066eb04bb67e7ff66e5aaab0db4a753f37eaad"
}
],
"title": "Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54038",
"datePublished": "2025-12-24T10:56:04.623Z",
"dateReserved": "2025-12-24T10:53:46.181Z",
"dateUpdated": "2025-12-24T10:56:04.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53991 (GCVE-0-2023-53991)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
drm/msm/dpu: Disallow unallocated resources to be returned
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dpu: Disallow unallocated resources to be returned
In the event that the topology requests resources that have not been
created by the system (because they are typically not represented in
dpu_mdss_cfg ^1), the resource(s) in global_state (in this case DSC
blocks, until their allocation/assignment is being sanity-checked in
"drm/msm/dpu: Reject topologies for which no DSC blocks are available")
remain NULL but will still be returned out of
dpu_rm_get_assigned_resources, where the caller expects to get an array
containing num_blks valid pointers (but instead gets these NULLs).
To prevent this from happening, where null-pointer dereferences
typically result in a hard-to-debug platform lockup, num_blks shouldn't
increase past NULL blocks and will print an error and break instead.
After all, max_blks represents the static size of the maximum number of
blocks whereas the actual amount varies per platform.
^1: which can happen after a git rebase ended up moving additions to
_dpu_cfg to a different struct which has the same patch context.
Patchwork: https://patchwork.freedesktop.org/patch/517636/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bb00a452d6f77391441ef7df48f7115dd459cd2f , < 8dbd54d679e3ab37be43bc1ed9f463dbf83a2259
(git)
Affected: bb00a452d6f77391441ef7df48f7115dd459cd2f , < bf661c5e3bc48973acb363c76e3db965d9ed26d0 (git) Affected: bb00a452d6f77391441ef7df48f7115dd459cd2f , < 9e1e236acdc42b5c43ec8d7f03a39537e70cc309 (git) Affected: bb00a452d6f77391441ef7df48f7115dd459cd2f , < 9fe3644c720ac87d150f0bba5a4ae86cae55afaf (git) Affected: bb00a452d6f77391441ef7df48f7115dd459cd2f , < abc40122d9a69f56c04efb5a7485795f5ac799d1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/dpu1/dpu_rm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8dbd54d679e3ab37be43bc1ed9f463dbf83a2259",
"status": "affected",
"version": "bb00a452d6f77391441ef7df48f7115dd459cd2f",
"versionType": "git"
},
{
"lessThan": "bf661c5e3bc48973acb363c76e3db965d9ed26d0",
"status": "affected",
"version": "bb00a452d6f77391441ef7df48f7115dd459cd2f",
"versionType": "git"
},
{
"lessThan": "9e1e236acdc42b5c43ec8d7f03a39537e70cc309",
"status": "affected",
"version": "bb00a452d6f77391441ef7df48f7115dd459cd2f",
"versionType": "git"
},
{
"lessThan": "9fe3644c720ac87d150f0bba5a4ae86cae55afaf",
"status": "affected",
"version": "bb00a452d6f77391441ef7df48f7115dd459cd2f",
"versionType": "git"
},
{
"lessThan": "abc40122d9a69f56c04efb5a7485795f5ac799d1",
"status": "affected",
"version": "bb00a452d6f77391441ef7df48f7115dd459cd2f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/dpu1/dpu_rm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Disallow unallocated resources to be returned\n\nIn the event that the topology requests resources that have not been\ncreated by the system (because they are typically not represented in\ndpu_mdss_cfg ^1), the resource(s) in global_state (in this case DSC\nblocks, until their allocation/assignment is being sanity-checked in\n\"drm/msm/dpu: Reject topologies for which no DSC blocks are available\")\nremain NULL but will still be returned out of\ndpu_rm_get_assigned_resources, where the caller expects to get an array\ncontaining num_blks valid pointers (but instead gets these NULLs).\n\nTo prevent this from happening, where null-pointer dereferences\ntypically result in a hard-to-debug platform lockup, num_blks shouldn\u0027t\nincrease past NULL blocks and will print an error and break instead.\nAfter all, max_blks represents the static size of the maximum number of\nblocks whereas the actual amount varies per platform.\n\n^1: which can happen after a git rebase ended up moving additions to\n_dpu_cfg to a different struct which has the same patch context.\n\nPatchwork: https://patchwork.freedesktop.org/patch/517636/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:29.833Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8dbd54d679e3ab37be43bc1ed9f463dbf83a2259"
},
{
"url": "https://git.kernel.org/stable/c/bf661c5e3bc48973acb363c76e3db965d9ed26d0"
},
{
"url": "https://git.kernel.org/stable/c/9e1e236acdc42b5c43ec8d7f03a39537e70cc309"
},
{
"url": "https://git.kernel.org/stable/c/9fe3644c720ac87d150f0bba5a4ae86cae55afaf"
},
{
"url": "https://git.kernel.org/stable/c/abc40122d9a69f56c04efb5a7485795f5ac799d1"
}
],
"title": "drm/msm/dpu: Disallow unallocated resources to be returned",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53991",
"datePublished": "2025-12-24T10:55:29.833Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2025-12-24T10:55:29.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68374 (GCVE-0-2025-68374)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2025-12-24 10:33
VLAI?
EPSS
Title
md: fix rcu protection in md_wakeup_thread
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: fix rcu protection in md_wakeup_thread
We attempted to use RCU to protect the pointer 'thread', but directly
passed the value when calling md_wakeup_thread(). This means that the
RCU pointer has been acquired before rcu_read_lock(), which renders
rcu_read_lock() ineffective and could lead to a use-after-free.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4469315439827290923fce4f3f672599cabeb366 , < 21989cb5034c835b212385a2afadf279d8069da0
(git)
Affected: 4469315439827290923fce4f3f672599cabeb366 , < a4bd1caf591faeae44cb10b6517e7dacb5139bda (git) Affected: 4469315439827290923fce4f3f672599cabeb366 , < f98b191f78124405294481dea85f8a22a3eb0a59 (git) Affected: 4469315439827290923fce4f3f672599cabeb366 , < 0dc76205549b4c25705e54345f211b9f66e018a0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c",
"drivers/md/md.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "21989cb5034c835b212385a2afadf279d8069da0",
"status": "affected",
"version": "4469315439827290923fce4f3f672599cabeb366",
"versionType": "git"
},
{
"lessThan": "a4bd1caf591faeae44cb10b6517e7dacb5139bda",
"status": "affected",
"version": "4469315439827290923fce4f3f672599cabeb366",
"versionType": "git"
},
{
"lessThan": "f98b191f78124405294481dea85f8a22a3eb0a59",
"status": "affected",
"version": "4469315439827290923fce4f3f672599cabeb366",
"versionType": "git"
},
{
"lessThan": "0dc76205549b4c25705e54345f211b9f66e018a0",
"status": "affected",
"version": "4469315439827290923fce4f3f672599cabeb366",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c",
"drivers/md/md.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix rcu protection in md_wakeup_thread\n\nWe attempted to use RCU to protect the pointer \u0027thread\u0027, but directly\npassed the value when calling md_wakeup_thread(). This means that the\nRCU pointer has been acquired before rcu_read_lock(), which renders\nrcu_read_lock() ineffective and could lead to a use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:33:04.046Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/21989cb5034c835b212385a2afadf279d8069da0"
},
{
"url": "https://git.kernel.org/stable/c/a4bd1caf591faeae44cb10b6517e7dacb5139bda"
},
{
"url": "https://git.kernel.org/stable/c/f98b191f78124405294481dea85f8a22a3eb0a59"
},
{
"url": "https://git.kernel.org/stable/c/0dc76205549b4c25705e54345f211b9f66e018a0"
}
],
"title": "md: fix rcu protection in md_wakeup_thread",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68374",
"datePublished": "2025-12-24T10:33:04.046Z",
"dateReserved": "2025-12-16T14:48:05.310Z",
"dateUpdated": "2025-12-24T10:33:04.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68727 (GCVE-0-2025-68727)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
ntfs3: Fix uninit buffer allocated by __getname()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: Fix uninit buffer allocated by __getname()
Fix uninit errors caused after buffer allocation given to 'de'; by
initializing the buffer with zeroes. The fix was found by using KMSAN.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
78ab59fee07f22464f32eafebab2bd97ba94ff2d , < 53f4d6cb97096590410f3719f75cdf9fc5120f37
(git)
Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < dcb5e3cd96b77d52bb65988e4c914636a6d4fdd9 (git) Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < 4b1fd82848fdf0e01b3320815b261006c1722c3e (git) Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < d88d4b455b6794f48d7adad52593f1700c7bd50e (git) Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < b40a4eb4a0543d49686a6e693745009dac3b86a9 (git) Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < 9948dcb2f7b5a1bf8e8710eafaf6016e00be3ad6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "53f4d6cb97096590410f3719f75cdf9fc5120f37",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "dcb5e3cd96b77d52bb65988e4c914636a6d4fdd9",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "4b1fd82848fdf0e01b3320815b261006c1722c3e",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "d88d4b455b6794f48d7adad52593f1700c7bd50e",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "b40a4eb4a0543d49686a6e693745009dac3b86a9",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "9948dcb2f7b5a1bf8e8710eafaf6016e00be3ad6",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: Fix uninit buffer allocated by __getname()\n\nFix uninit errors caused after buffer allocation given to \u0027de\u0027; by\ninitializing the buffer with zeroes. The fix was found by using KMSAN."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:13.443Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/53f4d6cb97096590410f3719f75cdf9fc5120f37"
},
{
"url": "https://git.kernel.org/stable/c/dcb5e3cd96b77d52bb65988e4c914636a6d4fdd9"
},
{
"url": "https://git.kernel.org/stable/c/4b1fd82848fdf0e01b3320815b261006c1722c3e"
},
{
"url": "https://git.kernel.org/stable/c/d88d4b455b6794f48d7adad52593f1700c7bd50e"
},
{
"url": "https://git.kernel.org/stable/c/b40a4eb4a0543d49686a6e693745009dac3b86a9"
},
{
"url": "https://git.kernel.org/stable/c/9948dcb2f7b5a1bf8e8710eafaf6016e00be3ad6"
}
],
"title": "ntfs3: Fix uninit buffer allocated by __getname()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68727",
"datePublished": "2025-12-24T10:33:11.085Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-01-11T16:30:13.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68361 (GCVE-0-2025-68361)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32
VLAI?
EPSS
Title
erofs: limit the level of fs stacking for file-backed mounts
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: limit the level of fs stacking for file-backed mounts
Otherwise, it could cause potential kernel stack overflow (e.g., EROFS
mounting itself).
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
fb176750266a3d7f42ebdcf28e8ba40350b27847 , < 34447aeedbaea8f9aad3da5b07030a1c0e124639
(git)
Affected: fb176750266a3d7f42ebdcf28e8ba40350b27847 , < b4911825348a494e894e6ccfcf88d99e9425f129 (git) Affected: fb176750266a3d7f42ebdcf28e8ba40350b27847 , < 620472e6b303c4dbcc7ecf1aba1cda4f3523e4a4 (git) Affected: fb176750266a3d7f42ebdcf28e8ba40350b27847 , < d53cd891f0e4311889349fff3a784dc552f814b9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "34447aeedbaea8f9aad3da5b07030a1c0e124639",
"status": "affected",
"version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
"versionType": "git"
},
{
"lessThan": "b4911825348a494e894e6ccfcf88d99e9425f129",
"status": "affected",
"version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
"versionType": "git"
},
{
"lessThan": "620472e6b303c4dbcc7ecf1aba1cda4f3523e4a4",
"status": "affected",
"version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
"versionType": "git"
},
{
"lessThan": "d53cd891f0e4311889349fff3a784dc552f814b9",
"status": "affected",
"version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: limit the level of fs stacking for file-backed mounts\n\nOtherwise, it could cause potential kernel stack overflow (e.g., EROFS\nmounting itself)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:32:49.792Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/34447aeedbaea8f9aad3da5b07030a1c0e124639"
},
{
"url": "https://git.kernel.org/stable/c/b4911825348a494e894e6ccfcf88d99e9425f129"
},
{
"url": "https://git.kernel.org/stable/c/620472e6b303c4dbcc7ecf1aba1cda4f3523e4a4"
},
{
"url": "https://git.kernel.org/stable/c/d53cd891f0e4311889349fff3a784dc552f814b9"
}
],
"title": "erofs: limit the level of fs stacking for file-backed mounts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68361",
"datePublished": "2025-12-24T10:32:49.792Z",
"dateReserved": "2025-12-16T14:48:05.305Z",
"dateUpdated": "2025-12-24T10:32:49.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68349 (GCVE-0-2025-68349)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:29
VLAI?
EPSS
Title
NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid
Fixes a crash when layout is null during this call stack:
write_inode
-> nfs4_write_inode
-> pnfs_layoutcommit_inode
pnfs_set_layoutcommit relies on the lseg refcount to keep the layout
around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt
to reference a null layout.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < 104080582ae0aa6dce6c6d75ff89062efe84673b
(git)
Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < f718f9ea6094843b8c059b073af49ad61e9f49bb (git) Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < 59947dff0fb7c19c09ce6dccbcd253fd542b6c25 (git) Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < ca2e7fdad7c683b64821c94a58b9b68733214dad (git) Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < 38694f9aae00459ab443a7dc8b3949a6b33b560a (git) Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < e0f8058f2cb56de0b7572f51cd563ca5debce746 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/pnfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "104080582ae0aa6dce6c6d75ff89062efe84673b",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "f718f9ea6094843b8c059b073af49ad61e9f49bb",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "59947dff0fb7c19c09ce6dccbcd253fd542b6c25",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "ca2e7fdad7c683b64821c94a58b9b68733214dad",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "38694f9aae00459ab443a7dc8b3949a6b33b560a",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "e0f8058f2cb56de0b7572f51cd563ca5debce746",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/pnfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid\n\nFixes a crash when layout is null during this call stack:\n\nwrite_inode\n -\u003e nfs4_write_inode\n -\u003e pnfs_layoutcommit_inode\n\npnfs_set_layoutcommit relies on the lseg refcount to keep the layout\naround. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt\nto reference a null layout."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:53.463Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/104080582ae0aa6dce6c6d75ff89062efe84673b"
},
{
"url": "https://git.kernel.org/stable/c/f718f9ea6094843b8c059b073af49ad61e9f49bb"
},
{
"url": "https://git.kernel.org/stable/c/59947dff0fb7c19c09ce6dccbcd253fd542b6c25"
},
{
"url": "https://git.kernel.org/stable/c/ca2e7fdad7c683b64821c94a58b9b68733214dad"
},
{
"url": "https://git.kernel.org/stable/c/38694f9aae00459ab443a7dc8b3949a6b33b560a"
},
{
"url": "https://git.kernel.org/stable/c/e0f8058f2cb56de0b7572f51cd563ca5debce746"
}
],
"title": "NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68349",
"datePublished": "2025-12-24T10:32:41.253Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2026-01-11T16:29:53.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68345 (GCVE-0-2025-68345)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:29
VLAI?
EPSS
Title
ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()
The acpi_get_first_physical_node() function can return NULL, in which
case the get_device() function also returns NULL, but this value is
then dereferenced without checking,so add a check to prevent a crash.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7b2f3eb492dac7665c75df067e4d8e4869589f4a , < e63f9c81ca28b06eeeac3630faddc50717897351
(git)
Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < 7a35a505d76a4b6cd426b59ff2d800d0394cc5d3 (git) Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < e6ba921b17797ccc545d80e0dbccb5fab91c248c (git) Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < c28946b7409b7b68fb0481ec738c8b04578b11c6 (git) Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < 343fa9800cf9870ec681e21f0a6f2157b74ae520 (git) Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < c34b04cc6178f33c08331568c7fd25c5b9a39f66 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/hda/codecs/side-codecs/cs35l41_hda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e63f9c81ca28b06eeeac3630faddc50717897351",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "7a35a505d76a4b6cd426b59ff2d800d0394cc5d3",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "e6ba921b17797ccc545d80e0dbccb5fab91c248c",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "c28946b7409b7b68fb0481ec738c8b04578b11c6",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "343fa9800cf9870ec681e21f0a6f2157b74ae520",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "c34b04cc6178f33c08331568c7fd25c5b9a39f66",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/hda/codecs/side-codecs/cs35l41_hda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()\n\nThe acpi_get_first_physical_node() function can return NULL, in which\ncase the get_device() function also returns NULL, but this value is\nthen dereferenced without checking,so add a check to prevent a crash.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:49.942Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e63f9c81ca28b06eeeac3630faddc50717897351"
},
{
"url": "https://git.kernel.org/stable/c/7a35a505d76a4b6cd426b59ff2d800d0394cc5d3"
},
{
"url": "https://git.kernel.org/stable/c/e6ba921b17797ccc545d80e0dbccb5fab91c248c"
},
{
"url": "https://git.kernel.org/stable/c/c28946b7409b7b68fb0481ec738c8b04578b11c6"
},
{
"url": "https://git.kernel.org/stable/c/343fa9800cf9870ec681e21f0a6f2157b74ae520"
},
{
"url": "https://git.kernel.org/stable/c/c34b04cc6178f33c08331568c7fd25c5b9a39f66"
}
],
"title": "ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68345",
"datePublished": "2025-12-24T10:32:38.378Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-01-11T16:29:49.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54001 (GCVE-0-2023-54001)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
staging: r8712: Fix memory leak in _r8712_init_xmit_priv()
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: r8712: Fix memory leak in _r8712_init_xmit_priv()
In the above mentioned routine, memory is allocated in several places.
If the first succeeds and a later one fails, the routine will leak memory.
This patch fixes commit 2865d42c78a9 ("staging: r8712u: Add the new driver
to the mainline kernel"). A potential memory leak in
r8712_xmit_resource_alloc() is also addressed.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef , < fc511ae405f7ba29fbcb0246061ec15c272386e1
(git)
Affected: 2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef , < acacdbe0f740ca8c5d5da73d50870903a3ded677 (git) Affected: 2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef , < 41e05572e871b10dbdc168c76175c97982daf4a4 (git) Affected: 2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef , < 874555472c736813ba1f4baf0b4c09c8e26d81ea (git) Affected: 2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef , < ac83631230f77dda94154ed0ebfd368fc81c70a3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8712/rtl871x_xmit.c",
"drivers/staging/rtl8712/xmit_linux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc511ae405f7ba29fbcb0246061ec15c272386e1",
"status": "affected",
"version": "2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef",
"versionType": "git"
},
{
"lessThan": "acacdbe0f740ca8c5d5da73d50870903a3ded677",
"status": "affected",
"version": "2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef",
"versionType": "git"
},
{
"lessThan": "41e05572e871b10dbdc168c76175c97982daf4a4",
"status": "affected",
"version": "2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef",
"versionType": "git"
},
{
"lessThan": "874555472c736813ba1f4baf0b4c09c8e26d81ea",
"status": "affected",
"version": "2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef",
"versionType": "git"
},
{
"lessThan": "ac83631230f77dda94154ed0ebfd368fc81c70a3",
"status": "affected",
"version": "2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8712/rtl871x_xmit.c",
"drivers/staging/rtl8712/xmit_linux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.124",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: r8712: Fix memory leak in _r8712_init_xmit_priv()\n\nIn the above mentioned routine, memory is allocated in several places.\nIf the first succeeds and a later one fails, the routine will leak memory.\nThis patch fixes commit 2865d42c78a9 (\"staging: r8712u: Add the new driver\nto the mainline kernel\"). A potential memory leak in\nr8712_xmit_resource_alloc() is also addressed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:36.991Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc511ae405f7ba29fbcb0246061ec15c272386e1"
},
{
"url": "https://git.kernel.org/stable/c/acacdbe0f740ca8c5d5da73d50870903a3ded677"
},
{
"url": "https://git.kernel.org/stable/c/41e05572e871b10dbdc168c76175c97982daf4a4"
},
{
"url": "https://git.kernel.org/stable/c/874555472c736813ba1f4baf0b4c09c8e26d81ea"
},
{
"url": "https://git.kernel.org/stable/c/ac83631230f77dda94154ed0ebfd368fc81c70a3"
}
],
"title": "staging: r8712: Fix memory leak in _r8712_init_xmit_priv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54001",
"datePublished": "2025-12-24T10:55:36.991Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2025-12-24T10:55:36.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68730 (GCVE-0-2025-68730)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2025-12-24 10:33
VLAI?
EPSS
Title
accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context()
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context()
Don't add BO to the vdev->bo_list in ivpu_gem_create_object().
When failure happens inside drm_gem_shmem_create(), the BO is not
fully created and ivpu_gem_bo_free() callback will not be called
causing a deleted BO to be left on the list.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8d88e4cdce4f5c56de55174a4d32ea9c06f7fa66 , < 8172838a284c27190fa6782c2740a97020434750
(git)
Affected: 8d88e4cdce4f5c56de55174a4d32ea9c06f7fa66 , < c9ef5ccd8bd9bcf598b6d3f77e7eb4dde7149aec (git) Affected: 8d88e4cdce4f5c56de55174a4d32ea9c06f7fa66 , < 8b694b405a84696f1d964f6da7cf9721e68c4714 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/ivpu/ivpu_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8172838a284c27190fa6782c2740a97020434750",
"status": "affected",
"version": "8d88e4cdce4f5c56de55174a4d32ea9c06f7fa66",
"versionType": "git"
},
{
"lessThan": "c9ef5ccd8bd9bcf598b6d3f77e7eb4dde7149aec",
"status": "affected",
"version": "8d88e4cdce4f5c56de55174a4d32ea9c06f7fa66",
"versionType": "git"
},
{
"lessThan": "8b694b405a84696f1d964f6da7cf9721e68c4714",
"status": "affected",
"version": "8d88e4cdce4f5c56de55174a4d32ea9c06f7fa66",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/ivpu/ivpu_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context()\n\nDon\u0027t add BO to the vdev-\u003ebo_list in ivpu_gem_create_object().\nWhen failure happens inside drm_gem_shmem_create(), the BO is not\nfully created and ivpu_gem_bo_free() callback will not be called\ncausing a deleted BO to be left on the list."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:33:13.236Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8172838a284c27190fa6782c2740a97020434750"
},
{
"url": "https://git.kernel.org/stable/c/c9ef5ccd8bd9bcf598b6d3f77e7eb4dde7149aec"
},
{
"url": "https://git.kernel.org/stable/c/8b694b405a84696f1d964f6da7cf9721e68c4714"
}
],
"title": "accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68730",
"datePublished": "2025-12-24T10:33:13.236Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2025-12-24T10:33:13.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68728 (GCVE-0-2025-68728)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
ntfs3: fix uninit memory after failed mi_read in mi_format_new
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: fix uninit memory after failed mi_read in mi_format_new
Fix a KMSAN un-init bug found by syzkaller.
ntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be
uptodate. We do not bring the buffer uptodate before setting it as
uptodate. If the buffer were to not be uptodate, it could mean adding a
buffer with un-init data to the mi record. Attempting to load that record
will trigger KMSAN.
Avoid this by setting the buffer as uptodate, if it’s not already, by
overwriting it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4342306f0f0d5ff4315a204d315c1b51b914fca5 , < c70b3abfd530c7f574bc25a5f84707e6fdf0def8
(git)
Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 8bf729b96303bb862d7c6dc05edcf51274ae04cf (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 7ce8f2028dfccb2161b905cf8ab85cdd9e93909c (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 46f2a881e5a7311d41551edb3915e4d4e8802341 (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 81ffe9a265df3e41534726b852ab08792e3d374d (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 73e6b9dacf72a1e7a4265eacca46f8f33e0997d6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/fsntfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c70b3abfd530c7f574bc25a5f84707e6fdf0def8",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "8bf729b96303bb862d7c6dc05edcf51274ae04cf",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "7ce8f2028dfccb2161b905cf8ab85cdd9e93909c",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "46f2a881e5a7311d41551edb3915e4d4e8802341",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "81ffe9a265df3e41534726b852ab08792e3d374d",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "73e6b9dacf72a1e7a4265eacca46f8f33e0997d6",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/fsntfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: fix uninit memory after failed mi_read in mi_format_new\n\nFix a KMSAN un-init bug found by syzkaller.\n\nntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be\nuptodate. We do not bring the buffer uptodate before setting it as\nuptodate. If the buffer were to not be uptodate, it could mean adding a\nbuffer with un-init data to the mi record. Attempting to load that record\nwill trigger KMSAN.\n\nAvoid this by setting the buffer as uptodate, if it\u2019s not already, by\noverwriting it."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:14.704Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c70b3abfd530c7f574bc25a5f84707e6fdf0def8"
},
{
"url": "https://git.kernel.org/stable/c/8bf729b96303bb862d7c6dc05edcf51274ae04cf"
},
{
"url": "https://git.kernel.org/stable/c/7ce8f2028dfccb2161b905cf8ab85cdd9e93909c"
},
{
"url": "https://git.kernel.org/stable/c/46f2a881e5a7311d41551edb3915e4d4e8802341"
},
{
"url": "https://git.kernel.org/stable/c/81ffe9a265df3e41534726b852ab08792e3d374d"
},
{
"url": "https://git.kernel.org/stable/c/73e6b9dacf72a1e7a4265eacca46f8f33e0997d6"
}
],
"title": "ntfs3: fix uninit memory after failed mi_read in mi_format_new",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68728",
"datePublished": "2025-12-24T10:33:11.847Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-01-11T16:30:14.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50706 (GCVE-0-2022-50706)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
net/ieee802154: don't warn zero-sized raw_sendmsg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/ieee802154: don't warn zero-sized raw_sendmsg()
syzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1],
for PF_IEEE802154 socket's zero-sized raw_sendmsg() request is hitting
__dev_queue_xmit() with skb->len == 0.
Since PF_IEEE802154 socket's zero-sized raw_sendmsg() request was
able to return 0, don't call __dev_queue_xmit() if packet length is 0.
----------
#include <sys/socket.h>
#include <netinet/in.h>
int main(int argc, char *argv[])
{
struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
struct iovec iov = { };
struct msghdr hdr = { .msg_name = &addr, .msg_namelen = sizeof(addr), .msg_iov = &iov, .msg_iovlen = 1 };
sendmsg(socket(PF_IEEE802154, SOCK_RAW, 0), &hdr, 0);
return 0;
}
----------
Note that this might be a sign that commit fd1894224407c484 ("bpf: Don't
redirect packets with invalid pkt_len") should be reverted, for
skb->len == 0 was acceptable for at least PF_IEEE802154 socket.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8b68e53d56697a59b5c53893b53f508bbdf272a0 , < 4a36de8947794fa21435d1e916e089095f3246a8
(git)
Affected: 6204bf78b2a903b96ba43afff6abc0b04d6e0462 , < 791489a5c56396ddfed75fc525066d4738dace46 (git) Affected: a75987714bd2d8e59840667a28e15c1fa5c47554 , < 34f31a2b667914ab701ca725554a0b447809d7ef (git) Affected: 72f2dc8993f10262092745a88cb2dd0fef094f23 , < df0da3fc131132b6c32a15c4da4ffa3a5aea1af2 (git) Affected: fd1894224407c484f652ad456e1ce423e89bb3eb , < 9974d220c5073d035b5469d1d8ecd71da86c7afd (git) Affected: fd1894224407c484f652ad456e1ce423e89bb3eb , < b12e924a2f5b960373459c8f8a514f887adf5cac (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ieee802154/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4a36de8947794fa21435d1e916e089095f3246a8",
"status": "affected",
"version": "8b68e53d56697a59b5c53893b53f508bbdf272a0",
"versionType": "git"
},
{
"lessThan": "791489a5c56396ddfed75fc525066d4738dace46",
"status": "affected",
"version": "6204bf78b2a903b96ba43afff6abc0b04d6e0462",
"versionType": "git"
},
{
"lessThan": "34f31a2b667914ab701ca725554a0b447809d7ef",
"status": "affected",
"version": "a75987714bd2d8e59840667a28e15c1fa5c47554",
"versionType": "git"
},
{
"lessThan": "df0da3fc131132b6c32a15c4da4ffa3a5aea1af2",
"status": "affected",
"version": "72f2dc8993f10262092745a88cb2dd0fef094f23",
"versionType": "git"
},
{
"lessThan": "9974d220c5073d035b5469d1d8ecd71da86c7afd",
"status": "affected",
"version": "fd1894224407c484f652ad456e1ce423e89bb3eb",
"versionType": "git"
},
{
"lessThan": "b12e924a2f5b960373459c8f8a514f887adf5cac",
"status": "affected",
"version": "fd1894224407c484f652ad456e1ce423e89bb3eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ieee802154/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "5.4.212",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.10.141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.15.65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.19.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ieee802154: don\u0027t warn zero-sized raw_sendmsg()\n\nsyzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1],\nfor PF_IEEE802154 socket\u0027s zero-sized raw_sendmsg() request is hitting\n__dev_queue_xmit() with skb-\u003elen == 0.\n\nSince PF_IEEE802154 socket\u0027s zero-sized raw_sendmsg() request was\nable to return 0, don\u0027t call __dev_queue_xmit() if packet length is 0.\n\n ----------\n #include \u003csys/socket.h\u003e\n #include \u003cnetinet/in.h\u003e\n\n int main(int argc, char *argv[])\n {\n struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };\n struct iovec iov = { };\n struct msghdr hdr = { .msg_name = \u0026addr, .msg_namelen = sizeof(addr), .msg_iov = \u0026iov, .msg_iovlen = 1 };\n sendmsg(socket(PF_IEEE802154, SOCK_RAW, 0), \u0026hdr, 0);\n return 0;\n }\n ----------\n\nNote that this might be a sign that commit fd1894224407c484 (\"bpf: Don\u0027t\nredirect packets with invalid pkt_len\") should be reverted, for\nskb-\u003elen == 0 was acceptable for at least PF_IEEE802154 socket."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:20.835Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a36de8947794fa21435d1e916e089095f3246a8"
},
{
"url": "https://git.kernel.org/stable/c/791489a5c56396ddfed75fc525066d4738dace46"
},
{
"url": "https://git.kernel.org/stable/c/34f31a2b667914ab701ca725554a0b447809d7ef"
},
{
"url": "https://git.kernel.org/stable/c/df0da3fc131132b6c32a15c4da4ffa3a5aea1af2"
},
{
"url": "https://git.kernel.org/stable/c/9974d220c5073d035b5469d1d8ecd71da86c7afd"
},
{
"url": "https://git.kernel.org/stable/c/b12e924a2f5b960373459c8f8a514f887adf5cac"
}
],
"title": "net/ieee802154: don\u0027t warn zero-sized raw_sendmsg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50706",
"datePublished": "2025-12-24T10:55:20.835Z",
"dateReserved": "2025-12-24T10:53:15.518Z",
"dateUpdated": "2025-12-24T10:55:20.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53989 (GCVE-0-2023-53989)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
arm64: mm: fix VA-range sanity check
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: mm: fix VA-range sanity check
Both create_mapping_noalloc() and update_mapping_prot() sanity-check
their 'virt' parameter, but the check itself doesn't make much sense.
The condition used today appears to be a historical accident.
The sanity-check condition:
if ((virt >= PAGE_END) && (virt < VMALLOC_START)) {
[ ... warning here ... ]
return;
}
... can only be true for the KASAN shadow region or the module region,
and there's no reason to exclude these specifically for creating and
updateing mappings.
When arm64 support was first upstreamed in commit:
c1cc1552616d0f35 ("arm64: MMU initialisation")
... the condition was:
if (virt < VMALLOC_START) {
[ ... warning here ... ]
return;
}
At the time, VMALLOC_START was the lowest kernel address, and this was
checking whether 'virt' would be translated via TTBR1.
Subsequently in commit:
14c127c957c1c607 ("arm64: mm: Flip kernel VA space")
... the condition was changed to:
if ((virt >= VA_START) && (virt < VMALLOC_START)) {
[ ... warning here ... ]
return;
}
This appear to have been a thinko. The commit moved the linear map to
the bottom of the kernel address space, with VMALLOC_START being at the
halfway point. The old condition would warn for changes to the linear
map below this, and at the time VA_START was the end of the linear map.
Subsequently we cleaned up the naming of VA_START in commit:
77ad4ce69321abbe ("arm64: memory: rename VA_START to PAGE_END")
... keeping the erroneous condition as:
if ((virt >= PAGE_END) && (virt < VMALLOC_START)) {
[ ... warning here ... ]
return;
}
Correct the condition to check against the start of the TTBR1 address
space, which is currently PAGE_OFFSET. This simplifies the logic, and
more clearly matches the "outside kernel range" message in the warning.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
14c127c957c1c6070647c171e72f06e0db275ebf , < 9d8d3df71516ec3236d8d93ff029d251377ba4b1
(git)
Affected: 14c127c957c1c6070647c171e72f06e0db275ebf , < 32020fc2a8373d3de35ae6d029d5969a42651e7a (git) Affected: 14c127c957c1c6070647c171e72f06e0db275ebf , < 621619f626cbe702ddbdc54117f3868b8ebd8129 (git) Affected: 14c127c957c1c6070647c171e72f06e0db275ebf , < b03c7fcc5ed854d0e1b27e9abf12428bfa751a37 (git) Affected: 14c127c957c1c6070647c171e72f06e0db275ebf , < ab9b4008092c86dc12497af155a0901cc1156999 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/mm/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d8d3df71516ec3236d8d93ff029d251377ba4b1",
"status": "affected",
"version": "14c127c957c1c6070647c171e72f06e0db275ebf",
"versionType": "git"
},
{
"lessThan": "32020fc2a8373d3de35ae6d029d5969a42651e7a",
"status": "affected",
"version": "14c127c957c1c6070647c171e72f06e0db275ebf",
"versionType": "git"
},
{
"lessThan": "621619f626cbe702ddbdc54117f3868b8ebd8129",
"status": "affected",
"version": "14c127c957c1c6070647c171e72f06e0db275ebf",
"versionType": "git"
},
{
"lessThan": "b03c7fcc5ed854d0e1b27e9abf12428bfa751a37",
"status": "affected",
"version": "14c127c957c1c6070647c171e72f06e0db275ebf",
"versionType": "git"
},
{
"lessThan": "ab9b4008092c86dc12497af155a0901cc1156999",
"status": "affected",
"version": "14c127c957c1c6070647c171e72f06e0db275ebf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/mm/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mm: fix VA-range sanity check\n\nBoth create_mapping_noalloc() and update_mapping_prot() sanity-check\ntheir \u0027virt\u0027 parameter, but the check itself doesn\u0027t make much sense.\nThe condition used today appears to be a historical accident.\n\nThe sanity-check condition:\n\n\tif ((virt \u003e= PAGE_END) \u0026\u0026 (virt \u003c VMALLOC_START)) {\n\t\t[ ... warning here ... ]\n\t\treturn;\n\t}\n\n... can only be true for the KASAN shadow region or the module region,\nand there\u0027s no reason to exclude these specifically for creating and\nupdateing mappings.\n\nWhen arm64 support was first upstreamed in commit:\n\n c1cc1552616d0f35 (\"arm64: MMU initialisation\")\n\n... the condition was:\n\n\tif (virt \u003c VMALLOC_START) {\n\t\t[ ... warning here ... ]\n\t\treturn;\n\t}\n\nAt the time, VMALLOC_START was the lowest kernel address, and this was\nchecking whether \u0027virt\u0027 would be translated via TTBR1.\n\nSubsequently in commit:\n\n 14c127c957c1c607 (\"arm64: mm: Flip kernel VA space\")\n\n... the condition was changed to:\n\n\tif ((virt \u003e= VA_START) \u0026\u0026 (virt \u003c VMALLOC_START)) {\n\t\t[ ... warning here ... ]\n\t\treturn;\n\t}\n\nThis appear to have been a thinko. The commit moved the linear map to\nthe bottom of the kernel address space, with VMALLOC_START being at the\nhalfway point. The old condition would warn for changes to the linear\nmap below this, and at the time VA_START was the end of the linear map.\n\nSubsequently we cleaned up the naming of VA_START in commit:\n\n 77ad4ce69321abbe (\"arm64: memory: rename VA_START to PAGE_END\")\n\n... keeping the erroneous condition as:\n\n\tif ((virt \u003e= PAGE_END) \u0026\u0026 (virt \u003c VMALLOC_START)) {\n\t\t[ ... warning here ... ]\n\t\treturn;\n\t}\n\nCorrect the condition to check against the start of the TTBR1 address\nspace, which is currently PAGE_OFFSET. This simplifies the logic, and\nmore clearly matches the \"outside kernel range\" message in the warning."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:21.217Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d8d3df71516ec3236d8d93ff029d251377ba4b1"
},
{
"url": "https://git.kernel.org/stable/c/32020fc2a8373d3de35ae6d029d5969a42651e7a"
},
{
"url": "https://git.kernel.org/stable/c/621619f626cbe702ddbdc54117f3868b8ebd8129"
},
{
"url": "https://git.kernel.org/stable/c/b03c7fcc5ed854d0e1b27e9abf12428bfa751a37"
},
{
"url": "https://git.kernel.org/stable/c/ab9b4008092c86dc12497af155a0901cc1156999"
}
],
"title": "arm64: mm: fix VA-range sanity check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53989",
"datePublished": "2025-12-24T10:55:28.461Z",
"dateReserved": "2025-12-24T10:53:46.175Z",
"dateUpdated": "2026-01-05T10:33:21.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68724 (GCVE-0-2025-68724)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
Use check_add_overflow() to guard against potential integer overflows
when adding the binary blob lengths and the size of an asymmetric_key_id
structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a
possible buffer overflow when copying data from potentially malicious
X.509 certificate fields that can be arbitrarily large, such as ASN.1
INTEGER serial numbers, issuer names, etc.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < dfc1613961828745165aec6552c3818fa14ab725
(git)
Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < c73be4f51eed98fa0c7c189db8f279e1c86bfbf7 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 6af753ac5205115e6c310c8c4236c01b59a1c44f (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < b7090a5c153105b9fd221a5a81459ee8cd5babd6 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < df0845cf447ae1556c3440b8b155de0926cbaa56 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/asymmetric_keys/asymmetric_type.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dfc1613961828745165aec6552c3818fa14ab725",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "c73be4f51eed98fa0c7c189db8f279e1c86bfbf7",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "6af753ac5205115e6c310c8c4236c01b59a1c44f",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "b7090a5c153105b9fd221a5a81459ee8cd5babd6",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "df0845cf447ae1556c3440b8b155de0926cbaa56",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/asymmetric_keys/asymmetric_type.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id\n\nUse check_add_overflow() to guard against potential integer overflows\nwhen adding the binary blob lengths and the size of an asymmetric_key_id\nstructure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a\npossible buffer overflow when copying data from potentially malicious\nX.509 certificate fields that can be arbitrarily large, such as ASN.1\nINTEGER serial numbers, issuer names, etc."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:12.251Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dfc1613961828745165aec6552c3818fa14ab725"
},
{
"url": "https://git.kernel.org/stable/c/5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c"
},
{
"url": "https://git.kernel.org/stable/c/c73be4f51eed98fa0c7c189db8f279e1c86bfbf7"
},
{
"url": "https://git.kernel.org/stable/c/6af753ac5205115e6c310c8c4236c01b59a1c44f"
},
{
"url": "https://git.kernel.org/stable/c/b7090a5c153105b9fd221a5a81459ee8cd5babd6"
},
{
"url": "https://git.kernel.org/stable/c/df0845cf447ae1556c3440b8b155de0926cbaa56"
}
],
"title": "crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68724",
"datePublished": "2025-12-24T10:33:08.932Z",
"dateReserved": "2025-12-24T10:30:51.027Z",
"dateUpdated": "2026-01-11T16:30:12.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54007 (GCVE-0-2023-54007)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
vmci_host: fix a race condition in vmci_host_poll() causing GPF
Summary
In the Linux kernel, the following vulnerability has been resolved:
vmci_host: fix a race condition in vmci_host_poll() causing GPF
During fuzzing, a general protection fault is observed in
vmci_host_poll().
general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
RIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926
<- omitting registers ->
Call Trace:
<TASK>
lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162
add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22
poll_wait include/linux/poll.h:49 [inline]
vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174
vfs_poll include/linux/poll.h:88 [inline]
do_pollfd fs/select.c:873 [inline]
do_poll fs/select.c:921 [inline]
do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015
__do_sys_ppoll fs/select.c:1121 [inline]
__se_sys_ppoll+0x2cc/0x330 fs/select.c:1101
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Example thread interleaving that causes the general protection fault
is as follows:
CPU1 (vmci_host_poll) CPU2 (vmci_host_do_init_context)
----- -----
// Read uninitialized context
context = vmci_host_dev->context;
// Initialize context
vmci_host_dev->context = vmci_ctx_create();
vmci_host_dev->ct_type = VMCIOBJ_CONTEXT;
if (vmci_host_dev->ct_type == VMCIOBJ_CONTEXT) {
// Dereferencing the wrong pointer
poll_wait(..., &context->host_context);
}
In this scenario, vmci_host_poll() reads vmci_host_dev->context first,
and then reads vmci_host_dev->ct_type to check that
vmci_host_dev->context is initialized. However, since these two reads
are not atomically executed, there is a chance of a race condition as
described above.
To fix this race condition, read vmci_host_dev->context after checking
the value of vmci_host_dev->ct_type so that vmci_host_poll() always
reads an initialized context.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < 2053e93ac15519ed1f1fe6eba79a33a4963be4a3
(git)
Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < ca0f4ad2b7a36c799213ef0a213eb977a51e03dc (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < 85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < 770d30b1355c6c8879973dd054fca9168def182c (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < d22b2a35729cb1de311cb650cd67518a24e13fc9 (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < 67e35824f861a05b44b19d38e16a83f653bd9d92 (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < ab64bd32b9fac27ff4737d63711b9db5e5462448 (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < ae13381da5ff0e8e084c0323c3cc0a945e43e9c7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/vmw_vmci/vmci_host.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2053e93ac15519ed1f1fe6eba79a33a4963be4a3",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "ca0f4ad2b7a36c799213ef0a213eb977a51e03dc",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "770d30b1355c6c8879973dd054fca9168def182c",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "d22b2a35729cb1de311cb650cd67518a24e13fc9",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "67e35824f861a05b44b19d38e16a83f653bd9d92",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "ab64bd32b9fac27ff4737d63711b9db5e5462448",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "ae13381da5ff0e8e084c0323c3cc0a945e43e9c7",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/vmw_vmci/vmci_host.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmci_host: fix a race condition in vmci_host_poll() causing GPF\n\nDuring fuzzing, a general protection fault is observed in\nvmci_host_poll().\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]\nRIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926\n\u003c- omitting registers -\u003e\nCall Trace:\n \u003cTASK\u003e\n lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162\n add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22\n poll_wait include/linux/poll.h:49 [inline]\n vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174\n vfs_poll include/linux/poll.h:88 [inline]\n do_pollfd fs/select.c:873 [inline]\n do_poll fs/select.c:921 [inline]\n do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015\n __do_sys_ppoll fs/select.c:1121 [inline]\n __se_sys_ppoll+0x2cc/0x330 fs/select.c:1101\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nExample thread interleaving that causes the general protection fault\nis as follows:\n\nCPU1 (vmci_host_poll) CPU2 (vmci_host_do_init_context)\n----- -----\n// Read uninitialized context\ncontext = vmci_host_dev-\u003econtext;\n // Initialize context\n vmci_host_dev-\u003econtext = vmci_ctx_create();\n vmci_host_dev-\u003ect_type = VMCIOBJ_CONTEXT;\n\nif (vmci_host_dev-\u003ect_type == VMCIOBJ_CONTEXT) {\n // Dereferencing the wrong pointer\n poll_wait(..., \u0026context-\u003ehost_context);\n}\n\nIn this scenario, vmci_host_poll() reads vmci_host_dev-\u003econtext first,\nand then reads vmci_host_dev-\u003ect_type to check that\nvmci_host_dev-\u003econtext is initialized. However, since these two reads\nare not atomically executed, there is a chance of a race condition as\ndescribed above.\n\nTo fix this race condition, read vmci_host_dev-\u003econtext after checking\nthe value of vmci_host_dev-\u003ect_type so that vmci_host_poll() always\nreads an initialized context."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:41.281Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2053e93ac15519ed1f1fe6eba79a33a4963be4a3"
},
{
"url": "https://git.kernel.org/stable/c/ca0f4ad2b7a36c799213ef0a213eb977a51e03dc"
},
{
"url": "https://git.kernel.org/stable/c/85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b"
},
{
"url": "https://git.kernel.org/stable/c/770d30b1355c6c8879973dd054fca9168def182c"
},
{
"url": "https://git.kernel.org/stable/c/d22b2a35729cb1de311cb650cd67518a24e13fc9"
},
{
"url": "https://git.kernel.org/stable/c/67e35824f861a05b44b19d38e16a83f653bd9d92"
},
{
"url": "https://git.kernel.org/stable/c/ab64bd32b9fac27ff4737d63711b9db5e5462448"
},
{
"url": "https://git.kernel.org/stable/c/ae13381da5ff0e8e084c0323c3cc0a945e43e9c7"
}
],
"title": "vmci_host: fix a race condition in vmci_host_poll() causing GPF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54007",
"datePublished": "2025-12-24T10:55:41.281Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2025-12-24T10:55:41.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-3773 (GCVE-0-2023-3773)
Vulnerability from cvelistv5 – Published: 2023-07-25 15:47 – Updated: 2025-11-14 14:21
VLAI?
EPSS
Title
Kernel: xfrm: out-of-bounds read of xfrma_mtimer_thresh nlattr
Summary
A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace.
Severity ?
5.5 (Medium)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 9 |
Unaffected:
0:5.14.0-362.8.1.el9_3 , < *
(rpm)
cpe:/a:redhat:enterprise_linux:9::appstream cpe:/a:redhat:enterprise_linux:9::nfv cpe:/a:redhat:enterprise_linux:9::realtime cpe:/o:redhat:enterprise_linux:9::baseos cpe:/a:redhat:enterprise_linux:9::crb |
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
Credits
Red Hat would like to thank Lin Ma (ZJU & Ant Security Light-Year Lab) for reporting this issue.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:49.757Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2023:6583",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:6583"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-3773"
},
{
"name": "RHBZ#2218944",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218944"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5492"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3773",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:33:27.598158Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:47:25.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/a:redhat:enterprise_linux:9::realtime",
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-362.8.1.el9_3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/a:redhat:enterprise_linux:9::realtime",
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-362.8.1.el9_3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Lin Ma (ZJU \u0026 Ant Security Light-Year Lab) for reporting this issue."
}
],
"datePublic": "2023-07-23T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u2019s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T14:21:06.184Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2023:6583",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:6583"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-3773"
},
{
"name": "RHBZ#2218944",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218944"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-06-29T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-07-23T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Kernel: xfrm: out-of-bounds read of xfrma_mtimer_thresh nlattr",
"x_redhatCweChain": "CWE-125: Out-of-bounds Read"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-3773",
"datePublished": "2023-07-25T15:47:40.391Z",
"dateReserved": "2023-07-19T13:55:13.694Z",
"dateUpdated": "2025-11-14T14:21:06.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50711 (GCVE-0-2022-50711)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
net: ethernet: mtk_eth_soc: fix possible memory leak in mtk_probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: mtk_eth_soc: fix possible memory leak in mtk_probe()
If mtk_wed_add_hw() has been called, mtk_wed_exit() needs be called
in error path or removing module to free the memory allocated in
mtk_wed_add_hw().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mediatek/mtk_eth_soc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "96bde7c4f5683d8c1c809ddb781ef3fdec9b7215",
"status": "affected",
"version": "804775dfc2885e93a0a4b35db1914c2cc25172b5",
"versionType": "git"
},
{
"lessThan": "b3d0d98179d62f9d55635a600679c4fa362baf8d",
"status": "affected",
"version": "804775dfc2885e93a0a4b35db1914c2cc25172b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mediatek/mtk_eth_soc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: fix possible memory leak in mtk_probe()\n\nIf mtk_wed_add_hw() has been called, mtk_wed_exit() needs be called\nin error path or removing module to free the memory allocated in\nmtk_wed_add_hw()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:24.689Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/96bde7c4f5683d8c1c809ddb781ef3fdec9b7215"
},
{
"url": "https://git.kernel.org/stable/c/b3d0d98179d62f9d55635a600679c4fa362baf8d"
}
],
"title": "net: ethernet: mtk_eth_soc: fix possible memory leak in mtk_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50711",
"datePublished": "2025-12-24T10:55:24.689Z",
"dateReserved": "2025-12-24T10:53:15.518Z",
"dateUpdated": "2025-12-24T10:55:24.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54028 (GCVE-0-2023-54028)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
RDMA/rxe: Fix the error "trying to register non-static key in rxe_cleanup_task"
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix the error "trying to register non-static key in rxe_cleanup_task"
In the function rxe_create_qp(), rxe_qp_from_init() is called to
initialize qp, internally things like rxe_init_task are not setup until
rxe_qp_init_req().
If an error occurred before this point then the unwind will call
rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task()
which will oops when trying to access the uninitialized spinlock.
If rxe_init_task is not executed, rxe_cleanup_task will not be called.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8700e3e7c4857d28ebaa824509934556da0b3e76 , < 3236221bb8e4de8e3d0c8385f634064fb26b8e38
(git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < c8473cd5b301279a41dc75e5afb26b3d5223b6c7 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 0d938264fcfe4927e54f0e519da05af1d5d720b4 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < b2b1ddc457458fecd1c6f385baa9fbda5f0c63ad (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3236221bb8e4de8e3d0c8385f634064fb26b8e38",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "c8473cd5b301279a41dc75e5afb26b3d5223b6c7",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "0d938264fcfe4927e54f0e519da05af1d5d720b4",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "b2b1ddc457458fecd1c6f385baa9fbda5f0c63ad",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.32",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix the error \"trying to register non-static key in rxe_cleanup_task\"\n\nIn the function rxe_create_qp(), rxe_qp_from_init() is called to\ninitialize qp, internally things like rxe_init_task are not setup until\nrxe_qp_init_req().\n\nIf an error occurred before this point then the unwind will call\nrxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task()\nwhich will oops when trying to access the uninitialized spinlock.\n\nIf rxe_init_task is not executed, rxe_cleanup_task will not be called."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:56.619Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3236221bb8e4de8e3d0c8385f634064fb26b8e38"
},
{
"url": "https://git.kernel.org/stable/c/c8473cd5b301279a41dc75e5afb26b3d5223b6c7"
},
{
"url": "https://git.kernel.org/stable/c/0d938264fcfe4927e54f0e519da05af1d5d720b4"
},
{
"url": "https://git.kernel.org/stable/c/b2b1ddc457458fecd1c6f385baa9fbda5f0c63ad"
}
],
"title": "RDMA/rxe: Fix the error \"trying to register non-static key in rxe_cleanup_task\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54028",
"datePublished": "2025-12-24T10:55:56.619Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:55:56.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54009 (GCVE-0-2023-54009)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
i2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path
The cdns_i2c_master_xfer() function gets a runtime PM reference when the
function is entered. This reference is released when the function is
exited. There is currently one error path where the function exits
directly, which leads to a leak of the runtime PM reference.
Make sure that this error path also releases the runtime PM reference.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1a351b10b9671fc2fac767c40a1c4373b9bf5092 , < fd7bf900c3215c77f6d779d1532faa22b79f2430
(git)
Affected: 1a351b10b9671fc2fac767c40a1c4373b9bf5092 , < 2d65599ad1e4f195bbb80752cd5cbc2f1a018dba (git) Affected: 1a351b10b9671fc2fac767c40a1c4373b9bf5092 , < a712b5a95270e62209f5c2201c774f708f75234e (git) Affected: 1a351b10b9671fc2fac767c40a1c4373b9bf5092 , < d0dc6553b5f2b1272c01b0eba5fe2fd89cc59f44 (git) Affected: 1a351b10b9671fc2fac767c40a1c4373b9bf5092 , < 5b14d7c6ba0ba5d167f5ef588ca6dfe1af6dd0aa (git) Affected: 1a351b10b9671fc2fac767c40a1c4373b9bf5092 , < ae1664f04f504a998737f5bb563f16b44357bcca (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-cadence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fd7bf900c3215c77f6d779d1532faa22b79f2430",
"status": "affected",
"version": "1a351b10b9671fc2fac767c40a1c4373b9bf5092",
"versionType": "git"
},
{
"lessThan": "2d65599ad1e4f195bbb80752cd5cbc2f1a018dba",
"status": "affected",
"version": "1a351b10b9671fc2fac767c40a1c4373b9bf5092",
"versionType": "git"
},
{
"lessThan": "a712b5a95270e62209f5c2201c774f708f75234e",
"status": "affected",
"version": "1a351b10b9671fc2fac767c40a1c4373b9bf5092",
"versionType": "git"
},
{
"lessThan": "d0dc6553b5f2b1272c01b0eba5fe2fd89cc59f44",
"status": "affected",
"version": "1a351b10b9671fc2fac767c40a1c4373b9bf5092",
"versionType": "git"
},
{
"lessThan": "5b14d7c6ba0ba5d167f5ef588ca6dfe1af6dd0aa",
"status": "affected",
"version": "1a351b10b9671fc2fac767c40a1c4373b9bf5092",
"versionType": "git"
},
{
"lessThan": "ae1664f04f504a998737f5bb563f16b44357bcca",
"status": "affected",
"version": "1a351b10b9671fc2fac767c40a1c4373b9bf5092",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-cadence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path\n\nThe cdns_i2c_master_xfer() function gets a runtime PM reference when the\nfunction is entered. This reference is released when the function is\nexited. There is currently one error path where the function exits\ndirectly, which leads to a leak of the runtime PM reference.\n\nMake sure that this error path also releases the runtime PM reference."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:42.679Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fd7bf900c3215c77f6d779d1532faa22b79f2430"
},
{
"url": "https://git.kernel.org/stable/c/2d65599ad1e4f195bbb80752cd5cbc2f1a018dba"
},
{
"url": "https://git.kernel.org/stable/c/a712b5a95270e62209f5c2201c774f708f75234e"
},
{
"url": "https://git.kernel.org/stable/c/d0dc6553b5f2b1272c01b0eba5fe2fd89cc59f44"
},
{
"url": "https://git.kernel.org/stable/c/5b14d7c6ba0ba5d167f5ef588ca6dfe1af6dd0aa"
},
{
"url": "https://git.kernel.org/stable/c/ae1664f04f504a998737f5bb563f16b44357bcca"
}
],
"title": "i2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54009",
"datePublished": "2025-12-24T10:55:42.679Z",
"dateReserved": "2025-12-24T10:53:46.178Z",
"dateUpdated": "2025-12-24T10:55:42.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54021 (GCVE-0-2023-54021)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
ext4: set goal start correctly in ext4_mb_normalize_request
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: set goal start correctly in ext4_mb_normalize_request
We need to set ac_g_ex to notify the goal start used in
ext4_mb_find_by_goal. Set ac_g_ex instead of ac_f_ex in
ext4_mb_normalize_request.
Besides we should assure goal start is in range [first_data_block,
blocks_count) as ext4_mb_initialize_context does.
[ Added a check to make sure size is less than ar->pright; otherwise
we could end up passing an underflowed value of ar->pright - size to
ext4_get_group_no_and_offset(), which will trigger a BUG_ON later on.
- TYT ]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c9de560ded61faa5b754137b7753da252391c55a , < 2479bb6cbdb4d56b807bbe5229e3e26a6f1f4530
(git)
Affected: c9de560ded61faa5b754137b7753da252391c55a , < 390eee955d4de4662db5e3e9e9a9eae020432cb7 (git) Affected: c9de560ded61faa5b754137b7753da252391c55a , < cee78217a7ae72d11c2e21e1a5263b8044489823 (git) Affected: c9de560ded61faa5b754137b7753da252391c55a , < 3ca3005b502ca8ea87d6a344323b179b48c4e4a3 (git) Affected: c9de560ded61faa5b754137b7753da252391c55a , < bc4a3e1d07a86ae5845321d371190244acacb2f2 (git) Affected: c9de560ded61faa5b754137b7753da252391c55a , < c6bee8970075b256fc1b07bf4873049219380818 (git) Affected: c9de560ded61faa5b754137b7753da252391c55a , < abb330ffaa3a0ae7ce632e28c9260b461c01f19f (git) Affected: c9de560ded61faa5b754137b7753da252391c55a , < b07ffe6927c75d99af534d685282ea188d9f71a6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2479bb6cbdb4d56b807bbe5229e3e26a6f1f4530",
"status": "affected",
"version": "c9de560ded61faa5b754137b7753da252391c55a",
"versionType": "git"
},
{
"lessThan": "390eee955d4de4662db5e3e9e9a9eae020432cb7",
"status": "affected",
"version": "c9de560ded61faa5b754137b7753da252391c55a",
"versionType": "git"
},
{
"lessThan": "cee78217a7ae72d11c2e21e1a5263b8044489823",
"status": "affected",
"version": "c9de560ded61faa5b754137b7753da252391c55a",
"versionType": "git"
},
{
"lessThan": "3ca3005b502ca8ea87d6a344323b179b48c4e4a3",
"status": "affected",
"version": "c9de560ded61faa5b754137b7753da252391c55a",
"versionType": "git"
},
{
"lessThan": "bc4a3e1d07a86ae5845321d371190244acacb2f2",
"status": "affected",
"version": "c9de560ded61faa5b754137b7753da252391c55a",
"versionType": "git"
},
{
"lessThan": "c6bee8970075b256fc1b07bf4873049219380818",
"status": "affected",
"version": "c9de560ded61faa5b754137b7753da252391c55a",
"versionType": "git"
},
{
"lessThan": "abb330ffaa3a0ae7ce632e28c9260b461c01f19f",
"status": "affected",
"version": "c9de560ded61faa5b754137b7753da252391c55a",
"versionType": "git"
},
{
"lessThan": "b07ffe6927c75d99af534d685282ea188d9f71a6",
"status": "affected",
"version": "c9de560ded61faa5b754137b7753da252391c55a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: set goal start correctly in ext4_mb_normalize_request\n\nWe need to set ac_g_ex to notify the goal start used in\next4_mb_find_by_goal. Set ac_g_ex instead of ac_f_ex in\next4_mb_normalize_request.\nBesides we should assure goal start is in range [first_data_block,\nblocks_count) as ext4_mb_initialize_context does.\n\n[ Added a check to make sure size is less than ar-\u003epright; otherwise\n we could end up passing an underflowed value of ar-\u003epright - size to\n ext4_get_group_no_and_offset(), which will trigger a BUG_ON later on.\n - TYT ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:30.936Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2479bb6cbdb4d56b807bbe5229e3e26a6f1f4530"
},
{
"url": "https://git.kernel.org/stable/c/390eee955d4de4662db5e3e9e9a9eae020432cb7"
},
{
"url": "https://git.kernel.org/stable/c/cee78217a7ae72d11c2e21e1a5263b8044489823"
},
{
"url": "https://git.kernel.org/stable/c/3ca3005b502ca8ea87d6a344323b179b48c4e4a3"
},
{
"url": "https://git.kernel.org/stable/c/bc4a3e1d07a86ae5845321d371190244acacb2f2"
},
{
"url": "https://git.kernel.org/stable/c/c6bee8970075b256fc1b07bf4873049219380818"
},
{
"url": "https://git.kernel.org/stable/c/abb330ffaa3a0ae7ce632e28c9260b461c01f19f"
},
{
"url": "https://git.kernel.org/stable/c/b07ffe6927c75d99af534d685282ea188d9f71a6"
}
],
"title": "ext4: set goal start correctly in ext4_mb_normalize_request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54021",
"datePublished": "2025-12-24T10:55:51.373Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2026-01-05T10:33:30.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54025 (GCVE-0-2023-54025)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled
In case WoWlan was never configured during the operation of the system,
the hw->wiphy->wowlan_config will be NULL. rsi_config_wowlan() checks
whether wowlan_config is non-NULL and if it is not, then WARNs about it.
The warning is valid, as during normal operation the rsi_config_wowlan()
should only ever be called with non-NULL wowlan_config. In shutdown this
rsi_config_wowlan() should only ever be called if WoWlan was configured
before by the user.
Add checks for non-NULL wowlan_config into the shutdown hook. While at it,
check whether the wiphy is also non-NULL before accessing wowlan_config .
Drop the single-use wowlan_config variable, just inline it into function
call.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
16bbc3eb83728c03138191a5d23d84d38175fa26 , < b2aeb97fd470206e67f7b3b4a3e68212a13f747b
(git)
Affected: 16bbc3eb83728c03138191a5d23d84d38175fa26 , < 4391fa180856ff84a2cef4a92694a689eebb855e (git) Affected: 16bbc3eb83728c03138191a5d23d84d38175fa26 , < eb205a06908122f50b1dd1baa43f7c8036bfc7dc (git) Affected: 16bbc3eb83728c03138191a5d23d84d38175fa26 , < 1b51236aa49a0564280bd45c94118cab6d9b0fbd (git) Affected: 16bbc3eb83728c03138191a5d23d84d38175fa26 , < b601468539c1d97539097bfc87ad11f1704b7eb7 (git) Affected: 16bbc3eb83728c03138191a5d23d84d38175fa26 , < b241e260820b68c09586e8a0ae0fc23c0e3215bd (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/rsi/rsi_91x_sdio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b2aeb97fd470206e67f7b3b4a3e68212a13f747b",
"status": "affected",
"version": "16bbc3eb83728c03138191a5d23d84d38175fa26",
"versionType": "git"
},
{
"lessThan": "4391fa180856ff84a2cef4a92694a689eebb855e",
"status": "affected",
"version": "16bbc3eb83728c03138191a5d23d84d38175fa26",
"versionType": "git"
},
{
"lessThan": "eb205a06908122f50b1dd1baa43f7c8036bfc7dc",
"status": "affected",
"version": "16bbc3eb83728c03138191a5d23d84d38175fa26",
"versionType": "git"
},
{
"lessThan": "1b51236aa49a0564280bd45c94118cab6d9b0fbd",
"status": "affected",
"version": "16bbc3eb83728c03138191a5d23d84d38175fa26",
"versionType": "git"
},
{
"lessThan": "b601468539c1d97539097bfc87ad11f1704b7eb7",
"status": "affected",
"version": "16bbc3eb83728c03138191a5d23d84d38175fa26",
"versionType": "git"
},
{
"lessThan": "b241e260820b68c09586e8a0ae0fc23c0e3215bd",
"status": "affected",
"version": "16bbc3eb83728c03138191a5d23d84d38175fa26",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/rsi/rsi_91x_sdio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rsi: Do not configure WoWlan in shutdown hook if not enabled\n\nIn case WoWlan was never configured during the operation of the system,\nthe hw-\u003ewiphy-\u003ewowlan_config will be NULL. rsi_config_wowlan() checks\nwhether wowlan_config is non-NULL and if it is not, then WARNs about it.\nThe warning is valid, as during normal operation the rsi_config_wowlan()\nshould only ever be called with non-NULL wowlan_config. In shutdown this\nrsi_config_wowlan() should only ever be called if WoWlan was configured\nbefore by the user.\n\nAdd checks for non-NULL wowlan_config into the shutdown hook. While at it,\ncheck whether the wiphy is also non-NULL before accessing wowlan_config .\nDrop the single-use wowlan_config variable, just inline it into function\ncall."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:54.440Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b2aeb97fd470206e67f7b3b4a3e68212a13f747b"
},
{
"url": "https://git.kernel.org/stable/c/4391fa180856ff84a2cef4a92694a689eebb855e"
},
{
"url": "https://git.kernel.org/stable/c/eb205a06908122f50b1dd1baa43f7c8036bfc7dc"
},
{
"url": "https://git.kernel.org/stable/c/1b51236aa49a0564280bd45c94118cab6d9b0fbd"
},
{
"url": "https://git.kernel.org/stable/c/b601468539c1d97539097bfc87ad11f1704b7eb7"
},
{
"url": "https://git.kernel.org/stable/c/b241e260820b68c09586e8a0ae0fc23c0e3215bd"
}
],
"title": "wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54025",
"datePublished": "2025-12-24T10:55:54.440Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2025-12-24T10:55:54.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53990 (GCVE-0-2023-53990)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
SMB3: Add missing locks to protect deferred close file list
Summary
In the Linux kernel, the following vulnerability has been resolved:
SMB3: Add missing locks to protect deferred close file list
cifs_del_deferred_close function has a critical section which modifies
the deferred close file list. We must acquire deferred_lock before
calling cifs_del_deferred_close function.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
860efae127888ae535bc4eda1b7f27642727c69e , < 0f87e18203bd30f71eb1a65259e28e291b6cc43a
(git)
Affected: ca08d0eac020d48a3141dbec0a3cf64fbdb17cde , < 3aa9d065b0685b4e6052f3f2a2462966fdc44fd2 (git) Affected: ca08d0eac020d48a3141dbec0a3cf64fbdb17cde , < cb36365dac25d546ca4af0eb22acb43c9b4ddfdf (git) Affected: ca08d0eac020d48a3141dbec0a3cf64fbdb17cde , < 32a046ccaeea6c19965c04a4c521e703f6607924 (git) Affected: ca08d0eac020d48a3141dbec0a3cf64fbdb17cde , < ab9ddc87a9055c4bebd6524d5d761d605d52e557 (git) Affected: 60b6d38add7b9c17d6e5d49ee8e930ea1a5650c5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f87e18203bd30f71eb1a65259e28e291b6cc43a",
"status": "affected",
"version": "860efae127888ae535bc4eda1b7f27642727c69e",
"versionType": "git"
},
{
"lessThan": "3aa9d065b0685b4e6052f3f2a2462966fdc44fd2",
"status": "affected",
"version": "ca08d0eac020d48a3141dbec0a3cf64fbdb17cde",
"versionType": "git"
},
{
"lessThan": "cb36365dac25d546ca4af0eb22acb43c9b4ddfdf",
"status": "affected",
"version": "ca08d0eac020d48a3141dbec0a3cf64fbdb17cde",
"versionType": "git"
},
{
"lessThan": "32a046ccaeea6c19965c04a4c521e703f6607924",
"status": "affected",
"version": "ca08d0eac020d48a3141dbec0a3cf64fbdb17cde",
"versionType": "git"
},
{
"lessThan": "ab9ddc87a9055c4bebd6524d5d761d605d52e557",
"status": "affected",
"version": "ca08d0eac020d48a3141dbec0a3cf64fbdb17cde",
"versionType": "git"
},
{
"status": "affected",
"version": "60b6d38add7b9c17d6e5d49ee8e930ea1a5650c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.15.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSMB3: Add missing locks to protect deferred close file list\n\ncifs_del_deferred_close function has a critical section which modifies\nthe deferred close file list. We must acquire deferred_lock before\ncalling cifs_del_deferred_close function."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:29.156Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f87e18203bd30f71eb1a65259e28e291b6cc43a"
},
{
"url": "https://git.kernel.org/stable/c/3aa9d065b0685b4e6052f3f2a2462966fdc44fd2"
},
{
"url": "https://git.kernel.org/stable/c/cb36365dac25d546ca4af0eb22acb43c9b4ddfdf"
},
{
"url": "https://git.kernel.org/stable/c/32a046ccaeea6c19965c04a4c521e703f6607924"
},
{
"url": "https://git.kernel.org/stable/c/ab9ddc87a9055c4bebd6524d5d761d605d52e557"
}
],
"title": "SMB3: Add missing locks to protect deferred close file list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53990",
"datePublished": "2025-12-24T10:55:29.156Z",
"dateReserved": "2025-12-24T10:53:46.175Z",
"dateUpdated": "2025-12-24T10:55:29.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68368 (GCVE-0-2025-68368)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32
VLAI?
EPSS
Title
md: init bioset in mddev_init
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: init bioset in mddev_init
IO operations may be needed before md_run(), such as updating metadata
after writing sysfs. Without bioset, this triggers a NULL pointer
dereference as below:
BUG: kernel NULL pointer dereference, address: 0000000000000020
Call Trace:
md_update_sb+0x658/0xe00
new_level_store+0xc5/0x120
md_attr_store+0xc9/0x1e0
sysfs_kf_write+0x6f/0xa0
kernfs_fop_write_iter+0x141/0x2a0
vfs_write+0x1fc/0x5a0
ksys_write+0x79/0x180
__x64_sys_write+0x1d/0x30
x64_sys_call+0x2818/0x2880
do_syscall_64+0xa9/0x580
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Reproducer
```
mdadm -CR /dev/md0 -l1 -n2 /dev/sd[cd]
echo inactive > /sys/block/md0/md/array_state
echo 10 > /sys/block/md0/md/new_level
```
mddev_init() can only be called once per mddev, no need to test if bioset
has been initialized anymore.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d37fe37dfa0833a8768740f0575e0ffd793cb4a",
"status": "affected",
"version": "d981ed8419303ed12351eea8541ad6cb76455fe3",
"versionType": "git"
},
{
"lessThan": "381a3ce1c0ffed647c9b913e142b099c7e9d5afc",
"status": "affected",
"version": "d981ed8419303ed12351eea8541ad6cb76455fe3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: init bioset in mddev_init\n\nIO operations may be needed before md_run(), such as updating metadata\nafter writing sysfs. Without bioset, this triggers a NULL pointer\ndereference as below:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000020\n Call Trace:\n md_update_sb+0x658/0xe00\n new_level_store+0xc5/0x120\n md_attr_store+0xc9/0x1e0\n sysfs_kf_write+0x6f/0xa0\n kernfs_fop_write_iter+0x141/0x2a0\n vfs_write+0x1fc/0x5a0\n ksys_write+0x79/0x180\n __x64_sys_write+0x1d/0x30\n x64_sys_call+0x2818/0x2880\n do_syscall_64+0xa9/0x580\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nReproducer\n```\n mdadm -CR /dev/md0 -l1 -n2 /dev/sd[cd]\n echo inactive \u003e /sys/block/md0/md/array_state\n echo 10 \u003e /sys/block/md0/md/new_level\n```\n\nmddev_init() can only be called once per mddev, no need to test if bioset\nhas been initialized anymore."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:32:54.765Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d37fe37dfa0833a8768740f0575e0ffd793cb4a"
},
{
"url": "https://git.kernel.org/stable/c/381a3ce1c0ffed647c9b913e142b099c7e9d5afc"
}
],
"title": "md: init bioset in mddev_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68368",
"datePublished": "2025-12-24T10:32:54.765Z",
"dateReserved": "2025-12-16T14:48:05.309Z",
"dateUpdated": "2025-12-24T10:32:54.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54029 (GCVE-0-2023-54029)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:43
VLAI?
EPSS
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2026-01-05T10:43:29.297Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54029",
"datePublished": "2025-12-24T10:55:57.443Z",
"dateRejected": "2026-01-05T10:43:29.297Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2026-01-05T10:43:29.297Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68371 (GCVE-0-2025-68371)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
scsi: smartpqi: Fix device resources accessed after device removal
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: smartpqi: Fix device resources accessed after device removal
Correct possible race conditions during device removal.
Previously, a scheduled work item to reset a LUN could still execute
after the device was removed, leading to use-after-free and other
resource access issues.
This race condition occurs because the abort handler may schedule a LUN
reset concurrently with device removal via sdev_destroy(), leading to
use-after-free and improper access to freed resources.
- Check in the device reset handler if the device is still present in
the controller's SCSI device list before running; if not, the reset
is skipped.
- Cancel any pending TMF work that has not started in sdev_destroy().
- Ensure device freeing in sdev_destroy() is done while holding the
LUN reset mutex to avoid races with ongoing resets.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2d80f4054f7f901b8ad97358a9069616ac8524c7 , < 7dfa5a5516ec3c6b9b6c22ee18f0eb2df3f38ef2
(git)
Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < 6d2390653d82cad0e1ba2676e536dd99678f6ef1 (git) Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < eccc02ba1747501d92bb2049e3ce378ba372f641 (git) Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < 4e1acf1b6dd6dd0495bda139daafd7a403ae2dc1 (git) Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < 1a5c5a2f88e839af5320216a02ffb075b668596a (git) Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < b518e86d1a70a88f6592a7c396cf1b93493d1aab (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/smartpqi/smartpqi_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7dfa5a5516ec3c6b9b6c22ee18f0eb2df3f38ef2",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "6d2390653d82cad0e1ba2676e536dd99678f6ef1",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "eccc02ba1747501d92bb2049e3ce378ba372f641",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "4e1acf1b6dd6dd0495bda139daafd7a403ae2dc1",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "1a5c5a2f88e839af5320216a02ffb075b668596a",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "b518e86d1a70a88f6592a7c396cf1b93493d1aab",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/smartpqi/smartpqi_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix device resources accessed after device removal\n\nCorrect possible race conditions during device removal.\n\nPreviously, a scheduled work item to reset a LUN could still execute\nafter the device was removed, leading to use-after-free and other\nresource access issues.\n\nThis race condition occurs because the abort handler may schedule a LUN\nreset concurrently with device removal via sdev_destroy(), leading to\nuse-after-free and improper access to freed resources.\n\n - Check in the device reset handler if the device is still present in\n the controller\u0027s SCSI device list before running; if not, the reset\n is skipped.\n\n - Cancel any pending TMF work that has not started in sdev_destroy().\n\n - Ensure device freeing in sdev_destroy() is done while holding the\n LUN reset mutex to avoid races with ongoing resets."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:07.207Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7dfa5a5516ec3c6b9b6c22ee18f0eb2df3f38ef2"
},
{
"url": "https://git.kernel.org/stable/c/6d2390653d82cad0e1ba2676e536dd99678f6ef1"
},
{
"url": "https://git.kernel.org/stable/c/eccc02ba1747501d92bb2049e3ce378ba372f641"
},
{
"url": "https://git.kernel.org/stable/c/4e1acf1b6dd6dd0495bda139daafd7a403ae2dc1"
},
{
"url": "https://git.kernel.org/stable/c/1a5c5a2f88e839af5320216a02ffb075b668596a"
},
{
"url": "https://git.kernel.org/stable/c/b518e86d1a70a88f6592a7c396cf1b93493d1aab"
}
],
"title": "scsi: smartpqi: Fix device resources accessed after device removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68371",
"datePublished": "2025-12-24T10:33:01.896Z",
"dateReserved": "2025-12-16T14:48:05.309Z",
"dateUpdated": "2026-01-11T16:30:07.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53867 (GCVE-0-2023-53867)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
ceph: fix potential use-after-free bug when trimming caps
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix potential use-after-free bug when trimming caps
When trimming the caps and just after the 'session->s_cap_lock' is
released in ceph_iterate_session_caps() the cap maybe removed by
another thread, and when using the stale cap memory in the callbacks
it will trigger use-after-free crash.
We need to check the existence of the cap just after the 'ci->i_ceph_lock'
being acquired. And do nothing if it's already removed.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2f2dc053404febedc9c273452d9d518fb31fde72 , < 2b2515b8095cf2149bef44383a99d5b5677f1831
(git)
Affected: 2f2dc053404febedc9c273452d9d518fb31fde72 , < 448875a73e16ba7d81dec9274ce9d33a12d092fb (git) Affected: 2f2dc053404febedc9c273452d9d518fb31fde72 , < ae6e935618d99cdba11eab4714092e7e5f13cf7e (git) Affected: 2f2dc053404febedc9c273452d9d518fb31fde72 , < aaf67de78807c59c35bafb5003d4fb457c764800 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ceph/caps.c",
"fs/ceph/debugfs.c",
"fs/ceph/mds_client.c",
"fs/ceph/mds_client.h",
"fs/ceph/super.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b2515b8095cf2149bef44383a99d5b5677f1831",
"status": "affected",
"version": "2f2dc053404febedc9c273452d9d518fb31fde72",
"versionType": "git"
},
{
"lessThan": "448875a73e16ba7d81dec9274ce9d33a12d092fb",
"status": "affected",
"version": "2f2dc053404febedc9c273452d9d518fb31fde72",
"versionType": "git"
},
{
"lessThan": "ae6e935618d99cdba11eab4714092e7e5f13cf7e",
"status": "affected",
"version": "2f2dc053404febedc9c273452d9d518fb31fde72",
"versionType": "git"
},
{
"lessThan": "aaf67de78807c59c35bafb5003d4fb457c764800",
"status": "affected",
"version": "2f2dc053404febedc9c273452d9d518fb31fde72",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ceph/caps.c",
"fs/ceph/debugfs.c",
"fs/ceph/mds_client.c",
"fs/ceph/mds_client.h",
"fs/ceph/super.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix potential use-after-free bug when trimming caps\n\nWhen trimming the caps and just after the \u0027session-\u003es_cap_lock\u0027 is\nreleased in ceph_iterate_session_caps() the cap maybe removed by\nanother thread, and when using the stale cap memory in the callbacks\nit will trigger use-after-free crash.\n\nWe need to check the existence of the cap just after the \u0027ci-\u003ei_ceph_lock\u0027\nbeing acquired. And do nothing if it\u0027s already removed."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:19.509Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b2515b8095cf2149bef44383a99d5b5677f1831"
},
{
"url": "https://git.kernel.org/stable/c/448875a73e16ba7d81dec9274ce9d33a12d092fb"
},
{
"url": "https://git.kernel.org/stable/c/ae6e935618d99cdba11eab4714092e7e5f13cf7e"
},
{
"url": "https://git.kernel.org/stable/c/aaf67de78807c59c35bafb5003d4fb457c764800"
}
],
"title": "ceph: fix potential use-after-free bug when trimming caps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53867",
"datePublished": "2025-12-24T10:55:25.430Z",
"dateReserved": "2025-12-09T01:27:17.829Z",
"dateUpdated": "2026-01-05T10:33:19.509Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54014 (GCVE-0-2023-54014)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
Klocwork reported warning of rport maybe NULL and will be dereferenced.
rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced.
Check valid rport returned by fc_bsg_to_rport().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709 , < f35bd94b4e11c41de90cd0fa72c9062e8196822f
(git)
Affected: 75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709 , < ccd3bc595bda67db5a347b9050c2df28f292d3fb (git) Affected: 75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709 , < 1b7e5bdf2be22ae8c61bdca5a5f96ec2746e9639 (git) Affected: 75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709 , < 921d6844625527a92d1178262a633cc88a8e61bd (git) Affected: 75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709 , < 1ccd52b790a66b8b5f75c87eab8c3a37f941a2bf (git) Affected: 75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709 , < e466930717ef18c112585a39fc6174d8eb441df5 (git) Affected: 75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709 , < ced5460eae772e847debbc0b65ef93aedab92d3f (git) Affected: 75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709 , < af73f23a27206ffb3c477cac75b5fcf03410556e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_bsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f35bd94b4e11c41de90cd0fa72c9062e8196822f",
"status": "affected",
"version": "75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709",
"versionType": "git"
},
{
"lessThan": "ccd3bc595bda67db5a347b9050c2df28f292d3fb",
"status": "affected",
"version": "75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709",
"versionType": "git"
},
{
"lessThan": "1b7e5bdf2be22ae8c61bdca5a5f96ec2746e9639",
"status": "affected",
"version": "75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709",
"versionType": "git"
},
{
"lessThan": "921d6844625527a92d1178262a633cc88a8e61bd",
"status": "affected",
"version": "75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709",
"versionType": "git"
},
{
"lessThan": "1ccd52b790a66b8b5f75c87eab8c3a37f941a2bf",
"status": "affected",
"version": "75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709",
"versionType": "git"
},
{
"lessThan": "e466930717ef18c112585a39fc6174d8eb441df5",
"status": "affected",
"version": "75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709",
"versionType": "git"
},
{
"lessThan": "ced5460eae772e847debbc0b65ef93aedab92d3f",
"status": "affected",
"version": "75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709",
"versionType": "git"
},
{
"lessThan": "af73f23a27206ffb3c477cac75b5fcf03410556e",
"status": "affected",
"version": "75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_bsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()\n\nKlocwork reported warning of rport maybe NULL and will be dereferenced.\nrport returned by call to fc_bsg_to_rport() could be NULL and dereferenced.\n\nCheck valid rport returned by fc_bsg_to_rport()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:27.355Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f35bd94b4e11c41de90cd0fa72c9062e8196822f"
},
{
"url": "https://git.kernel.org/stable/c/ccd3bc595bda67db5a347b9050c2df28f292d3fb"
},
{
"url": "https://git.kernel.org/stable/c/1b7e5bdf2be22ae8c61bdca5a5f96ec2746e9639"
},
{
"url": "https://git.kernel.org/stable/c/921d6844625527a92d1178262a633cc88a8e61bd"
},
{
"url": "https://git.kernel.org/stable/c/1ccd52b790a66b8b5f75c87eab8c3a37f941a2bf"
},
{
"url": "https://git.kernel.org/stable/c/e466930717ef18c112585a39fc6174d8eb441df5"
},
{
"url": "https://git.kernel.org/stable/c/ced5460eae772e847debbc0b65ef93aedab92d3f"
},
{
"url": "https://git.kernel.org/stable/c/af73f23a27206ffb3c477cac75b5fcf03410556e"
}
],
"title": "scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54014",
"datePublished": "2025-12-24T10:55:46.255Z",
"dateReserved": "2025-12-24T10:53:46.178Z",
"dateUpdated": "2026-01-05T10:33:27.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68351 (GCVE-0-2025-68351)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32
VLAI?
EPSS
Title
exfat: fix refcount leak in exfat_find
Summary
In the Linux kernel, the following vulnerability has been resolved:
exfat: fix refcount leak in exfat_find
Fix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`.
Function `exfat_get_dentry_set` would increase the reference counter of
`es->bh` on success. Therefore, `exfat_put_dentry_set` must be called
after `exfat_get_dentry_set` to ensure refcount consistency. This patch
relocate two checks to avoid possible leaks.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
13940cef95491472760ca261b6713692ece9b946 , < d009ff8959d28d2a33aeb96a5f7e7161c421d78f
(git)
Affected: 13940cef95491472760ca261b6713692ece9b946 , < 9aee8de970f18c2aaaa348e3de86c38e2d956c1d (git) Affected: 92075758782c5edb4c67d0da9e47586a624c22f7 (git) Affected: 0c8a1d2afd0dce0ea9257ab8c2271d8db6cb575d (git) Affected: 6c627bcc1896ba62ec793d0c00da74f3c93ce3ad (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/exfat/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d009ff8959d28d2a33aeb96a5f7e7161c421d78f",
"status": "affected",
"version": "13940cef95491472760ca261b6713692ece9b946",
"versionType": "git"
},
{
"lessThan": "9aee8de970f18c2aaaa348e3de86c38e2d956c1d",
"status": "affected",
"version": "13940cef95491472760ca261b6713692ece9b946",
"versionType": "git"
},
{
"status": "affected",
"version": "92075758782c5edb4c67d0da9e47586a624c22f7",
"versionType": "git"
},
{
"status": "affected",
"version": "0c8a1d2afd0dce0ea9257ab8c2271d8db6cb575d",
"versionType": "git"
},
{
"status": "affected",
"version": "6c627bcc1896ba62ec793d0c00da74f3c93ce3ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/exfat/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.12.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.12.59",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix refcount leak in exfat_find\n\nFix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`.\n\nFunction `exfat_get_dentry_set` would increase the reference counter of\n`es-\u003ebh` on success. Therefore, `exfat_put_dentry_set` must be called\nafter `exfat_get_dentry_set` to ensure refcount consistency. This patch\nrelocate two checks to avoid possible leaks."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:32:42.683Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d009ff8959d28d2a33aeb96a5f7e7161c421d78f"
},
{
"url": "https://git.kernel.org/stable/c/9aee8de970f18c2aaaa348e3de86c38e2d956c1d"
}
],
"title": "exfat: fix refcount leak in exfat_find",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68351",
"datePublished": "2025-12-24T10:32:42.683Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2025-12-24T10:32:42.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50703 (GCVE-0-2022-50703)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()
There are two refcount leak bugs in qcom_smsm_probe():
(1) The 'local_node' is escaped out from for_each_child_of_node() as
the break of iteration, we should call of_node_put() for it in error
path or when it is not used anymore.
(2) The 'node' is escaped out from for_each_available_child_of_node()
as the 'goto', we should call of_node_put() for it in goto target.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c97c4090ff72297a878a37715bd301624b71c885 , < 1bbe75d466e5118b7d49ef4a346c3ce5742da4e8
(git)
Affected: c97c4090ff72297a878a37715bd301624b71c885 , < bd4666bf5562fe8e8e5e9bd6fc805d30e1767f43 (git) Affected: c97c4090ff72297a878a37715bd301624b71c885 , < 42df28994eba7b56c762f7bbe7efd5611a1cd15b (git) Affected: c97c4090ff72297a878a37715bd301624b71c885 , < 1e3ed59370c712df436791efed120f0c082aa9bc (git) Affected: c97c4090ff72297a878a37715bd301624b71c885 , < 39781c98ad46b4e85053345dff797240c1ed7935 (git) Affected: c97c4090ff72297a878a37715bd301624b71c885 , < 96e0028debdd07a6d582f0dfadf9a3ec2b5fffff (git) Affected: c97c4090ff72297a878a37715bd301624b71c885 , < 8fb6112bd49c0e49f2cf51604231d85ff00284bb (git) Affected: c97c4090ff72297a878a37715bd301624b71c885 , < ee7fc83ce0e6986ff9b1c1d7e994fbbf8d43861d (git) Affected: c97c4090ff72297a878a37715bd301624b71c885 , < af8f6f39b8afd772fda4f8e61823ef8c021bf382 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soc/qcom/smsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1bbe75d466e5118b7d49ef4a346c3ce5742da4e8",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
},
{
"lessThan": "bd4666bf5562fe8e8e5e9bd6fc805d30e1767f43",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
},
{
"lessThan": "42df28994eba7b56c762f7bbe7efd5611a1cd15b",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
},
{
"lessThan": "1e3ed59370c712df436791efed120f0c082aa9bc",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
},
{
"lessThan": "39781c98ad46b4e85053345dff797240c1ed7935",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
},
{
"lessThan": "96e0028debdd07a6d582f0dfadf9a3ec2b5fffff",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
},
{
"lessThan": "8fb6112bd49c0e49f2cf51604231d85ff00284bb",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
},
{
"lessThan": "ee7fc83ce0e6986ff9b1c1d7e994fbbf8d43861d",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
},
{
"lessThan": "af8f6f39b8afd772fda4f8e61823ef8c021bf382",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soc/qcom/smsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()\n\nThere are two refcount leak bugs in qcom_smsm_probe():\n\n(1) The \u0027local_node\u0027 is escaped out from for_each_child_of_node() as\nthe break of iteration, we should call of_node_put() for it in error\npath or when it is not used anymore.\n(2) The \u0027node\u0027 is escaped out from for_each_available_child_of_node()\nas the \u0027goto\u0027, we should call of_node_put() for it in goto target."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:18.548Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1bbe75d466e5118b7d49ef4a346c3ce5742da4e8"
},
{
"url": "https://git.kernel.org/stable/c/bd4666bf5562fe8e8e5e9bd6fc805d30e1767f43"
},
{
"url": "https://git.kernel.org/stable/c/42df28994eba7b56c762f7bbe7efd5611a1cd15b"
},
{
"url": "https://git.kernel.org/stable/c/1e3ed59370c712df436791efed120f0c082aa9bc"
},
{
"url": "https://git.kernel.org/stable/c/39781c98ad46b4e85053345dff797240c1ed7935"
},
{
"url": "https://git.kernel.org/stable/c/96e0028debdd07a6d582f0dfadf9a3ec2b5fffff"
},
{
"url": "https://git.kernel.org/stable/c/8fb6112bd49c0e49f2cf51604231d85ff00284bb"
},
{
"url": "https://git.kernel.org/stable/c/ee7fc83ce0e6986ff9b1c1d7e994fbbf8d43861d"
},
{
"url": "https://git.kernel.org/stable/c/af8f6f39b8afd772fda4f8e61823ef8c021bf382"
}
],
"title": "soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50703",
"datePublished": "2025-12-24T10:55:18.548Z",
"dateReserved": "2025-12-24T10:53:15.518Z",
"dateUpdated": "2025-12-24T10:55:18.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50705 (GCVE-0-2022-50705)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
io_uring/rw: defer fsnotify calls to task context
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/rw: defer fsnotify calls to task context
We can't call these off the kiocb completion as that might be off
soft/hard irq context. Defer the calls to when we process the
task_work for this request. That avoids valid complaints like:
stack backtrace:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.0.0-rc6-syzkaller-00321-g105a36f3694e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_usage_bug kernel/locking/lockdep.c:3961 [inline]
valid_state kernel/locking/lockdep.c:3973 [inline]
mark_lock_irq kernel/locking/lockdep.c:4176 [inline]
mark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632
mark_lock kernel/locking/lockdep.c:4596 [inline]
mark_usage kernel/locking/lockdep.c:4527 [inline]
__lock_acquire+0x11d9/0x56d0 kernel/locking/lockdep.c:5007
lock_acquire kernel/locking/lockdep.c:5666 [inline]
lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631
__fs_reclaim_acquire mm/page_alloc.c:4674 [inline]
fs_reclaim_acquire+0x115/0x160 mm/page_alloc.c:4688
might_alloc include/linux/sched/mm.h:271 [inline]
slab_pre_alloc_hook mm/slab.h:700 [inline]
slab_alloc mm/slab.c:3278 [inline]
__kmem_cache_alloc_lru mm/slab.c:3471 [inline]
kmem_cache_alloc+0x39/0x520 mm/slab.c:3491
fanotify_alloc_fid_event fs/notify/fanotify/fanotify.c:580 [inline]
fanotify_alloc_event fs/notify/fanotify/fanotify.c:813 [inline]
fanotify_handle_event+0x1130/0x3f40 fs/notify/fanotify/fanotify.c:948
send_to_group fs/notify/fsnotify.c:360 [inline]
fsnotify+0xafb/0x1680 fs/notify/fsnotify.c:570
__fsnotify_parent+0x62f/0xa60 fs/notify/fsnotify.c:230
fsnotify_parent include/linux/fsnotify.h:77 [inline]
fsnotify_file include/linux/fsnotify.h:99 [inline]
fsnotify_access include/linux/fsnotify.h:309 [inline]
__io_complete_rw_common+0x485/0x720 io_uring/rw.c:195
io_complete_rw+0x1a/0x1f0 io_uring/rw.c:228
iomap_dio_complete_work fs/iomap/direct-io.c:144 [inline]
iomap_dio_bio_end_io+0x438/0x5e0 fs/iomap/direct-io.c:178
bio_endio+0x5f9/0x780 block/bio.c:1564
req_bio_endio block/blk-mq.c:695 [inline]
blk_update_request+0x3fc/0x1300 block/blk-mq.c:825
scsi_end_request+0x7a/0x9a0 drivers/scsi/scsi_lib.c:541
scsi_io_completion+0x173/0x1f70 drivers/scsi/scsi_lib.c:971
scsi_complete+0x122/0x3b0 drivers/scsi/scsi_lib.c:1438
blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1022
__do_softirq+0x1d3/0x9c6 kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
common_interrupt+0xa9/0xc0 arch/x86/kernel/irq.c:240
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
df1ec53252d5b5b26ea49e30438741c9a6d89857 , < 89a410dbd0f159ddd308f19d6eb682fc753e4771
(git)
Affected: f63cf5192fe3418ad5ae1a4412eba5694b145f79 , < 2a853c206e553dd9c0a55c22858fd6a446d93e15 (git) Affected: f63cf5192fe3418ad5ae1a4412eba5694b145f79 , < b000145e9907809406d8164c3b2b8861d95aecd1 (git) Affected: dfbe550c8235b7e98284db37eeeddfd3b4b19b00 (git) Affected: b436d1e92662adecafff4c95baae6352289c2d80 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89a410dbd0f159ddd308f19d6eb682fc753e4771",
"status": "affected",
"version": "df1ec53252d5b5b26ea49e30438741c9a6d89857",
"versionType": "git"
},
{
"lessThan": "2a853c206e553dd9c0a55c22858fd6a446d93e15",
"status": "affected",
"version": "f63cf5192fe3418ad5ae1a4412eba5694b145f79",
"versionType": "git"
},
{
"lessThan": "b000145e9907809406d8164c3b2b8861d95aecd1",
"status": "affected",
"version": "f63cf5192fe3418ad5ae1a4412eba5694b145f79",
"versionType": "git"
},
{
"status": "affected",
"version": "dfbe550c8235b7e98284db37eeeddfd3b4b19b00",
"versionType": "git"
},
{
"status": "affected",
"version": "b436d1e92662adecafff4c95baae6352289c2d80",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.90",
"versionStartIncluding": "5.15.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rw: defer fsnotify calls to task context\n\nWe can\u0027t call these off the kiocb completion as that might be off\nsoft/hard irq context. Defer the calls to when we process the\ntask_work for this request. That avoids valid complaints like:\n\nstack backtrace:\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.0.0-rc6-syzkaller-00321-g105a36f3694e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022\nCall Trace:\n \u003cIRQ\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_usage_bug kernel/locking/lockdep.c:3961 [inline]\n valid_state kernel/locking/lockdep.c:3973 [inline]\n mark_lock_irq kernel/locking/lockdep.c:4176 [inline]\n mark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632\n mark_lock kernel/locking/lockdep.c:4596 [inline]\n mark_usage kernel/locking/lockdep.c:4527 [inline]\n __lock_acquire+0x11d9/0x56d0 kernel/locking/lockdep.c:5007\n lock_acquire kernel/locking/lockdep.c:5666 [inline]\n lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631\n __fs_reclaim_acquire mm/page_alloc.c:4674 [inline]\n fs_reclaim_acquire+0x115/0x160 mm/page_alloc.c:4688\n might_alloc include/linux/sched/mm.h:271 [inline]\n slab_pre_alloc_hook mm/slab.h:700 [inline]\n slab_alloc mm/slab.c:3278 [inline]\n __kmem_cache_alloc_lru mm/slab.c:3471 [inline]\n kmem_cache_alloc+0x39/0x520 mm/slab.c:3491\n fanotify_alloc_fid_event fs/notify/fanotify/fanotify.c:580 [inline]\n fanotify_alloc_event fs/notify/fanotify/fanotify.c:813 [inline]\n fanotify_handle_event+0x1130/0x3f40 fs/notify/fanotify/fanotify.c:948\n send_to_group fs/notify/fsnotify.c:360 [inline]\n fsnotify+0xafb/0x1680 fs/notify/fsnotify.c:570\n __fsnotify_parent+0x62f/0xa60 fs/notify/fsnotify.c:230\n fsnotify_parent include/linux/fsnotify.h:77 [inline]\n fsnotify_file include/linux/fsnotify.h:99 [inline]\n fsnotify_access include/linux/fsnotify.h:309 [inline]\n __io_complete_rw_common+0x485/0x720 io_uring/rw.c:195\n io_complete_rw+0x1a/0x1f0 io_uring/rw.c:228\n iomap_dio_complete_work fs/iomap/direct-io.c:144 [inline]\n iomap_dio_bio_end_io+0x438/0x5e0 fs/iomap/direct-io.c:178\n bio_endio+0x5f9/0x780 block/bio.c:1564\n req_bio_endio block/blk-mq.c:695 [inline]\n blk_update_request+0x3fc/0x1300 block/blk-mq.c:825\n scsi_end_request+0x7a/0x9a0 drivers/scsi/scsi_lib.c:541\n scsi_io_completion+0x173/0x1f70 drivers/scsi/scsi_lib.c:971\n scsi_complete+0x122/0x3b0 drivers/scsi/scsi_lib.c:1438\n blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1022\n __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571\n invoke_softirq kernel/softirq.c:445 [inline]\n __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650\n irq_exit_rcu+0x5/0x20 kernel/softirq.c:662\n common_interrupt+0xa9/0xc0 arch/x86/kernel/irq.c:240"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:20.020Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89a410dbd0f159ddd308f19d6eb682fc753e4771"
},
{
"url": "https://git.kernel.org/stable/c/2a853c206e553dd9c0a55c22858fd6a446d93e15"
},
{
"url": "https://git.kernel.org/stable/c/b000145e9907809406d8164c3b2b8861d95aecd1"
}
],
"title": "io_uring/rw: defer fsnotify calls to task context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50705",
"datePublished": "2025-12-24T10:55:20.020Z",
"dateReserved": "2025-12-24T10:53:15.518Z",
"dateUpdated": "2025-12-24T10:55:20.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54018 (GCVE-0-2023-54018)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
drm/msm/hdmi: Add missing check for alloc_ordered_workqueue
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/hdmi: Add missing check for alloc_ordered_workqueue
Add check for the return value of alloc_ordered_workqueue as it may return
NULL pointer and cause NULL pointer dereference in `hdmi_hdcp.c` and
`hdmi_hpd.c`.
Patchwork: https://patchwork.freedesktop.org/patch/517211/
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c6a57a50ad562a2e6fc6ac3218b710caea73a58b , < b479485b24da1d572a0ce875537af31b02d2f915
(git)
Affected: c6a57a50ad562a2e6fc6ac3218b710caea73a58b , < 392f7eb3946ab3780b931af723033e19f82c9134 (git) Affected: c6a57a50ad562a2e6fc6ac3218b710caea73a58b , < fc34608fa275fe6b3b17e171b63b8ca3aa1cbf09 (git) Affected: c6a57a50ad562a2e6fc6ac3218b710caea73a58b , < 1bab31a0969ca4ac90907a5d3b44af104229eafd (git) Affected: c6a57a50ad562a2e6fc6ac3218b710caea73a58b , < 9a01ecc312e764ec4527ad49105a3ca799f1860c (git) Affected: c6a57a50ad562a2e6fc6ac3218b710caea73a58b , < e55f93d674314f2fb69eba0dc24acfdf72805611 (git) Affected: c6a57a50ad562a2e6fc6ac3218b710caea73a58b , < ae5ca116a0c0ba9fc4123b1f1ec3c4f4d0d01b3f (git) Affected: c6a57a50ad562a2e6fc6ac3218b710caea73a58b , < afe4cb96153a0d8003e4e4ebd91b5c543e10df84 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/hdmi/hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b479485b24da1d572a0ce875537af31b02d2f915",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "392f7eb3946ab3780b931af723033e19f82c9134",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "fc34608fa275fe6b3b17e171b63b8ca3aa1cbf09",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "1bab31a0969ca4ac90907a5d3b44af104229eafd",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "9a01ecc312e764ec4527ad49105a3ca799f1860c",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "e55f93d674314f2fb69eba0dc24acfdf72805611",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "ae5ca116a0c0ba9fc4123b1f1ec3c4f4d0d01b3f",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "afe4cb96153a0d8003e4e4ebd91b5c543e10df84",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/hdmi/hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/hdmi: Add missing check for alloc_ordered_workqueue\n\nAdd check for the return value of alloc_ordered_workqueue as it may return\nNULL pointer and cause NULL pointer dereference in `hdmi_hdcp.c` and\n`hdmi_hpd.c`.\n\nPatchwork: https://patchwork.freedesktop.org/patch/517211/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:49.081Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b479485b24da1d572a0ce875537af31b02d2f915"
},
{
"url": "https://git.kernel.org/stable/c/392f7eb3946ab3780b931af723033e19f82c9134"
},
{
"url": "https://git.kernel.org/stable/c/fc34608fa275fe6b3b17e171b63b8ca3aa1cbf09"
},
{
"url": "https://git.kernel.org/stable/c/1bab31a0969ca4ac90907a5d3b44af104229eafd"
},
{
"url": "https://git.kernel.org/stable/c/9a01ecc312e764ec4527ad49105a3ca799f1860c"
},
{
"url": "https://git.kernel.org/stable/c/e55f93d674314f2fb69eba0dc24acfdf72805611"
},
{
"url": "https://git.kernel.org/stable/c/ae5ca116a0c0ba9fc4123b1f1ec3c4f4d0d01b3f"
},
{
"url": "https://git.kernel.org/stable/c/afe4cb96153a0d8003e4e4ebd91b5c543e10df84"
}
],
"title": "drm/msm/hdmi: Add missing check for alloc_ordered_workqueue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54018",
"datePublished": "2025-12-24T10:55:49.081Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2025-12-24T10:55:49.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68352 (GCVE-0-2025-68352)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32
VLAI?
EPSS
Title
spi: ch341: fix out-of-bounds memory access in ch341_transfer_one
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: ch341: fix out-of-bounds memory access in ch341_transfer_one
Discovered by Atuin - Automated Vulnerability Discovery Engine.
The 'len' variable is calculated as 'min(32, trans->len + 1)',
which includes the 1-byte command header.
When copying data from 'trans->tx_buf' to 'ch341->tx_buf + 1', using 'len'
as the length is incorrect because:
1. It causes an out-of-bounds read from 'trans->tx_buf' (which has size
'trans->len', i.e., 'len - 1' in this context).
2. It can cause an out-of-bounds write to 'ch341->tx_buf' if 'len' is
CH341_PACKET_LENGTH (32). Writing 32 bytes to ch341->tx_buf + 1
overflows the buffer.
Fix this by copying 'len - 1' bytes.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8846739f52afa07e63395c80227dc544f54bd7b1 , < cad6c0fd6f3c0e76a1f75df4bce3b08a13f08974
(git)
Affected: 8846739f52afa07e63395c80227dc544f54bd7b1 , < ea1e43966cd03098fcd5f0d72e6c2901d45fa08d (git) Affected: 8846739f52afa07e63395c80227dc544f54bd7b1 , < 81841da1f30f66a850cc8796d99ba330aad9d696 (git) Affected: 8846739f52afa07e63395c80227dc544f54bd7b1 , < 545d1287e40a55242f6ab68bcc1ba3b74088b1bc (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-ch341.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cad6c0fd6f3c0e76a1f75df4bce3b08a13f08974",
"status": "affected",
"version": "8846739f52afa07e63395c80227dc544f54bd7b1",
"versionType": "git"
},
{
"lessThan": "ea1e43966cd03098fcd5f0d72e6c2901d45fa08d",
"status": "affected",
"version": "8846739f52afa07e63395c80227dc544f54bd7b1",
"versionType": "git"
},
{
"lessThan": "81841da1f30f66a850cc8796d99ba330aad9d696",
"status": "affected",
"version": "8846739f52afa07e63395c80227dc544f54bd7b1",
"versionType": "git"
},
{
"lessThan": "545d1287e40a55242f6ab68bcc1ba3b74088b1bc",
"status": "affected",
"version": "8846739f52afa07e63395c80227dc544f54bd7b1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-ch341.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: ch341: fix out-of-bounds memory access in ch341_transfer_one\n\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\n\nThe \u0027len\u0027 variable is calculated as \u0027min(32, trans-\u003elen + 1)\u0027,\nwhich includes the 1-byte command header.\n\nWhen copying data from \u0027trans-\u003etx_buf\u0027 to \u0027ch341-\u003etx_buf + 1\u0027, using \u0027len\u0027\nas the length is incorrect because:\n\n1. It causes an out-of-bounds read from \u0027trans-\u003etx_buf\u0027 (which has size\n \u0027trans-\u003elen\u0027, i.e., \u0027len - 1\u0027 in this context).\n2. It can cause an out-of-bounds write to \u0027ch341-\u003etx_buf\u0027 if \u0027len\u0027 is\n CH341_PACKET_LENGTH (32). Writing 32 bytes to ch341-\u003etx_buf + 1\n overflows the buffer.\n\nFix this by copying \u0027len - 1\u0027 bytes."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:32:43.366Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cad6c0fd6f3c0e76a1f75df4bce3b08a13f08974"
},
{
"url": "https://git.kernel.org/stable/c/ea1e43966cd03098fcd5f0d72e6c2901d45fa08d"
},
{
"url": "https://git.kernel.org/stable/c/81841da1f30f66a850cc8796d99ba330aad9d696"
},
{
"url": "https://git.kernel.org/stable/c/545d1287e40a55242f6ab68bcc1ba3b74088b1bc"
}
],
"title": "spi: ch341: fix out-of-bounds memory access in ch341_transfer_one",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68352",
"datePublished": "2025-12-24T10:32:43.366Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2025-12-24T10:32:43.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54006 (GCVE-0-2023-54006)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
af_unix: Fix data-race around unix_tot_inflight.
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Fix data-race around unix_tot_inflight.
unix_tot_inflight is changed under spin_lock(unix_gc_lock), but
unix_release_sock() reads it locklessly.
Let's use READ_ONCE() for unix_tot_inflight.
Note that the writer side was marked by commit 9d6d7f1cb67c ("af_unix:
annote lockless accesses to unix_tot_inflight & gc_in_progress")
BUG: KCSAN: data-race in unix_inflight / unix_release_sock
write (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1:
unix_inflight+0x130/0x180 net/unix/scm.c:64
unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123
unix_scm_to_skb net/unix/af_unix.c:1832 [inline]
unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg+0x148/0x160 net/socket.c:747
____sys_sendmsg+0x4e4/0x610 net/socket.c:2493
___sys_sendmsg+0xc6/0x140 net/socket.c:2547
__sys_sendmsg+0x94/0x140 net/socket.c:2576
__do_sys_sendmsg net/socket.c:2585 [inline]
__se_sys_sendmsg net/socket.c:2583 [inline]
__x64_sys_sendmsg+0x45/0x50 net/socket.c:2583
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc
read to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0:
unix_release_sock+0x608/0x910 net/unix/af_unix.c:671
unix_release+0x59/0x80 net/unix/af_unix.c:1058
__sock_release+0x7d/0x170 net/socket.c:653
sock_close+0x19/0x30 net/socket.c:1385
__fput+0x179/0x5e0 fs/file_table.c:321
____fput+0x15/0x20 fs/file_table.c:349
task_work_run+0x116/0x1a0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297
do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x72/0xdc
value changed: 0x00000000 -> 0x00000001
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 , < 31b46d5e7c4e295bd112960614a66a177a057dca
(git)
Affected: 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 , < 20aa8325464d8905450089eed96ca102a074d853 (git) Affected: 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 , < 5d91b7891f4a9a9d69d75e9f44ab4bf1f3b11840 (git) Affected: 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 , < cf29b42766ad4af2ae6a449f583796951551b48d (git) Affected: 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 , < e5edc6e44a882c0458878ab10eaddfe60ac34e57 (git) Affected: 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 , < 2d8933ca863e252fb09ad0be483255e3dfeb1f54 (git) Affected: 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 , < afc284a4a781defbb12b2a40427fae34c3d20e17 (git) Affected: 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 , < ade32bd8a738d7497ffe9743c46728db26740f78 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/unix/af_unix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31b46d5e7c4e295bd112960614a66a177a057dca",
"status": "affected",
"version": "9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8",
"versionType": "git"
},
{
"lessThan": "20aa8325464d8905450089eed96ca102a074d853",
"status": "affected",
"version": "9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8",
"versionType": "git"
},
{
"lessThan": "5d91b7891f4a9a9d69d75e9f44ab4bf1f3b11840",
"status": "affected",
"version": "9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8",
"versionType": "git"
},
{
"lessThan": "cf29b42766ad4af2ae6a449f583796951551b48d",
"status": "affected",
"version": "9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8",
"versionType": "git"
},
{
"lessThan": "e5edc6e44a882c0458878ab10eaddfe60ac34e57",
"status": "affected",
"version": "9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8",
"versionType": "git"
},
{
"lessThan": "2d8933ca863e252fb09ad0be483255e3dfeb1f54",
"status": "affected",
"version": "9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8",
"versionType": "git"
},
{
"lessThan": "afc284a4a781defbb12b2a40427fae34c3d20e17",
"status": "affected",
"version": "9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8",
"versionType": "git"
},
{
"lessThan": "ade32bd8a738d7497ffe9743c46728db26740f78",
"status": "affected",
"version": "9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/unix/af_unix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix data-race around unix_tot_inflight.\n\nunix_tot_inflight is changed under spin_lock(unix_gc_lock), but\nunix_release_sock() reads it locklessly.\n\nLet\u0027s use READ_ONCE() for unix_tot_inflight.\n\nNote that the writer side was marked by commit 9d6d7f1cb67c (\"af_unix:\nannote lockless accesses to unix_tot_inflight \u0026 gc_in_progress\")\n\nBUG: KCSAN: data-race in unix_inflight / unix_release_sock\n\nwrite (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1:\n unix_inflight+0x130/0x180 net/unix/scm.c:64\n unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123\n unix_scm_to_skb net/unix/af_unix.c:1832 [inline]\n unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955\n sock_sendmsg_nosec net/socket.c:724 [inline]\n sock_sendmsg+0x148/0x160 net/socket.c:747\n ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493\n ___sys_sendmsg+0xc6/0x140 net/socket.c:2547\n __sys_sendmsg+0x94/0x140 net/socket.c:2576\n __do_sys_sendmsg net/socket.c:2585 [inline]\n __se_sys_sendmsg net/socket.c:2583 [inline]\n __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nread to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0:\n unix_release_sock+0x608/0x910 net/unix/af_unix.c:671\n unix_release+0x59/0x80 net/unix/af_unix.c:1058\n __sock_release+0x7d/0x170 net/socket.c:653\n sock_close+0x19/0x30 net/socket.c:1385\n __fput+0x179/0x5e0 fs/file_table.c:321\n ____fput+0x15/0x20 fs/file_table.c:349\n task_work_run+0x116/0x1a0 kernel/task_work.c:179\n resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\n exit_to_user_mode_loop kernel/entry/common.c:171 [inline]\n exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204\n __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]\n syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297\n do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nvalue changed: 0x00000000 -\u003e 0x00000001\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:40.534Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31b46d5e7c4e295bd112960614a66a177a057dca"
},
{
"url": "https://git.kernel.org/stable/c/20aa8325464d8905450089eed96ca102a074d853"
},
{
"url": "https://git.kernel.org/stable/c/5d91b7891f4a9a9d69d75e9f44ab4bf1f3b11840"
},
{
"url": "https://git.kernel.org/stable/c/cf29b42766ad4af2ae6a449f583796951551b48d"
},
{
"url": "https://git.kernel.org/stable/c/e5edc6e44a882c0458878ab10eaddfe60ac34e57"
},
{
"url": "https://git.kernel.org/stable/c/2d8933ca863e252fb09ad0be483255e3dfeb1f54"
},
{
"url": "https://git.kernel.org/stable/c/afc284a4a781defbb12b2a40427fae34c3d20e17"
},
{
"url": "https://git.kernel.org/stable/c/ade32bd8a738d7497ffe9743c46728db26740f78"
}
],
"title": "af_unix: Fix data-race around unix_tot_inflight.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54006",
"datePublished": "2025-12-24T10:55:40.534Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2025-12-24T10:55:40.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54008 (GCVE-0-2023-54008)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
virtio_vdpa: build affinity masks conditionally
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio_vdpa: build affinity masks conditionally
We try to build affinity mask via create_affinity_masks()
unconditionally which may lead several issues:
- the affinity mask is not used for parent without affinity support
(only VDUSE support the affinity now)
- the logic of create_affinity_masks() might not work for devices
other than block. For example it's not rare in the networking device
where the number of queues could exceed the number of CPUs. Such
case breaks the current affinity logic which is based on
group_cpus_evenly() who assumes the number of CPUs are not less than
the number of groups. This can trigger a warning[1]:
if (ret >= 0)
WARN_ON(nr_present + nr_others < numgrps);
Fixing this by only build the affinity masks only when
- Driver passes affinity descriptor, driver like virtio-blk can make
sure to limit the number of queues when it exceeds the number of CPUs
- Parent support affinity setting config ops
This help to avoid the warning. More optimizations could be done on
top.
[1]
[ 682.146655] WARNING: CPU: 6 PID: 1550 at lib/group_cpus.c:400 group_cpus_evenly+0x1aa/0x1c0
[ 682.146668] CPU: 6 PID: 1550 Comm: vdpa Not tainted 6.5.0-rc5jason+ #79
[ 682.146671] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[ 682.146673] RIP: 0010:group_cpus_evenly+0x1aa/0x1c0
[ 682.146676] Code: 4c 89 e0 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc e8 1b c4 74 ff 48 89 ef e8 13 ac 98 ff 4c 89 e7 45 31 e4 e8 08 ac 98 ff eb c2 <0f> 0b eb b6 e8 fd 05 c3 00 45 31 e4 eb e5 cc cc cc cc cc cc cc cc
[ 682.146679] RSP: 0018:ffffc9000215f498 EFLAGS: 00010293
[ 682.146682] RAX: 000000000001f1e0 RBX: 0000000000000041 RCX: 0000000000000000
[ 682.146684] RDX: ffff888109922058 RSI: 0000000000000041 RDI: 0000000000000030
[ 682.146686] RBP: ffff888109922058 R08: ffffc9000215f498 R09: ffffc9000215f4a0
[ 682.146687] R10: 00000000000198d0 R11: 0000000000000030 R12: ffff888107e02800
[ 682.146689] R13: 0000000000000030 R14: 0000000000000030 R15: 0000000000000041
[ 682.146692] FS: 00007fef52315740(0000) GS:ffff888237380000(0000) knlGS:0000000000000000
[ 682.146695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 682.146696] CR2: 00007fef52509000 CR3: 0000000110dbc004 CR4: 0000000000370ee0
[ 682.146698] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 682.146700] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 682.146701] Call Trace:
[ 682.146703] <TASK>
[ 682.146705] ? __warn+0x7b/0x130
[ 682.146709] ? group_cpus_evenly+0x1aa/0x1c0
[ 682.146712] ? report_bug+0x1c8/0x1e0
[ 682.146717] ? handle_bug+0x3c/0x70
[ 682.146721] ? exc_invalid_op+0x14/0x70
[ 682.146723] ? asm_exc_invalid_op+0x16/0x20
[ 682.146727] ? group_cpus_evenly+0x1aa/0x1c0
[ 682.146729] ? group_cpus_evenly+0x15c/0x1c0
[ 682.146731] create_affinity_masks+0xaf/0x1a0
[ 682.146735] virtio_vdpa_find_vqs+0x83/0x1d0
[ 682.146738] ? __pfx_default_calc_sets+0x10/0x10
[ 682.146742] virtnet_find_vqs+0x1f0/0x370
[ 682.146747] virtnet_probe+0x501/0xcd0
[ 682.146749] ? vp_modern_get_status+0x12/0x20
[ 682.146751] ? get_cap_addr.isra.0+0x10/0xc0
[ 682.146754] virtio_dev_probe+0x1af/0x260
[ 682.146759] really_probe+0x1a5/0x410
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3dad56823b5332ffdbe1867b2d7b50fbacea124a , < 5f2592243ccd5bb5341f59be409ccfdd586841f3
(git)
Affected: 3dad56823b5332ffdbe1867b2d7b50fbacea124a , < 628b53fc66ca1910a3cb53c3c7e44e59750c3668 (git) Affected: 3dad56823b5332ffdbe1867b2d7b50fbacea124a , < ae15aceaa98ad9499763923f7890e345d9f46b60 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/virtio/virtio_vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f2592243ccd5bb5341f59be409ccfdd586841f3",
"status": "affected",
"version": "3dad56823b5332ffdbe1867b2d7b50fbacea124a",
"versionType": "git"
},
{
"lessThan": "628b53fc66ca1910a3cb53c3c7e44e59750c3668",
"status": "affected",
"version": "3dad56823b5332ffdbe1867b2d7b50fbacea124a",
"versionType": "git"
},
{
"lessThan": "ae15aceaa98ad9499763923f7890e345d9f46b60",
"status": "affected",
"version": "3dad56823b5332ffdbe1867b2d7b50fbacea124a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/virtio/virtio_vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_vdpa: build affinity masks conditionally\n\nWe try to build affinity mask via create_affinity_masks()\nunconditionally which may lead several issues:\n\n- the affinity mask is not used for parent without affinity support\n (only VDUSE support the affinity now)\n- the logic of create_affinity_masks() might not work for devices\n other than block. For example it\u0027s not rare in the networking device\n where the number of queues could exceed the number of CPUs. Such\n case breaks the current affinity logic which is based on\n group_cpus_evenly() who assumes the number of CPUs are not less than\n the number of groups. This can trigger a warning[1]:\n\n\tif (ret \u003e= 0)\n\t\tWARN_ON(nr_present + nr_others \u003c numgrps);\n\nFixing this by only build the affinity masks only when\n\n- Driver passes affinity descriptor, driver like virtio-blk can make\n sure to limit the number of queues when it exceeds the number of CPUs\n- Parent support affinity setting config ops\n\nThis help to avoid the warning. More optimizations could be done on\ntop.\n\n[1]\n[ 682.146655] WARNING: CPU: 6 PID: 1550 at lib/group_cpus.c:400 group_cpus_evenly+0x1aa/0x1c0\n[ 682.146668] CPU: 6 PID: 1550 Comm: vdpa Not tainted 6.5.0-rc5jason+ #79\n[ 682.146671] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n[ 682.146673] RIP: 0010:group_cpus_evenly+0x1aa/0x1c0\n[ 682.146676] Code: 4c 89 e0 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc e8 1b c4 74 ff 48 89 ef e8 13 ac 98 ff 4c 89 e7 45 31 e4 e8 08 ac 98 ff eb c2 \u003c0f\u003e 0b eb b6 e8 fd 05 c3 00 45 31 e4 eb e5 cc cc cc cc cc cc cc cc\n[ 682.146679] RSP: 0018:ffffc9000215f498 EFLAGS: 00010293\n[ 682.146682] RAX: 000000000001f1e0 RBX: 0000000000000041 RCX: 0000000000000000\n[ 682.146684] RDX: ffff888109922058 RSI: 0000000000000041 RDI: 0000000000000030\n[ 682.146686] RBP: ffff888109922058 R08: ffffc9000215f498 R09: ffffc9000215f4a0\n[ 682.146687] R10: 00000000000198d0 R11: 0000000000000030 R12: ffff888107e02800\n[ 682.146689] R13: 0000000000000030 R14: 0000000000000030 R15: 0000000000000041\n[ 682.146692] FS: 00007fef52315740(0000) GS:ffff888237380000(0000) knlGS:0000000000000000\n[ 682.146695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 682.146696] CR2: 00007fef52509000 CR3: 0000000110dbc004 CR4: 0000000000370ee0\n[ 682.146698] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 682.146700] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 682.146701] Call Trace:\n[ 682.146703] \u003cTASK\u003e\n[ 682.146705] ? __warn+0x7b/0x130\n[ 682.146709] ? group_cpus_evenly+0x1aa/0x1c0\n[ 682.146712] ? report_bug+0x1c8/0x1e0\n[ 682.146717] ? handle_bug+0x3c/0x70\n[ 682.146721] ? exc_invalid_op+0x14/0x70\n[ 682.146723] ? asm_exc_invalid_op+0x16/0x20\n[ 682.146727] ? group_cpus_evenly+0x1aa/0x1c0\n[ 682.146729] ? group_cpus_evenly+0x15c/0x1c0\n[ 682.146731] create_affinity_masks+0xaf/0x1a0\n[ 682.146735] virtio_vdpa_find_vqs+0x83/0x1d0\n[ 682.146738] ? __pfx_default_calc_sets+0x10/0x10\n[ 682.146742] virtnet_find_vqs+0x1f0/0x370\n[ 682.146747] virtnet_probe+0x501/0xcd0\n[ 682.146749] ? vp_modern_get_status+0x12/0x20\n[ 682.146751] ? get_cap_addr.isra.0+0x10/0xc0\n[ 682.146754] virtio_dev_probe+0x1af/0x260\n[ 682.146759] really_probe+0x1a5/0x410"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:41.982Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f2592243ccd5bb5341f59be409ccfdd586841f3"
},
{
"url": "https://git.kernel.org/stable/c/628b53fc66ca1910a3cb53c3c7e44e59750c3668"
},
{
"url": "https://git.kernel.org/stable/c/ae15aceaa98ad9499763923f7890e345d9f46b60"
}
],
"title": "virtio_vdpa: build affinity masks conditionally",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54008",
"datePublished": "2025-12-24T10:55:41.982Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2025-12-24T10:55:41.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68367 (GCVE-0-2025-68367)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
Summary
In the Linux kernel, the following vulnerability has been resolved:
macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
The following warning appears when running syzkaller, and this issue also
exists in the mainline code.
------------[ cut here ]------------
list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100.
WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130
Modules linked in:
CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:__list_add_valid_or_report+0xf7/0x130
RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817
RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001
RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c
R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100
R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48
FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
<TASK>
input_register_handler+0xb3/0x210
mac_hid_start_emulation+0x1c5/0x290
mac_hid_toggle_emumouse+0x20a/0x240
proc_sys_call_handler+0x4c2/0x6e0
new_sync_write+0x1b1/0x2d0
vfs_write+0x709/0x950
ksys_write+0x12a/0x250
do_syscall_64+0x5a/0x110
entry_SYSCALL_64_after_hwframe+0x78/0xe2
The WARNING occurs when two processes concurrently write to the mac-hid
emulation sysctl, causing a race condition in mac_hid_toggle_emumouse().
Both processes read old_val=0, then both try to register the input handler,
leading to a double list_add of the same handler.
CPU0 CPU1
------------------------- -------------------------
vfs_write() //write 1 vfs_write() //write 1
proc_sys_write() proc_sys_write()
mac_hid_toggle_emumouse() mac_hid_toggle_emumouse()
old_val = *valp // old_val=0
old_val = *valp // old_val=0
mutex_lock_killable()
proc_dointvec() // *valp=1
mac_hid_start_emulation()
input_register_handler()
mutex_unlock()
mutex_lock_killable()
proc_dointvec()
mac_hid_start_emulation()
input_register_handler() //Trigger Warning
mutex_unlock()
Fix this by moving the old_val read inside the mutex lock region.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 583d36523f56d8e9ddfa0bec20743a6faefc9b74
(git)
Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 61abf8c3162d155b4fd0fb251f08557093363a0a (git) Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 230621ffdb361d15cd3ef92d8b4fa8d314f4fad4 (git) Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 388391dd1cc567fcf0b372b63d414c119d23e911 (git) Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 48a7d427eb65922b3f17fbe00e2bbc7cb9eac381 (git) Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/macintosh/mac_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "583d36523f56d8e9ddfa0bec20743a6faefc9b74",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "61abf8c3162d155b4fd0fb251f08557093363a0a",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "230621ffdb361d15cd3ef92d8b4fa8d314f4fad4",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "388391dd1cc567fcf0b372b63d414c119d23e911",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "48a7d427eb65922b3f17fbe00e2bbc7cb9eac381",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/macintosh/mac_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse\n\nThe following warning appears when running syzkaller, and this issue also\nexists in the mainline code.\n\n ------------[ cut here ]------------\n list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100.\n WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130\n Modules linked in:\n CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:__list_add_valid_or_report+0xf7/0x130\n RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282\n RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817\n RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001\n RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c\n R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100\n R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48\n FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 80000000\n Call Trace:\n \u003cTASK\u003e\n input_register_handler+0xb3/0x210\n mac_hid_start_emulation+0x1c5/0x290\n mac_hid_toggle_emumouse+0x20a/0x240\n proc_sys_call_handler+0x4c2/0x6e0\n new_sync_write+0x1b1/0x2d0\n vfs_write+0x709/0x950\n ksys_write+0x12a/0x250\n do_syscall_64+0x5a/0x110\n entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nThe WARNING occurs when two processes concurrently write to the mac-hid\nemulation sysctl, causing a race condition in mac_hid_toggle_emumouse().\nBoth processes read old_val=0, then both try to register the input handler,\nleading to a double list_add of the same handler.\n\n CPU0 CPU1\n ------------------------- -------------------------\n vfs_write() //write 1 vfs_write() //write 1\n proc_sys_write() proc_sys_write()\n mac_hid_toggle_emumouse() mac_hid_toggle_emumouse()\n old_val = *valp // old_val=0\n old_val = *valp // old_val=0\n mutex_lock_killable()\n proc_dointvec() // *valp=1\n mac_hid_start_emulation()\n input_register_handler()\n mutex_unlock()\n mutex_lock_killable()\n proc_dointvec()\n mac_hid_start_emulation()\n input_register_handler() //Trigger Warning\n mutex_unlock()\n\nFix this by moving the old_val read inside the mutex lock region."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:04.771Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/583d36523f56d8e9ddfa0bec20743a6faefc9b74"
},
{
"url": "https://git.kernel.org/stable/c/61abf8c3162d155b4fd0fb251f08557093363a0a"
},
{
"url": "https://git.kernel.org/stable/c/230621ffdb361d15cd3ef92d8b4fa8d314f4fad4"
},
{
"url": "https://git.kernel.org/stable/c/388391dd1cc567fcf0b372b63d414c119d23e911"
},
{
"url": "https://git.kernel.org/stable/c/48a7d427eb65922b3f17fbe00e2bbc7cb9eac381"
},
{
"url": "https://git.kernel.org/stable/c/1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f"
}
],
"title": "macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68367",
"datePublished": "2025-12-24T10:32:54.084Z",
"dateReserved": "2025-12-16T14:48:05.309Z",
"dateUpdated": "2026-01-11T16:30:04.771Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68734 (GCVE-0-2025-68734)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:58 – Updated: 2025-12-24 10:58
VLAI?
EPSS
Title
isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when
setup_instance() fails with an error code. Fix that by freeing the urb
before freeing the hw structure. Also change the error paths to use the
goto ladder style.
Compile tested only. Issue found using a prototype static analysis tool.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
69f52adb2d534afc41fcc658f155e01f0b322f9e , < 475032fa2bb82ffb592c321885e917e39f47357f
(git)
Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < adb7577e23a431fc53aa1b6107733c0d751015fb (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < b70c24827e11fdc71465f9207e974526fb457bb9 (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < 3f7c72bc73c4e542fde14cce017549d8a0b61a3c (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < 03695541b3349bc40bf5d6563d44d6147fb20260 (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < 6dce43433e0635e7b00346bc937b69ce48ea71bb (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < ea7936304ed74ab7f965d17f942a173ce91a5ca8 (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < 3f978e3f1570155a1327ffa25f60968bc7b9398f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/isdn/hardware/mISDN/hfcsusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "475032fa2bb82ffb592c321885e917e39f47357f",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "adb7577e23a431fc53aa1b6107733c0d751015fb",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "b70c24827e11fdc71465f9207e974526fb457bb9",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "3f7c72bc73c4e542fde14cce017549d8a0b61a3c",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "03695541b3349bc40bf5d6563d44d6147fb20260",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "6dce43433e0635e7b00346bc937b69ce48ea71bb",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "ea7936304ed74ab7f965d17f942a173ce91a5ca8",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "3f978e3f1570155a1327ffa25f60968bc7b9398f",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/isdn/hardware/mISDN/hfcsusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nisdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()\n\nIn hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when\nsetup_instance() fails with an error code. Fix that by freeing the urb\nbefore freeing the hw structure. Also change the error paths to use the\ngoto ladder style.\n\nCompile tested only. Issue found using a prototype static analysis tool."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:58:49.938Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/475032fa2bb82ffb592c321885e917e39f47357f"
},
{
"url": "https://git.kernel.org/stable/c/adb7577e23a431fc53aa1b6107733c0d751015fb"
},
{
"url": "https://git.kernel.org/stable/c/b70c24827e11fdc71465f9207e974526fb457bb9"
},
{
"url": "https://git.kernel.org/stable/c/3f7c72bc73c4e542fde14cce017549d8a0b61a3c"
},
{
"url": "https://git.kernel.org/stable/c/03695541b3349bc40bf5d6563d44d6147fb20260"
},
{
"url": "https://git.kernel.org/stable/c/6dce43433e0635e7b00346bc937b69ce48ea71bb"
},
{
"url": "https://git.kernel.org/stable/c/ea7936304ed74ab7f965d17f942a173ce91a5ca8"
},
{
"url": "https://git.kernel.org/stable/c/3f978e3f1570155a1327ffa25f60968bc7b9398f"
}
],
"title": "isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68734",
"datePublished": "2025-12-24T10:58:49.938Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2025-12-24T10:58:49.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50698 (GCVE-0-2022-50698)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
ASoC: da7219: Fix an error handling path in da7219_register_dai_clks()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: da7219: Fix an error handling path in da7219_register_dai_clks()
If clk_hw_register() fails, the corresponding clk should not be
unregistered.
To handle errors from loops, clean up partial iterations before doing the
goto. So add a clk_hw_unregister().
Then use a while (--i >= 0) loop in the unwind section.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
78013a1cf2971684775f6956d5666237ac53a1aa , < 4993c1511d66326f1037bc5156b024a6a96d23ef
(git)
Affected: 78013a1cf2971684775f6956d5666237ac53a1aa , < f5f1f5ee5048cfa7bd07f496b33bd2cfc198a176 (git) Affected: 78013a1cf2971684775f6956d5666237ac53a1aa , < ec692f0b51006de1138cd1f82cae625f0d2888d1 (git) Affected: 78013a1cf2971684775f6956d5666237ac53a1aa , < cefce8bee0e988f9a005fe40705b98a25cfb7f9d (git) Affected: 78013a1cf2971684775f6956d5666237ac53a1aa , < abb4e4349afe7eecdb0499582f1c777031e3a7c8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/da7219.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4993c1511d66326f1037bc5156b024a6a96d23ef",
"status": "affected",
"version": "78013a1cf2971684775f6956d5666237ac53a1aa",
"versionType": "git"
},
{
"lessThan": "f5f1f5ee5048cfa7bd07f496b33bd2cfc198a176",
"status": "affected",
"version": "78013a1cf2971684775f6956d5666237ac53a1aa",
"versionType": "git"
},
{
"lessThan": "ec692f0b51006de1138cd1f82cae625f0d2888d1",
"status": "affected",
"version": "78013a1cf2971684775f6956d5666237ac53a1aa",
"versionType": "git"
},
{
"lessThan": "cefce8bee0e988f9a005fe40705b98a25cfb7f9d",
"status": "affected",
"version": "78013a1cf2971684775f6956d5666237ac53a1aa",
"versionType": "git"
},
{
"lessThan": "abb4e4349afe7eecdb0499582f1c777031e3a7c8",
"status": "affected",
"version": "78013a1cf2971684775f6956d5666237ac53a1aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/da7219.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: da7219: Fix an error handling path in da7219_register_dai_clks()\n\nIf clk_hw_register() fails, the corresponding clk should not be\nunregistered.\n\nTo handle errors from loops, clean up partial iterations before doing the\ngoto. So add a clk_hw_unregister().\nThen use a while (--i \u003e= 0) loop in the unwind section."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:14.740Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4993c1511d66326f1037bc5156b024a6a96d23ef"
},
{
"url": "https://git.kernel.org/stable/c/f5f1f5ee5048cfa7bd07f496b33bd2cfc198a176"
},
{
"url": "https://git.kernel.org/stable/c/ec692f0b51006de1138cd1f82cae625f0d2888d1"
},
{
"url": "https://git.kernel.org/stable/c/cefce8bee0e988f9a005fe40705b98a25cfb7f9d"
},
{
"url": "https://git.kernel.org/stable/c/abb4e4349afe7eecdb0499582f1c777031e3a7c8"
}
],
"title": "ASoC: da7219: Fix an error handling path in da7219_register_dai_clks()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50698",
"datePublished": "2025-12-24T10:55:14.740Z",
"dateReserved": "2025-12-24T10:53:15.517Z",
"dateUpdated": "2025-12-24T10:55:14.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68376 (GCVE-0-2025-68376)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2025-12-24 10:33
VLAI?
EPSS
Title
coresight: ETR: Fix ETR buffer use-after-free issue
Summary
In the Linux kernel, the following vulnerability has been resolved:
coresight: ETR: Fix ETR buffer use-after-free issue
When ETR is enabled as CS_MODE_SYSFS, if the buffer size is changed
and enabled again, currently sysfs_buf will point to the newly
allocated memory(buf_new) and free the old memory(buf_old). But the
etr_buf that is being used by the ETR remains pointed to buf_old, not
updated to buf_new. In this case, it will result in a memory
use-after-free issue.
Fix this by checking ETR's mode before updating and releasing buf_old,
if the mode is CS_MODE_SYSFS, then skip updating and releasing it.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bd2767ec3df2775bc336f441f9068a989ccb919d , < 70acbc9c77686b7a521af6d7a543dcd9c324cf07
(git)
Affected: bd2767ec3df2775bc336f441f9068a989ccb919d , < cda077a19f5c8d6ec61e5b97deca203d95e3a422 (git) Affected: bd2767ec3df2775bc336f441f9068a989ccb919d , < 35501ac3c7d40a7bb9568c2f89d6b56beaf9bed3 (git) Affected: fdd3ceb0001da6768bede9779a0190a42e65c404 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-tmc-etr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70acbc9c77686b7a521af6d7a543dcd9c324cf07",
"status": "affected",
"version": "bd2767ec3df2775bc336f441f9068a989ccb919d",
"versionType": "git"
},
{
"lessThan": "cda077a19f5c8d6ec61e5b97deca203d95e3a422",
"status": "affected",
"version": "bd2767ec3df2775bc336f441f9068a989ccb919d",
"versionType": "git"
},
{
"lessThan": "35501ac3c7d40a7bb9568c2f89d6b56beaf9bed3",
"status": "affected",
"version": "bd2767ec3df2775bc336f441f9068a989ccb919d",
"versionType": "git"
},
{
"status": "affected",
"version": "fdd3ceb0001da6768bede9779a0190a42e65c404",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-tmc-etr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: ETR: Fix ETR buffer use-after-free issue\n\nWhen ETR is enabled as CS_MODE_SYSFS, if the buffer size is changed\nand enabled again, currently sysfs_buf will point to the newly\nallocated memory(buf_new) and free the old memory(buf_old). But the\netr_buf that is being used by the ETR remains pointed to buf_old, not\nupdated to buf_new. In this case, it will result in a memory\nuse-after-free issue.\n\nFix this by checking ETR\u0027s mode before updating and releasing buf_old,\nif the mode is CS_MODE_SYSFS, then skip updating and releasing it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:33:05.503Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70acbc9c77686b7a521af6d7a543dcd9c324cf07"
},
{
"url": "https://git.kernel.org/stable/c/cda077a19f5c8d6ec61e5b97deca203d95e3a422"
},
{
"url": "https://git.kernel.org/stable/c/35501ac3c7d40a7bb9568c2f89d6b56beaf9bed3"
}
],
"title": "coresight: ETR: Fix ETR buffer use-after-free issue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68376",
"datePublished": "2025-12-24T10:33:05.503Z",
"dateReserved": "2025-12-16T14:48:05.310Z",
"dateUpdated": "2025-12-24T10:33:05.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53998 (GCVE-0-2023-53998)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
hwrng: virtio - Fix race on data_avail and actual data
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwrng: virtio - Fix race on data_avail and actual data
The virtio rng device kicks off a new entropy request whenever the
data available reaches zero. When a new request occurs at the end
of a read operation, that is, when the result of that request is
only needed by the next reader, then there is a race between the
writing of the new data and the next reader.
This is because there is no synchronisation whatsoever between the
writer and the reader.
Fix this by writing data_avail with smp_store_release and reading
it with smp_load_acquire when we first enter read. The subsequent
reads are safe because they're either protected by the first load
acquire, or by the completion mechanism.
Also remove the redundant zeroing of data_idx in random_recv_done
(data_idx must already be zero at this point) and data_avail in
request_entropy (ditto).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f7f510ec195781c857ab76366a3e1c59e1caae42 , < 241ef15776a7c8505008db689175b320d345ecd3
(git)
Affected: f7f510ec195781c857ab76366a3e1c59e1caae42 , < a43bcb0b661cbbf3ad797d2aee6b6fd06b8fc69d (git) Affected: f7f510ec195781c857ab76366a3e1c59e1caae42 , < 77471e4912d3960dafe141e268c44be8024fe4dc (git) Affected: f7f510ec195781c857ab76366a3e1c59e1caae42 , < c76d991b6f01a5d931e7053a73bc9524975a5215 (git) Affected: f7f510ec195781c857ab76366a3e1c59e1caae42 , < 22c30022cde6e2c88612b3a499223cfa912f1bc7 (git) Affected: f7f510ec195781c857ab76366a3e1c59e1caae42 , < 318657b4c2077289659f1cd9e2a34f6a3b208e3e (git) Affected: f7f510ec195781c857ab76366a3e1c59e1caae42 , < 2fc91f156b3f3446a1bce80cf4adedcbf41271c2 (git) Affected: f7f510ec195781c857ab76366a3e1c59e1caae42 , < ac52578d6e8d300dd50f790f29a24169b1edd26c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/virtio-rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "241ef15776a7c8505008db689175b320d345ecd3",
"status": "affected",
"version": "f7f510ec195781c857ab76366a3e1c59e1caae42",
"versionType": "git"
},
{
"lessThan": "a43bcb0b661cbbf3ad797d2aee6b6fd06b8fc69d",
"status": "affected",
"version": "f7f510ec195781c857ab76366a3e1c59e1caae42",
"versionType": "git"
},
{
"lessThan": "77471e4912d3960dafe141e268c44be8024fe4dc",
"status": "affected",
"version": "f7f510ec195781c857ab76366a3e1c59e1caae42",
"versionType": "git"
},
{
"lessThan": "c76d991b6f01a5d931e7053a73bc9524975a5215",
"status": "affected",
"version": "f7f510ec195781c857ab76366a3e1c59e1caae42",
"versionType": "git"
},
{
"lessThan": "22c30022cde6e2c88612b3a499223cfa912f1bc7",
"status": "affected",
"version": "f7f510ec195781c857ab76366a3e1c59e1caae42",
"versionType": "git"
},
{
"lessThan": "318657b4c2077289659f1cd9e2a34f6a3b208e3e",
"status": "affected",
"version": "f7f510ec195781c857ab76366a3e1c59e1caae42",
"versionType": "git"
},
{
"lessThan": "2fc91f156b3f3446a1bce80cf4adedcbf41271c2",
"status": "affected",
"version": "f7f510ec195781c857ab76366a3e1c59e1caae42",
"versionType": "git"
},
{
"lessThan": "ac52578d6e8d300dd50f790f29a24169b1edd26c",
"status": "affected",
"version": "f7f510ec195781c857ab76366a3e1c59e1caae42",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/virtio-rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: virtio - Fix race on data_avail and actual data\n\nThe virtio rng device kicks off a new entropy request whenever the\ndata available reaches zero. When a new request occurs at the end\nof a read operation, that is, when the result of that request is\nonly needed by the next reader, then there is a race between the\nwriting of the new data and the next reader.\n\nThis is because there is no synchronisation whatsoever between the\nwriter and the reader.\n\nFix this by writing data_avail with smp_store_release and reading\nit with smp_load_acquire when we first enter read. The subsequent\nreads are safe because they\u0027re either protected by the first load\nacquire, or by the completion mechanism.\n\nAlso remove the redundant zeroing of data_idx in random_recv_done\n(data_idx must already be zero at this point) and data_avail in\nrequest_entropy (ditto)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:34.856Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/241ef15776a7c8505008db689175b320d345ecd3"
},
{
"url": "https://git.kernel.org/stable/c/a43bcb0b661cbbf3ad797d2aee6b6fd06b8fc69d"
},
{
"url": "https://git.kernel.org/stable/c/77471e4912d3960dafe141e268c44be8024fe4dc"
},
{
"url": "https://git.kernel.org/stable/c/c76d991b6f01a5d931e7053a73bc9524975a5215"
},
{
"url": "https://git.kernel.org/stable/c/22c30022cde6e2c88612b3a499223cfa912f1bc7"
},
{
"url": "https://git.kernel.org/stable/c/318657b4c2077289659f1cd9e2a34f6a3b208e3e"
},
{
"url": "https://git.kernel.org/stable/c/2fc91f156b3f3446a1bce80cf4adedcbf41271c2"
},
{
"url": "https://git.kernel.org/stable/c/ac52578d6e8d300dd50f790f29a24169b1edd26c"
}
],
"title": "hwrng: virtio - Fix race on data_avail and actual data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53998",
"datePublished": "2025-12-24T10:55:34.856Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2025-12-24T10:55:34.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68379 (GCVE-0-2025-68379)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
RDMA/rxe: Fix null deref on srq->rq.queue after resize failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix null deref on srq->rq.queue after resize failure
A NULL pointer dereference can occur in rxe_srq_chk_attr() when
ibv_modify_srq() is invoked twice in succession under certain error
conditions. The first call may fail in rxe_queue_resize(), which leads
rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then
triggers a crash (null deref) when accessing
srq->rq.queue->buf->index_mask.
Call Trace:
<TASK>
rxe_modify_srq+0x170/0x480 [rdma_rxe]
? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe]
? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs]
? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs]
ib_uverbs_modify_srq+0x204/0x290 [ib_uverbs]
? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs]
? tryinc_node_nr_active+0xe6/0x150
? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs]
? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
ib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs]
? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
ib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs]
? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs]
? __pfx___raw_spin_lock_irqsave+0x10/0x10
? __pfx_do_vfs_ioctl+0x10/0x10
? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0
? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10
ib_uverbs_ioctl+0x13e/0x220 [ib_uverbs]
? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs]
__x64_sys_ioctl+0x138/0x1c0
do_syscall_64+0x82/0x250
? fdget_pos+0x58/0x4c0
? ksys_write+0xf3/0x1c0
? __pfx_ksys_write+0x10/0x10
? do_syscall_64+0xc8/0x250
? __pfx_vm_mmap_pgoff+0x10/0x10
? fget+0x173/0x230
? fput+0x2a/0x80
? ksys_mmap_pgoff+0x224/0x4c0
? do_syscall_64+0xc8/0x250
? do_user_addr_fault+0x37b/0xfe0
? clear_bhb_loop+0x50/0xa0
? clear_bhb_loop+0x50/0xa0
? clear_bhb_loop+0x50/0xa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8700e3e7c4857d28ebaa824509934556da0b3e76 , < 58aca869babd48cb9c3d6ee9e1452c4b9f5266a6
(git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < b8f6eeb87a76b6fb1f6381b0b2894568e1b784f7 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 5dbeb421e137824aa9bd8358bdfc926a3965fc0d (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < bc4c14a3863cc0e03698caec9a0cdabd779776ee (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 503a5e4690ae14c18570141bc0dcf7501a8419b0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_srq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58aca869babd48cb9c3d6ee9e1452c4b9f5266a6",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "b8f6eeb87a76b6fb1f6381b0b2894568e1b784f7",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "5dbeb421e137824aa9bd8358bdfc926a3965fc0d",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "bc4c14a3863cc0e03698caec9a0cdabd779776ee",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "503a5e4690ae14c18570141bc0dcf7501a8419b0",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_srq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix null deref on srq-\u003erq.queue after resize failure\n\nA NULL pointer dereference can occur in rxe_srq_chk_attr() when\nibv_modify_srq() is invoked twice in succession under certain error\nconditions. The first call may fail in rxe_queue_resize(), which leads\nrxe_srq_from_attr() to set srq-\u003erq.queue = NULL. The second call then\ntriggers a crash (null deref) when accessing\nsrq-\u003erq.queue-\u003ebuf-\u003eindex_mask.\n\nCall Trace:\n\u003cTASK\u003e\nrxe_modify_srq+0x170/0x480 [rdma_rxe]\n? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe]\n? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs]\n? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs]\nib_uverbs_modify_srq+0x204/0x290 [ib_uverbs]\n? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs]\n? tryinc_node_nr_active+0xe6/0x150\n? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]\nib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs]\n? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]\n? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]\nib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs]\n? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]\nib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs]\n? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs]\n? __pfx___raw_spin_lock_irqsave+0x10/0x10\n? __pfx_do_vfs_ioctl+0x10/0x10\n? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0\n? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10\nib_uverbs_ioctl+0x13e/0x220 [ib_uverbs]\n? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs]\n__x64_sys_ioctl+0x138/0x1c0\ndo_syscall_64+0x82/0x250\n? fdget_pos+0x58/0x4c0\n? ksys_write+0xf3/0x1c0\n? __pfx_ksys_write+0x10/0x10\n? do_syscall_64+0xc8/0x250\n? __pfx_vm_mmap_pgoff+0x10/0x10\n? fget+0x173/0x230\n? fput+0x2a/0x80\n? ksys_mmap_pgoff+0x224/0x4c0\n? do_syscall_64+0xc8/0x250\n? do_user_addr_fault+0x37b/0xfe0\n? clear_bhb_loop+0x50/0xa0\n? clear_bhb_loop+0x50/0xa0\n? clear_bhb_loop+0x50/0xa0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:09.611Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58aca869babd48cb9c3d6ee9e1452c4b9f5266a6"
},
{
"url": "https://git.kernel.org/stable/c/b8f6eeb87a76b6fb1f6381b0b2894568e1b784f7"
},
{
"url": "https://git.kernel.org/stable/c/5dbeb421e137824aa9bd8358bdfc926a3965fc0d"
},
{
"url": "https://git.kernel.org/stable/c/bc4c14a3863cc0e03698caec9a0cdabd779776ee"
},
{
"url": "https://git.kernel.org/stable/c/503a5e4690ae14c18570141bc0dcf7501a8419b0"
}
],
"title": "RDMA/rxe: Fix null deref on srq-\u003erq.queue after resize failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68379",
"datePublished": "2025-12-24T10:33:07.538Z",
"dateReserved": "2025-12-16T14:48:05.311Z",
"dateUpdated": "2026-01-11T16:30:09.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50707 (GCVE-0-2022-50707)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
virtio-crypto: fix memory leak in virtio_crypto_alg_skcipher_close_session()
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio-crypto: fix memory leak in virtio_crypto_alg_skcipher_close_session()
'vc_ctrl_req' is alloced in virtio_crypto_alg_skcipher_close_session(),
and should be freed in the invalid ctrl_status->status error handling
case. Otherwise there is a memory leak.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4ee475e76b5ea8061970a7c867ffa5eedeb39580 , < 79026a2d0a1b080257773d22a493f9bcab8c65be
(git)
Affected: 0756ad15b1fef287d4d8fa11bc36ea77a5c42e4a , < 67fb59ff1384e338679c0eb7a43c83ce8868c9fa (git) Affected: 0756ad15b1fef287d4d8fa11bc36ea77a5c42e4a , < 0871df190fe6723464efe0f493d476411616f553 (git) Affected: 0756ad15b1fef287d4d8fa11bc36ea77a5c42e4a , < b1d65f717cd6305a396a8738e022c6f7c65cfbe8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/virtio/virtio_crypto_skcipher_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "79026a2d0a1b080257773d22a493f9bcab8c65be",
"status": "affected",
"version": "4ee475e76b5ea8061970a7c867ffa5eedeb39580",
"versionType": "git"
},
{
"lessThan": "67fb59ff1384e338679c0eb7a43c83ce8868c9fa",
"status": "affected",
"version": "0756ad15b1fef287d4d8fa11bc36ea77a5c42e4a",
"versionType": "git"
},
{
"lessThan": "0871df190fe6723464efe0f493d476411616f553",
"status": "affected",
"version": "0756ad15b1fef287d4d8fa11bc36ea77a5c42e4a",
"versionType": "git"
},
{
"lessThan": "b1d65f717cd6305a396a8738e022c6f7c65cfbe8",
"status": "affected",
"version": "0756ad15b1fef287d4d8fa11bc36ea77a5c42e4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/virtio/virtio_crypto_skcipher_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-crypto: fix memory leak in virtio_crypto_alg_skcipher_close_session()\n\n\u0027vc_ctrl_req\u0027 is alloced in virtio_crypto_alg_skcipher_close_session(),\nand should be freed in the invalid ctrl_status-\u003estatus error handling\ncase. Otherwise there is a memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:21.547Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/79026a2d0a1b080257773d22a493f9bcab8c65be"
},
{
"url": "https://git.kernel.org/stable/c/67fb59ff1384e338679c0eb7a43c83ce8868c9fa"
},
{
"url": "https://git.kernel.org/stable/c/0871df190fe6723464efe0f493d476411616f553"
},
{
"url": "https://git.kernel.org/stable/c/b1d65f717cd6305a396a8738e022c6f7c65cfbe8"
}
],
"title": "virtio-crypto: fix memory leak in virtio_crypto_alg_skcipher_close_session()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50707",
"datePublished": "2025-12-24T10:55:21.547Z",
"dateReserved": "2025-12-24T10:53:15.518Z",
"dateUpdated": "2025-12-24T10:55:21.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50701 (GCVE-0-2022-50701)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
wifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host
SDIO may need addtional 511 bytes to align bus operation. If the tailroom
of this skb is not big enough, we would access invalid memory region.
For low level operation, increase skb size to keep valid memory access in
SDIO host.
Error message:
[69.951] BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0xe9/0x1a0
[69.951] Read of size 64 at addr ffff88811c9cf000 by task kworker/u16:7/451
[69.951] CPU: 4 PID: 451 Comm: kworker/u16:7 Tainted: G W OE 6.1.0-rc5 #1
[69.951] Workqueue: kvub300c vub300_cmndwork_thread [vub300]
[69.951] Call Trace:
[69.951] <TASK>
[69.952] dump_stack_lvl+0x49/0x63
[69.952] print_report+0x171/0x4a8
[69.952] kasan_report+0xb4/0x130
[69.952] kasan_check_range+0x149/0x1e0
[69.952] memcpy+0x24/0x70
[69.952] sg_copy_buffer+0xe9/0x1a0
[69.952] sg_copy_to_buffer+0x12/0x20
[69.952] __command_write_data.isra.0+0x23c/0xbf0 [vub300]
[69.952] vub300_cmndwork_thread+0x17f3/0x58b0 [vub300]
[69.952] process_one_work+0x7ee/0x1320
[69.952] worker_thread+0x53c/0x1240
[69.952] kthread+0x2b8/0x370
[69.952] ret_from_fork+0x1f/0x30
[69.952] </TASK>
[69.952] Allocated by task 854:
[69.952] kasan_save_stack+0x26/0x50
[69.952] kasan_set_track+0x25/0x30
[69.952] kasan_save_alloc_info+0x1b/0x30
[69.952] __kasan_kmalloc+0x87/0xa0
[69.952] __kmalloc_node_track_caller+0x63/0x150
[69.952] kmalloc_reserve+0x31/0xd0
[69.952] __alloc_skb+0xfc/0x2b0
[69.952] __mt76_mcu_msg_alloc+0xbf/0x230 [mt76]
[69.952] mt76_mcu_send_and_get_msg+0xab/0x110 [mt76]
[69.952] __mt76_mcu_send_firmware.cold+0x94/0x15d [mt76]
[69.952] mt76_connac_mcu_send_ram_firmware+0x415/0x54d [mt76_connac_lib]
[69.952] mt76_connac2_load_ram.cold+0x118/0x4bc [mt76_connac_lib]
[69.952] mt7921_run_firmware.cold+0x2e9/0x405 [mt7921_common]
[69.952] mt7921s_mcu_init+0x45/0x80 [mt7921s]
[69.953] mt7921_init_work+0xe1/0x2a0 [mt7921_common]
[69.953] process_one_work+0x7ee/0x1320
[69.953] worker_thread+0x53c/0x1240
[69.953] kthread+0x2b8/0x370
[69.953] ret_from_fork+0x1f/0x30
[69.953] The buggy address belongs to the object at ffff88811c9ce800
which belongs to the cache kmalloc-2k of size 2048
[69.953] The buggy address is located 0 bytes to the right of
2048-byte region [ffff88811c9ce800, ffff88811c9cf000)
[69.953] Memory state around the buggy address:
[69.953] ffff88811c9cef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[69.953] ffff88811c9cef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[69.953] >ffff88811c9cf000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[69.953] ^
[69.953] ffff88811c9cf080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[69.953] ffff88811c9cf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
764dee47e2c1ed828c8a51cbf58f89b5e3ded11b , < 8b5174a7f25d03df0ffa171ff86de383a89e8e89
(git)
Affected: 764dee47e2c1ed828c8a51cbf58f89b5e3ded11b , < 0b358e36433d2c46a65488a146bf8b4623fc5bbb (git) Affected: 764dee47e2c1ed828c8a51cbf58f89b5e3ded11b , < aec4cf2ea0797e28f18f8dbe01943a56d987fe56 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/sdio_txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8b5174a7f25d03df0ffa171ff86de383a89e8e89",
"status": "affected",
"version": "764dee47e2c1ed828c8a51cbf58f89b5e3ded11b",
"versionType": "git"
},
{
"lessThan": "0b358e36433d2c46a65488a146bf8b4623fc5bbb",
"status": "affected",
"version": "764dee47e2c1ed828c8a51cbf58f89b5e3ded11b",
"versionType": "git"
},
{
"lessThan": "aec4cf2ea0797e28f18f8dbe01943a56d987fe56",
"status": "affected",
"version": "764dee47e2c1ed828c8a51cbf58f89b5e3ded11b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/sdio_txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host\n\nSDIO may need addtional 511 bytes to align bus operation. If the tailroom\nof this skb is not big enough, we would access invalid memory region.\nFor low level operation, increase skb size to keep valid memory access in\nSDIO host.\n\nError message:\n[69.951] BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0xe9/0x1a0\n[69.951] Read of size 64 at addr ffff88811c9cf000 by task kworker/u16:7/451\n[69.951] CPU: 4 PID: 451 Comm: kworker/u16:7 Tainted: G W OE 6.1.0-rc5 #1\n[69.951] Workqueue: kvub300c vub300_cmndwork_thread [vub300]\n[69.951] Call Trace:\n[69.951] \u003cTASK\u003e\n[69.952] dump_stack_lvl+0x49/0x63\n[69.952] print_report+0x171/0x4a8\n[69.952] kasan_report+0xb4/0x130\n[69.952] kasan_check_range+0x149/0x1e0\n[69.952] memcpy+0x24/0x70\n[69.952] sg_copy_buffer+0xe9/0x1a0\n[69.952] sg_copy_to_buffer+0x12/0x20\n[69.952] __command_write_data.isra.0+0x23c/0xbf0 [vub300]\n[69.952] vub300_cmndwork_thread+0x17f3/0x58b0 [vub300]\n[69.952] process_one_work+0x7ee/0x1320\n[69.952] worker_thread+0x53c/0x1240\n[69.952] kthread+0x2b8/0x370\n[69.952] ret_from_fork+0x1f/0x30\n[69.952] \u003c/TASK\u003e\n\n[69.952] Allocated by task 854:\n[69.952] kasan_save_stack+0x26/0x50\n[69.952] kasan_set_track+0x25/0x30\n[69.952] kasan_save_alloc_info+0x1b/0x30\n[69.952] __kasan_kmalloc+0x87/0xa0\n[69.952] __kmalloc_node_track_caller+0x63/0x150\n[69.952] kmalloc_reserve+0x31/0xd0\n[69.952] __alloc_skb+0xfc/0x2b0\n[69.952] __mt76_mcu_msg_alloc+0xbf/0x230 [mt76]\n[69.952] mt76_mcu_send_and_get_msg+0xab/0x110 [mt76]\n[69.952] __mt76_mcu_send_firmware.cold+0x94/0x15d [mt76]\n[69.952] mt76_connac_mcu_send_ram_firmware+0x415/0x54d [mt76_connac_lib]\n[69.952] mt76_connac2_load_ram.cold+0x118/0x4bc [mt76_connac_lib]\n[69.952] mt7921_run_firmware.cold+0x2e9/0x405 [mt7921_common]\n[69.952] mt7921s_mcu_init+0x45/0x80 [mt7921s]\n[69.953] mt7921_init_work+0xe1/0x2a0 [mt7921_common]\n[69.953] process_one_work+0x7ee/0x1320\n[69.953] worker_thread+0x53c/0x1240\n[69.953] kthread+0x2b8/0x370\n[69.953] ret_from_fork+0x1f/0x30\n[69.953] The buggy address belongs to the object at ffff88811c9ce800\n which belongs to the cache kmalloc-2k of size 2048\n[69.953] The buggy address is located 0 bytes to the right of\n 2048-byte region [ffff88811c9ce800, ffff88811c9cf000)\n\n[69.953] Memory state around the buggy address:\n[69.953] ffff88811c9cef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[69.953] ffff88811c9cef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[69.953] \u003effff88811c9cf000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[69.953] ^\n[69.953] ffff88811c9cf080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[69.953] ffff88811c9cf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:17.090Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b5174a7f25d03df0ffa171ff86de383a89e8e89"
},
{
"url": "https://git.kernel.org/stable/c/0b358e36433d2c46a65488a146bf8b4623fc5bbb"
},
{
"url": "https://git.kernel.org/stable/c/aec4cf2ea0797e28f18f8dbe01943a56d987fe56"
}
],
"title": "wifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50701",
"datePublished": "2025-12-24T10:55:17.090Z",
"dateReserved": "2025-12-24T10:53:15.517Z",
"dateUpdated": "2025-12-24T10:55:17.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54032 (GCVE-0-2023-54032)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
btrfs: fix race when deleting quota root from the dirty cow roots list
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix race when deleting quota root from the dirty cow roots list
When disabling quotas we are deleting the quota root from the list
fs_info->dirty_cowonly_roots without taking the lock that protects it,
which is struct btrfs_fs_info::trans_lock. This unsynchronized list
manipulation may cause chaos if there's another concurrent manipulation
of this list, such as when adding a root to it with
ctree.c:add_root_to_dirty_list().
This can result in all sorts of weird failures caused by a race, such as
the following crash:
[337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI
[337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1
[337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]
[337571.279928] Code: 85 38 06 00 (...)
[337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206
[337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000
[337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070
[337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b
[337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600
[337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48
[337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000
[337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0
[337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[337571.282874] Call Trace:
[337571.283101] <TASK>
[337571.283327] ? __die_body+0x1b/0x60
[337571.283570] ? die_addr+0x39/0x60
[337571.283796] ? exc_general_protection+0x22e/0x430
[337571.284022] ? asm_exc_general_protection+0x22/0x30
[337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs]
[337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs]
[337571.284803] ? _raw_spin_unlock+0x15/0x30
[337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs]
[337571.285305] reset_balance_state+0x152/0x1b0 [btrfs]
[337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs]
[337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410
[337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs]
[337571.286358] ? mod_objcg_state+0xd2/0x360
[337571.286577] ? refill_obj_stock+0xb0/0x160
[337571.286798] ? seq_release+0x25/0x30
[337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0
[337571.287235] ? percpu_counter_add_batch+0x2e/0xa0
[337571.287455] ? __x64_sys_ioctl+0x88/0xc0
[337571.287675] __x64_sys_ioctl+0x88/0xc0
[337571.287901] do_syscall_64+0x38/0x90
[337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[337571.288352] RIP: 0033:0x7f478aaffe9b
So fix this by locking struct btrfs_fs_info::trans_lock before deleting
the quota root from that list.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bed92eae26ccf280d1a2168b7509447b56675a27 , < 365f318da7384cbac5de6b9c098914888a4d63e7
(git)
Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < 6da229754099518cfa27cbfcd0fd042618785fad (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < 679c34821ab7cd93c8ccb96fbf57fc44848a78bc (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < 6819bb0b8552dcc5f82ca606c8911b8c67e0628f (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < 7ba0da31dd4a8fd24d416016c538a95a5664ff02 (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < a53d78d9a8551e72c46ded23e8b0a56e55d32032 (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < a5cdc4012efa808e07d073c11dc2f366b5394ad3 (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/qgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "365f318da7384cbac5de6b9c098914888a4d63e7",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "6da229754099518cfa27cbfcd0fd042618785fad",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "679c34821ab7cd93c8ccb96fbf57fc44848a78bc",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "6819bb0b8552dcc5f82ca606c8911b8c67e0628f",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "7ba0da31dd4a8fd24d416016c538a95a5664ff02",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "a53d78d9a8551e72c46ded23e8b0a56e55d32032",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "a5cdc4012efa808e07d073c11dc2f366b5394ad3",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/qgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race when deleting quota root from the dirty cow roots list\n\nWhen disabling quotas we are deleting the quota root from the list\nfs_info-\u003edirty_cowonly_roots without taking the lock that protects it,\nwhich is struct btrfs_fs_info::trans_lock. This unsynchronized list\nmanipulation may cause chaos if there\u0027s another concurrent manipulation\nof this list, such as when adding a root to it with\nctree.c:add_root_to_dirty_list().\n\nThis can result in all sorts of weird failures caused by a race, such as\nthe following crash:\n\n [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI\n [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1\n [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]\n [337571.279928] Code: 85 38 06 00 (...)\n [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206\n [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000\n [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070\n [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b\n [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600\n [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48\n [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000\n [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0\n [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [337571.282874] Call Trace:\n [337571.283101] \u003cTASK\u003e\n [337571.283327] ? __die_body+0x1b/0x60\n [337571.283570] ? die_addr+0x39/0x60\n [337571.283796] ? exc_general_protection+0x22e/0x430\n [337571.284022] ? asm_exc_general_protection+0x22/0x30\n [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs]\n [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs]\n [337571.284803] ? _raw_spin_unlock+0x15/0x30\n [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs]\n [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs]\n [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs]\n [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410\n [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs]\n [337571.286358] ? mod_objcg_state+0xd2/0x360\n [337571.286577] ? refill_obj_stock+0xb0/0x160\n [337571.286798] ? seq_release+0x25/0x30\n [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0\n [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0\n [337571.287455] ? __x64_sys_ioctl+0x88/0xc0\n [337571.287675] __x64_sys_ioctl+0x88/0xc0\n [337571.287901] do_syscall_64+0x38/0x90\n [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc\n [337571.288352] RIP: 0033:0x7f478aaffe9b\n\nSo fix this by locking struct btrfs_fs_info::trans_lock before deleting\nthe quota root from that list."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:59.609Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/365f318da7384cbac5de6b9c098914888a4d63e7"
},
{
"url": "https://git.kernel.org/stable/c/6da229754099518cfa27cbfcd0fd042618785fad"
},
{
"url": "https://git.kernel.org/stable/c/679c34821ab7cd93c8ccb96fbf57fc44848a78bc"
},
{
"url": "https://git.kernel.org/stable/c/6819bb0b8552dcc5f82ca606c8911b8c67e0628f"
},
{
"url": "https://git.kernel.org/stable/c/7ba0da31dd4a8fd24d416016c538a95a5664ff02"
},
{
"url": "https://git.kernel.org/stable/c/a53d78d9a8551e72c46ded23e8b0a56e55d32032"
},
{
"url": "https://git.kernel.org/stable/c/a5cdc4012efa808e07d073c11dc2f366b5394ad3"
},
{
"url": "https://git.kernel.org/stable/c/b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79"
}
],
"title": "btrfs: fix race when deleting quota root from the dirty cow roots list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54032",
"datePublished": "2025-12-24T10:55:59.609Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:55:59.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54033 (GCVE-0-2023-54033)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
bpf: fix a memory leak in the LRU and LRU_PERCPU hash maps
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: fix a memory leak in the LRU and LRU_PERCPU hash maps
The LRU and LRU_PERCPU maps allocate a new element on update before locking the
target hash table bucket. Right after that the maps try to lock the bucket.
If this fails, then maps return -EBUSY to the caller without releasing the
allocated element. This makes the element untracked: it doesn't belong to
either of free lists, and it doesn't belong to the hash table, so can't be
re-used; this eventually leads to the permanent -ENOMEM on LRU map updates,
which is unexpected. Fix this by returning the element to the local free list
if bucket locking fails.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
20b6cc34ea74b6a84599c1f8a70f3315b56a1883 , < 79ea1a12fb9a8275b6e19d4ca625dd872dedcbb9
(git)
Affected: 20b6cc34ea74b6a84599c1f8a70f3315b56a1883 , < 1a9e80f757bbb1562d82e350afce2bb2f712cc3d (git) Affected: 20b6cc34ea74b6a84599c1f8a70f3315b56a1883 , < 965e9cccbe6b9c7b379908cebcb5e3a47f20dd5e (git) Affected: 20b6cc34ea74b6a84599c1f8a70f3315b56a1883 , < b34ffb0c6d23583830f9327864b9c1f486003305 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/hashtab.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "79ea1a12fb9a8275b6e19d4ca625dd872dedcbb9",
"status": "affected",
"version": "20b6cc34ea74b6a84599c1f8a70f3315b56a1883",
"versionType": "git"
},
{
"lessThan": "1a9e80f757bbb1562d82e350afce2bb2f712cc3d",
"status": "affected",
"version": "20b6cc34ea74b6a84599c1f8a70f3315b56a1883",
"versionType": "git"
},
{
"lessThan": "965e9cccbe6b9c7b379908cebcb5e3a47f20dd5e",
"status": "affected",
"version": "20b6cc34ea74b6a84599c1f8a70f3315b56a1883",
"versionType": "git"
},
{
"lessThan": "b34ffb0c6d23583830f9327864b9c1f486003305",
"status": "affected",
"version": "20b6cc34ea74b6a84599c1f8a70f3315b56a1883",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/hashtab.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.115",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix a memory leak in the LRU and LRU_PERCPU hash maps\n\nThe LRU and LRU_PERCPU maps allocate a new element on update before locking the\ntarget hash table bucket. Right after that the maps try to lock the bucket.\nIf this fails, then maps return -EBUSY to the caller without releasing the\nallocated element. This makes the element untracked: it doesn\u0027t belong to\neither of free lists, and it doesn\u0027t belong to the hash table, so can\u0027t be\nre-used; this eventually leads to the permanent -ENOMEM on LRU map updates,\nwhich is unexpected. Fix this by returning the element to the local free list\nif bucket locking fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:00.579Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/79ea1a12fb9a8275b6e19d4ca625dd872dedcbb9"
},
{
"url": "https://git.kernel.org/stable/c/1a9e80f757bbb1562d82e350afce2bb2f712cc3d"
},
{
"url": "https://git.kernel.org/stable/c/965e9cccbe6b9c7b379908cebcb5e3a47f20dd5e"
},
{
"url": "https://git.kernel.org/stable/c/b34ffb0c6d23583830f9327864b9c1f486003305"
}
],
"title": "bpf: fix a memory leak in the LRU and LRU_PERCPU hash maps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54033",
"datePublished": "2025-12-24T10:56:00.579Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:56:00.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68732 (GCVE-0-2025-68732)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
gpu: host1x: Fix race in syncpt alloc/free
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpu: host1x: Fix race in syncpt alloc/free
Fix race condition between host1x_syncpt_alloc()
and host1x_syncpt_put() by using kref_put_mutex()
instead of kref_put() + manual mutex locking.
This ensures no thread can acquire the
syncpt_mutex after the refcount drops to zero
but before syncpt_release acquires it.
This prevents races where syncpoints could
be allocated while still being cleaned up
from a previous release.
Remove explicit mutex locking in syncpt_release
as kref_put_mutex() handles this atomically.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f5ba33fb9690566c382624637125827b5512e766 , < 4aeaece518fa4436af93d1d8b786200d9656ff4b
(git)
Affected: f5ba33fb9690566c382624637125827b5512e766 , < 6245cce711e2cdb2cc75c0bb8632952e36f8c972 (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < 4e6e07ce0197aecfb6c4a62862acc93b3efedeb7 (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < d138f73ffb0c57ded473c577719e6e551b7b1f27 (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < 79197c6007f2afbfd7bcf5b9b80ccabf8483d774 (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < c7d393267c497502fa737607f435f05dfe6e3d9b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/host1x/syncpt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4aeaece518fa4436af93d1d8b786200d9656ff4b",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "6245cce711e2cdb2cc75c0bb8632952e36f8c972",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "4e6e07ce0197aecfb6c4a62862acc93b3efedeb7",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "d138f73ffb0c57ded473c577719e6e551b7b1f27",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "79197c6007f2afbfd7bcf5b9b80ccabf8483d774",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "c7d393267c497502fa737607f435f05dfe6e3d9b",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/host1x/syncpt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpu: host1x: Fix race in syncpt alloc/free\n\nFix race condition between host1x_syncpt_alloc()\nand host1x_syncpt_put() by using kref_put_mutex()\ninstead of kref_put() + manual mutex locking.\n\nThis ensures no thread can acquire the\nsyncpt_mutex after the refcount drops to zero\nbut before syncpt_release acquires it.\nThis prevents races where syncpoints could\nbe allocated while still being cleaned up\nfrom a previous release.\n\nRemove explicit mutex locking in syncpt_release\nas kref_put_mutex() handles this atomically."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:15.916Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4aeaece518fa4436af93d1d8b786200d9656ff4b"
},
{
"url": "https://git.kernel.org/stable/c/6245cce711e2cdb2cc75c0bb8632952e36f8c972"
},
{
"url": "https://git.kernel.org/stable/c/4e6e07ce0197aecfb6c4a62862acc93b3efedeb7"
},
{
"url": "https://git.kernel.org/stable/c/d138f73ffb0c57ded473c577719e6e551b7b1f27"
},
{
"url": "https://git.kernel.org/stable/c/79197c6007f2afbfd7bcf5b9b80ccabf8483d774"
},
{
"url": "https://git.kernel.org/stable/c/c7d393267c497502fa737607f435f05dfe6e3d9b"
}
],
"title": "gpu: host1x: Fix race in syncpt alloc/free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68732",
"datePublished": "2025-12-24T10:33:14.664Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-01-11T16:30:15.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68369 (GCVE-0-2025-68369)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
ntfs3: init run lock for extend inode
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: init run lock for extend inode
After setting the inode mode of $Extend to a regular file, executing the
truncate system call will enter the do_truncate() routine, causing the
run_lock uninitialized error reported by syzbot.
Prior to patch 4e8011ffec79, if the inode mode of $Extend was not set to
a regular file, the do_truncate() routine would not be entered.
Add the run_lock initialization when loading $Extend.
syzbot reported:
INFO: trying to register non-static key.
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984
register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299
__lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590
ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860
ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387
ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
78d46f5276ed3589aaaa435580068c5b62efc921 , < 433d1f7c628c3cbdd7efce064d6c7acd072cf6c4
(git)
Affected: 17249b2a65274f73ed68bcd1604e08a60fd8a278 , < 907bf69c6b6ce5d038eec7a599d67b45b62624bc (git) Affected: 37f65e68ba9852dc51c78dbb54a9881c3f0fe4f7 , < 6e17555728bc469d484c59db4a0abc65c19bc315 (git) Affected: 57534db1bbc4ca772393bb7d92e69d5e7b9051cf , < 19164d8228317f3f1fe2662a9ba587cfe3b2d29e (git) Affected: 4e8011ffec79717e5fdac43a7e79faf811a384b7 , < ab5e8ebeee1caa4fcf8be7d8d62c0a7165469076 (git) Affected: 4e8011ffec79717e5fdac43a7e79faf811a384b7 , < be99c62ac7e7af514e4b13f83c891a3cccefaa48 (git) Affected: 63eb6730ce0604d3eacf036c2f68ea70b068317c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "433d1f7c628c3cbdd7efce064d6c7acd072cf6c4",
"status": "affected",
"version": "78d46f5276ed3589aaaa435580068c5b62efc921",
"versionType": "git"
},
{
"lessThan": "907bf69c6b6ce5d038eec7a599d67b45b62624bc",
"status": "affected",
"version": "17249b2a65274f73ed68bcd1604e08a60fd8a278",
"versionType": "git"
},
{
"lessThan": "6e17555728bc469d484c59db4a0abc65c19bc315",
"status": "affected",
"version": "37f65e68ba9852dc51c78dbb54a9881c3f0fe4f7",
"versionType": "git"
},
{
"lessThan": "19164d8228317f3f1fe2662a9ba587cfe3b2d29e",
"status": "affected",
"version": "57534db1bbc4ca772393bb7d92e69d5e7b9051cf",
"versionType": "git"
},
{
"lessThan": "ab5e8ebeee1caa4fcf8be7d8d62c0a7165469076",
"status": "affected",
"version": "4e8011ffec79717e5fdac43a7e79faf811a384b7",
"versionType": "git"
},
{
"lessThan": "be99c62ac7e7af514e4b13f83c891a3cccefaa48",
"status": "affected",
"version": "4e8011ffec79717e5fdac43a7e79faf811a384b7",
"versionType": "git"
},
{
"status": "affected",
"version": "63eb6730ce0604d3eacf036c2f68ea70b068317c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.159",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.12.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.197",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: init run lock for extend inode\n\nAfter setting the inode mode of $Extend to a regular file, executing the\ntruncate system call will enter the do_truncate() routine, causing the\nrun_lock uninitialized error reported by syzbot.\n\nPrior to patch 4e8011ffec79, if the inode mode of $Extend was not set to\na regular file, the do_truncate() routine would not be entered.\n\nAdd the run_lock initialization when loading $Extend.\n\nsyzbot reported:\nINFO: trying to register non-static key.\nCall Trace:\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984\n register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299\n __lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112\n lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868\n down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590\n ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860\n ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387\n ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:05.983Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/433d1f7c628c3cbdd7efce064d6c7acd072cf6c4"
},
{
"url": "https://git.kernel.org/stable/c/907bf69c6b6ce5d038eec7a599d67b45b62624bc"
},
{
"url": "https://git.kernel.org/stable/c/6e17555728bc469d484c59db4a0abc65c19bc315"
},
{
"url": "https://git.kernel.org/stable/c/19164d8228317f3f1fe2662a9ba587cfe3b2d29e"
},
{
"url": "https://git.kernel.org/stable/c/ab5e8ebeee1caa4fcf8be7d8d62c0a7165469076"
},
{
"url": "https://git.kernel.org/stable/c/be99c62ac7e7af514e4b13f83c891a3cccefaa48"
}
],
"title": "ntfs3: init run lock for extend inode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68369",
"datePublished": "2025-12-24T10:32:55.440Z",
"dateReserved": "2025-12-16T14:48:05.309Z",
"dateUpdated": "2026-01-11T16:30:05.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68363 (GCVE-0-2025-68363)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:29
VLAI?
EPSS
Title
bpf: Check skb->transport_header is set in bpf_skb_check_mtu
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Check skb->transport_header is set in bpf_skb_check_mtu
The bpf_skb_check_mtu helper needs to use skb->transport_header when
the BPF_MTU_CHK_SEGS flag is used:
bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS)
The transport_header is not always set. There is a WARN_ON_ONCE
report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set +
bpf_prog_test_run is used:
WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071
skb_gso_validate_network_len
bpf_skb_check_mtu
bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch
bpf_test_run
bpf_prog_test_run_skb
For a normal ingress skb (not test_run), skb_reset_transport_header
is performed but there is plan to avoid setting it as described in
commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()").
This patch fixes the bpf helper by checking
skb_transport_header_was_set(). The check is done just before
skb->transport_header is used, to avoid breaking the existing bpf prog.
The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
34b2021cc61642d61c3cf943d9e71925b827941b , < b3171a5e4622e915e94599a55f4964078bdec27e
(git)
Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < 97b876fa88322625228792cf7a5fd77531815a80 (git) Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < 30ce906557a21adef4cba5901c8e995dc18263a9 (git) Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < 1c30e4afc5507f0069cc09bd561e510e4d97fbf7 (git) Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < 942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5 (git) Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < d946f3c98328171fa50ddb908593cf833587f725 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3171a5e4622e915e94599a55f4964078bdec27e",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "97b876fa88322625228792cf7a5fd77531815a80",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "30ce906557a21adef4cba5901c8e995dc18263a9",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "1c30e4afc5507f0069cc09bd561e510e4d97fbf7",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "d946f3c98328171fa50ddb908593cf833587f725",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check skb-\u003etransport_header is set in bpf_skb_check_mtu\n\nThe bpf_skb_check_mtu helper needs to use skb-\u003etransport_header when\nthe BPF_MTU_CHK_SEGS flag is used:\n\n\tbpf_skb_check_mtu(skb, ifindex, \u0026mtu_len, 0, BPF_MTU_CHK_SEGS)\n\nThe transport_header is not always set. There is a WARN_ON_ONCE\nreport when CONFIG_DEBUG_NET is enabled + skb-\u003egso_size is set +\nbpf_prog_test_run is used:\n\nWARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071\n skb_gso_validate_network_len\n bpf_skb_check_mtu\n bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch\n bpf_test_run\n bpf_prog_test_run_skb\n\nFor a normal ingress skb (not test_run), skb_reset_transport_header\nis performed but there is plan to avoid setting it as described in\ncommit 2170a1f09148 (\"net: no longer reset transport_header in __netif_receive_skb_core()\").\n\nThis patch fixes the bpf helper by checking\nskb_transport_header_was_set(). The check is done just before\nskb-\u003etransport_header is used, to avoid breaking the existing bpf prog.\nThe WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:58.261Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3171a5e4622e915e94599a55f4964078bdec27e"
},
{
"url": "https://git.kernel.org/stable/c/97b876fa88322625228792cf7a5fd77531815a80"
},
{
"url": "https://git.kernel.org/stable/c/30ce906557a21adef4cba5901c8e995dc18263a9"
},
{
"url": "https://git.kernel.org/stable/c/1c30e4afc5507f0069cc09bd561e510e4d97fbf7"
},
{
"url": "https://git.kernel.org/stable/c/942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5"
},
{
"url": "https://git.kernel.org/stable/c/d946f3c98328171fa50ddb908593cf833587f725"
}
],
"title": "bpf: Check skb-\u003etransport_header is set in bpf_skb_check_mtu",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68363",
"datePublished": "2025-12-24T10:32:51.236Z",
"dateReserved": "2025-12-16T14:48:05.308Z",
"dateUpdated": "2026-01-11T16:29:58.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50702 (GCVE-0-2022-50702)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
vdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
vdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init()
Inject fault while probing module, if device_register() fails in
vdpasim_net_init() or vdpasim_blk_init(), but the refcount of kobject is
not decreased to 0, the name allocated in dev_set_name() is leaked.
Fix this by calling put_device(), so that name can be freed in
callback function kobject_cleanup().
(vdpa_sim_net)
unreferenced object 0xffff88807eebc370 (size 16):
comm "modprobe", pid 3848, jiffies 4362982860 (age 18.153s)
hex dump (first 16 bytes):
76 64 70 61 73 69 6d 5f 6e 65 74 00 6b 6b 6b a5 vdpasim_net.kkk.
backtrace:
[<ffffffff8174f19e>] __kmalloc_node_track_caller+0x4e/0x150
[<ffffffff81731d53>] kstrdup+0x33/0x60
[<ffffffff83a5d421>] kobject_set_name_vargs+0x41/0x110
[<ffffffff82d87aab>] dev_set_name+0xab/0xe0
[<ffffffff82d91a23>] device_add+0xe3/0x1a80
[<ffffffffa0270013>] 0xffffffffa0270013
[<ffffffff81001c27>] do_one_initcall+0x87/0x2e0
[<ffffffff813739cb>] do_init_module+0x1ab/0x640
[<ffffffff81379d20>] load_module+0x5d00/0x77f0
[<ffffffff8137bc40>] __do_sys_finit_module+0x110/0x1b0
[<ffffffff83c4d505>] do_syscall_64+0x35/0x80
[<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
(vdpa_sim_blk)
unreferenced object 0xffff8881070c1250 (size 16):
comm "modprobe", pid 6844, jiffies 4364069319 (age 17.572s)
hex dump (first 16 bytes):
76 64 70 61 73 69 6d 5f 62 6c 6b 00 6b 6b 6b a5 vdpasim_blk.kkk.
backtrace:
[<ffffffff8174f19e>] __kmalloc_node_track_caller+0x4e/0x150
[<ffffffff81731d53>] kstrdup+0x33/0x60
[<ffffffff83a5d421>] kobject_set_name_vargs+0x41/0x110
[<ffffffff82d87aab>] dev_set_name+0xab/0xe0
[<ffffffff82d91a23>] device_add+0xe3/0x1a80
[<ffffffffa0220013>] 0xffffffffa0220013
[<ffffffff81001c27>] do_one_initcall+0x87/0x2e0
[<ffffffff813739cb>] do_init_module+0x1ab/0x640
[<ffffffff81379d20>] load_module+0x5d00/0x77f0
[<ffffffff8137bc40>] __do_sys_finit_module+0x110/0x1b0
[<ffffffff83c4d505>] do_syscall_64+0x35/0x80
[<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a3c06ae158dd6fa8336157c31d9234689d068d02 , < 586e6fd7d581f987f7d0d2592edf0b26397e783e
(git)
Affected: a3c06ae158dd6fa8336157c31d9234689d068d02 , < 5be953e353fe421f2983e1fd37f07fba97edbffc (git) Affected: a3c06ae158dd6fa8336157c31d9234689d068d02 , < 337c24d817e28dd454ca22f1063dfad20822426e (git) Affected: a3c06ae158dd6fa8336157c31d9234689d068d02 , < aeca7ff254843d49a8739f07f7dab1341450111d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa_sim/vdpa_sim_blk.c",
"drivers/vdpa/vdpa_sim/vdpa_sim_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "586e6fd7d581f987f7d0d2592edf0b26397e783e",
"status": "affected",
"version": "a3c06ae158dd6fa8336157c31d9234689d068d02",
"versionType": "git"
},
{
"lessThan": "5be953e353fe421f2983e1fd37f07fba97edbffc",
"status": "affected",
"version": "a3c06ae158dd6fa8336157c31d9234689d068d02",
"versionType": "git"
},
{
"lessThan": "337c24d817e28dd454ca22f1063dfad20822426e",
"status": "affected",
"version": "a3c06ae158dd6fa8336157c31d9234689d068d02",
"versionType": "git"
},
{
"lessThan": "aeca7ff254843d49a8739f07f7dab1341450111d",
"status": "affected",
"version": "a3c06ae158dd6fa8336157c31d9234689d068d02",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa_sim/vdpa_sim_blk.c",
"drivers/vdpa/vdpa_sim/vdpa_sim_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init()\n\nInject fault while probing module, if device_register() fails in\nvdpasim_net_init() or vdpasim_blk_init(), but the refcount of kobject is\nnot decreased to 0, the name allocated in dev_set_name() is leaked.\nFix this by calling put_device(), so that name can be freed in\ncallback function kobject_cleanup().\n\n(vdpa_sim_net)\nunreferenced object 0xffff88807eebc370 (size 16):\n comm \"modprobe\", pid 3848, jiffies 4362982860 (age 18.153s)\n hex dump (first 16 bytes):\n 76 64 70 61 73 69 6d 5f 6e 65 74 00 6b 6b 6b a5 vdpasim_net.kkk.\n backtrace:\n [\u003cffffffff8174f19e\u003e] __kmalloc_node_track_caller+0x4e/0x150\n [\u003cffffffff81731d53\u003e] kstrdup+0x33/0x60\n [\u003cffffffff83a5d421\u003e] kobject_set_name_vargs+0x41/0x110\n [\u003cffffffff82d87aab\u003e] dev_set_name+0xab/0xe0\n [\u003cffffffff82d91a23\u003e] device_add+0xe3/0x1a80\n [\u003cffffffffa0270013\u003e] 0xffffffffa0270013\n [\u003cffffffff81001c27\u003e] do_one_initcall+0x87/0x2e0\n [\u003cffffffff813739cb\u003e] do_init_module+0x1ab/0x640\n [\u003cffffffff81379d20\u003e] load_module+0x5d00/0x77f0\n [\u003cffffffff8137bc40\u003e] __do_sys_finit_module+0x110/0x1b0\n [\u003cffffffff83c4d505\u003e] do_syscall_64+0x35/0x80\n [\u003cffffffff83e0006a\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\n(vdpa_sim_blk)\nunreferenced object 0xffff8881070c1250 (size 16):\n comm \"modprobe\", pid 6844, jiffies 4364069319 (age 17.572s)\n hex dump (first 16 bytes):\n 76 64 70 61 73 69 6d 5f 62 6c 6b 00 6b 6b 6b a5 vdpasim_blk.kkk.\n backtrace:\n [\u003cffffffff8174f19e\u003e] __kmalloc_node_track_caller+0x4e/0x150\n [\u003cffffffff81731d53\u003e] kstrdup+0x33/0x60\n [\u003cffffffff83a5d421\u003e] kobject_set_name_vargs+0x41/0x110\n [\u003cffffffff82d87aab\u003e] dev_set_name+0xab/0xe0\n [\u003cffffffff82d91a23\u003e] device_add+0xe3/0x1a80\n [\u003cffffffffa0220013\u003e] 0xffffffffa0220013\n [\u003cffffffff81001c27\u003e] do_one_initcall+0x87/0x2e0\n [\u003cffffffff813739cb\u003e] do_init_module+0x1ab/0x640\n [\u003cffffffff81379d20\u003e] load_module+0x5d00/0x77f0\n [\u003cffffffff8137bc40\u003e] __do_sys_finit_module+0x110/0x1b0\n [\u003cffffffff83c4d505\u003e] do_syscall_64+0x35/0x80\n [\u003cffffffff83e0006a\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:17.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/586e6fd7d581f987f7d0d2592edf0b26397e783e"
},
{
"url": "https://git.kernel.org/stable/c/5be953e353fe421f2983e1fd37f07fba97edbffc"
},
{
"url": "https://git.kernel.org/stable/c/337c24d817e28dd454ca22f1063dfad20822426e"
},
{
"url": "https://git.kernel.org/stable/c/aeca7ff254843d49a8739f07f7dab1341450111d"
}
],
"title": "vdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50702",
"datePublished": "2025-12-24T10:55:17.831Z",
"dateReserved": "2025-12-24T10:53:15.517Z",
"dateUpdated": "2025-12-24T10:55:17.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68353 (GCVE-0-2025-68353)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32
VLAI?
EPSS
Title
net: vxlan: prevent NULL deref in vxlan_xmit_one
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: vxlan: prevent NULL deref in vxlan_xmit_one
Neither sock4 nor sock6 pointers are guaranteed to be non-NULL in
vxlan_xmit_one, e.g. if the iface is brought down. This can lead to the
following NULL dereference:
BUG: kernel NULL pointer dereference, address: 0000000000000010
Oops: Oops: 0000 [#1] SMP NOPTI
RIP: 0010:vxlan_xmit_one+0xbb3/0x1580
Call Trace:
vxlan_xmit+0x429/0x610
dev_hard_start_xmit+0x55/0xa0
__dev_queue_xmit+0x6d0/0x7f0
ip_finish_output2+0x24b/0x590
ip_output+0x63/0x110
Mentioned commits changed the code path in vxlan_xmit_one and as a side
effect the sock4/6 pointer validity checks in vxlan(6)_get_route were
lost. Fix this by adding back checks.
Since both commits being fixed were released in the same version (v6.7)
and are strongly related, bundle the fixes in a single commit.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ac26aafdc8c7271414e2e7c0b2cb266a26591bc",
"status": "affected",
"version": "6f19b2c136d98a84d79030b53e23d405edfdc783",
"versionType": "git"
},
{
"lessThan": "1f73a56f986005f0bc64ed23873930e2ee4f5911",
"status": "affected",
"version": "6f19b2c136d98a84d79030b53e23d405edfdc783",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vxlan: prevent NULL deref in vxlan_xmit_one\n\nNeither sock4 nor sock6 pointers are guaranteed to be non-NULL in\nvxlan_xmit_one, e.g. if the iface is brought down. This can lead to the\nfollowing NULL dereference:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n Oops: Oops: 0000 [#1] SMP NOPTI\n RIP: 0010:vxlan_xmit_one+0xbb3/0x1580\n Call Trace:\n vxlan_xmit+0x429/0x610\n dev_hard_start_xmit+0x55/0xa0\n __dev_queue_xmit+0x6d0/0x7f0\n ip_finish_output2+0x24b/0x590\n ip_output+0x63/0x110\n\nMentioned commits changed the code path in vxlan_xmit_one and as a side\neffect the sock4/6 pointer validity checks in vxlan(6)_get_route were\nlost. Fix this by adding back checks.\n\nSince both commits being fixed were released in the same version (v6.7)\nand are strongly related, bundle the fixes in a single commit."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:32:44.068Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ac26aafdc8c7271414e2e7c0b2cb266a26591bc"
},
{
"url": "https://git.kernel.org/stable/c/1f73a56f986005f0bc64ed23873930e2ee4f5911"
}
],
"title": "net: vxlan: prevent NULL deref in vxlan_xmit_one",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68353",
"datePublished": "2025-12-24T10:32:44.068Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2025-12-24T10:32:44.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54024 (GCVE-0-2023-54024)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
KVM: Destroy target device if coalesced MMIO unregistration fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: Destroy target device if coalesced MMIO unregistration fails
Destroy and free the target coalesced MMIO device if unregistering said
device fails. As clearly noted in the code, kvm_io_bus_unregister_dev()
does not destroy the target device.
BUG: memory leak
unreferenced object 0xffff888112a54880 (size 64):
comm "syz-executor.2", pid 5258, jiffies 4297861402 (age 14.129s)
hex dump (first 32 bytes):
38 c7 67 15 00 c9 ff ff 38 c7 67 15 00 c9 ff ff 8.g.....8.g.....
e0 c7 e1 83 ff ff ff ff 00 30 67 15 00 c9 ff ff .........0g.....
backtrace:
[<0000000006995a8a>] kmalloc include/linux/slab.h:556 [inline]
[<0000000006995a8a>] kzalloc include/linux/slab.h:690 [inline]
[<0000000006995a8a>] kvm_vm_ioctl_register_coalesced_mmio+0x8e/0x3d0 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:150
[<00000000022550c2>] kvm_vm_ioctl+0x47d/0x1600 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3323
[<000000008a75102f>] vfs_ioctl fs/ioctl.c:46 [inline]
[<000000008a75102f>] file_ioctl fs/ioctl.c:509 [inline]
[<000000008a75102f>] do_vfs_ioctl+0xbab/0x1160 fs/ioctl.c:696
[<0000000080e3f669>] ksys_ioctl+0x76/0xa0 fs/ioctl.c:713
[<0000000059ef4888>] __do_sys_ioctl fs/ioctl.c:720 [inline]
[<0000000059ef4888>] __se_sys_ioctl fs/ioctl.c:718 [inline]
[<0000000059ef4888>] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
[<000000006444fa05>] do_syscall_64+0x9f/0x4e0 arch/x86/entry/common.c:290
[<000000009a4ed50b>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
BUG: leak checking failed
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7d1bc32d6477ff96a32695ea4be8144e4513ab2d , < 10c2a20d73e99463e69b7e92706791656adc16d7
(git)
Affected: 2a20592baff59c5351c5200ec667e1a2aa22af85 , < 76a9886e1b61ce5592df5ae78a19ed30399ae189 (git) Affected: 5d3c4c79384af06e3c8e25b7770b6247496b4417 , < 999439fd5da5a76253e2f2c37b94204f47d75491 (git) Affected: 5d3c4c79384af06e3c8e25b7770b6247496b4417 , < ccf6a7fb1aedb1472e1241ee55e4d26b68f8d066 (git) Affected: 5d3c4c79384af06e3c8e25b7770b6247496b4417 , < fb436dd6914325075f07d19851ab277b7a693ae7 (git) Affected: 5d3c4c79384af06e3c8e25b7770b6247496b4417 , < b1cb1fac22abf102ffeb29dd3eeca208a3869d54 (git) Affected: 168e82f640ed1891a700bdb43e37da354b2ab63c (git) Affected: 50cbad42bfea8c052b7ca590bd4126cdc898713c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"virt/kvm/coalesced_mmio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "10c2a20d73e99463e69b7e92706791656adc16d7",
"status": "affected",
"version": "7d1bc32d6477ff96a32695ea4be8144e4513ab2d",
"versionType": "git"
},
{
"lessThan": "76a9886e1b61ce5592df5ae78a19ed30399ae189",
"status": "affected",
"version": "2a20592baff59c5351c5200ec667e1a2aa22af85",
"versionType": "git"
},
{
"lessThan": "999439fd5da5a76253e2f2c37b94204f47d75491",
"status": "affected",
"version": "5d3c4c79384af06e3c8e25b7770b6247496b4417",
"versionType": "git"
},
{
"lessThan": "ccf6a7fb1aedb1472e1241ee55e4d26b68f8d066",
"status": "affected",
"version": "5d3c4c79384af06e3c8e25b7770b6247496b4417",
"versionType": "git"
},
{
"lessThan": "fb436dd6914325075f07d19851ab277b7a693ae7",
"status": "affected",
"version": "5d3c4c79384af06e3c8e25b7770b6247496b4417",
"versionType": "git"
},
{
"lessThan": "b1cb1fac22abf102ffeb29dd3eeca208a3869d54",
"status": "affected",
"version": "5d3c4c79384af06e3c8e25b7770b6247496b4417",
"versionType": "git"
},
{
"status": "affected",
"version": "168e82f640ed1891a700bdb43e37da354b2ab63c",
"versionType": "git"
},
{
"status": "affected",
"version": "50cbad42bfea8c052b7ca590bd4126cdc898713c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"virt/kvm/coalesced_mmio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "5.4.119",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.10.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.12.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Destroy target device if coalesced MMIO unregistration fails\n\nDestroy and free the target coalesced MMIO device if unregistering said\ndevice fails. As clearly noted in the code, kvm_io_bus_unregister_dev()\ndoes not destroy the target device.\n\n BUG: memory leak\n unreferenced object 0xffff888112a54880 (size 64):\n comm \"syz-executor.2\", pid 5258, jiffies 4297861402 (age 14.129s)\n hex dump (first 32 bytes):\n 38 c7 67 15 00 c9 ff ff 38 c7 67 15 00 c9 ff ff 8.g.....8.g.....\n e0 c7 e1 83 ff ff ff ff 00 30 67 15 00 c9 ff ff .........0g.....\n backtrace:\n [\u003c0000000006995a8a\u003e] kmalloc include/linux/slab.h:556 [inline]\n [\u003c0000000006995a8a\u003e] kzalloc include/linux/slab.h:690 [inline]\n [\u003c0000000006995a8a\u003e] kvm_vm_ioctl_register_coalesced_mmio+0x8e/0x3d0 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:150\n [\u003c00000000022550c2\u003e] kvm_vm_ioctl+0x47d/0x1600 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3323\n [\u003c000000008a75102f\u003e] vfs_ioctl fs/ioctl.c:46 [inline]\n [\u003c000000008a75102f\u003e] file_ioctl fs/ioctl.c:509 [inline]\n [\u003c000000008a75102f\u003e] do_vfs_ioctl+0xbab/0x1160 fs/ioctl.c:696\n [\u003c0000000080e3f669\u003e] ksys_ioctl+0x76/0xa0 fs/ioctl.c:713\n [\u003c0000000059ef4888\u003e] __do_sys_ioctl fs/ioctl.c:720 [inline]\n [\u003c0000000059ef4888\u003e] __se_sys_ioctl fs/ioctl.c:718 [inline]\n [\u003c0000000059ef4888\u003e] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718\n [\u003c000000006444fa05\u003e] do_syscall_64+0x9f/0x4e0 arch/x86/entry/common.c:290\n [\u003c000000009a4ed50b\u003e] entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\n BUG: leak checking failed"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:53.718Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/10c2a20d73e99463e69b7e92706791656adc16d7"
},
{
"url": "https://git.kernel.org/stable/c/76a9886e1b61ce5592df5ae78a19ed30399ae189"
},
{
"url": "https://git.kernel.org/stable/c/999439fd5da5a76253e2f2c37b94204f47d75491"
},
{
"url": "https://git.kernel.org/stable/c/ccf6a7fb1aedb1472e1241ee55e4d26b68f8d066"
},
{
"url": "https://git.kernel.org/stable/c/fb436dd6914325075f07d19851ab277b7a693ae7"
},
{
"url": "https://git.kernel.org/stable/c/b1cb1fac22abf102ffeb29dd3eeca208a3869d54"
}
],
"title": "KVM: Destroy target device if coalesced MMIO unregistration fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54024",
"datePublished": "2025-12-24T10:55:53.718Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2025-12-24T10:55:53.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50699 (GCVE-0-2022-50699)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()
Summary
In the Linux kernel, the following vulnerability has been resolved:
selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()
The following warning was triggered on a hardware environment:
SELinux: Converting 162 SID table entries...
BUG: sleeping function called from invalid context at
__might_sleep+0x60/0x74 0x0
in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar
CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1
Call trace:
dump_backtrace+0x0/0x1c8
show_stack+0x18/0x28
dump_stack+0xe8/0x15c
___might_sleep+0x168/0x17c
__might_sleep+0x60/0x74
__kmalloc_track_caller+0xa0/0x7dc
kstrdup+0x54/0xac
convert_context+0x48/0x2e4
sidtab_context_to_sid+0x1c4/0x36c
security_context_to_sid_core+0x168/0x238
security_context_to_sid_default+0x14/0x24
inode_doinit_use_xattr+0x164/0x1e4
inode_doinit_with_dentry+0x1c0/0x488
selinux_d_instantiate+0x20/0x34
security_d_instantiate+0x70/0xbc
d_splice_alias+0x4c/0x3c0
ext4_lookup+0x1d8/0x200 [ext4]
__lookup_slow+0x12c/0x1e4
walk_component+0x100/0x200
path_lookupat+0x88/0x118
filename_lookup+0x98/0x130
user_path_at_empty+0x48/0x60
vfs_statx+0x84/0x140
vfs_fstatat+0x20/0x30
__se_sys_newfstatat+0x30/0x74
__arm64_sys_newfstatat+0x1c/0x2c
el0_svc_common.constprop.0+0x100/0x184
do_el0_svc+0x1c/0x2c
el0_svc+0x20/0x34
el0_sync_handler+0x80/0x17c
el0_sync+0x13c/0x140
SELinux: Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is
not valid (left unmapped).
It was found that within a critical section of spin_lock_irqsave in
sidtab_context_to_sid(), convert_context() (hooked by
sidtab_convert_params.func) might cause the process to sleep via
allocating memory with GFP_KERNEL, which is problematic.
As Ondrej pointed out [1], convert_context()/sidtab_convert_params.func
has another caller sidtab_convert_tree(), which is okay with GFP_KERNEL.
Therefore, fix this problem by adding a gfp_t argument for
convert_context()/sidtab_convert_params.func and pass GFP_KERNEL/_ATOMIC
properly in individual callers.
[PM: wrap long BUG() output lines, tweak subject line]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d , < 2723875e9d677401d775a03a72abab7e9538c20c
(git)
Affected: ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d , < 3006766d247bc93a25b34e92fff2f75bda597e2e (git) Affected: ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d , < 277378631d26477451424cc73982b977961f3d8b (git) Affected: ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d , < abe3c631447dcd1ba7af972fe6f054bee6f136fa (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/selinux/ss/services.c",
"security/selinux/ss/sidtab.c",
"security/selinux/ss/sidtab.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2723875e9d677401d775a03a72abab7e9538c20c",
"status": "affected",
"version": "ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d",
"versionType": "git"
},
{
"lessThan": "3006766d247bc93a25b34e92fff2f75bda597e2e",
"status": "affected",
"version": "ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d",
"versionType": "git"
},
{
"lessThan": "277378631d26477451424cc73982b977961f3d8b",
"status": "affected",
"version": "ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d",
"versionType": "git"
},
{
"lessThan": "abe3c631447dcd1ba7af972fe6f054bee6f136fa",
"status": "affected",
"version": "ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/selinux/ss/services.c",
"security/selinux/ss/sidtab.c",
"security/selinux/ss/sidtab.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.152",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.152",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()\n\nThe following warning was triggered on a hardware environment:\n\n SELinux: Converting 162 SID table entries...\n BUG: sleeping function called from invalid context at\n __might_sleep+0x60/0x74 0x0\n in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar\n CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1\n Call trace:\n dump_backtrace+0x0/0x1c8\n show_stack+0x18/0x28\n dump_stack+0xe8/0x15c\n ___might_sleep+0x168/0x17c\n __might_sleep+0x60/0x74\n __kmalloc_track_caller+0xa0/0x7dc\n kstrdup+0x54/0xac\n convert_context+0x48/0x2e4\n sidtab_context_to_sid+0x1c4/0x36c\n security_context_to_sid_core+0x168/0x238\n security_context_to_sid_default+0x14/0x24\n inode_doinit_use_xattr+0x164/0x1e4\n inode_doinit_with_dentry+0x1c0/0x488\n selinux_d_instantiate+0x20/0x34\n security_d_instantiate+0x70/0xbc\n d_splice_alias+0x4c/0x3c0\n ext4_lookup+0x1d8/0x200 [ext4]\n __lookup_slow+0x12c/0x1e4\n walk_component+0x100/0x200\n path_lookupat+0x88/0x118\n filename_lookup+0x98/0x130\n user_path_at_empty+0x48/0x60\n vfs_statx+0x84/0x140\n vfs_fstatat+0x20/0x30\n __se_sys_newfstatat+0x30/0x74\n __arm64_sys_newfstatat+0x1c/0x2c\n el0_svc_common.constprop.0+0x100/0x184\n do_el0_svc+0x1c/0x2c\n el0_svc+0x20/0x34\n el0_sync_handler+0x80/0x17c\n el0_sync+0x13c/0x140\n SELinux: Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is\n not valid (left unmapped).\n\nIt was found that within a critical section of spin_lock_irqsave in\nsidtab_context_to_sid(), convert_context() (hooked by\nsidtab_convert_params.func) might cause the process to sleep via\nallocating memory with GFP_KERNEL, which is problematic.\n\nAs Ondrej pointed out [1], convert_context()/sidtab_convert_params.func\nhas another caller sidtab_convert_tree(), which is okay with GFP_KERNEL.\nTherefore, fix this problem by adding a gfp_t argument for\nconvert_context()/sidtab_convert_params.func and pass GFP_KERNEL/_ATOMIC\nproperly in individual callers.\n\n[PM: wrap long BUG() output lines, tweak subject line]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:15.468Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2723875e9d677401d775a03a72abab7e9538c20c"
},
{
"url": "https://git.kernel.org/stable/c/3006766d247bc93a25b34e92fff2f75bda597e2e"
},
{
"url": "https://git.kernel.org/stable/c/277378631d26477451424cc73982b977961f3d8b"
},
{
"url": "https://git.kernel.org/stable/c/abe3c631447dcd1ba7af972fe6f054bee6f136fa"
}
],
"title": "selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50699",
"datePublished": "2025-12-24T10:55:15.468Z",
"dateReserved": "2025-12-24T10:53:15.517Z",
"dateUpdated": "2025-12-24T10:55:15.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68365 (GCVE-0-2025-68365)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32
VLAI?
EPSS
Title
fs/ntfs3: Initialize allocated memory before use
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Initialize allocated memory before use
KMSAN reports: Multiple uninitialized values detected:
- KMSAN: uninit-value in ntfs_read_hdr (3)
- KMSAN: uninit-value in bcmp (3)
Memory is allocated by __getname(), which is a wrapper for
kmem_cache_alloc(). This memory is used before being properly
cleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to
properly allocate and clear memory before use.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "192e8ce302f14ac66259231dd10cede19858d742",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "a8a3ca23bbd9d849308a7921a049330dc6c91398",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Initialize allocated memory before use\n\nKMSAN reports: Multiple uninitialized values detected:\n\n- KMSAN: uninit-value in ntfs_read_hdr (3)\n- KMSAN: uninit-value in bcmp (3)\n\nMemory is allocated by __getname(), which is a wrapper for\nkmem_cache_alloc(). This memory is used before being properly\ncleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to\nproperly allocate and clear memory before use."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:32:52.728Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/192e8ce302f14ac66259231dd10cede19858d742"
},
{
"url": "https://git.kernel.org/stable/c/a8a3ca23bbd9d849308a7921a049330dc6c91398"
}
],
"title": "fs/ntfs3: Initialize allocated memory before use",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68365",
"datePublished": "2025-12-24T10:32:52.728Z",
"dateReserved": "2025-12-16T14:48:05.308Z",
"dateUpdated": "2025-12-24T10:32:52.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54026 (GCVE-0-2023-54026)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
opp: Fix use-after-free in lazy_opp_tables after probe deferral
Summary
In the Linux kernel, the following vulnerability has been resolved:
opp: Fix use-after-free in lazy_opp_tables after probe deferral
When dev_pm_opp_of_find_icc_paths() in _allocate_opp_table() returns
-EPROBE_DEFER, the opp_table is freed again, to wait until all the
interconnect paths are available.
However, if the OPP table is using required-opps then it may already
have been added to the global lazy_opp_tables list. The error path
does not remove the opp_table from the list again.
This can cause crashes later when the provider of the required-opps
is added, since we will iterate over OPP tables that have already been
freed. E.g.:
Unable to handle kernel NULL pointer dereference when read
CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.4.0-rc3
PC is at _of_add_opp_table_v2 (include/linux/of.h:949
drivers/opp/of.c:98 drivers/opp/of.c:344 drivers/opp/of.c:404
drivers/opp/of.c:1032) -> lazy_link_required_opp_table()
Fix this by calling _of_clear_opp_table() to remove the opp_table from
the list and clear other allocated resources. While at it, also add the
missing mutex_destroy() calls in the error path.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7eba0c7641b0009818e469dbfcdd87a0155ab9d4 , < 39a0e723d3502f6dc4c603f57ebe8dc7bcc4a4bc
(git)
Affected: 7eba0c7641b0009818e469dbfcdd87a0155ab9d4 , < 76ab057de777723ec924654502d1a260ba7d7d54 (git) Affected: 7eba0c7641b0009818e469dbfcdd87a0155ab9d4 , < c05e76d6b249e5254c31994eedd06dd3cc90dee0 (git) Affected: 7eba0c7641b0009818e469dbfcdd87a0155ab9d4 , < b2a2ab039bd58f51355e33d7d3fc64605d7f870d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/opp/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "39a0e723d3502f6dc4c603f57ebe8dc7bcc4a4bc",
"status": "affected",
"version": "7eba0c7641b0009818e469dbfcdd87a0155ab9d4",
"versionType": "git"
},
{
"lessThan": "76ab057de777723ec924654502d1a260ba7d7d54",
"status": "affected",
"version": "7eba0c7641b0009818e469dbfcdd87a0155ab9d4",
"versionType": "git"
},
{
"lessThan": "c05e76d6b249e5254c31994eedd06dd3cc90dee0",
"status": "affected",
"version": "7eba0c7641b0009818e469dbfcdd87a0155ab9d4",
"versionType": "git"
},
{
"lessThan": "b2a2ab039bd58f51355e33d7d3fc64605d7f870d",
"status": "affected",
"version": "7eba0c7641b0009818e469dbfcdd87a0155ab9d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/opp/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopp: Fix use-after-free in lazy_opp_tables after probe deferral\n\nWhen dev_pm_opp_of_find_icc_paths() in _allocate_opp_table() returns\n-EPROBE_DEFER, the opp_table is freed again, to wait until all the\ninterconnect paths are available.\n\nHowever, if the OPP table is using required-opps then it may already\nhave been added to the global lazy_opp_tables list. The error path\ndoes not remove the opp_table from the list again.\n\nThis can cause crashes later when the provider of the required-opps\nis added, since we will iterate over OPP tables that have already been\nfreed. E.g.:\n\n Unable to handle kernel NULL pointer dereference when read\n CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.4.0-rc3\n PC is at _of_add_opp_table_v2 (include/linux/of.h:949\n drivers/opp/of.c:98 drivers/opp/of.c:344 drivers/opp/of.c:404\n drivers/opp/of.c:1032) -\u003e lazy_link_required_opp_table()\n\nFix this by calling _of_clear_opp_table() to remove the opp_table from\nthe list and clear other allocated resources. While at it, also add the\nmissing mutex_destroy() calls in the error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:55.182Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/39a0e723d3502f6dc4c603f57ebe8dc7bcc4a4bc"
},
{
"url": "https://git.kernel.org/stable/c/76ab057de777723ec924654502d1a260ba7d7d54"
},
{
"url": "https://git.kernel.org/stable/c/c05e76d6b249e5254c31994eedd06dd3cc90dee0"
},
{
"url": "https://git.kernel.org/stable/c/b2a2ab039bd58f51355e33d7d3fc64605d7f870d"
}
],
"title": "opp: Fix use-after-free in lazy_opp_tables after probe deferral",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54026",
"datePublished": "2025-12-24T10:55:55.182Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2025-12-24T10:55:55.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54036 (GCVE-0-2023-54036)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
wifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU
The wifi + bluetooth combo chip RTL8723BU can leak memory (especially?)
when it's connected to a bluetooth audio device. The busy bluetooth
traffic generates lots of C2H (card to host) messages, which are not
freed correctly.
To fix this, move the dev_kfree_skb() call in rtl8xxxu_c2hcmd_callback()
inside the loop where skb_dequeue() is called.
The RTL8192EU leaks memory because the C2H messages are added to the
queue and left there forever. (This was fine in the past because it
probably wasn't sending any C2H messages until commit e542e66b7c2e
("wifi: rtl8xxxu: gen2: Turn on the rate control"). Since that commit
it sends a C2H message when the TX rate changes.)
To fix this, delete the check for rf_paths > 1 and the goto. Let the
function process the C2H messages from RTL8192EU like the ones from
the other chips.
Theoretically the RTL8188FU could also leak like RTL8723BU, but it
most likely doesn't send C2H messages frequently enough.
This change was tested with RTL8723BU by Erhard F. I tested it with
RTL8188FU and RTL8192EU.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 , < 430f9f9bec53a75f9ccc53e156a66f13fc098b83
(git)
Affected: e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 , < 35fb0e275af1aa1ca0a9784417e90f988aaf8e78 (git) Affected: e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 , < 93c3f34ec02fc81188d328287d4fddd498ccddea (git) Affected: e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 , < f39a86b4efd270947ee252cc32a30b0aef492d65 (git) Affected: e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 , < b39f662ce1648db0b9de32e6a849b098480793cb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "430f9f9bec53a75f9ccc53e156a66f13fc098b83",
"status": "affected",
"version": "e542e66b7c2ee2adeefdbb7f259f2f60cadf2819",
"versionType": "git"
},
{
"lessThan": "35fb0e275af1aa1ca0a9784417e90f988aaf8e78",
"status": "affected",
"version": "e542e66b7c2ee2adeefdbb7f259f2f60cadf2819",
"versionType": "git"
},
{
"lessThan": "93c3f34ec02fc81188d328287d4fddd498ccddea",
"status": "affected",
"version": "e542e66b7c2ee2adeefdbb7f259f2f60cadf2819",
"versionType": "git"
},
{
"lessThan": "f39a86b4efd270947ee252cc32a30b0aef492d65",
"status": "affected",
"version": "e542e66b7c2ee2adeefdbb7f259f2f60cadf2819",
"versionType": "git"
},
{
"lessThan": "b39f662ce1648db0b9de32e6a849b098480793cb",
"status": "affected",
"version": "e542e66b7c2ee2adeefdbb7f259f2f60cadf2819",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU\n\nThe wifi + bluetooth combo chip RTL8723BU can leak memory (especially?)\nwhen it\u0027s connected to a bluetooth audio device. The busy bluetooth\ntraffic generates lots of C2H (card to host) messages, which are not\nfreed correctly.\n\nTo fix this, move the dev_kfree_skb() call in rtl8xxxu_c2hcmd_callback()\ninside the loop where skb_dequeue() is called.\n\nThe RTL8192EU leaks memory because the C2H messages are added to the\nqueue and left there forever. (This was fine in the past because it\nprobably wasn\u0027t sending any C2H messages until commit e542e66b7c2e\n(\"wifi: rtl8xxxu: gen2: Turn on the rate control\"). Since that commit\nit sends a C2H message when the TX rate changes.)\n\nTo fix this, delete the check for rf_paths \u003e 1 and the goto. Let the\nfunction process the C2H messages from RTL8192EU like the ones from\nthe other chips.\n\nTheoretically the RTL8188FU could also leak like RTL8723BU, but it\nmost likely doesn\u0027t send C2H messages frequently enough.\n\nThis change was tested with RTL8723BU by Erhard F. I tested it with\nRTL8188FU and RTL8192EU."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:03.215Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/430f9f9bec53a75f9ccc53e156a66f13fc098b83"
},
{
"url": "https://git.kernel.org/stable/c/35fb0e275af1aa1ca0a9784417e90f988aaf8e78"
},
{
"url": "https://git.kernel.org/stable/c/93c3f34ec02fc81188d328287d4fddd498ccddea"
},
{
"url": "https://git.kernel.org/stable/c/f39a86b4efd270947ee252cc32a30b0aef492d65"
},
{
"url": "https://git.kernel.org/stable/c/b39f662ce1648db0b9de32e6a849b098480793cb"
}
],
"title": "wifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54036",
"datePublished": "2025-12-24T10:56:03.215Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:56:03.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68377 (GCVE-0-2025-68377)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2025-12-24 10:33
VLAI?
EPSS
Title
ns: initialize ns_list_node for initial namespaces
Summary
In the Linux kernel, the following vulnerability has been resolved:
ns: initialize ns_list_node for initial namespaces
Make sure that the list is always initialized for initial namespaces.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/ns_common.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e31c902d785411eb4a246fba2e8a32aa59d33ce2",
"status": "affected",
"version": "885fc8ac0a4dc70f5d87b80b0977292870e35c60",
"versionType": "git"
},
{
"lessThan": "3dd50c58664e2684bd610a57bf3ab713cbb0ea91",
"status": "affected",
"version": "885fc8ac0a4dc70f5d87b80b0977292870e35c60",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/ns_common.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nns: initialize ns_list_node for initial namespaces\n\nMake sure that the list is always initialized for initial namespaces."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:33:06.174Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e31c902d785411eb4a246fba2e8a32aa59d33ce2"
},
{
"url": "https://git.kernel.org/stable/c/3dd50c58664e2684bd610a57bf3ab713cbb0ea91"
}
],
"title": "ns: initialize ns_list_node for initial namespaces",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68377",
"datePublished": "2025-12-24T10:33:06.174Z",
"dateReserved": "2025-12-16T14:48:05.311Z",
"dateUpdated": "2025-12-24T10:33:06.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68346 (GCVE-0-2025-68346)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:29
VLAI?
EPSS
Title
ALSA: dice: fix buffer overflow in detect_stream_formats()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: dice: fix buffer overflow in detect_stream_formats()
The function detect_stream_formats() reads the stream_count value directly
from a FireWire device without validating it. This can lead to
out-of-bounds writes when a malicious device provides a stream_count value
greater than MAX_STREAMS.
Fix by applying the same validation to both TX and RX stream counts in
detect_stream_formats().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4
(git)
Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0 (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6 (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 932aa1e80b022419cf9710e970739b7a8794f27c (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9 (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 324f3e03e8a85931ce0880654e3c3eb38b0f0bba (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/dice/dice-extension.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "932aa1e80b022419cf9710e970739b7a8794f27c",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "324f3e03e8a85931ce0880654e3c3eb38b0f0bba",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/dice/dice-extension.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: dice: fix buffer overflow in detect_stream_formats()\n\nThe function detect_stream_formats() reads the stream_count value directly\nfrom a FireWire device without validating it. This can lead to\nout-of-bounds writes when a malicious device provides a stream_count value\ngreater than MAX_STREAMS.\n\nFix by applying the same validation to both TX and RX stream counts in\ndetect_stream_formats()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:51.119Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4"
},
{
"url": "https://git.kernel.org/stable/c/dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0"
},
{
"url": "https://git.kernel.org/stable/c/c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6"
},
{
"url": "https://git.kernel.org/stable/c/932aa1e80b022419cf9710e970739b7a8794f27c"
},
{
"url": "https://git.kernel.org/stable/c/1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9"
},
{
"url": "https://git.kernel.org/stable/c/324f3e03e8a85931ce0880654e3c3eb38b0f0bba"
}
],
"title": "ALSA: dice: fix buffer overflow in detect_stream_formats()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68346",
"datePublished": "2025-12-24T10:32:39.101Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-01-11T16:29:51.119Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54030 (GCVE-0-2023-54030)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
io_uring/net: don't overflow multishot recv
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/net: don't overflow multishot recv
Don't allow overflowing multishot recv CQEs, it might get out of
hand, hurt performance, and in the worst case scenario OOM the task.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1e2db9837be7d24a2a74eb3f3906d0872bee8907",
"status": "affected",
"version": "b3fdea6ecb55c3ceea866ff66486927e51a982b3",
"versionType": "git"
},
{
"lessThan": "b2e74db55dd93d6db22a813c9a775b5dbf87c560",
"status": "affected",
"version": "b3fdea6ecb55c3ceea866ff66486927e51a982b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: don\u0027t overflow multishot recv\n\nDon\u0027t allow overflowing multishot recv CQEs, it might get out of\nhand, hurt performance, and in the worst case scenario OOM the task."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:58.124Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1e2db9837be7d24a2a74eb3f3906d0872bee8907"
},
{
"url": "https://git.kernel.org/stable/c/b2e74db55dd93d6db22a813c9a775b5dbf87c560"
}
],
"title": "io_uring/net: don\u0027t overflow multishot recv",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54030",
"datePublished": "2025-12-24T10:55:58.124Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:55:58.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54019 (GCVE-0-2023-54019)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
sched/psi: use kernfs polling functions for PSI trigger polling
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/psi: use kernfs polling functions for PSI trigger polling
Destroying psi trigger in cgroup_file_release causes UAF issues when
a cgroup is removed from under a polling process. This is happening
because cgroup removal causes a call to cgroup_file_release while the
actual file is still alive. Destroying the trigger at this point would
also destroy its waitqueue head and if there is still a polling process
on that file accessing the waitqueue, it will step on the freed pointer:
do_select
vfs_poll
do_rmdir
cgroup_rmdir
kernfs_drain_open_files
cgroup_file_release
cgroup_pressure_release
psi_trigger_destroy
wake_up_pollfree(&t->event_wait)
// vfs_poll is unblocked
synchronize_rcu
kfree(t)
poll_freewait -> UAF access to the trigger's waitqueue head
Patch [1] fixed this issue for epoll() case using wake_up_pollfree(),
however the same issue exists for synchronous poll() case.
The root cause of this issue is that the lifecycles of the psi trigger's
waitqueue and of the file associated with the trigger are different. Fix
this by using kernfs_generic_poll function when polling on cgroup-specific
psi triggers. It internally uses kernfs_open_node->poll waitqueue head
with its lifecycle tied to the file's lifecycle. This also renders the
fix in [1] obsolete, so revert it.
[1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()")
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0e94682b73bfa6c44c98af7a26771c9c08c055d5 , < 92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a
(git)
Affected: 0e94682b73bfa6c44c98af7a26771c9c08c055d5 , < d124ab17024cc85a1079b7810a018a497ebc13da (git) Affected: 0e94682b73bfa6c44c98af7a26771c9c08c055d5 , < aff037078ecaecf34a7c2afab1341815f90fba5e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/psi.h",
"include/linux/psi_types.h",
"kernel/cgroup/cgroup.c",
"kernel/sched/psi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a",
"status": "affected",
"version": "0e94682b73bfa6c44c98af7a26771c9c08c055d5",
"versionType": "git"
},
{
"lessThan": "d124ab17024cc85a1079b7810a018a497ebc13da",
"status": "affected",
"version": "0e94682b73bfa6c44c98af7a26771c9c08c055d5",
"versionType": "git"
},
{
"lessThan": "aff037078ecaecf34a7c2afab1341815f90fba5e",
"status": "affected",
"version": "0e94682b73bfa6c44c98af7a26771c9c08c055d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/psi.h",
"include/linux/psi_types.h",
"kernel/cgroup/cgroup.c",
"kernel/sched/psi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: use kernfs polling functions for PSI trigger polling\n\nDestroying psi trigger in cgroup_file_release causes UAF issues when\na cgroup is removed from under a polling process. This is happening\nbecause cgroup removal causes a call to cgroup_file_release while the\nactual file is still alive. Destroying the trigger at this point would\nalso destroy its waitqueue head and if there is still a polling process\non that file accessing the waitqueue, it will step on the freed pointer:\n\ndo_select\n vfs_poll\n do_rmdir\n cgroup_rmdir\n kernfs_drain_open_files\n cgroup_file_release\n cgroup_pressure_release\n psi_trigger_destroy\n wake_up_pollfree(\u0026t-\u003eevent_wait)\n// vfs_poll is unblocked\n synchronize_rcu\n kfree(t)\n poll_freewait -\u003e UAF access to the trigger\u0027s waitqueue head\n\nPatch [1] fixed this issue for epoll() case using wake_up_pollfree(),\nhowever the same issue exists for synchronous poll() case.\nThe root cause of this issue is that the lifecycles of the psi trigger\u0027s\nwaitqueue and of the file associated with the trigger are different. Fix\nthis by using kernfs_generic_poll function when polling on cgroup-specific\npsi triggers. It internally uses kernfs_open_node-\u003epoll waitqueue head\nwith its lifecycle tied to the file\u0027s lifecycle. This also renders the\nfix in [1] obsolete, so revert it.\n\n[1] commit c2dbe32d5db5 (\"sched/psi: Fix use-after-free in ep_remove_wait_queue()\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:49.840Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a"
},
{
"url": "https://git.kernel.org/stable/c/d124ab17024cc85a1079b7810a018a497ebc13da"
},
{
"url": "https://git.kernel.org/stable/c/aff037078ecaecf34a7c2afab1341815f90fba5e"
}
],
"title": "sched/psi: use kernfs polling functions for PSI trigger polling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54019",
"datePublished": "2025-12-24T10:55:49.840Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2025-12-24T10:55:49.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54037 (GCVE-0-2023-54037)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
ice: prevent NULL pointer deref during reload
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: prevent NULL pointer deref during reload
Calling ethtool during reload can lead to call trace, because VSI isn't
configured for some time, but netdev is alive.
To fix it add rtnl lock for VSI deconfig and config. Set ::num_q_vectors
to 0 after freeing and add a check for ::tx/rx_rings in ring related
ethtool ops.
Add proper unroll of filters in ice_start_eth().
Reproduction:
$watch -n 0.1 -d 'ethtool -g enp24s0f0np0'
$devlink dev reload pci/0000:18:00.0 action driver_reinit
Call trace before fix:
[66303.926205] BUG: kernel NULL pointer dereference, address: 0000000000000000
[66303.926259] #PF: supervisor read access in kernel mode
[66303.926286] #PF: error_code(0x0000) - not-present page
[66303.926311] PGD 0 P4D 0
[66303.926332] Oops: 0000 [#1] PREEMPT SMP PTI
[66303.926358] CPU: 4 PID: 933821 Comm: ethtool Kdump: loaded Tainted: G OE 6.4.0-rc5+ #1
[66303.926400] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.00.01.0014.070920180847 07/09/2018
[66303.926446] RIP: 0010:ice_get_ringparam+0x22/0x50 [ice]
[66303.926649] Code: 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 87 c0 09 00 00 c7 46 04 e0 1f 00 00 c7 46 10 e0 1f 00 00 48 8b 50 20 <48> 8b 12 0f b7 52 3a 89 56 14 48 8b 40 28 48 8b 00 0f b7 40 58 48
[66303.926722] RSP: 0018:ffffad40472f39c8 EFLAGS: 00010246
[66303.926749] RAX: ffff98a8ada05828 RBX: ffff98a8c46dd060 RCX: ffffad40472f3b48
[66303.926781] RDX: 0000000000000000 RSI: ffff98a8c46dd068 RDI: ffff98a8b23c4000
[66303.926811] RBP: ffffad40472f3b48 R08: 00000000000337b0 R09: 0000000000000000
[66303.926843] R10: 0000000000000001 R11: 0000000000000100 R12: ffff98a8b23c4000
[66303.926874] R13: ffff98a8c46dd060 R14: 000000000000000f R15: ffffad40472f3a50
[66303.926906] FS: 00007f6397966740(0000) GS:ffff98b390900000(0000) knlGS:0000000000000000
[66303.926941] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[66303.926967] CR2: 0000000000000000 CR3: 000000011ac20002 CR4: 00000000007706e0
[66303.926999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[66303.927029] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[66303.927060] PKRU: 55555554
[66303.927075] Call Trace:
[66303.927094] <TASK>
[66303.927111] ? __die+0x23/0x70
[66303.927140] ? page_fault_oops+0x171/0x4e0
[66303.927176] ? exc_page_fault+0x7f/0x180
[66303.927209] ? asm_exc_page_fault+0x26/0x30
[66303.927244] ? ice_get_ringparam+0x22/0x50 [ice]
[66303.927433] rings_prepare_data+0x62/0x80
[66303.927469] ethnl_default_doit+0xe2/0x350
[66303.927501] genl_family_rcv_msg_doit.isra.0+0xe3/0x140
[66303.927538] genl_rcv_msg+0x1b1/0x2c0
[66303.927561] ? __pfx_ethnl_default_doit+0x10/0x10
[66303.927590] ? __pfx_genl_rcv_msg+0x10/0x10
[66303.927615] netlink_rcv_skb+0x58/0x110
[66303.927644] genl_rcv+0x28/0x40
[66303.927665] netlink_unicast+0x19e/0x290
[66303.927691] netlink_sendmsg+0x254/0x4d0
[66303.927717] sock_sendmsg+0x93/0xa0
[66303.927743] __sys_sendto+0x126/0x170
[66303.927780] __x64_sys_sendto+0x24/0x30
[66303.928593] do_syscall_64+0x5d/0x90
[66303.929370] ? __count_memcg_events+0x60/0xa0
[66303.930146] ? count_memcg_events.constprop.0+0x1a/0x30
[66303.930920] ? handle_mm_fault+0x9e/0x350
[66303.931688] ? do_user_addr_fault+0x258/0x740
[66303.932452] ? exc_page_fault+0x7f/0x180
[66303.933193] entry_SYSCALL_64_after_hwframe+0x72/0xdc
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_base.c",
"drivers/net/ethernet/intel/ice/ice_ethtool.c",
"drivers/net/ethernet/intel/ice/ice_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca03b327224ed6be2d07f42ee6ee1cdd586cfd5b",
"status": "affected",
"version": "5b246e533d0177775c64b40a2af1e62aff5d279b",
"versionType": "git"
},
{
"lessThan": "b3e7b3a6ee92ab927f750a6b19615ce88ece808f",
"status": "affected",
"version": "5b246e533d0177775c64b40a2af1e62aff5d279b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_base.c",
"drivers/net/ethernet/intel/ice/ice_ethtool.c",
"drivers/net/ethernet/intel/ice/ice_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: prevent NULL pointer deref during reload\n\nCalling ethtool during reload can lead to call trace, because VSI isn\u0027t\nconfigured for some time, but netdev is alive.\n\nTo fix it add rtnl lock for VSI deconfig and config. Set ::num_q_vectors\nto 0 after freeing and add a check for ::tx/rx_rings in ring related\nethtool ops.\n\nAdd proper unroll of filters in ice_start_eth().\n\nReproduction:\n$watch -n 0.1 -d \u0027ethtool -g enp24s0f0np0\u0027\n$devlink dev reload pci/0000:18:00.0 action driver_reinit\n\nCall trace before fix:\n[66303.926205] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[66303.926259] #PF: supervisor read access in kernel mode\n[66303.926286] #PF: error_code(0x0000) - not-present page\n[66303.926311] PGD 0 P4D 0\n[66303.926332] Oops: 0000 [#1] PREEMPT SMP PTI\n[66303.926358] CPU: 4 PID: 933821 Comm: ethtool Kdump: loaded Tainted: G OE 6.4.0-rc5+ #1\n[66303.926400] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.00.01.0014.070920180847 07/09/2018\n[66303.926446] RIP: 0010:ice_get_ringparam+0x22/0x50 [ice]\n[66303.926649] Code: 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 87 c0 09 00 00 c7 46 04 e0 1f 00 00 c7 46 10 e0 1f 00 00 48 8b 50 20 \u003c48\u003e 8b 12 0f b7 52 3a 89 56 14 48 8b 40 28 48 8b 00 0f b7 40 58 48\n[66303.926722] RSP: 0018:ffffad40472f39c8 EFLAGS: 00010246\n[66303.926749] RAX: ffff98a8ada05828 RBX: ffff98a8c46dd060 RCX: ffffad40472f3b48\n[66303.926781] RDX: 0000000000000000 RSI: ffff98a8c46dd068 RDI: ffff98a8b23c4000\n[66303.926811] RBP: ffffad40472f3b48 R08: 00000000000337b0 R09: 0000000000000000\n[66303.926843] R10: 0000000000000001 R11: 0000000000000100 R12: ffff98a8b23c4000\n[66303.926874] R13: ffff98a8c46dd060 R14: 000000000000000f R15: ffffad40472f3a50\n[66303.926906] FS: 00007f6397966740(0000) GS:ffff98b390900000(0000) knlGS:0000000000000000\n[66303.926941] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[66303.926967] CR2: 0000000000000000 CR3: 000000011ac20002 CR4: 00000000007706e0\n[66303.926999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[66303.927029] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[66303.927060] PKRU: 55555554\n[66303.927075] Call Trace:\n[66303.927094] \u003cTASK\u003e\n[66303.927111] ? __die+0x23/0x70\n[66303.927140] ? page_fault_oops+0x171/0x4e0\n[66303.927176] ? exc_page_fault+0x7f/0x180\n[66303.927209] ? asm_exc_page_fault+0x26/0x30\n[66303.927244] ? ice_get_ringparam+0x22/0x50 [ice]\n[66303.927433] rings_prepare_data+0x62/0x80\n[66303.927469] ethnl_default_doit+0xe2/0x350\n[66303.927501] genl_family_rcv_msg_doit.isra.0+0xe3/0x140\n[66303.927538] genl_rcv_msg+0x1b1/0x2c0\n[66303.927561] ? __pfx_ethnl_default_doit+0x10/0x10\n[66303.927590] ? __pfx_genl_rcv_msg+0x10/0x10\n[66303.927615] netlink_rcv_skb+0x58/0x110\n[66303.927644] genl_rcv+0x28/0x40\n[66303.927665] netlink_unicast+0x19e/0x290\n[66303.927691] netlink_sendmsg+0x254/0x4d0\n[66303.927717] sock_sendmsg+0x93/0xa0\n[66303.927743] __sys_sendto+0x126/0x170\n[66303.927780] __x64_sys_sendto+0x24/0x30\n[66303.928593] do_syscall_64+0x5d/0x90\n[66303.929370] ? __count_memcg_events+0x60/0xa0\n[66303.930146] ? count_memcg_events.constprop.0+0x1a/0x30\n[66303.930920] ? handle_mm_fault+0x9e/0x350\n[66303.931688] ? do_user_addr_fault+0x258/0x740\n[66303.932452] ? exc_page_fault+0x7f/0x180\n[66303.933193] entry_SYSCALL_64_after_hwframe+0x72/0xdc"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:03.906Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca03b327224ed6be2d07f42ee6ee1cdd586cfd5b"
},
{
"url": "https://git.kernel.org/stable/c/b3e7b3a6ee92ab927f750a6b19615ce88ece808f"
}
],
"title": "ice: prevent NULL pointer deref during reload",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54037",
"datePublished": "2025-12-24T10:56:03.906Z",
"dateReserved": "2025-12-24T10:53:46.181Z",
"dateUpdated": "2025-12-24T10:56:03.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54012 (GCVE-0-2023-54012)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
net: fix stack overflow when LRO is disabled for virtual interfaces
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix stack overflow when LRO is disabled for virtual interfaces
When the virtual interface's feature is updated, it synchronizes the
updated feature for its own lower interface.
This propagation logic should be worked as the iteration, not recursively.
But it works recursively due to the netdev notification unexpectedly.
This problem occurs when it disables LRO only for the team and bonding
interface type.
team0
|
+------+------+-----+-----+
| | | | |
team1 team2 team3 ... team200
If team0's LRO feature is updated, it generates the NETDEV_FEAT_CHANGE
event to its own lower interfaces(team1 ~ team200).
It is worked by netdev_sync_lower_features().
So, the NETDEV_FEAT_CHANGE notification logic of each lower interface
work iteratively.
But generated NETDEV_FEAT_CHANGE event is also sent to the upper
interface too.
upper interface(team0) generates the NETDEV_FEAT_CHANGE event for its own
lower interfaces again.
lower and upper interfaces receive this event and generate this
event again and again.
So, the stack overflow occurs.
But it is not the infinite loop issue.
Because the netdev_sync_lower_features() updates features before
generating the NETDEV_FEAT_CHANGE event.
Already synchronized lower interfaces skip notification logic.
So, it is just the problem that iteration logic is changed to the
recursive unexpectedly due to the notification mechanism.
Reproducer:
ip link add team0 type team
ethtool -K team0 lro on
for i in {1..200}
do
ip link add team$i master team0 type team
ethtool -K team$i lro on
done
ethtool -K team0 lro off
In order to fix it, the notifier_ctx member of bonding/team is introduced.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fd867d51f889aec11cca235ebb008578780d052d , < 9ea0c5f90a27b5b884d880e146e0f65f3052e401
(git)
Affected: fd867d51f889aec11cca235ebb008578780d052d , < 4bb955c4d2830a58c08e2a48ab75d75368e3ff36 (git) Affected: fd867d51f889aec11cca235ebb008578780d052d , < cf3b5cd7127cc10c5b12400c545f263f0e5e715c (git) Affected: fd867d51f889aec11cca235ebb008578780d052d , < ed66e6327a69fec95034cda2ac5b6a57b8b3b622 (git) Affected: fd867d51f889aec11cca235ebb008578780d052d , < 6bf00bb3dc7e5b9fb05488e11616e65d64e975fa (git) Affected: fd867d51f889aec11cca235ebb008578780d052d , < ae9b15fbe63447bc1d3bba3769f409d17ca6fdf6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c",
"drivers/net/team/team.c",
"include/linux/if_team.h",
"include/net/bonding.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ea0c5f90a27b5b884d880e146e0f65f3052e401",
"status": "affected",
"version": "fd867d51f889aec11cca235ebb008578780d052d",
"versionType": "git"
},
{
"lessThan": "4bb955c4d2830a58c08e2a48ab75d75368e3ff36",
"status": "affected",
"version": "fd867d51f889aec11cca235ebb008578780d052d",
"versionType": "git"
},
{
"lessThan": "cf3b5cd7127cc10c5b12400c545f263f0e5e715c",
"status": "affected",
"version": "fd867d51f889aec11cca235ebb008578780d052d",
"versionType": "git"
},
{
"lessThan": "ed66e6327a69fec95034cda2ac5b6a57b8b3b622",
"status": "affected",
"version": "fd867d51f889aec11cca235ebb008578780d052d",
"versionType": "git"
},
{
"lessThan": "6bf00bb3dc7e5b9fb05488e11616e65d64e975fa",
"status": "affected",
"version": "fd867d51f889aec11cca235ebb008578780d052d",
"versionType": "git"
},
{
"lessThan": "ae9b15fbe63447bc1d3bba3769f409d17ca6fdf6",
"status": "affected",
"version": "fd867d51f889aec11cca235ebb008578780d052d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c",
"drivers/net/team/team.c",
"include/linux/if_team.h",
"include/net/bonding.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix stack overflow when LRO is disabled for virtual interfaces\n\nWhen the virtual interface\u0027s feature is updated, it synchronizes the\nupdated feature for its own lower interface.\nThis propagation logic should be worked as the iteration, not recursively.\nBut it works recursively due to the netdev notification unexpectedly.\nThis problem occurs when it disables LRO only for the team and bonding\ninterface type.\n\n team0\n |\n +------+------+-----+-----+\n | | | | |\nteam1 team2 team3 ... team200\n\nIf team0\u0027s LRO feature is updated, it generates the NETDEV_FEAT_CHANGE\nevent to its own lower interfaces(team1 ~ team200).\nIt is worked by netdev_sync_lower_features().\nSo, the NETDEV_FEAT_CHANGE notification logic of each lower interface\nwork iteratively.\nBut generated NETDEV_FEAT_CHANGE event is also sent to the upper\ninterface too.\nupper interface(team0) generates the NETDEV_FEAT_CHANGE event for its own\nlower interfaces again.\nlower and upper interfaces receive this event and generate this\nevent again and again.\nSo, the stack overflow occurs.\n\nBut it is not the infinite loop issue.\nBecause the netdev_sync_lower_features() updates features before\ngenerating the NETDEV_FEAT_CHANGE event.\nAlready synchronized lower interfaces skip notification logic.\nSo, it is just the problem that iteration logic is changed to the\nrecursive unexpectedly due to the notification mechanism.\n\nReproducer:\n\nip link add team0 type team\nethtool -K team0 lro on\nfor i in {1..200}\ndo\n ip link add team$i master team0 type team\n ethtool -K team$i lro on\ndone\n\nethtool -K team0 lro off\n\nIn order to fix it, the notifier_ctx member of bonding/team is introduced."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:44.835Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ea0c5f90a27b5b884d880e146e0f65f3052e401"
},
{
"url": "https://git.kernel.org/stable/c/4bb955c4d2830a58c08e2a48ab75d75368e3ff36"
},
{
"url": "https://git.kernel.org/stable/c/cf3b5cd7127cc10c5b12400c545f263f0e5e715c"
},
{
"url": "https://git.kernel.org/stable/c/ed66e6327a69fec95034cda2ac5b6a57b8b3b622"
},
{
"url": "https://git.kernel.org/stable/c/6bf00bb3dc7e5b9fb05488e11616e65d64e975fa"
},
{
"url": "https://git.kernel.org/stable/c/ae9b15fbe63447bc1d3bba3769f409d17ca6fdf6"
}
],
"title": "net: fix stack overflow when LRO is disabled for virtual interfaces",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54012",
"datePublished": "2025-12-24T10:55:44.835Z",
"dateReserved": "2025-12-24T10:53:46.178Z",
"dateUpdated": "2025-12-24T10:55:44.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54022 (GCVE-0-2023-54022)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
ALSA: usb-audio: Fix potential memory leaks at error path for UMP open
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix potential memory leaks at error path for UMP open
The allocation and initialization errors at alloc_midi_urbs() that is
called at MIDI 2.0 / UMP device are supposed to be handled at the
caller side by invoking free_midi_urbs(). However, free_midi_urbs()
loops only for ep->num_urbs entries, and since ep->num_entries wasn't
updated yet at the allocation / init error in alloc_midi_urbs(), this
entry won't be released.
The intention of free_midi_urbs() is to release the whole elements, so
change the loop size to NUM_URBS to scan over all elements for fixing
the missed releases.
Also, the call of free_midi_urbs() is missing at
snd_usb_midi_v2_open(). Although it'll be released later at
reopen/close or disconnection, it's better to release immediately at
the error path.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/midi2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f819b343aa95d24d5f7d6e06660c7f62591abc5f",
"status": "affected",
"version": "ff49d1df79aef7580fe3ac99d17c3f886655d080",
"versionType": "git"
},
{
"lessThan": "b1757fa30ef14f254f4719bf6f7d54a4c8207216",
"status": "affected",
"version": "ff49d1df79aef7580fe3ac99d17c3f886655d080",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/midi2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix potential memory leaks at error path for UMP open\n\nThe allocation and initialization errors at alloc_midi_urbs() that is\ncalled at MIDI 2.0 / UMP device are supposed to be handled at the\ncaller side by invoking free_midi_urbs(). However, free_midi_urbs()\nloops only for ep-\u003enum_urbs entries, and since ep-\u003enum_entries wasn\u0027t\nupdated yet at the allocation / init error in alloc_midi_urbs(), this\nentry won\u0027t be released.\n\nThe intention of free_midi_urbs() is to release the whole elements, so\nchange the loop size to NUM_URBS to scan over all elements for fixing\nthe missed releases.\n\nAlso, the call of free_midi_urbs() is missing at\nsnd_usb_midi_v2_open(). Although it\u0027ll be released later at\nreopen/close or disconnection, it\u0027s better to release immediately at\nthe error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:52.045Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f819b343aa95d24d5f7d6e06660c7f62591abc5f"
},
{
"url": "https://git.kernel.org/stable/c/b1757fa30ef14f254f4719bf6f7d54a4c8207216"
}
],
"title": "ALSA: usb-audio: Fix potential memory leaks at error path for UMP open",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54022",
"datePublished": "2025-12-24T10:55:52.045Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2025-12-24T10:55:52.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53992 (GCVE-0-2023-53992)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
wifi: cfg80211: ocb: don't leave if not joined
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: ocb: don't leave if not joined
If there's no OCB state, don't ask the driver/mac80211 to
leave, since that's just confusing. Since set/clear the
chandef state, that's a simple check.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6e0bd6c35b021dc73a81ebd1ef79761233c48b50 , < d7b0fe3487d203c04ee1bda91a63bd4dd398c350
(git)
Affected: 6e0bd6c35b021dc73a81ebd1ef79761233c48b50 , < 94332210902967b7d63294b43428c8ed075b20e6 (git) Affected: 6e0bd6c35b021dc73a81ebd1ef79761233c48b50 , < abc76cf552e13cfa88a204b362a86b0e08e95228 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/ocb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d7b0fe3487d203c04ee1bda91a63bd4dd398c350",
"status": "affected",
"version": "6e0bd6c35b021dc73a81ebd1ef79761233c48b50",
"versionType": "git"
},
{
"lessThan": "94332210902967b7d63294b43428c8ed075b20e6",
"status": "affected",
"version": "6e0bd6c35b021dc73a81ebd1ef79761233c48b50",
"versionType": "git"
},
{
"lessThan": "abc76cf552e13cfa88a204b362a86b0e08e95228",
"status": "affected",
"version": "6e0bd6c35b021dc73a81ebd1ef79761233c48b50",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/ocb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: ocb: don\u0027t leave if not joined\n\nIf there\u0027s no OCB state, don\u0027t ask the driver/mac80211 to\nleave, since that\u0027s just confusing. Since set/clear the\nchandef state, that\u0027s a simple check."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:22.581Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d7b0fe3487d203c04ee1bda91a63bd4dd398c350"
},
{
"url": "https://git.kernel.org/stable/c/94332210902967b7d63294b43428c8ed075b20e6"
},
{
"url": "https://git.kernel.org/stable/c/abc76cf552e13cfa88a204b362a86b0e08e95228"
}
],
"title": "wifi: cfg80211: ocb: don\u0027t leave if not joined",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53992",
"datePublished": "2025-12-24T10:55:30.549Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2026-01-05T10:33:22.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68359 (GCVE-0-2025-68359)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32
VLAI?
EPSS
Title
btrfs: fix double free of qgroup record after failure to add delayed ref head
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix double free of qgroup record after failure to add delayed ref head
In the previous code it was possible to incur into a double kfree()
scenario when calling add_delayed_ref_head(). This could happen if the
record was reported to already exist in the
btrfs_qgroup_trace_extent_nolock() call, but then there was an error
later on add_delayed_ref_head(). In this case, since
add_delayed_ref_head() returned an error, the caller went to free the
record. Since add_delayed_ref_head() couldn't set this kfree'd pointer
to NULL, then kfree() would have acted on a non-NULL 'record' object
which was pointing to memory already freed by the callee.
The problem comes from the fact that the responsibility to kfree the
object is on both the caller and the callee at the same time. Hence, the
fix for this is to shift the ownership of the 'qrecord' object out of
the add_delayed_ref_head(). That is, we will never attempt to kfree()
the given object inside of this function, and will expect the caller to
act on the 'qrecord' object on its own. The only exception where the
'qrecord' object cannot be kfree'd is if it was inserted into the
tracing logic, for which we already have the 'qrecord_inserted_ret'
boolean to account for this. Hence, the caller has to kfree the object
only if add_delayed_ref_head() reports not to have inserted it on the
tracing logic.
As a side-effect of the above, we must guarantee that
'qrecord_inserted_ret' is properly initialized at the start of the
function, not at the end, and then set when an actual insert
happens. This way we avoid 'qrecord_inserted_ret' having an invalid
value on an early exit.
The documentation from the add_delayed_ref_head() has also been updated
to reflect on the exact ownership of the 'qrecord' object.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6ef8fbce010421bf742b12b8f8f2b2d2ff154845 , < 7617680769e3119dfb3b43a2b7c287ce2242211c
(git)
Affected: 6ef8fbce010421bf742b12b8f8f2b2d2ff154845 , < 364685c4c2d9c9f4408d95451bcf42fdeebc3ebb (git) Affected: 6ef8fbce010421bf742b12b8f8f2b2d2ff154845 , < 725e46298876a2cc1f1c3fb22ba69d29102c3ddf (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/delayed-ref.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7617680769e3119dfb3b43a2b7c287ce2242211c",
"status": "affected",
"version": "6ef8fbce010421bf742b12b8f8f2b2d2ff154845",
"versionType": "git"
},
{
"lessThan": "364685c4c2d9c9f4408d95451bcf42fdeebc3ebb",
"status": "affected",
"version": "6ef8fbce010421bf742b12b8f8f2b2d2ff154845",
"versionType": "git"
},
{
"lessThan": "725e46298876a2cc1f1c3fb22ba69d29102c3ddf",
"status": "affected",
"version": "6ef8fbce010421bf742b12b8f8f2b2d2ff154845",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/delayed-ref.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free of qgroup record after failure to add delayed ref head\n\nIn the previous code it was possible to incur into a double kfree()\nscenario when calling add_delayed_ref_head(). This could happen if the\nrecord was reported to already exist in the\nbtrfs_qgroup_trace_extent_nolock() call, but then there was an error\nlater on add_delayed_ref_head(). In this case, since\nadd_delayed_ref_head() returned an error, the caller went to free the\nrecord. Since add_delayed_ref_head() couldn\u0027t set this kfree\u0027d pointer\nto NULL, then kfree() would have acted on a non-NULL \u0027record\u0027 object\nwhich was pointing to memory already freed by the callee.\n\nThe problem comes from the fact that the responsibility to kfree the\nobject is on both the caller and the callee at the same time. Hence, the\nfix for this is to shift the ownership of the \u0027qrecord\u0027 object out of\nthe add_delayed_ref_head(). That is, we will never attempt to kfree()\nthe given object inside of this function, and will expect the caller to\nact on the \u0027qrecord\u0027 object on its own. The only exception where the\n\u0027qrecord\u0027 object cannot be kfree\u0027d is if it was inserted into the\ntracing logic, for which we already have the \u0027qrecord_inserted_ret\u0027\nboolean to account for this. Hence, the caller has to kfree the object\nonly if add_delayed_ref_head() reports not to have inserted it on the\ntracing logic.\n\nAs a side-effect of the above, we must guarantee that\n\u0027qrecord_inserted_ret\u0027 is properly initialized at the start of the\nfunction, not at the end, and then set when an actual insert\nhappens. This way we avoid \u0027qrecord_inserted_ret\u0027 having an invalid\nvalue on an early exit.\n\nThe documentation from the add_delayed_ref_head() has also been updated\nto reflect on the exact ownership of the \u0027qrecord\u0027 object."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:32:48.456Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7617680769e3119dfb3b43a2b7c287ce2242211c"
},
{
"url": "https://git.kernel.org/stable/c/364685c4c2d9c9f4408d95451bcf42fdeebc3ebb"
},
{
"url": "https://git.kernel.org/stable/c/725e46298876a2cc1f1c3fb22ba69d29102c3ddf"
}
],
"title": "btrfs: fix double free of qgroup record after failure to add delayed ref head",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68359",
"datePublished": "2025-12-24T10:32:48.456Z",
"dateReserved": "2025-12-16T14:48:05.305Z",
"dateUpdated": "2025-12-24T10:32:48.456Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50708 (GCVE-0-2022-50708)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-02 15:03
VLAI?
EPSS
Title
HSI: ssi_protocol: fix potential resource leak in ssip_pn_open()
Summary
In the Linux kernel, the following vulnerability has been resolved:
HSI: ssi_protocol: fix potential resource leak in ssip_pn_open()
ssip_pn_open() claims the HSI client's port with hsi_claim_port(). When
hsi_register_port_event() gets some error and returns a negetive value,
the HSI client's port should be released with hsi_release_port().
Fix it by calling hsi_release_port() when hsi_register_port_event() fails.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
dc7bf5d7186849aa36b9f0e42e250a813a7b0bdb , < 78b0ef14896f843c45372f9bbdb6f6070f977eaf
(git)
Affected: dc7bf5d7186849aa36b9f0e42e250a813a7b0bdb , < e78b45b3eeee1cec77c794fcbf0512537c20b1dc (git) Affected: dc7bf5d7186849aa36b9f0e42e250a813a7b0bdb , < b28dbcb379e6a7f80262c2732a57681b1ee548ca (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hsi/clients/ssi_protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78b0ef14896f843c45372f9bbdb6f6070f977eaf",
"status": "affected",
"version": "dc7bf5d7186849aa36b9f0e42e250a813a7b0bdb",
"versionType": "git"
},
{
"lessThan": "e78b45b3eeee1cec77c794fcbf0512537c20b1dc",
"status": "affected",
"version": "dc7bf5d7186849aa36b9f0e42e250a813a7b0bdb",
"versionType": "git"
},
{
"lessThan": "b28dbcb379e6a7f80262c2732a57681b1ee548ca",
"status": "affected",
"version": "dc7bf5d7186849aa36b9f0e42e250a813a7b0bdb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hsi/clients/ssi_protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: ssi_protocol: fix potential resource leak in ssip_pn_open()\n\nssip_pn_open() claims the HSI client\u0027s port with hsi_claim_port(). When\nhsi_register_port_event() gets some error and returns a negetive value,\nthe HSI client\u0027s port should be released with hsi_release_port().\n\nFix it by calling hsi_release_port() when hsi_register_port_event() fails."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:03:56.778Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78b0ef14896f843c45372f9bbdb6f6070f977eaf"
},
{
"url": "https://git.kernel.org/stable/c/e78b45b3eeee1cec77c794fcbf0512537c20b1dc"
},
{
"url": "https://git.kernel.org/stable/c/b28dbcb379e6a7f80262c2732a57681b1ee548ca"
}
],
"title": "HSI: ssi_protocol: fix potential resource leak in ssip_pn_open()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50708",
"datePublished": "2025-12-24T10:55:22.234Z",
"dateReserved": "2025-12-24T10:53:15.518Z",
"dateUpdated": "2026-01-02T15:03:56.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54020 (GCVE-0-2023-54020)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
dmaengine: sf-pdma: pdma_desc memory leak fix
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: sf-pdma: pdma_desc memory leak fix
Commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a
DMA channel") changed sf_pdma_prep_dma_memcpy() to unconditionally
allocate a new sf_pdma_desc each time it is called.
The driver previously recycled descs, by checking the in_use flag, only
allocating additional descs if the existing one was in use. This logic
was removed in commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread
support for a DMA channel"), but sf_pdma_free_desc() was not changed to
handle the new behaviour.
As a result, each time sf_pdma_prep_dma_memcpy() is called, the previous
descriptor is leaked, over time leading to memory starvation:
unreferenced object 0xffffffe008447300 (size 192):
comm "irq/39-mchp_dsc", pid 343, jiffies 4294906910 (age 981.200s)
hex dump (first 32 bytes):
00 00 00 ff 00 00 00 00 b8 c1 00 00 00 00 00 00 ................
00 00 70 08 10 00 00 00 00 00 00 c0 00 00 00 00 ..p.............
backtrace:
[<00000000064a04f4>] kmemleak_alloc+0x1e/0x28
[<00000000018927a7>] kmem_cache_alloc+0x11e/0x178
[<000000002aea8d16>] sf_pdma_prep_dma_memcpy+0x40/0x112
Add the missing kfree() to sf_pdma_free_desc(), and remove the redundant
in_use flag.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5ab2782c944e324008ef5d658f2494a9f0e3c5ac , < ad222c9af25e3f074c180e389b3477dce42afc4f
(git)
Affected: b2cc5c465c2cb8ab697c3fd6583c614e3f6cfbcc , < 03fece43fa109beba7cc9948c02f5e2d1205d607 (git) Affected: b2cc5c465c2cb8ab697c3fd6583c614e3f6cfbcc , < 8bd5040bd43f2b5ba3c898b09a3197a0c7ace126 (git) Affected: b2cc5c465c2cb8ab697c3fd6583c614e3f6cfbcc , < b02e07015a5ac7bbc029da931ae17914b8ae0339 (git) Affected: b9b4992f897be9b0b9e3a3b956cab6b75ccc3f11 (git) Affected: 4c7350b1dd8a192af844de32fc99b9e34c876fda (git) Affected: a93b3f1e11971a91b6441b6d47488f4492cc113f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/sf-pdma/sf-pdma.c",
"drivers/dma/sf-pdma/sf-pdma.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad222c9af25e3f074c180e389b3477dce42afc4f",
"status": "affected",
"version": "5ab2782c944e324008ef5d658f2494a9f0e3c5ac",
"versionType": "git"
},
{
"lessThan": "03fece43fa109beba7cc9948c02f5e2d1205d607",
"status": "affected",
"version": "b2cc5c465c2cb8ab697c3fd6583c614e3f6cfbcc",
"versionType": "git"
},
{
"lessThan": "8bd5040bd43f2b5ba3c898b09a3197a0c7ace126",
"status": "affected",
"version": "b2cc5c465c2cb8ab697c3fd6583c614e3f6cfbcc",
"versionType": "git"
},
{
"lessThan": "b02e07015a5ac7bbc029da931ae17914b8ae0339",
"status": "affected",
"version": "b2cc5c465c2cb8ab697c3fd6583c614e3f6cfbcc",
"versionType": "git"
},
{
"status": "affected",
"version": "b9b4992f897be9b0b9e3a3b956cab6b75ccc3f11",
"versionType": "git"
},
{
"status": "affected",
"version": "4c7350b1dd8a192af844de32fc99b9e34c876fda",
"versionType": "git"
},
{
"status": "affected",
"version": "a93b3f1e11971a91b6441b6d47488f4492cc113f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/sf-pdma/sf-pdma.c",
"drivers/dma/sf-pdma/sf-pdma.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.15.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: sf-pdma: pdma_desc memory leak fix\n\nCommit b2cc5c465c2c (\"dmaengine: sf-pdma: Add multithread support for a\nDMA channel\") changed sf_pdma_prep_dma_memcpy() to unconditionally\nallocate a new sf_pdma_desc each time it is called.\n\nThe driver previously recycled descs, by checking the in_use flag, only\nallocating additional descs if the existing one was in use. This logic\nwas removed in commit b2cc5c465c2c (\"dmaengine: sf-pdma: Add multithread\nsupport for a DMA channel\"), but sf_pdma_free_desc() was not changed to\nhandle the new behaviour.\n\nAs a result, each time sf_pdma_prep_dma_memcpy() is called, the previous\ndescriptor is leaked, over time leading to memory starvation:\n\n unreferenced object 0xffffffe008447300 (size 192):\n comm \"irq/39-mchp_dsc\", pid 343, jiffies 4294906910 (age 981.200s)\n hex dump (first 32 bytes):\n 00 00 00 ff 00 00 00 00 b8 c1 00 00 00 00 00 00 ................\n 00 00 70 08 10 00 00 00 00 00 00 c0 00 00 00 00 ..p.............\n backtrace:\n [\u003c00000000064a04f4\u003e] kmemleak_alloc+0x1e/0x28\n [\u003c00000000018927a7\u003e] kmem_cache_alloc+0x11e/0x178\n [\u003c000000002aea8d16\u003e] sf_pdma_prep_dma_memcpy+0x40/0x112\n\nAdd the missing kfree() to sf_pdma_free_desc(), and remove the redundant\nin_use flag."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:50.583Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad222c9af25e3f074c180e389b3477dce42afc4f"
},
{
"url": "https://git.kernel.org/stable/c/03fece43fa109beba7cc9948c02f5e2d1205d607"
},
{
"url": "https://git.kernel.org/stable/c/8bd5040bd43f2b5ba3c898b09a3197a0c7ace126"
},
{
"url": "https://git.kernel.org/stable/c/b02e07015a5ac7bbc029da931ae17914b8ae0339"
}
],
"title": "dmaengine: sf-pdma: pdma_desc memory leak fix",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54020",
"datePublished": "2025-12-24T10:55:50.583Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2025-12-24T10:55:50.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54015 (GCVE-0-2023-54015)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device
In case devcom allocation is failed, mlx5 is always freeing the priv.
However, this priv might have been allocated by a different thread,
and freeing it might lead to use-after-free bugs.
Fix it by freeing the priv only in case it was allocated by the
running thread.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fadd59fc50d010145f251db583c7ccef37393d19 , < 3dfc1004d9afbf689087ae1eafd88f55481984c7
(git)
Affected: fadd59fc50d010145f251db583c7ccef37393d19 , < d4d10a6df1529b3f446cdada5c25e065f4712756 (git) Affected: fadd59fc50d010145f251db583c7ccef37393d19 , < 1e755065368000205e6683fa924b2654e99f573b (git) Affected: fadd59fc50d010145f251db583c7ccef37393d19 , < eaa365c10459052cbe3e44caa4ad760cb93bd435 (git) Affected: fadd59fc50d010145f251db583c7ccef37393d19 , < a3a516caef2c5be2f4d171890a8b3415bfab4e5e (git) Affected: fadd59fc50d010145f251db583c7ccef37393d19 , < af87194352cad882d787d06fb7efa714acd95427 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3dfc1004d9afbf689087ae1eafd88f55481984c7",
"status": "affected",
"version": "fadd59fc50d010145f251db583c7ccef37393d19",
"versionType": "git"
},
{
"lessThan": "d4d10a6df1529b3f446cdada5c25e065f4712756",
"status": "affected",
"version": "fadd59fc50d010145f251db583c7ccef37393d19",
"versionType": "git"
},
{
"lessThan": "1e755065368000205e6683fa924b2654e99f573b",
"status": "affected",
"version": "fadd59fc50d010145f251db583c7ccef37393d19",
"versionType": "git"
},
{
"lessThan": "eaa365c10459052cbe3e44caa4ad760cb93bd435",
"status": "affected",
"version": "fadd59fc50d010145f251db583c7ccef37393d19",
"versionType": "git"
},
{
"lessThan": "a3a516caef2c5be2f4d171890a8b3415bfab4e5e",
"status": "affected",
"version": "fadd59fc50d010145f251db583c7ccef37393d19",
"versionType": "git"
},
{
"lessThan": "af87194352cad882d787d06fb7efa714acd95427",
"status": "affected",
"version": "fadd59fc50d010145f251db583c7ccef37393d19",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Devcom, fix error flow in mlx5_devcom_register_device\n\nIn case devcom allocation is failed, mlx5 is always freeing the priv.\nHowever, this priv might have been allocated by a different thread,\nand freeing it might lead to use-after-free bugs.\nFix it by freeing the priv only in case it was allocated by the\nrunning thread."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:47.030Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3dfc1004d9afbf689087ae1eafd88f55481984c7"
},
{
"url": "https://git.kernel.org/stable/c/d4d10a6df1529b3f446cdada5c25e065f4712756"
},
{
"url": "https://git.kernel.org/stable/c/1e755065368000205e6683fa924b2654e99f573b"
},
{
"url": "https://git.kernel.org/stable/c/eaa365c10459052cbe3e44caa4ad760cb93bd435"
},
{
"url": "https://git.kernel.org/stable/c/a3a516caef2c5be2f4d171890a8b3415bfab4e5e"
},
{
"url": "https://git.kernel.org/stable/c/af87194352cad882d787d06fb7efa714acd95427"
}
],
"title": "net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54015",
"datePublished": "2025-12-24T10:55:47.030Z",
"dateReserved": "2025-12-24T10:53:46.178Z",
"dateUpdated": "2025-12-24T10:55:47.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68347 (GCVE-0-2025-68347)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:29
VLAI?
EPSS
Title
ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events
The DSP event handling code in hwdep_read() could write more bytes to
the user buffer than requested, when a user provides a buffer smaller
than the event header size (8 bytes).
Fix by using min_t() to clamp the copy size, This ensures we never copy
more than the user requested.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
634ec0b2906efd46f6f57977e172aa3470aca432 , < 16620f0617400746984362c3d6ac547eeae1d35f
(git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 6275fd726d53a8ec724f20201cf3bd862711e17b (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 161291bac551821bba98eb4ea84c82338578d1b0 (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < cdda0d06f8650e33255f79839f188bbece44117c (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 210d77cca3d0494ed30a5c628b20c1d95fa04fb1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16620f0617400746984362c3d6ac547eeae1d35f",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "6275fd726d53a8ec724f20201cf3bd862711e17b",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "161291bac551821bba98eb4ea84c82338578d1b0",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "cdda0d06f8650e33255f79839f188bbece44117c",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "210d77cca3d0494ed30a5c628b20c1d95fa04fb1",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events\n\nThe DSP event handling code in hwdep_read() could write more bytes to\nthe user buffer than requested, when a user provides a buffer smaller\nthan the event header size (8 bytes).\n\nFix by using min_t() to clamp the copy size, This ensures we never copy\nmore than the user requested."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:52.270Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16620f0617400746984362c3d6ac547eeae1d35f"
},
{
"url": "https://git.kernel.org/stable/c/ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe"
},
{
"url": "https://git.kernel.org/stable/c/6275fd726d53a8ec724f20201cf3bd862711e17b"
},
{
"url": "https://git.kernel.org/stable/c/161291bac551821bba98eb4ea84c82338578d1b0"
},
{
"url": "https://git.kernel.org/stable/c/cdda0d06f8650e33255f79839f188bbece44117c"
},
{
"url": "https://git.kernel.org/stable/c/210d77cca3d0494ed30a5c628b20c1d95fa04fb1"
}
],
"title": "ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68347",
"datePublished": "2025-12-24T10:32:39.804Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-01-11T16:29:52.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68357 (GCVE-0-2025-68357)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:29
VLAI?
EPSS
Title
iomap: allocate s_dio_done_wq for async reads as well
Summary
In the Linux kernel, the following vulnerability has been resolved:
iomap: allocate s_dio_done_wq for async reads as well
Since commit 222f2c7c6d14 ("iomap: always run error completions in user
context"), read error completions are deferred to s_dio_done_wq. This
means the workqueue also needs to be allocated for async reads.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3b5f35085f8159894a0963e2c877527a885201ac , < 51297686e00f4d5d941b0f20f12b2f12879d753c
(git)
Affected: 74c0c1af04ee6982b47237b1c12cff63ffb14460 , < c67775cf0da2407f113c1229e350758f4dca0f51 (git) Affected: ddb4873286e03e193c5a3bebb5fc6fa820e9ee3a , < 7fd8720dff2d9c70cf5a1a13b7513af01952ec02 (git) Affected: e3676761efb20564297250f000cbbd2187de2601 (git) Affected: 53e0fb84cf657acfcfb7bd35da1e43911848a3a3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/iomap/direct-io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "51297686e00f4d5d941b0f20f12b2f12879d753c",
"status": "affected",
"version": "3b5f35085f8159894a0963e2c877527a885201ac",
"versionType": "git"
},
{
"lessThan": "c67775cf0da2407f113c1229e350758f4dca0f51",
"status": "affected",
"version": "74c0c1af04ee6982b47237b1c12cff63ffb14460",
"versionType": "git"
},
{
"lessThan": "7fd8720dff2d9c70cf5a1a13b7513af01952ec02",
"status": "affected",
"version": "ddb4873286e03e193c5a3bebb5fc6fa820e9ee3a",
"versionType": "git"
},
{
"status": "affected",
"version": "e3676761efb20564297250f000cbbd2187de2601",
"versionType": "git"
},
{
"status": "affected",
"version": "53e0fb84cf657acfcfb7bd35da1e43911848a3a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/iomap/direct-io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.12.64",
"status": "affected",
"version": "6.12.63",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niomap: allocate s_dio_done_wq for async reads as well\n\nSince commit 222f2c7c6d14 (\"iomap: always run error completions in user\ncontext\"), read error completions are deferred to s_dio_done_wq. This\nmeans the workqueue also needs to be allocated for async reads."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:55.922Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/51297686e00f4d5d941b0f20f12b2f12879d753c"
},
{
"url": "https://git.kernel.org/stable/c/c67775cf0da2407f113c1229e350758f4dca0f51"
},
{
"url": "https://git.kernel.org/stable/c/7fd8720dff2d9c70cf5a1a13b7513af01952ec02"
}
],
"title": "iomap: allocate s_dio_done_wq for async reads as well",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68357",
"datePublished": "2025-12-24T10:32:46.974Z",
"dateReserved": "2025-12-16T14:48:05.305Z",
"dateUpdated": "2026-01-11T16:29:55.922Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68725 (GCVE-0-2025-68725)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2025-12-24 10:33
VLAI?
EPSS
Title
bpf: Do not let BPF test infra emit invalid GSO types to stack
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Do not let BPF test infra emit invalid GSO types to stack
Yinhao et al. reported that their fuzzer tool was able to trigger a
skb_warn_bad_offload() from netif_skb_features() -> gso_features_check().
When a BPF program - triggered via BPF test infra - pushes the packet
to the loopback device via bpf_clone_redirect() then mentioned offload
warning can be seen. GSO-related features are then rightfully disabled.
We get into this situation due to convert___skb_to_skb() setting
gso_segs and gso_size but not gso_type. Technically, it makes sense
that this warning triggers since the GSO properties are malformed due
to the gso_type. Potentially, the gso_type could be marked non-trustworthy
through setting it at least to SKB_GSO_DODGY without any other specific
assumptions, but that also feels wrong given we should not go further
into the GSO engine in the first place.
The checks were added in 121d57af308d ("gso: validate gso_type in GSO
handlers") because there were malicious (syzbot) senders that combine
a protocol with a non-matching gso_type. If we would want to drop such
packets, gso_features_check() currently only returns feature flags via
netif_skb_features(), so one location for potentially dropping such skbs
could be validate_xmit_unreadable_skb(), but then otoh it would be
an additional check in the fast-path for a very corner case. Given
bpf_clone_redirect() is the only place where BPF test infra could emit
such packets, lets reject them right there.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bpf/test_run.c",
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fbea4c63b5385588cb44ab21f91e55e33c719a54",
"status": "affected",
"version": "850a88cc4096fe1df407452ba2e4d28cf5b3eee9",
"versionType": "git"
},
{
"lessThan": "04a899573fb87273a656f178b5f920c505f68875",
"status": "affected",
"version": "850a88cc4096fe1df407452ba2e4d28cf5b3eee9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bpf/test_run.c",
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Do not let BPF test infra emit invalid GSO types to stack\n\nYinhao et al. reported that their fuzzer tool was able to trigger a\nskb_warn_bad_offload() from netif_skb_features() -\u003e gso_features_check().\nWhen a BPF program - triggered via BPF test infra - pushes the packet\nto the loopback device via bpf_clone_redirect() then mentioned offload\nwarning can be seen. GSO-related features are then rightfully disabled.\n\nWe get into this situation due to convert___skb_to_skb() setting\ngso_segs and gso_size but not gso_type. Technically, it makes sense\nthat this warning triggers since the GSO properties are malformed due\nto the gso_type. Potentially, the gso_type could be marked non-trustworthy\nthrough setting it at least to SKB_GSO_DODGY without any other specific\nassumptions, but that also feels wrong given we should not go further\ninto the GSO engine in the first place.\n\nThe checks were added in 121d57af308d (\"gso: validate gso_type in GSO\nhandlers\") because there were malicious (syzbot) senders that combine\na protocol with a non-matching gso_type. If we would want to drop such\npackets, gso_features_check() currently only returns feature flags via\nnetif_skb_features(), so one location for potentially dropping such skbs\ncould be validate_xmit_unreadable_skb(), but then otoh it would be\nan additional check in the fast-path for a very corner case. Given\nbpf_clone_redirect() is the only place where BPF test infra could emit\nsuch packets, lets reject them right there."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:33:09.610Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fbea4c63b5385588cb44ab21f91e55e33c719a54"
},
{
"url": "https://git.kernel.org/stable/c/04a899573fb87273a656f178b5f920c505f68875"
}
],
"title": "bpf: Do not let BPF test infra emit invalid GSO types to stack",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68725",
"datePublished": "2025-12-24T10:33:09.610Z",
"dateReserved": "2025-12-24T10:30:51.027Z",
"dateUpdated": "2025-12-24T10:33:09.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68356 (GCVE-0-2025-68356)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32
VLAI?
EPSS
Title
gfs2: Prevent recursive memory reclaim
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Prevent recursive memory reclaim
Function new_inode() returns a new inode with inode->i_mapping->gfp_mask
set to GFP_HIGHUSER_MOVABLE. This value includes the __GFP_FS flag, so
allocations in that address space can recurse into filesystem memory
reclaim. We don't want that to happen because it can consume a
significant amount of stack memory.
Worse than that is that it can also deadlock: for example, in several
places, gfs2_unstuff_dinode() is called inside filesystem transactions.
This calls filemap_grab_folio(), which can allocate a new folio, which
can trigger memory reclaim. If memory reclaim recurses into the
filesystem and starts another transaction, a deadlock will ensue.
To fix these kinds of problems, prevent memory reclaim from recursing
into filesystem code by making sure that the gfp_mask of inode address
spaces doesn't include __GFP_FS.
The "meta" and resource group address spaces were already using GFP_NOFS
as their gfp_mask (which doesn't include __GFP_FS). The default value
of GFP_HIGHUSER_MOVABLE is less restrictive than GFP_NOFS, though. To
avoid being overly limiting, use the default value and only knock off
the __GFP_FS flag. I'm not sure if this will actually make a
difference, but it also shouldn't hurt.
This patch is loosely based on commit ad22c7a043c2 ("xfs: prevent stack
overflows from page cache allocation").
Fixes xfstest generic/273.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
dc0b9435238c1a68150c798c9c7a1b5d7414cbb9 , < edb2b255618621dc83d0ec23150e16b2c697077f
(git)
Affected: dc0b9435238c1a68150c798c9c7a1b5d7414cbb9 , < 9c0960ed112398bdb6c60ccf6e6b583bc59acede (git) Affected: dc0b9435238c1a68150c798c9c7a1b5d7414cbb9 , < 49e7347f4644d031306d56cb4d51e467cbdcbc69 (git) Affected: dc0b9435238c1a68150c798c9c7a1b5d7414cbb9 , < 2c5f4a53476e3cab70adc77b38942c066bd2c17c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/gfs2/glock.c",
"fs/gfs2/inode.c",
"fs/gfs2/inode.h",
"fs/gfs2/ops_fstype.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "edb2b255618621dc83d0ec23150e16b2c697077f",
"status": "affected",
"version": "dc0b9435238c1a68150c798c9c7a1b5d7414cbb9",
"versionType": "git"
},
{
"lessThan": "9c0960ed112398bdb6c60ccf6e6b583bc59acede",
"status": "affected",
"version": "dc0b9435238c1a68150c798c9c7a1b5d7414cbb9",
"versionType": "git"
},
{
"lessThan": "49e7347f4644d031306d56cb4d51e467cbdcbc69",
"status": "affected",
"version": "dc0b9435238c1a68150c798c9c7a1b5d7414cbb9",
"versionType": "git"
},
{
"lessThan": "2c5f4a53476e3cab70adc77b38942c066bd2c17c",
"status": "affected",
"version": "dc0b9435238c1a68150c798c9c7a1b5d7414cbb9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/gfs2/glock.c",
"fs/gfs2/inode.c",
"fs/gfs2/inode.h",
"fs/gfs2/ops_fstype.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Prevent recursive memory reclaim\n\nFunction new_inode() returns a new inode with inode-\u003ei_mapping-\u003egfp_mask\nset to GFP_HIGHUSER_MOVABLE. This value includes the __GFP_FS flag, so\nallocations in that address space can recurse into filesystem memory\nreclaim. We don\u0027t want that to happen because it can consume a\nsignificant amount of stack memory.\n\nWorse than that is that it can also deadlock: for example, in several\nplaces, gfs2_unstuff_dinode() is called inside filesystem transactions.\nThis calls filemap_grab_folio(), which can allocate a new folio, which\ncan trigger memory reclaim. If memory reclaim recurses into the\nfilesystem and starts another transaction, a deadlock will ensue.\n\nTo fix these kinds of problems, prevent memory reclaim from recursing\ninto filesystem code by making sure that the gfp_mask of inode address\nspaces doesn\u0027t include __GFP_FS.\n\nThe \"meta\" and resource group address spaces were already using GFP_NOFS\nas their gfp_mask (which doesn\u0027t include __GFP_FS). The default value\nof GFP_HIGHUSER_MOVABLE is less restrictive than GFP_NOFS, though. To\navoid being overly limiting, use the default value and only knock off\nthe __GFP_FS flag. I\u0027m not sure if this will actually make a\ndifference, but it also shouldn\u0027t hurt.\n\nThis patch is loosely based on commit ad22c7a043c2 (\"xfs: prevent stack\noverflows from page cache allocation\").\n\nFixes xfstest generic/273."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:32:46.275Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/edb2b255618621dc83d0ec23150e16b2c697077f"
},
{
"url": "https://git.kernel.org/stable/c/9c0960ed112398bdb6c60ccf6e6b583bc59acede"
},
{
"url": "https://git.kernel.org/stable/c/49e7347f4644d031306d56cb4d51e467cbdcbc69"
},
{
"url": "https://git.kernel.org/stable/c/2c5f4a53476e3cab70adc77b38942c066bd2c17c"
}
],
"title": "gfs2: Prevent recursive memory reclaim",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68356",
"datePublished": "2025-12-24T10:32:46.275Z",
"dateReserved": "2025-12-16T14:48:05.301Z",
"dateUpdated": "2025-12-24T10:32:46.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68360 (GCVE-0-2025-68360)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32
VLAI?
EPSS
Title
wifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks
MT7996 driver can use both wed and wed_hif2 devices to offload traffic
from/to the wireless NIC. In the current codebase we assume to always
use the primary wed device in wed callbacks resulting in the following
crash if the hw runs wed_hif2 (e.g. 6GHz link).
[ 297.455876] Unable to handle kernel read from unreadable memory at virtual address 000000000000080a
[ 297.464928] Mem abort info:
[ 297.467722] ESR = 0x0000000096000005
[ 297.471461] EC = 0x25: DABT (current EL), IL = 32 bits
[ 297.476766] SET = 0, FnV = 0
[ 297.479809] EA = 0, S1PTW = 0
[ 297.482940] FSC = 0x05: level 1 translation fault
[ 297.487809] Data abort info:
[ 297.490679] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 297.496156] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 297.501196] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 297.506500] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000107480000
[ 297.512927] [000000000000080a] pgd=08000001097fb003, p4d=08000001097fb003, pud=08000001097fb003, pmd=0000000000000000
[ 297.523532] Internal error: Oops: 0000000096000005 [#1] SMP
[ 297.715393] CPU: 2 UID: 0 PID: 45 Comm: kworker/u16:2 Tainted: G O 6.12.50 #0
[ 297.723908] Tainted: [O]=OOT_MODULE
[ 297.727384] Hardware name: Banana Pi BPI-R4 (2x SFP+) (DT)
[ 297.732857] Workqueue: nf_ft_offload_del nf_flow_rule_route_ipv6 [nf_flow_table]
[ 297.740254] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 297.747205] pc : mt76_wed_offload_disable+0x64/0xa0 [mt76]
[ 297.752688] lr : mtk_wed_flow_remove+0x58/0x80
[ 297.757126] sp : ffffffc080fe3ae0
[ 297.760430] x29: ffffffc080fe3ae0 x28: ffffffc080fe3be0 x27: 00000000deadbef7
[ 297.767557] x26: ffffff80c5ebca00 x25: 0000000000000001 x24: ffffff80c85f4c00
[ 297.774683] x23: ffffff80c1875b78 x22: ffffffc080d42cd0 x21: ffffffc080660018
[ 297.781809] x20: ffffff80c6a076d0 x19: ffffff80c6a043c8 x18: 0000000000000000
[ 297.788935] x17: 0000000000000000 x16: 0000000000000001 x15: 0000000000000000
[ 297.796060] x14: 0000000000000019 x13: ffffff80c0ad8ec0 x12: 00000000fa83b2da
[ 297.803185] x11: ffffff80c02700c0 x10: ffffff80c0ad8ec0 x9 : ffffff81fef96200
[ 297.810311] x8 : ffffff80c02700c0 x7 : ffffff80c02700d0 x6 : 0000000000000002
[ 297.817435] x5 : 0000000000000400 x4 : 0000000000000000 x3 : 0000000000000000
[ 297.824561] x2 : 0000000000000001 x1 : 0000000000000800 x0 : ffffff80c6a063c8
[ 297.831686] Call trace:
[ 297.834123] mt76_wed_offload_disable+0x64/0xa0 [mt76]
[ 297.839254] mtk_wed_flow_remove+0x58/0x80
[ 297.843342] mtk_flow_offload_cmd+0x434/0x574
[ 297.847689] mtk_wed_setup_tc_block_cb+0x30/0x40
[ 297.852295] nf_flow_offload_ipv6_hook+0x7f4/0x964 [nf_flow_table]
[ 297.858466] nf_flow_rule_route_ipv6+0x438/0x4a4 [nf_flow_table]
[ 297.864463] process_one_work+0x174/0x300
[ 297.868465] worker_thread+0x278/0x430
[ 297.872204] kthread+0xd8/0xdc
[ 297.875251] ret_from_fork+0x10/0x20
[ 297.878820] Code: 928b5ae0 8b000273 91400a60 f943fa61 (79401421)
[ 297.884901] ---[ end trace 0000000000000000 ]---
Fix the issue detecting the proper wed reference to use running wed
callabacks.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
83eafc9251d6d30574b629ac637c56d168fcbdd9 , < ab94ecb997fd1bbc501a0116c7aad51556b67c86
(git)
Affected: 83eafc9251d6d30574b629ac637c56d168fcbdd9 , < d582d0e988d696698c94edf097062bb987ae592c (git) Affected: 83eafc9251d6d30574b629ac637c56d168fcbdd9 , < 385aab8fccd7a8746b9f1a17f3c1e38498a14bc7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt76.h",
"drivers/net/wireless/mediatek/mt76/mt7996/mmio.c",
"drivers/net/wireless/mediatek/mt76/wed.c",
"include/linux/soc/mediatek/mtk_wed.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab94ecb997fd1bbc501a0116c7aad51556b67c86",
"status": "affected",
"version": "83eafc9251d6d30574b629ac637c56d168fcbdd9",
"versionType": "git"
},
{
"lessThan": "d582d0e988d696698c94edf097062bb987ae592c",
"status": "affected",
"version": "83eafc9251d6d30574b629ac637c56d168fcbdd9",
"versionType": "git"
},
{
"lessThan": "385aab8fccd7a8746b9f1a17f3c1e38498a14bc7",
"status": "affected",
"version": "83eafc9251d6d30574b629ac637c56d168fcbdd9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt76.h",
"drivers/net/wireless/mediatek/mt76/mt7996/mmio.c",
"drivers/net/wireless/mediatek/mt76/wed.c",
"include/linux/soc/mediatek/mtk_wed.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks\n\nMT7996 driver can use both wed and wed_hif2 devices to offload traffic\nfrom/to the wireless NIC. In the current codebase we assume to always\nuse the primary wed device in wed callbacks resulting in the following\ncrash if the hw runs wed_hif2 (e.g. 6GHz link).\n\n[ 297.455876] Unable to handle kernel read from unreadable memory at virtual address 000000000000080a\n[ 297.464928] Mem abort info:\n[ 297.467722] ESR = 0x0000000096000005\n[ 297.471461] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 297.476766] SET = 0, FnV = 0\n[ 297.479809] EA = 0, S1PTW = 0\n[ 297.482940] FSC = 0x05: level 1 translation fault\n[ 297.487809] Data abort info:\n[ 297.490679] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[ 297.496156] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 297.501196] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 297.506500] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000107480000\n[ 297.512927] [000000000000080a] pgd=08000001097fb003, p4d=08000001097fb003, pud=08000001097fb003, pmd=0000000000000000\n[ 297.523532] Internal error: Oops: 0000000096000005 [#1] SMP\n[ 297.715393] CPU: 2 UID: 0 PID: 45 Comm: kworker/u16:2 Tainted: G O 6.12.50 #0\n[ 297.723908] Tainted: [O]=OOT_MODULE\n[ 297.727384] Hardware name: Banana Pi BPI-R4 (2x SFP+) (DT)\n[ 297.732857] Workqueue: nf_ft_offload_del nf_flow_rule_route_ipv6 [nf_flow_table]\n[ 297.740254] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 297.747205] pc : mt76_wed_offload_disable+0x64/0xa0 [mt76]\n[ 297.752688] lr : mtk_wed_flow_remove+0x58/0x80\n[ 297.757126] sp : ffffffc080fe3ae0\n[ 297.760430] x29: ffffffc080fe3ae0 x28: ffffffc080fe3be0 x27: 00000000deadbef7\n[ 297.767557] x26: ffffff80c5ebca00 x25: 0000000000000001 x24: ffffff80c85f4c00\n[ 297.774683] x23: ffffff80c1875b78 x22: ffffffc080d42cd0 x21: ffffffc080660018\n[ 297.781809] x20: ffffff80c6a076d0 x19: ffffff80c6a043c8 x18: 0000000000000000\n[ 297.788935] x17: 0000000000000000 x16: 0000000000000001 x15: 0000000000000000\n[ 297.796060] x14: 0000000000000019 x13: ffffff80c0ad8ec0 x12: 00000000fa83b2da\n[ 297.803185] x11: ffffff80c02700c0 x10: ffffff80c0ad8ec0 x9 : ffffff81fef96200\n[ 297.810311] x8 : ffffff80c02700c0 x7 : ffffff80c02700d0 x6 : 0000000000000002\n[ 297.817435] x5 : 0000000000000400 x4 : 0000000000000000 x3 : 0000000000000000\n[ 297.824561] x2 : 0000000000000001 x1 : 0000000000000800 x0 : ffffff80c6a063c8\n[ 297.831686] Call trace:\n[ 297.834123] mt76_wed_offload_disable+0x64/0xa0 [mt76]\n[ 297.839254] mtk_wed_flow_remove+0x58/0x80\n[ 297.843342] mtk_flow_offload_cmd+0x434/0x574\n[ 297.847689] mtk_wed_setup_tc_block_cb+0x30/0x40\n[ 297.852295] nf_flow_offload_ipv6_hook+0x7f4/0x964 [nf_flow_table]\n[ 297.858466] nf_flow_rule_route_ipv6+0x438/0x4a4 [nf_flow_table]\n[ 297.864463] process_one_work+0x174/0x300\n[ 297.868465] worker_thread+0x278/0x430\n[ 297.872204] kthread+0xd8/0xdc\n[ 297.875251] ret_from_fork+0x10/0x20\n[ 297.878820] Code: 928b5ae0 8b000273 91400a60 f943fa61 (79401421)\n[ 297.884901] ---[ end trace 0000000000000000 ]---\n\nFix the issue detecting the proper wed reference to use running wed\ncallabacks."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:32:49.121Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab94ecb997fd1bbc501a0116c7aad51556b67c86"
},
{
"url": "https://git.kernel.org/stable/c/d582d0e988d696698c94edf097062bb987ae592c"
},
{
"url": "https://git.kernel.org/stable/c/385aab8fccd7a8746b9f1a17f3c1e38498a14bc7"
}
],
"title": "wifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68360",
"datePublished": "2025-12-24T10:32:49.121Z",
"dateReserved": "2025-12-16T14:48:05.305Z",
"dateUpdated": "2025-12-24T10:32:49.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68729 (GCVE-0-2025-68729)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2025-12-24 10:33
VLAI?
EPSS
Title
wifi: ath12k: Fix MSDU buffer types handling in RX error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Fix MSDU buffer types handling in RX error path
Currently, packets received on the REO exception ring from
unassociated peers are of MSDU buffer type, while the driver expects
link descriptor type packets. These packets are not parsed further due
to a return check on packet type in ath12k_hal_desc_reo_parse_err(),
but the associated skb is not freed. This may lead to kernel
crashes and buffer leaks.
Hence to fix, update the RX error handler to explicitly drop
MSDU buffer type packets received on the REO exception ring.
This prevents further processing of invalid packets and ensures
stability in the RX error handling path.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 5ff5a9d71cdc49c3400f30583a784ad0a17d01ec
(git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < ab0554f51e5f2b9506e8a09e8accd02f00056729 (git) Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 36f9edbb9d0fc36c865c74f3c1ad8e1261ad3981 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp_rx.c",
"drivers/net/wireless/ath/ath12k/hal_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ff5a9d71cdc49c3400f30583a784ad0a17d01ec",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "ab0554f51e5f2b9506e8a09e8accd02f00056729",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "36f9edbb9d0fc36c865c74f3c1ad8e1261ad3981",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp_rx.c",
"drivers/net/wireless/ath/ath12k/hal_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix MSDU buffer types handling in RX error path\n\nCurrently, packets received on the REO exception ring from\nunassociated peers are of MSDU buffer type, while the driver expects\nlink descriptor type packets. These packets are not parsed further due\nto a return check on packet type in ath12k_hal_desc_reo_parse_err(),\nbut the associated skb is not freed. This may lead to kernel\ncrashes and buffer leaks.\n\nHence to fix, update the RX error handler to explicitly drop\nMSDU buffer type packets received on the REO exception ring.\nThis prevents further processing of invalid packets and ensures\nstability in the RX error handling path.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:33:12.515Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ff5a9d71cdc49c3400f30583a784ad0a17d01ec"
},
{
"url": "https://git.kernel.org/stable/c/ab0554f51e5f2b9506e8a09e8accd02f00056729"
},
{
"url": "https://git.kernel.org/stable/c/36f9edbb9d0fc36c865c74f3c1ad8e1261ad3981"
}
],
"title": "wifi: ath12k: Fix MSDU buffer types handling in RX error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68729",
"datePublished": "2025-12-24T10:33:12.515Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2025-12-24T10:33:12.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54042 (GCVE-0-2023-54042)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
powerpc/64s: Fix VAS mm use after free
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/64s: Fix VAS mm use after free
The refcount on mm is dropped before the coprocessor is detached.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85 , < f7d92313002b2d543500cc417d8079aaed1fb0a8
(git)
Affected: 7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85 , < 4e82f92c349ea603736ade1e814861c0182a55ad (git) Affected: 7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85 , < db8657fdd53c5e3069149d7f957cb60e63027bb2 (git) Affected: 7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85 , < 421cd1544480f2458042fe7f4913a2069c4d7251 (git) Affected: 7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85 , < b4bda59b47879cce38a6ec5a01cd3cac702b5331 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/platforms/powernv/vas-window.c",
"arch/powerpc/platforms/pseries/vas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7d92313002b2d543500cc417d8079aaed1fb0a8",
"status": "affected",
"version": "7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85",
"versionType": "git"
},
{
"lessThan": "4e82f92c349ea603736ade1e814861c0182a55ad",
"status": "affected",
"version": "7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85",
"versionType": "git"
},
{
"lessThan": "db8657fdd53c5e3069149d7f957cb60e63027bb2",
"status": "affected",
"version": "7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85",
"versionType": "git"
},
{
"lessThan": "421cd1544480f2458042fe7f4913a2069c4d7251",
"status": "affected",
"version": "7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85",
"versionType": "git"
},
{
"lessThan": "b4bda59b47879cce38a6ec5a01cd3cac702b5331",
"status": "affected",
"version": "7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/platforms/powernv/vas-window.c",
"arch/powerpc/platforms/pseries/vas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s: Fix VAS mm use after free\n\nThe refcount on mm is dropped before the coprocessor is detached."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:07.565Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7d92313002b2d543500cc417d8079aaed1fb0a8"
},
{
"url": "https://git.kernel.org/stable/c/4e82f92c349ea603736ade1e814861c0182a55ad"
},
{
"url": "https://git.kernel.org/stable/c/db8657fdd53c5e3069149d7f957cb60e63027bb2"
},
{
"url": "https://git.kernel.org/stable/c/421cd1544480f2458042fe7f4913a2069c4d7251"
},
{
"url": "https://git.kernel.org/stable/c/b4bda59b47879cce38a6ec5a01cd3cac702b5331"
}
],
"title": "powerpc/64s: Fix VAS mm use after free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54042",
"datePublished": "2025-12-24T10:56:07.565Z",
"dateReserved": "2025-12-24T10:53:46.181Z",
"dateUpdated": "2025-12-24T10:56:07.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68380 (GCVE-0-2025-68380)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
wifi: ath11k: fix peer HE MCS assignment
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix peer HE MCS assignment
In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to
firmware as receive MCS while peer's receive MCS sent as transmit MCS,
which goes against firmwire's definition.
While connecting to a misbehaved AP that advertises 0xffff (meaning not
supported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff
is assigned to he_mcs->rx_mcs_set field.
Ext Tag: HE Capabilities
[...]
Supported HE-MCS and NSS Set
[...]
Rx and Tx MCS Maps 160 MHz
[...]
Tx HE-MCS Map 160 MHz: 0xffff
Swap the assignment to fix this issue.
As the HE rate control mask is meant to limit our own transmit MCS, it
needs to go via he_mcs->rx_mcs_set field. With the aforementioned swapping
done, change is needed as well to apply it to the peer's receive MCS.
Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
61fe43e7216df6e9a912d831aafc7142fa20f280 , < 92791290e4f6a1de25d35af792ab8918a70737f6
(git)
Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 4304bd7a334e981f189b9973056a58f84cc2b482 (git) Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 097c870b91817779e5a312c6539099a884b1fe2b (git) Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 381096a417b7019896e93e86f4c585c592bf98e2 (git) Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 6b1a0da75932353f66e710976ca85a7131f647ff (git) Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 4a013ca2d490c73c40588d62712ffaa432046a04 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c",
"drivers/net/wireless/ath/ath11k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92791290e4f6a1de25d35af792ab8918a70737f6",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "4304bd7a334e981f189b9973056a58f84cc2b482",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "097c870b91817779e5a312c6539099a884b1fe2b",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "381096a417b7019896e93e86f4c585c592bf98e2",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "6b1a0da75932353f66e710976ca85a7131f647ff",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "4a013ca2d490c73c40588d62712ffaa432046a04",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c",
"drivers/net/wireless/ath/ath11k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix peer HE MCS assignment\n\nIn ath11k_wmi_send_peer_assoc_cmd(), peer\u0027s transmit MCS is sent to\nfirmware as receive MCS while peer\u0027s receive MCS sent as transmit MCS,\nwhich goes against firmwire\u0027s definition.\n\nWhile connecting to a misbehaved AP that advertises 0xffff (meaning not\nsupported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff\nis assigned to he_mcs-\u003erx_mcs_set field.\n\n\tExt Tag: HE Capabilities\n\t [...]\n\t Supported HE-MCS and NSS Set\n\t\t[...]\n\t Rx and Tx MCS Maps 160 MHz\n\t\t [...]\n\t Tx HE-MCS Map 160 MHz: 0xffff\n\nSwap the assignment to fix this issue.\n\nAs the HE rate control mask is meant to limit our own transmit MCS, it\nneeds to go via he_mcs-\u003erx_mcs_set field. With the aforementioned swapping\ndone, change is needed as well to apply it to the peer\u0027s receive MCS.\n\nTested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:11.081Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92791290e4f6a1de25d35af792ab8918a70737f6"
},
{
"url": "https://git.kernel.org/stable/c/4304bd7a334e981f189b9973056a58f84cc2b482"
},
{
"url": "https://git.kernel.org/stable/c/097c870b91817779e5a312c6539099a884b1fe2b"
},
{
"url": "https://git.kernel.org/stable/c/381096a417b7019896e93e86f4c585c592bf98e2"
},
{
"url": "https://git.kernel.org/stable/c/6b1a0da75932353f66e710976ca85a7131f647ff"
},
{
"url": "https://git.kernel.org/stable/c/4a013ca2d490c73c40588d62712ffaa432046a04"
}
],
"title": "wifi: ath11k: fix peer HE MCS assignment",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68380",
"datePublished": "2025-12-24T10:33:08.266Z",
"dateReserved": "2025-12-16T14:48:05.311Z",
"dateUpdated": "2026-01-11T16:30:11.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68370 (GCVE-0-2025-68370)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32
VLAI?
EPSS
Title
coresight: tmc: add the handle of the event to the path
Summary
In the Linux kernel, the following vulnerability has been resolved:
coresight: tmc: add the handle of the event to the path
The handle is essential for retrieving the AUX_EVENT of each CPU and is
required in perf mode. It has been added to the coresight_path so that
dependent devices can access it from the path when needed.
The existing bug can be reproduced with:
perf record -e cs_etm//k -C 0-9 dd if=/dev/zero of=/dev/null
Showing an oops as follows:
Unable to handle kernel paging request at virtual address 000f6e84934ed19e
Call trace:
tmc_etr_get_buffer+0x30/0x80 [coresight_tmc] (P)
catu_enable_hw+0xbc/0x3d0 [coresight_catu]
catu_enable+0x70/0xe0 [coresight_catu]
coresight_enable_path+0xb0/0x258 [coresight]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
080ee83cc361451a7de7b5486c7f96ce454f7203 , < faa8f38f7ccb344ace2c1f364efc70e3a12d32f3
(git)
Affected: 080ee83cc361451a7de7b5486c7f96ce454f7203 , < d0c9effd82f2c19b92acd07d357fac5f392d549a (git) Affected: 080ee83cc361451a7de7b5486c7f96ce454f7203 , < aaa5abcc9d44d2c8484f779ab46d242d774cabcb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-etm-perf.c",
"drivers/hwtracing/coresight/coresight-tmc-etr.c",
"include/linux/coresight.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "faa8f38f7ccb344ace2c1f364efc70e3a12d32f3",
"status": "affected",
"version": "080ee83cc361451a7de7b5486c7f96ce454f7203",
"versionType": "git"
},
{
"lessThan": "d0c9effd82f2c19b92acd07d357fac5f392d549a",
"status": "affected",
"version": "080ee83cc361451a7de7b5486c7f96ce454f7203",
"versionType": "git"
},
{
"lessThan": "aaa5abcc9d44d2c8484f779ab46d242d774cabcb",
"status": "affected",
"version": "080ee83cc361451a7de7b5486c7f96ce454f7203",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-etm-perf.c",
"drivers/hwtracing/coresight/coresight-tmc-etr.c",
"include/linux/coresight.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: tmc: add the handle of the event to the path\n\nThe handle is essential for retrieving the AUX_EVENT of each CPU and is\nrequired in perf mode. It has been added to the coresight_path so that\ndependent devices can access it from the path when needed.\n\nThe existing bug can be reproduced with:\nperf record -e cs_etm//k -C 0-9 dd if=/dev/zero of=/dev/null\n\nShowing an oops as follows:\nUnable to handle kernel paging request at virtual address 000f6e84934ed19e\n\nCall trace:\n tmc_etr_get_buffer+0x30/0x80 [coresight_tmc] (P)\n catu_enable_hw+0xbc/0x3d0 [coresight_catu]\n catu_enable+0x70/0xe0 [coresight_catu]\n coresight_enable_path+0xb0/0x258 [coresight]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:32:56.149Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/faa8f38f7ccb344ace2c1f364efc70e3a12d32f3"
},
{
"url": "https://git.kernel.org/stable/c/d0c9effd82f2c19b92acd07d357fac5f392d549a"
},
{
"url": "https://git.kernel.org/stable/c/aaa5abcc9d44d2c8484f779ab46d242d774cabcb"
}
],
"title": "coresight: tmc: add the handle of the event to the path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68370",
"datePublished": "2025-12-24T10:32:56.149Z",
"dateReserved": "2025-12-16T14:48:05.309Z",
"dateUpdated": "2025-12-24T10:32:56.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54013 (GCVE-0-2023-54013)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
interconnect: Fix locking for runpm vs reclaim
Summary
In the Linux kernel, the following vulnerability has been resolved:
interconnect: Fix locking for runpm vs reclaim
For cases where icc_bw_set() can be called in callbaths that could
deadlock against shrinker/reclaim, such as runpm resume, we need to
decouple the icc locking. Introduce a new icc_bw_lock for cases where
we need to serialize bw aggregation and update to decouple that from
paths that require memory allocation such as node/link creation/
destruction.
Fixes this lockdep splat:
======================================================
WARNING: possible circular locking dependency detected
6.2.0-rc8-debug+ #554 Not tainted
------------------------------------------------------
ring0/132 is trying to acquire lock:
ffffff80871916d0 (&gmu->lock){+.+.}-{3:3}, at: a6xx_pm_resume+0xf0/0x234
but task is already holding lock:
ffffffdb5aee57e8 (dma_fence_map){++++}-{0:0}, at: msm_job_run+0x68/0x150
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #4 (dma_fence_map){++++}-{0:0}:
__dma_fence_might_wait+0x74/0xc0
dma_resv_lockdep+0x1f4/0x2f4
do_one_initcall+0x104/0x2bc
kernel_init_freeable+0x344/0x34c
kernel_init+0x30/0x134
ret_from_fork+0x10/0x20
-> #3 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}:
fs_reclaim_acquire+0x80/0xa8
slab_pre_alloc_hook.constprop.0+0x40/0x25c
__kmem_cache_alloc_node+0x60/0x1cc
__kmalloc+0xd8/0x100
topology_parse_cpu_capacity+0x8c/0x178
get_cpu_for_node+0x88/0xc4
parse_cluster+0x1b0/0x28c
parse_cluster+0x8c/0x28c
init_cpu_topology+0x168/0x188
smp_prepare_cpus+0x24/0xf8
kernel_init_freeable+0x18c/0x34c
kernel_init+0x30/0x134
ret_from_fork+0x10/0x20
-> #2 (fs_reclaim){+.+.}-{0:0}:
__fs_reclaim_acquire+0x3c/0x48
fs_reclaim_acquire+0x54/0xa8
slab_pre_alloc_hook.constprop.0+0x40/0x25c
__kmem_cache_alloc_node+0x60/0x1cc
__kmalloc+0xd8/0x100
kzalloc.constprop.0+0x14/0x20
icc_node_create_nolock+0x4c/0xc4
icc_node_create+0x38/0x58
qcom_icc_rpmh_probe+0x1b8/0x248
platform_probe+0x70/0xc4
really_probe+0x158/0x290
__driver_probe_device+0xc8/0xe0
driver_probe_device+0x44/0x100
__driver_attach+0xf8/0x108
bus_for_each_dev+0x78/0xc4
driver_attach+0x2c/0x38
bus_add_driver+0xd0/0x1d8
driver_register+0xbc/0xf8
__platform_driver_register+0x30/0x3c
qnoc_driver_init+0x24/0x30
do_one_initcall+0x104/0x2bc
kernel_init_freeable+0x344/0x34c
kernel_init+0x30/0x134
ret_from_fork+0x10/0x20
-> #1 (icc_lock){+.+.}-{3:3}:
__mutex_lock+0xcc/0x3c8
mutex_lock_nested+0x30/0x44
icc_set_bw+0x88/0x2b4
_set_opp_bw+0x8c/0xd8
_set_opp+0x19c/0x300
dev_pm_opp_set_opp+0x84/0x94
a6xx_gmu_resume+0x18c/0x804
a6xx_pm_resume+0xf8/0x234
adreno_runtime_resume+0x2c/0x38
pm_generic_runtime_resume+0x30/0x44
__rpm_callback+0x15c/0x174
rpm_callback+0x78/0x7c
rpm_resume+0x318/0x524
__pm_runtime_resume+0x78/0xbc
adreno_load_gpu+0xc4/0x17c
msm_open+0x50/0x120
drm_file_alloc+0x17c/0x228
drm_open_helper+0x74/0x118
drm_open+0xa0/0x144
drm_stub_open+0xd4/0xe4
chrdev_open+0x1b8/0x1e4
do_dentry_open+0x2f8/0x38c
vfs_open+0x34/0x40
path_openat+0x64c/0x7b4
do_filp_open+0x54/0xc4
do_sys_openat2+0x9c/0x100
do_sys_open+0x50/0x7c
__arm64_sys_openat+0x28/0x34
invoke_syscall+0x8c/0x128
el0_svc_common.constprop.0+0xa0/0x11c
do_el0_
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/interconnect/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f3a124696d43de3c837f87a9f767c56ee86cf2a",
"status": "affected",
"version": "11f1ceca7031deefc1a34236ab7b94360016b71d",
"versionType": "git"
},
{
"lessThan": "af42269c3523492d71ebbe11fefae2653e9cdc78",
"status": "affected",
"version": "11f1ceca7031deefc1a34236ab7b94360016b71d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/interconnect/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: Fix locking for runpm vs reclaim\n\nFor cases where icc_bw_set() can be called in callbaths that could\ndeadlock against shrinker/reclaim, such as runpm resume, we need to\ndecouple the icc locking. Introduce a new icc_bw_lock for cases where\nwe need to serialize bw aggregation and update to decouple that from\npaths that require memory allocation such as node/link creation/\ndestruction.\n\nFixes this lockdep splat:\n\n ======================================================\n WARNING: possible circular locking dependency detected\n 6.2.0-rc8-debug+ #554 Not tainted\n ------------------------------------------------------\n ring0/132 is trying to acquire lock:\n ffffff80871916d0 (\u0026gmu-\u003elock){+.+.}-{3:3}, at: a6xx_pm_resume+0xf0/0x234\n\n but task is already holding lock:\n ffffffdb5aee57e8 (dma_fence_map){++++}-{0:0}, at: msm_job_run+0x68/0x150\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -\u003e #4 (dma_fence_map){++++}-{0:0}:\n __dma_fence_might_wait+0x74/0xc0\n dma_resv_lockdep+0x1f4/0x2f4\n do_one_initcall+0x104/0x2bc\n kernel_init_freeable+0x344/0x34c\n kernel_init+0x30/0x134\n ret_from_fork+0x10/0x20\n\n -\u003e #3 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}:\n fs_reclaim_acquire+0x80/0xa8\n slab_pre_alloc_hook.constprop.0+0x40/0x25c\n __kmem_cache_alloc_node+0x60/0x1cc\n __kmalloc+0xd8/0x100\n topology_parse_cpu_capacity+0x8c/0x178\n get_cpu_for_node+0x88/0xc4\n parse_cluster+0x1b0/0x28c\n parse_cluster+0x8c/0x28c\n init_cpu_topology+0x168/0x188\n smp_prepare_cpus+0x24/0xf8\n kernel_init_freeable+0x18c/0x34c\n kernel_init+0x30/0x134\n ret_from_fork+0x10/0x20\n\n -\u003e #2 (fs_reclaim){+.+.}-{0:0}:\n __fs_reclaim_acquire+0x3c/0x48\n fs_reclaim_acquire+0x54/0xa8\n slab_pre_alloc_hook.constprop.0+0x40/0x25c\n __kmem_cache_alloc_node+0x60/0x1cc\n __kmalloc+0xd8/0x100\n kzalloc.constprop.0+0x14/0x20\n icc_node_create_nolock+0x4c/0xc4\n icc_node_create+0x38/0x58\n qcom_icc_rpmh_probe+0x1b8/0x248\n platform_probe+0x70/0xc4\n really_probe+0x158/0x290\n __driver_probe_device+0xc8/0xe0\n driver_probe_device+0x44/0x100\n __driver_attach+0xf8/0x108\n bus_for_each_dev+0x78/0xc4\n driver_attach+0x2c/0x38\n bus_add_driver+0xd0/0x1d8\n driver_register+0xbc/0xf8\n __platform_driver_register+0x30/0x3c\n qnoc_driver_init+0x24/0x30\n do_one_initcall+0x104/0x2bc\n kernel_init_freeable+0x344/0x34c\n kernel_init+0x30/0x134\n ret_from_fork+0x10/0x20\n\n -\u003e #1 (icc_lock){+.+.}-{3:3}:\n __mutex_lock+0xcc/0x3c8\n mutex_lock_nested+0x30/0x44\n icc_set_bw+0x88/0x2b4\n _set_opp_bw+0x8c/0xd8\n _set_opp+0x19c/0x300\n dev_pm_opp_set_opp+0x84/0x94\n a6xx_gmu_resume+0x18c/0x804\n a6xx_pm_resume+0xf8/0x234\n adreno_runtime_resume+0x2c/0x38\n pm_generic_runtime_resume+0x30/0x44\n __rpm_callback+0x15c/0x174\n rpm_callback+0x78/0x7c\n rpm_resume+0x318/0x524\n __pm_runtime_resume+0x78/0xbc\n adreno_load_gpu+0xc4/0x17c\n msm_open+0x50/0x120\n drm_file_alloc+0x17c/0x228\n drm_open_helper+0x74/0x118\n drm_open+0xa0/0x144\n drm_stub_open+0xd4/0xe4\n chrdev_open+0x1b8/0x1e4\n do_dentry_open+0x2f8/0x38c\n vfs_open+0x34/0x40\n path_openat+0x64c/0x7b4\n do_filp_open+0x54/0xc4\n do_sys_openat2+0x9c/0x100\n do_sys_open+0x50/0x7c\n __arm64_sys_openat+0x28/0x34\n invoke_syscall+0x8c/0x128\n el0_svc_common.constprop.0+0xa0/0x11c\n do_el0_\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:26.197Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f3a124696d43de3c837f87a9f767c56ee86cf2a"
},
{
"url": "https://git.kernel.org/stable/c/af42269c3523492d71ebbe11fefae2653e9cdc78"
}
],
"title": "interconnect: Fix locking for runpm vs reclaim",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54013",
"datePublished": "2025-12-24T10:55:45.518Z",
"dateReserved": "2025-12-24T10:53:46.178Z",
"dateUpdated": "2026-01-05T10:33:26.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53988 (GCVE-0-2023-53988)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
fs/ntfs3: Fix slab-out-of-bounds read in hdr_delete_de()
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Fix slab-out-of-bounds read in hdr_delete_de()
Here is a BUG report from syzbot:
BUG: KASAN: slab-out-of-bounds in hdr_delete_de+0xe0/0x150 fs/ntfs3/index.c:806
Read of size 16842960 at addr ffff888079cc0600 by task syz-executor934/3631
Call Trace:
memmove+0x25/0x60 mm/kasan/shadow.c:54
hdr_delete_de+0xe0/0x150 fs/ntfs3/index.c:806
indx_delete_entry+0x74f/0x3670 fs/ntfs3/index.c:2193
ni_remove_name+0x27a/0x980 fs/ntfs3/frecord.c:2910
ntfs_unlink_inode+0x3d4/0x720 fs/ntfs3/inode.c:1712
ntfs_rename+0x41a/0xcb0 fs/ntfs3/namei.c:276
Before using the meta-data in struct INDEX_HDR, we need to
check index header valid or not. Otherwise, the corruptedi
(or malicious) fs image can cause out-of-bounds access which
could make kernel panic.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
82cae269cfa953032fbb8980a7d554d60fb00b17 , < c58ea97aa94f033ee64a8cb6587d84a9849b6216
(git)
Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 9163a5b4ed290da4a7d23fa92533e0e81fd0166e (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 114204d25e1dffdd3a0c1cfbba219afd344f4b4f (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 4a034ece7e2877673d9085d6e7ed45e6ee40b761 (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < ab84eee4c7ab929996602eda7832854c35a6dda2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/fslog.c",
"fs/ntfs3/index.c",
"fs/ntfs3/ntfs_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c58ea97aa94f033ee64a8cb6587d84a9849b6216",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "9163a5b4ed290da4a7d23fa92533e0e81fd0166e",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "114204d25e1dffdd3a0c1cfbba219afd344f4b4f",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "4a034ece7e2877673d9085d6e7ed45e6ee40b761",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "ab84eee4c7ab929996602eda7832854c35a6dda2",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/fslog.c",
"fs/ntfs3/index.c",
"fs/ntfs3/ntfs_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix slab-out-of-bounds read in hdr_delete_de()\n\nHere is a BUG report from syzbot:\n\nBUG: KASAN: slab-out-of-bounds in hdr_delete_de+0xe0/0x150 fs/ntfs3/index.c:806\nRead of size 16842960 at addr ffff888079cc0600 by task syz-executor934/3631\n\nCall Trace:\n memmove+0x25/0x60 mm/kasan/shadow.c:54\n hdr_delete_de+0xe0/0x150 fs/ntfs3/index.c:806\n indx_delete_entry+0x74f/0x3670 fs/ntfs3/index.c:2193\n ni_remove_name+0x27a/0x980 fs/ntfs3/frecord.c:2910\n ntfs_unlink_inode+0x3d4/0x720 fs/ntfs3/inode.c:1712\n ntfs_rename+0x41a/0xcb0 fs/ntfs3/namei.c:276\n\nBefore using the meta-data in struct INDEX_HDR, we need to\ncheck index header valid or not. Otherwise, the corruptedi\n(or malicious) fs image can cause out-of-bounds access which\ncould make kernel panic."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:27.762Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c58ea97aa94f033ee64a8cb6587d84a9849b6216"
},
{
"url": "https://git.kernel.org/stable/c/9163a5b4ed290da4a7d23fa92533e0e81fd0166e"
},
{
"url": "https://git.kernel.org/stable/c/114204d25e1dffdd3a0c1cfbba219afd344f4b4f"
},
{
"url": "https://git.kernel.org/stable/c/4a034ece7e2877673d9085d6e7ed45e6ee40b761"
},
{
"url": "https://git.kernel.org/stable/c/ab84eee4c7ab929996602eda7832854c35a6dda2"
}
],
"title": "fs/ntfs3: Fix slab-out-of-bounds read in hdr_delete_de()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53988",
"datePublished": "2025-12-24T10:55:27.762Z",
"dateReserved": "2025-12-24T10:53:46.175Z",
"dateUpdated": "2025-12-24T10:55:27.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54004 (GCVE-0-2023-54004)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().
Summary
In the Linux kernel, the following vulnerability has been resolved:
udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().
syzbot reported [0] a null-ptr-deref in sk_get_rmem0() while using
IPPROTO_UDPLITE (0x88):
14:25:52 executing program 1:
r0 = socket$inet6(0xa, 0x80002, 0x88)
We had a similar report [1] for probably sk_memory_allocated_add()
in __sk_mem_raise_allocated(), and commit c915fe13cbaa ("udplite: fix
NULL pointer dereference") fixed it by setting .memory_allocated for
udplite_prot and udplitev6_prot.
To fix the variant, we need to set either .sysctl_wmem_offset or
.sysctl_rmem.
Now UDP and UDPLITE share the same value for .memory_allocated, so we
use the same .sysctl_wmem_offset for UDP and UDPLITE.
[0]:
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 6829 Comm: syz-executor.1 Not tainted 6.4.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
RIP: 0010:sk_get_rmem0 include/net/sock.h:2907 [inline]
RIP: 0010:__sk_mem_raise_allocated+0x806/0x17a0 net/core/sock.c:3006
Code: c1 ea 03 80 3c 02 00 0f 85 23 0f 00 00 48 8b 44 24 08 48 8b 98 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 0f 8d 6f 0a 00 00 8b
RSP: 0018:ffffc90005d7f450 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004d92000
RDX: 0000000000000000 RSI: ffffffff88066482 RDI: ffffffff8e2ccbb8
RBP: ffff8880173f7000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000030000
R13: 0000000000000001 R14: 0000000000000340 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9800000(0063) knlGS:00000000f7f1cb40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000000002e82f000 CR3: 0000000034ff0000 CR4: 00000000003506f0
Call Trace:
<TASK>
__sk_mem_schedule+0x6c/0xe0 net/core/sock.c:3077
udp_rmem_schedule net/ipv4/udp.c:1539 [inline]
__udp_enqueue_schedule_skb+0x776/0xb30 net/ipv4/udp.c:1581
__udpv6_queue_rcv_skb net/ipv6/udp.c:666 [inline]
udpv6_queue_rcv_one_skb+0xc39/0x16c0 net/ipv6/udp.c:775
udpv6_queue_rcv_skb+0x194/0xa10 net/ipv6/udp.c:793
__udp6_lib_mcast_deliver net/ipv6/udp.c:906 [inline]
__udp6_lib_rcv+0x1bda/0x2bd0 net/ipv6/udp.c:1013
ip6_protocol_deliver_rcu+0x2e7/0x1250 net/ipv6/ip6_input.c:437
ip6_input_finish+0x150/0x2f0 net/ipv6/ip6_input.c:482
NF_HOOK include/linux/netfilter.h:303 [inline]
NF_HOOK include/linux/netfilter.h:297 [inline]
ip6_input+0xa0/0xd0 net/ipv6/ip6_input.c:491
ip6_mc_input+0x40b/0xf50 net/ipv6/ip6_input.c:585
dst_input include/net/dst.h:468 [inline]
ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
NF_HOOK include/linux/netfilter.h:303 [inline]
NF_HOOK include/linux/netfilter.h:297 [inline]
ipv6_rcv+0x250/0x380 net/ipv6/ip6_input.c:309
__netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5491
__netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5605
netif_receive_skb_internal net/core/dev.c:5691 [inline]
netif_receive_skb+0x133/0x7a0 net/core/dev.c:5750
tun_rx_batched+0x4b3/0x7a0 drivers/net/tun.c:1553
tun_get_user+0x2452/0x39c0 drivers/net/tun.c:1989
tun_chr_write_iter+0xdf/0x200 drivers/net/tun.c:2035
call_write_iter include/linux/fs.h:1868 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x945/0xd50 fs/read_write.c:584
ksys_write+0x12b/0x250 fs/read_write.c:637
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
entry_SYSENTER_compat_after_hwframe+0x70/0x82
RIP: 0023:0xf7f21579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
850cbaddb52dfd4e0c7cabe2c168dd34b44ae0b9 , < cc56de054d828935aa37734b479f82fa34b5f9bd
(git)
Affected: 850cbaddb52dfd4e0c7cabe2c168dd34b44ae0b9 , < 7e3ae83371a4809da6fa3f10ccc430eecef3034a (git) Affected: 850cbaddb52dfd4e0c7cabe2c168dd34b44ae0b9 , < 5014b64e369bdf997935b132a1ac4d64b6e47ad4 (git) Affected: 850cbaddb52dfd4e0c7cabe2c168dd34b44ae0b9 , < 387bd0a3af3bdd2b16f8dbef0c9fcccac63000a4 (git) Affected: 850cbaddb52dfd4e0c7cabe2c168dd34b44ae0b9 , < 2a112f04629f7839e7cb509b27b8d3b735afe255 (git) Affected: 850cbaddb52dfd4e0c7cabe2c168dd34b44ae0b9 , < f04c8eaf45e7dcdfccba936506b1ec592a369fb9 (git) Affected: 850cbaddb52dfd4e0c7cabe2c168dd34b44ae0b9 , < ad42a35bdfc6d3c0fc4cb4027d7b2757ce665665 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/udplite.c",
"net/ipv6/udplite.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cc56de054d828935aa37734b479f82fa34b5f9bd",
"status": "affected",
"version": "850cbaddb52dfd4e0c7cabe2c168dd34b44ae0b9",
"versionType": "git"
},
{
"lessThan": "7e3ae83371a4809da6fa3f10ccc430eecef3034a",
"status": "affected",
"version": "850cbaddb52dfd4e0c7cabe2c168dd34b44ae0b9",
"versionType": "git"
},
{
"lessThan": "5014b64e369bdf997935b132a1ac4d64b6e47ad4",
"status": "affected",
"version": "850cbaddb52dfd4e0c7cabe2c168dd34b44ae0b9",
"versionType": "git"
},
{
"lessThan": "387bd0a3af3bdd2b16f8dbef0c9fcccac63000a4",
"status": "affected",
"version": "850cbaddb52dfd4e0c7cabe2c168dd34b44ae0b9",
"versionType": "git"
},
{
"lessThan": "2a112f04629f7839e7cb509b27b8d3b735afe255",
"status": "affected",
"version": "850cbaddb52dfd4e0c7cabe2c168dd34b44ae0b9",
"versionType": "git"
},
{
"lessThan": "f04c8eaf45e7dcdfccba936506b1ec592a369fb9",
"status": "affected",
"version": "850cbaddb52dfd4e0c7cabe2c168dd34b44ae0b9",
"versionType": "git"
},
{
"lessThan": "ad42a35bdfc6d3c0fc4cb4027d7b2757ce665665",
"status": "affected",
"version": "850cbaddb52dfd4e0c7cabe2c168dd34b44ae0b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/udplite.c",
"net/ipv6/udplite.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().\n\nsyzbot reported [0] a null-ptr-deref in sk_get_rmem0() while using\nIPPROTO_UDPLITE (0x88):\n\n 14:25:52 executing program 1:\n r0 = socket$inet6(0xa, 0x80002, 0x88)\n\nWe had a similar report [1] for probably sk_memory_allocated_add()\nin __sk_mem_raise_allocated(), and commit c915fe13cbaa (\"udplite: fix\nNULL pointer dereference\") fixed it by setting .memory_allocated for\nudplite_prot and udplitev6_prot.\n\nTo fix the variant, we need to set either .sysctl_wmem_offset or\n.sysctl_rmem.\n\nNow UDP and UDPLITE share the same value for .memory_allocated, so we\nuse the same .sysctl_wmem_offset for UDP and UDPLITE.\n\n[0]:\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 6829 Comm: syz-executor.1 Not tainted 6.4.0-rc2-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023\nRIP: 0010:sk_get_rmem0 include/net/sock.h:2907 [inline]\nRIP: 0010:__sk_mem_raise_allocated+0x806/0x17a0 net/core/sock.c:3006\nCode: c1 ea 03 80 3c 02 00 0f 85 23 0f 00 00 48 8b 44 24 08 48 8b 98 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 \u003c0f\u003e b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 0f 8d 6f 0a 00 00 8b\nRSP: 0018:ffffc90005d7f450 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004d92000\nRDX: 0000000000000000 RSI: ffffffff88066482 RDI: ffffffff8e2ccbb8\nRBP: ffff8880173f7000 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000030000\nR13: 0000000000000001 R14: 0000000000000340 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880b9800000(0063) knlGS:00000000f7f1cb40\nCS: 0010 DS: 002b ES: 002b CR0: 0000000080050033\nCR2: 000000002e82f000 CR3: 0000000034ff0000 CR4: 00000000003506f0\nCall Trace:\n \u003cTASK\u003e\n __sk_mem_schedule+0x6c/0xe0 net/core/sock.c:3077\n udp_rmem_schedule net/ipv4/udp.c:1539 [inline]\n __udp_enqueue_schedule_skb+0x776/0xb30 net/ipv4/udp.c:1581\n __udpv6_queue_rcv_skb net/ipv6/udp.c:666 [inline]\n udpv6_queue_rcv_one_skb+0xc39/0x16c0 net/ipv6/udp.c:775\n udpv6_queue_rcv_skb+0x194/0xa10 net/ipv6/udp.c:793\n __udp6_lib_mcast_deliver net/ipv6/udp.c:906 [inline]\n __udp6_lib_rcv+0x1bda/0x2bd0 net/ipv6/udp.c:1013\n ip6_protocol_deliver_rcu+0x2e7/0x1250 net/ipv6/ip6_input.c:437\n ip6_input_finish+0x150/0x2f0 net/ipv6/ip6_input.c:482\n NF_HOOK include/linux/netfilter.h:303 [inline]\n NF_HOOK include/linux/netfilter.h:297 [inline]\n ip6_input+0xa0/0xd0 net/ipv6/ip6_input.c:491\n ip6_mc_input+0x40b/0xf50 net/ipv6/ip6_input.c:585\n dst_input include/net/dst.h:468 [inline]\n ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]\n NF_HOOK include/linux/netfilter.h:303 [inline]\n NF_HOOK include/linux/netfilter.h:297 [inline]\n ipv6_rcv+0x250/0x380 net/ipv6/ip6_input.c:309\n __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5491\n __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5605\n netif_receive_skb_internal net/core/dev.c:5691 [inline]\n netif_receive_skb+0x133/0x7a0 net/core/dev.c:5750\n tun_rx_batched+0x4b3/0x7a0 drivers/net/tun.c:1553\n tun_get_user+0x2452/0x39c0 drivers/net/tun.c:1989\n tun_chr_write_iter+0xdf/0x200 drivers/net/tun.c:2035\n call_write_iter include/linux/fs.h:1868 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x945/0xd50 fs/read_write.c:584\n ksys_write+0x12b/0x250 fs/read_write.c:637\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\nRIP: 0023:0xf7f21579\nCode: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 \u003c5d\u003e 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:39.149Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cc56de054d828935aa37734b479f82fa34b5f9bd"
},
{
"url": "https://git.kernel.org/stable/c/7e3ae83371a4809da6fa3f10ccc430eecef3034a"
},
{
"url": "https://git.kernel.org/stable/c/5014b64e369bdf997935b132a1ac4d64b6e47ad4"
},
{
"url": "https://git.kernel.org/stable/c/387bd0a3af3bdd2b16f8dbef0c9fcccac63000a4"
},
{
"url": "https://git.kernel.org/stable/c/2a112f04629f7839e7cb509b27b8d3b735afe255"
},
{
"url": "https://git.kernel.org/stable/c/f04c8eaf45e7dcdfccba936506b1ec592a369fb9"
},
{
"url": "https://git.kernel.org/stable/c/ad42a35bdfc6d3c0fc4cb4027d7b2757ce665665"
}
],
"title": "udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54004",
"datePublished": "2025-12-24T10:55:39.149Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2025-12-24T10:55:39.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68726 (GCVE-0-2025-68726)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2025-12-24 10:33
VLAI?
EPSS
Title
crypto: aead - Fix reqsize handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: aead - Fix reqsize handling
Commit afddce13ce81d ("crypto: api - Add reqsize to crypto_alg")
introduced cra_reqsize field in crypto_alg struct to replace type
specific reqsize fields. It looks like this was introduced specifically
for ahash and acomp from the commit description as subsequent commits
add necessary changes in these alg frameworks.
However, this is being recommended for use in all crypto algs
instead of setting reqsize using crypto_*_set_reqsize(). Using
cra_reqsize in aead algorithms, hence, causes memory corruptions and
crashes as the underlying functions in the algorithm framework have not
been updated to set the reqsize properly from cra_reqsize. [1]
Add proper set_reqsize calls in the aead init function to properly
initialize reqsize for these algorithms in the framework.
[1]: https://gist.github.com/Pratham-T/24247446f1faf4b7843e4014d5089f6b
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
afddce13ce81d52a13898fa0700917835c71acd6 , < 64377e66e187164bd6737112d07257f5f0feb681
(git)
Affected: afddce13ce81d52a13898fa0700917835c71acd6 , < 12b413f5460c393d1151a37f591140693eca0f84 (git) Affected: afddce13ce81d52a13898fa0700917835c71acd6 , < 9b04d8f00569573796dd05397f5779135593eb24 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/aead.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64377e66e187164bd6737112d07257f5f0feb681",
"status": "affected",
"version": "afddce13ce81d52a13898fa0700917835c71acd6",
"versionType": "git"
},
{
"lessThan": "12b413f5460c393d1151a37f591140693eca0f84",
"status": "affected",
"version": "afddce13ce81d52a13898fa0700917835c71acd6",
"versionType": "git"
},
{
"lessThan": "9b04d8f00569573796dd05397f5779135593eb24",
"status": "affected",
"version": "afddce13ce81d52a13898fa0700917835c71acd6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/aead.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: aead - Fix reqsize handling\n\nCommit afddce13ce81d (\"crypto: api - Add reqsize to crypto_alg\")\nintroduced cra_reqsize field in crypto_alg struct to replace type\nspecific reqsize fields. It looks like this was introduced specifically\nfor ahash and acomp from the commit description as subsequent commits\nadd necessary changes in these alg frameworks.\n\nHowever, this is being recommended for use in all crypto algs\ninstead of setting reqsize using crypto_*_set_reqsize(). Using\ncra_reqsize in aead algorithms, hence, causes memory corruptions and\ncrashes as the underlying functions in the algorithm framework have not\nbeen updated to set the reqsize properly from cra_reqsize. [1]\n\nAdd proper set_reqsize calls in the aead init function to properly\ninitialize reqsize for these algorithms in the framework.\n\n[1]: https://gist.github.com/Pratham-T/24247446f1faf4b7843e4014d5089f6b"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:33:10.364Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64377e66e187164bd6737112d07257f5f0feb681"
},
{
"url": "https://git.kernel.org/stable/c/12b413f5460c393d1151a37f591140693eca0f84"
},
{
"url": "https://git.kernel.org/stable/c/9b04d8f00569573796dd05397f5779135593eb24"
}
],
"title": "crypto: aead - Fix reqsize handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68726",
"datePublished": "2025-12-24T10:33:10.364Z",
"dateReserved": "2025-12-24T10:30:51.027Z",
"dateUpdated": "2025-12-24T10:33:10.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50700 (GCVE-0-2022-50700)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-02 15:03
VLAI?
EPSS
Title
wifi: ath10k: Delay the unmapping of the buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath10k: Delay the unmapping of the buffer
On WCN3990, we are seeing a rare scenario where copy engine hardware is
sending a copy complete interrupt to the host driver while still
processing the buffer that the driver has sent, this is leading into an
SMMU fault triggering kernel panic. This is happening on copy engine
channel 3 (CE3) where the driver normally enqueues WMI commands to the
firmware. Upon receiving a copy complete interrupt, host driver will
immediately unmap and frees the buffer presuming that hardware has
processed the buffer. In the issue case, upon receiving copy complete
interrupt, host driver will unmap and free the buffer but since hardware
is still accessing the buffer (which in this case got unmapped in
parallel), SMMU hardware will trigger an SMMU fault resulting in a
kernel panic.
In order to avoid this, as a work around, add a delay before unmapping
the copy engine source DMA buffer. This is conditionally done for
WCN3990 and only for the CE3 channel where issue is seen.
Below is the crash signature:
wifi smmu error: kernel: [ 10.120965] arm-smmu 15000000.iommu: Unhandled
context fault: fsr=0x402, iova=0x7fdfd8ac0,
fsynr=0x500003,cbfrsynra=0xc1, cb=6 arm-smmu 15000000.iommu: Unhandled
context fault:fsr=0x402, iova=0x7fe06fdc0, fsynr=0x710003,
cbfrsynra=0xc1, cb=6 qcom-q6v5-mss 4080000.remoteproc: fatal error
received: err_qdi.c:1040:EF:wlan_process:0x1:WLAN RT:0x2091:
cmnos_thread.c:3998:Asserted in copy_engine.c:AXI_ERROR_DETECTED:2149
remoteproc remoteproc0: crash detected in
4080000.remoteproc: type fatal error <3> remoteproc remoteproc0:
handling crash #1 in 4080000.remoteproc
pc : __arm_lpae_unmap+0x500/0x514
lr : __arm_lpae_unmap+0x4bc/0x514
sp : ffffffc011ffb530
x29: ffffffc011ffb590 x28: 0000000000000000
x27: 0000000000000000 x26: 0000000000000004
x25: 0000000000000003 x24: ffffffc011ffb890
x23: ffffffa762ef9be0 x22: ffffffa77244ef00
x21: 0000000000000009 x20: 00000007fff7c000
x19: 0000000000000003 x18: 0000000000000000
x17: 0000000000000004 x16: ffffffd7a357d9f0
x15: 0000000000000000 x14: 00fd5d4fa7ffffff
x13: 000000000000000e x12: 0000000000000000
x11: 00000000ffffffff x10: 00000000fffffe00
x9 : 000000000000017c x8 : 000000000000000c
x7 : 0000000000000000 x6 : ffffffa762ef9000
x5 : 0000000000000003 x4 : 0000000000000004
x3 : 0000000000001000 x2 : 00000007fff7c000
x1 : ffffffc011ffb890 x0 : 0000000000000000 Call trace:
__arm_lpae_unmap+0x500/0x514
__arm_lpae_unmap+0x4bc/0x514
__arm_lpae_unmap+0x4bc/0x514
arm_lpae_unmap_pages+0x78/0xa4
arm_smmu_unmap_pages+0x78/0x104
__iommu_unmap+0xc8/0x1e4
iommu_unmap_fast+0x38/0x48
__iommu_dma_unmap+0x84/0x104
iommu_dma_free+0x34/0x50
dma_free_attrs+0xa4/0xd0
ath10k_htt_rx_free+0xc4/0xf4 [ath10k_core] ath10k_core_stop+0x64/0x7c
[ath10k_core]
ath10k_halt+0x11c/0x180 [ath10k_core]
ath10k_stop+0x54/0x94 [ath10k_core]
drv_stop+0x48/0x1c8 [mac80211]
ieee80211_do_open+0x638/0x77c [mac80211] ieee80211_open+0x48/0x5c
[mac80211]
__dev_open+0xb4/0x174
__dev_change_flags+0xc4/0x1dc
dev_change_flags+0x3c/0x7c
devinet_ioctl+0x2b4/0x580
inet_ioctl+0xb0/0x1b4
sock_do_ioctl+0x4c/0x16c
compat_ifreq_ioctl+0x1cc/0x35c
compat_sock_ioctl+0x110/0x2ac
__arm64_compat_sys_ioctl+0xf4/0x3e0
el0_svc_common+0xb4/0x17c
el0_svc_compat_handler+0x2c/0x58
el0_svc_compat+0x8/0x2c
Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d390509bdf501c9c8c6e61248e4bc9314c86d854 , < c4bedc3cda09d896c92adcdb6b62aa93b0c47a8a
(git)
Affected: d390509bdf501c9c8c6e61248e4bc9314c86d854 , < 79a124b588aadb5a22695542778de14366ff3219 (git) Affected: d390509bdf501c9c8c6e61248e4bc9314c86d854 , < acd4324e5f1f11351630234297f95076f0ac9a2f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/core.c",
"drivers/net/wireless/ath/ath10k/htc.c",
"drivers/net/wireless/ath/ath10k/hw.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c4bedc3cda09d896c92adcdb6b62aa93b0c47a8a",
"status": "affected",
"version": "d390509bdf501c9c8c6e61248e4bc9314c86d854",
"versionType": "git"
},
{
"lessThan": "79a124b588aadb5a22695542778de14366ff3219",
"status": "affected",
"version": "d390509bdf501c9c8c6e61248e4bc9314c86d854",
"versionType": "git"
},
{
"lessThan": "acd4324e5f1f11351630234297f95076f0ac9a2f",
"status": "affected",
"version": "d390509bdf501c9c8c6e61248e4bc9314c86d854",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/core.c",
"drivers/net/wireless/ath/ath10k/htc.c",
"drivers/net/wireless/ath/ath10k/hw.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: Delay the unmapping of the buffer\n\nOn WCN3990, we are seeing a rare scenario where copy engine hardware is\nsending a copy complete interrupt to the host driver while still\nprocessing the buffer that the driver has sent, this is leading into an\nSMMU fault triggering kernel panic. This is happening on copy engine\nchannel 3 (CE3) where the driver normally enqueues WMI commands to the\nfirmware. Upon receiving a copy complete interrupt, host driver will\nimmediately unmap and frees the buffer presuming that hardware has\nprocessed the buffer. In the issue case, upon receiving copy complete\ninterrupt, host driver will unmap and free the buffer but since hardware\nis still accessing the buffer (which in this case got unmapped in\nparallel), SMMU hardware will trigger an SMMU fault resulting in a\nkernel panic.\n\nIn order to avoid this, as a work around, add a delay before unmapping\nthe copy engine source DMA buffer. This is conditionally done for\nWCN3990 and only for the CE3 channel where issue is seen.\n\nBelow is the crash signature:\n\nwifi smmu error: kernel: [ 10.120965] arm-smmu 15000000.iommu: Unhandled\ncontext fault: fsr=0x402, iova=0x7fdfd8ac0,\nfsynr=0x500003,cbfrsynra=0xc1, cb=6 arm-smmu 15000000.iommu: Unhandled\ncontext fault:fsr=0x402, iova=0x7fe06fdc0, fsynr=0x710003,\ncbfrsynra=0xc1, cb=6 qcom-q6v5-mss 4080000.remoteproc: fatal error\nreceived: err_qdi.c:1040:EF:wlan_process:0x1:WLAN RT:0x2091:\ncmnos_thread.c:3998:Asserted in copy_engine.c:AXI_ERROR_DETECTED:2149\nremoteproc remoteproc0: crash detected in\n4080000.remoteproc: type fatal error \u003c3\u003e remoteproc remoteproc0:\nhandling crash #1 in 4080000.remoteproc\n\npc : __arm_lpae_unmap+0x500/0x514\nlr : __arm_lpae_unmap+0x4bc/0x514\nsp : ffffffc011ffb530\nx29: ffffffc011ffb590 x28: 0000000000000000\nx27: 0000000000000000 x26: 0000000000000004\nx25: 0000000000000003 x24: ffffffc011ffb890\nx23: ffffffa762ef9be0 x22: ffffffa77244ef00\nx21: 0000000000000009 x20: 00000007fff7c000\nx19: 0000000000000003 x18: 0000000000000000\nx17: 0000000000000004 x16: ffffffd7a357d9f0\nx15: 0000000000000000 x14: 00fd5d4fa7ffffff\nx13: 000000000000000e x12: 0000000000000000\nx11: 00000000ffffffff x10: 00000000fffffe00\nx9 : 000000000000017c x8 : 000000000000000c\nx7 : 0000000000000000 x6 : ffffffa762ef9000\nx5 : 0000000000000003 x4 : 0000000000000004\nx3 : 0000000000001000 x2 : 00000007fff7c000\nx1 : ffffffc011ffb890 x0 : 0000000000000000 Call trace:\n__arm_lpae_unmap+0x500/0x514\n__arm_lpae_unmap+0x4bc/0x514\n__arm_lpae_unmap+0x4bc/0x514\narm_lpae_unmap_pages+0x78/0xa4\narm_smmu_unmap_pages+0x78/0x104\n__iommu_unmap+0xc8/0x1e4\niommu_unmap_fast+0x38/0x48\n__iommu_dma_unmap+0x84/0x104\niommu_dma_free+0x34/0x50\ndma_free_attrs+0xa4/0xd0\nath10k_htt_rx_free+0xc4/0xf4 [ath10k_core] ath10k_core_stop+0x64/0x7c\n[ath10k_core]\nath10k_halt+0x11c/0x180 [ath10k_core]\nath10k_stop+0x54/0x94 [ath10k_core]\ndrv_stop+0x48/0x1c8 [mac80211]\nieee80211_do_open+0x638/0x77c [mac80211] ieee80211_open+0x48/0x5c\n[mac80211]\n__dev_open+0xb4/0x174\n__dev_change_flags+0xc4/0x1dc\ndev_change_flags+0x3c/0x7c\ndevinet_ioctl+0x2b4/0x580\ninet_ioctl+0xb0/0x1b4\nsock_do_ioctl+0x4c/0x16c\ncompat_ifreq_ioctl+0x1cc/0x35c\ncompat_sock_ioctl+0x110/0x2ac\n__arm64_compat_sys_ioctl+0xf4/0x3e0\nel0_svc_common+0xb4/0x17c\nel0_svc_compat_handler+0x2c/0x58\nel0_svc_compat+0x8/0x2c\n\nTested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:03:55.414Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c4bedc3cda09d896c92adcdb6b62aa93b0c47a8a"
},
{
"url": "https://git.kernel.org/stable/c/79a124b588aadb5a22695542778de14366ff3219"
},
{
"url": "https://git.kernel.org/stable/c/acd4324e5f1f11351630234297f95076f0ac9a2f"
}
],
"title": "wifi: ath10k: Delay the unmapping of the buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50700",
"datePublished": "2025-12-24T10:55:16.257Z",
"dateReserved": "2025-12-24T10:53:15.517Z",
"dateUpdated": "2026-01-02T15:03:55.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53994 (GCVE-0-2023-53994)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
ionic: remove WARN_ON to prevent panic_on_warn
Summary
In the Linux kernel, the following vulnerability has been resolved:
ionic: remove WARN_ON to prevent panic_on_warn
Remove unnecessary early code development check and the WARN_ON
that it uses. The irq alloc and free paths have long been
cleaned up and this check shouldn't have stuck around so long.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
77ceb68e29ccd25d923b6af59e74ecaf736cc4b7 , < 4c7276a6daf7e13a6dd30b0347b3f2c7df4d40bb
(git)
Affected: 77ceb68e29ccd25d923b6af59e74ecaf736cc4b7 , < f8cc4fd99a325505e15c3da95d6de266efd3d9b5 (git) Affected: 77ceb68e29ccd25d923b6af59e74ecaf736cc4b7 , < 1417dd787a5e55b410a00a28231b0dcb19172457 (git) Affected: 77ceb68e29ccd25d923b6af59e74ecaf736cc4b7 , < dc470466753ad0dd3a8c48aaefa05a992c119b9c (git) Affected: 77ceb68e29ccd25d923b6af59e74ecaf736cc4b7 , < daeaad114cb163ec51bcf14326cb7fe37d368459 (git) Affected: 77ceb68e29ccd25d923b6af59e74ecaf736cc4b7 , < abfb2a58a5377ebab717d4362d6180f901b6e5c1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/pensando/ionic/ionic_lif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4c7276a6daf7e13a6dd30b0347b3f2c7df4d40bb",
"status": "affected",
"version": "77ceb68e29ccd25d923b6af59e74ecaf736cc4b7",
"versionType": "git"
},
{
"lessThan": "f8cc4fd99a325505e15c3da95d6de266efd3d9b5",
"status": "affected",
"version": "77ceb68e29ccd25d923b6af59e74ecaf736cc4b7",
"versionType": "git"
},
{
"lessThan": "1417dd787a5e55b410a00a28231b0dcb19172457",
"status": "affected",
"version": "77ceb68e29ccd25d923b6af59e74ecaf736cc4b7",
"versionType": "git"
},
{
"lessThan": "dc470466753ad0dd3a8c48aaefa05a992c119b9c",
"status": "affected",
"version": "77ceb68e29ccd25d923b6af59e74ecaf736cc4b7",
"versionType": "git"
},
{
"lessThan": "daeaad114cb163ec51bcf14326cb7fe37d368459",
"status": "affected",
"version": "77ceb68e29ccd25d923b6af59e74ecaf736cc4b7",
"versionType": "git"
},
{
"lessThan": "abfb2a58a5377ebab717d4362d6180f901b6e5c1",
"status": "affected",
"version": "77ceb68e29ccd25d923b6af59e74ecaf736cc4b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/pensando/ionic/ionic_lif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: remove WARN_ON to prevent panic_on_warn\n\nRemove unnecessary early code development check and the WARN_ON\nthat it uses. The irq alloc and free paths have long been\ncleaned up and this check shouldn\u0027t have stuck around so long."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:32.024Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4c7276a6daf7e13a6dd30b0347b3f2c7df4d40bb"
},
{
"url": "https://git.kernel.org/stable/c/f8cc4fd99a325505e15c3da95d6de266efd3d9b5"
},
{
"url": "https://git.kernel.org/stable/c/1417dd787a5e55b410a00a28231b0dcb19172457"
},
{
"url": "https://git.kernel.org/stable/c/dc470466753ad0dd3a8c48aaefa05a992c119b9c"
},
{
"url": "https://git.kernel.org/stable/c/daeaad114cb163ec51bcf14326cb7fe37d368459"
},
{
"url": "https://git.kernel.org/stable/c/abfb2a58a5377ebab717d4362d6180f901b6e5c1"
}
],
"title": "ionic: remove WARN_ON to prevent panic_on_warn",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53994",
"datePublished": "2025-12-24T10:55:32.024Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2025-12-24T10:55:32.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50709 (GCVE-0-2022-50709)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-02 15:03
VLAI?
EPSS
Title
wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for
ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with
pkt_len = 0 but ath9k_hif_usb_rx_stream() uses
__dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that
pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb
with uninitialized memory and ath9k_htc_rx_msg() is reading from
uninitialized memory.
Since bytes accessed by ath9k_htc_rx_msg() is not known until
ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid
pkt_len at "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in
ath9k_hif_usb_rx_stream().
We have two choices. One is to workaround by adding __GFP_ZERO so that
ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let
ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose
the latter.
Note that I'm not sure threshold condition is correct, for I can't find
details on possible packet length used by this protocol.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fb9987d0f748c983bb795a86f47522313f701a08 , < f3d2a3b7e290d0bdbddfcee5a6c3d922e2b7e02a
(git)
Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 84242f15f911f34aec9b22f99d1e9bff19723dbe (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 2c485f4f2a64258acc5228e78ffb828c68d9e770 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 9661724f6206bd606ecf13acada676a9975d230b (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < b1b4144508adfc585e43856b31baaf9008a3beb4 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 0d2649b288b7b9484e3d4380c0d6c4720a17e473 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 4891a50f5ed8bfcb8f2a4b816b0676f398687783 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < b383e8abed41cc6ff1a3b34de75df9397fa4878c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/htc_hst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f3d2a3b7e290d0bdbddfcee5a6c3d922e2b7e02a",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "84242f15f911f34aec9b22f99d1e9bff19723dbe",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "2c485f4f2a64258acc5228e78ffb828c68d9e770",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "9661724f6206bd606ecf13acada676a9975d230b",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "b1b4144508adfc585e43856b31baaf9008a3beb4",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "0d2649b288b7b9484e3d4380c0d6c4720a17e473",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "4891a50f5ed8bfcb8f2a4b816b0676f398687783",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "b383e8abed41cc6ff1a3b34de75df9397fa4878c",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/htc_hst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()\n\nsyzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for\nioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with\npkt_len = 0 but ath9k_hif_usb_rx_stream() uses\n__dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that\npkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb\nwith uninitialized memory and ath9k_htc_rx_msg() is reading from\nuninitialized memory.\n\nSince bytes accessed by ath9k_htc_rx_msg() is not known until\nath9k_htc_rx_msg() is called, it would be difficult to check minimal valid\npkt_len at \"if (pkt_len \u003e 2 * MAX_RX_BUF_SIZE) {\" line in\nath9k_hif_usb_rx_stream().\n\nWe have two choices. One is to workaround by adding __GFP_ZERO so that\nath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let\nath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose\nthe latter.\n\nNote that I\u0027m not sure threshold condition is correct, for I can\u0027t find\ndetails on possible packet length used by this protocol."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:03:58.202Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f3d2a3b7e290d0bdbddfcee5a6c3d922e2b7e02a"
},
{
"url": "https://git.kernel.org/stable/c/84242f15f911f34aec9b22f99d1e9bff19723dbe"
},
{
"url": "https://git.kernel.org/stable/c/2c485f4f2a64258acc5228e78ffb828c68d9e770"
},
{
"url": "https://git.kernel.org/stable/c/9661724f6206bd606ecf13acada676a9975d230b"
},
{
"url": "https://git.kernel.org/stable/c/b1b4144508adfc585e43856b31baaf9008a3beb4"
},
{
"url": "https://git.kernel.org/stable/c/0d2649b288b7b9484e3d4380c0d6c4720a17e473"
},
{
"url": "https://git.kernel.org/stable/c/4891a50f5ed8bfcb8f2a4b816b0676f398687783"
},
{
"url": "https://git.kernel.org/stable/c/b383e8abed41cc6ff1a3b34de75df9397fa4878c"
}
],
"title": "wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50709",
"datePublished": "2025-12-24T10:55:23.194Z",
"dateReserved": "2025-12-24T10:53:15.518Z",
"dateUpdated": "2026-01-02T15:03:58.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54034 (GCVE-0-2023-54034)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
iommufd: Make sure to zero vfio_iommu_type1_info before copying to user
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommufd: Make sure to zero vfio_iommu_type1_info before copying to user
Missed a zero initialization here. Most of the struct is filled with
a copy_from_user(), however minsz for that copy is smaller than the
actual struct by 8 bytes, thus we don't fill the padding.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/vfio_compat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7adcec686e4d699c169d34c722132b2bce5232cb",
"status": "affected",
"version": "d624d6652a65ad4f47a58b8651a1ec1163bb81d3",
"versionType": "git"
},
{
"lessThan": "b3551ead616318ea155558cdbe7e91495b8d9b33",
"status": "affected",
"version": "d624d6652a65ad4f47a58b8651a1ec1163bb81d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/vfio_compat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Make sure to zero vfio_iommu_type1_info before copying to user\n\nMissed a zero initialization here. Most of the struct is filled with\na copy_from_user(), however minsz for that copy is smaller than the\nactual struct by 8 bytes, thus we don\u0027t fill the padding."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:01.509Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7adcec686e4d699c169d34c722132b2bce5232cb"
},
{
"url": "https://git.kernel.org/stable/c/b3551ead616318ea155558cdbe7e91495b8d9b33"
}
],
"title": "iommufd: Make sure to zero vfio_iommu_type1_info before copying to user",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54034",
"datePublished": "2025-12-24T10:56:01.509Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:56:01.509Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53996 (GCVE-0-2023-53996)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
x86/sev: Make enc_dec_hypercall() accept a size instead of npages
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/sev: Make enc_dec_hypercall() accept a size instead of npages
enc_dec_hypercall() accepted a page count instead of a size, which
forced its callers to round up. As a result, non-page aligned
vaddrs caused pages to be spuriously marked as decrypted via the
encryption status hypercall, which in turn caused consistent
corruption of pages during live migration. Live migration requires
accurate encryption status information to avoid migrating pages
from the wrong perspective.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
064ce6c550a0630789978bfec7a13ab2bd1bdcdf , < ba50e7773a99a109a1ea6f753b766a080d3b21cc
(git)
Affected: 064ce6c550a0630789978bfec7a13ab2bd1bdcdf , < 6615212d8e131b45bd9705b0d69cc0d2f624666f (git) Affected: 064ce6c550a0630789978bfec7a13ab2bd1bdcdf , < 8ae7457e71a320867d868f2622d7c643596e4f43 (git) Affected: 064ce6c550a0630789978bfec7a13ab2bd1bdcdf , < ac3f9c9f1b37edaa7d1a9b908bc79d843955a1a2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/mem_encrypt.h",
"arch/x86/kernel/kvm.c",
"arch/x86/mm/mem_encrypt_amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba50e7773a99a109a1ea6f753b766a080d3b21cc",
"status": "affected",
"version": "064ce6c550a0630789978bfec7a13ab2bd1bdcdf",
"versionType": "git"
},
{
"lessThan": "6615212d8e131b45bd9705b0d69cc0d2f624666f",
"status": "affected",
"version": "064ce6c550a0630789978bfec7a13ab2bd1bdcdf",
"versionType": "git"
},
{
"lessThan": "8ae7457e71a320867d868f2622d7c643596e4f43",
"status": "affected",
"version": "064ce6c550a0630789978bfec7a13ab2bd1bdcdf",
"versionType": "git"
},
{
"lessThan": "ac3f9c9f1b37edaa7d1a9b908bc79d843955a1a2",
"status": "affected",
"version": "064ce6c550a0630789978bfec7a13ab2bd1bdcdf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/mem_encrypt.h",
"arch/x86/kernel/kvm.c",
"arch/x86/mm/mem_encrypt_amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sev: Make enc_dec_hypercall() accept a size instead of npages\n\nenc_dec_hypercall() accepted a page count instead of a size, which\nforced its callers to round up. As a result, non-page aligned\nvaddrs caused pages to be spuriously marked as decrypted via the\nencryption status hypercall, which in turn caused consistent\ncorruption of pages during live migration. Live migration requires\naccurate encryption status information to avoid migrating pages\nfrom the wrong perspective."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:33.402Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba50e7773a99a109a1ea6f753b766a080d3b21cc"
},
{
"url": "https://git.kernel.org/stable/c/6615212d8e131b45bd9705b0d69cc0d2f624666f"
},
{
"url": "https://git.kernel.org/stable/c/8ae7457e71a320867d868f2622d7c643596e4f43"
},
{
"url": "https://git.kernel.org/stable/c/ac3f9c9f1b37edaa7d1a9b908bc79d843955a1a2"
}
],
"title": "x86/sev: Make enc_dec_hypercall() accept a size instead of npages",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53996",
"datePublished": "2025-12-24T10:55:33.402Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2025-12-24T10:55:33.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68372 (GCVE-0-2025-68372)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
nbd: defer config put in recv_work
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: defer config put in recv_work
There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and
NBD_CMD_RECONFIGURE:
nbd_genl_connect // conf_ref=2 (connect and recv_work A)
nbd_open // conf_ref=3
recv_work A done // conf_ref=2
NBD_CLEAR_SOCK // conf_ref=1
nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)
close nbd // conf_ref=1
recv_work B
config_put // conf_ref=0
atomic_dec(&config->recv_threads); -> UAF
Or only running NBD_CLEAR_SOCK:
nbd_genl_connect // conf_ref=2
nbd_open // conf_ref=3
NBD_CLEAR_SOCK // conf_ref=2
close nbd
nbd_release
config_put // conf_ref=1
recv_work
config_put // conf_ref=0
atomic_dec(&config->recv_threads); -> UAF
Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the
waiter") moved nbd_config_put() to run before waking up the waiter in
recv_work, in order to ensure that nbd_start_device_ioctl() would not
be woken up while nbd->task_recv was still uncleared.
However, in nbd_start_device_ioctl(), after being woken up it explicitly
calls flush_workqueue() to make sure all current works are finished.
Therefore, there is no need to move the config put ahead of the wakeup.
Move nbd_config_put() to the end of recv_work, so that the reference is
held for the whole lifetime of the worker thread. This makes sure the
config cannot be freed while recv_work is still running, even if clear
+ reconfigure interleave.
In addition, we don't need to worry about recv_work dropping the last
nbd_put (which causes deadlock):
path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):
connect // nbd_refs=1 (trigger recv_work)
open nbd // nbd_refs=2
NBD_CLEAR_SOCK
close nbd
nbd_release
nbd_disconnect_and_put
flush_workqueue // recv_work done
nbd_config_put
nbd_put // nbd_refs=1
nbd_put // nbd_refs=0
queue_work
path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):
connect // nbd_refs=2 (trigger recv_work)
open nbd // nbd_refs=3
NBD_CLEAR_SOCK // conf_refs=2
close nbd
nbd_release
nbd_config_put // conf_refs=1
nbd_put // nbd_refs=2
recv_work done // conf_refs=0, nbd_refs=1
rmmod // nbd_refs=0
Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 3692884bd6187d89d41eef81e5a9724519fd01c1
(git)
Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509 (git) Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 6b69593f72e1bfba6ca47ca8d9b619341fded7d6 (git) Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 443a1721806b6ff6303b5229e9811d68172d622f (git) Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 742012f6bf29553fdc460bf646a58df3a7b43d01 (git) Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 9517b82d8d422d426a988b213fdd45c6b417b86d (git) Affected: 0a4e383fc3aa6540f804c4fd1184a96ae5de6ef8 (git) Affected: 2ef6f4bd60411934e3fc2715442c2afe70f84bf3 (git) Affected: 742fd49cf811ca164489e339b862e3fb8e240a73 (git) Affected: 14df8724aeeef338172e2a2d6efadc989921ca0f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3692884bd6187d89d41eef81e5a9724519fd01c1",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "6b69593f72e1bfba6ca47ca8d9b619341fded7d6",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "443a1721806b6ff6303b5229e9811d68172d622f",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "742012f6bf29553fdc460bf646a58df3a7b43d01",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "9517b82d8d422d426a988b213fdd45c6b417b86d",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"status": "affected",
"version": "0a4e383fc3aa6540f804c4fd1184a96ae5de6ef8",
"versionType": "git"
},
{
"status": "affected",
"version": "2ef6f4bd60411934e3fc2715442c2afe70f84bf3",
"versionType": "git"
},
{
"status": "affected",
"version": "742fd49cf811ca164489e339b862e3fb8e240a73",
"versionType": "git"
},
{
"status": "affected",
"version": "14df8724aeeef338172e2a2d6efadc989921ca0f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.204",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.155",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: defer config put in recv_work\n\nThere is one uaf issue in recv_work when running NBD_CLEAR_SOCK and\nNBD_CMD_RECONFIGURE:\n nbd_genl_connect // conf_ref=2 (connect and recv_work A)\n nbd_open\t // conf_ref=3\n recv_work A done // conf_ref=2\n NBD_CLEAR_SOCK // conf_ref=1\n nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)\n close nbd\t // conf_ref=1\n recv_work B\n config_put // conf_ref=0\n atomic_dec(\u0026config-\u003erecv_threads); -\u003e UAF\n\nOr only running NBD_CLEAR_SOCK:\n nbd_genl_connect // conf_ref=2\n nbd_open \t // conf_ref=3\n NBD_CLEAR_SOCK // conf_ref=2\n close nbd\n nbd_release\n config_put // conf_ref=1\n recv_work\n config_put \t // conf_ref=0\n atomic_dec(\u0026config-\u003erecv_threads); -\u003e UAF\n\nCommit 87aac3a80af5 (\"nbd: call nbd_config_put() before notifying the\nwaiter\") moved nbd_config_put() to run before waking up the waiter in\nrecv_work, in order to ensure that nbd_start_device_ioctl() would not\nbe woken up while nbd-\u003etask_recv was still uncleared.\n\nHowever, in nbd_start_device_ioctl(), after being woken up it explicitly\ncalls flush_workqueue() to make sure all current works are finished.\nTherefore, there is no need to move the config put ahead of the wakeup.\n\nMove nbd_config_put() to the end of recv_work, so that the reference is\nheld for the whole lifetime of the worker thread. This makes sure the\nconfig cannot be freed while recv_work is still running, even if clear\n+ reconfigure interleave.\n\nIn addition, we don\u0027t need to worry about recv_work dropping the last\nnbd_put (which causes deadlock):\n\npath A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):\n connect // nbd_refs=1 (trigger recv_work)\n open nbd // nbd_refs=2\n NBD_CLEAR_SOCK\n close nbd\n nbd_release\n nbd_disconnect_and_put\n flush_workqueue // recv_work done\n nbd_config_put\n nbd_put // nbd_refs=1\n nbd_put // nbd_refs=0\n queue_work\n\npath B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):\n connect // nbd_refs=2 (trigger recv_work)\n open nbd // nbd_refs=3\n NBD_CLEAR_SOCK // conf_refs=2\n close nbd\n nbd_release\n nbd_config_put // conf_refs=1\n nbd_put // nbd_refs=2\n recv_work done // conf_refs=0, nbd_refs=1\n rmmod // nbd_refs=0\n\nDepends-on: e2daec488c57 (\"nbd: Fix hungtask when nbd_config_put\")"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:08.419Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3692884bd6187d89d41eef81e5a9724519fd01c1"
},
{
"url": "https://git.kernel.org/stable/c/1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509"
},
{
"url": "https://git.kernel.org/stable/c/6b69593f72e1bfba6ca47ca8d9b619341fded7d6"
},
{
"url": "https://git.kernel.org/stable/c/443a1721806b6ff6303b5229e9811d68172d622f"
},
{
"url": "https://git.kernel.org/stable/c/742012f6bf29553fdc460bf646a58df3a7b43d01"
},
{
"url": "https://git.kernel.org/stable/c/9517b82d8d422d426a988b213fdd45c6b417b86d"
}
],
"title": "nbd: defer config put in recv_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68372",
"datePublished": "2025-12-24T10:33:02.679Z",
"dateReserved": "2025-12-16T14:48:05.310Z",
"dateUpdated": "2026-01-11T16:30:08.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68364 (GCVE-0-2025-68364)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:29
VLAI?
EPSS
Title
ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()
In '__ocfs2_move_extent()', relax 'BUG()' to 'ocfs2_error()' just
to avoid crashing the whole kernel due to a filesystem corruption.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8f603e567aa7a243e68ca48b4f105b990851360f , < 1ad2f81a099b8df5f72bce0a3e9f531263a846b8
(git)
Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < bcb94288d95cfc52f4d7cead260f4db54c8c741a (git) Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < e5c2503696ec2e0dc7b2aee902dc859ccde39ddf (git) Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < 7abbe41d22a06aae00fd46d29f59dd40a01e988f (git) Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < e5c52c320577cd405b251943ef77842dc6f303bf (git) Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < 8a7d58845fae061c62b50bc5eeb9bae4a1dedc3d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/move_extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1ad2f81a099b8df5f72bce0a3e9f531263a846b8",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "bcb94288d95cfc52f4d7cead260f4db54c8c741a",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "e5c2503696ec2e0dc7b2aee902dc859ccde39ddf",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "7abbe41d22a06aae00fd46d29f59dd40a01e988f",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "e5c52c320577cd405b251943ef77842dc6f303bf",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "8a7d58845fae061c62b50bc5eeb9bae4a1dedc3d",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/move_extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()\n\nIn \u0027__ocfs2_move_extent()\u0027, relax \u0027BUG()\u0027 to \u0027ocfs2_error()\u0027 just\nto avoid crashing the whole kernel due to a filesystem corruption."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:59.429Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1ad2f81a099b8df5f72bce0a3e9f531263a846b8"
},
{
"url": "https://git.kernel.org/stable/c/bcb94288d95cfc52f4d7cead260f4db54c8c741a"
},
{
"url": "https://git.kernel.org/stable/c/e5c2503696ec2e0dc7b2aee902dc859ccde39ddf"
},
{
"url": "https://git.kernel.org/stable/c/7abbe41d22a06aae00fd46d29f59dd40a01e988f"
},
{
"url": "https://git.kernel.org/stable/c/e5c52c320577cd405b251943ef77842dc6f303bf"
},
{
"url": "https://git.kernel.org/stable/c/8a7d58845fae061c62b50bc5eeb9bae4a1dedc3d"
}
],
"title": "ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68364",
"datePublished": "2025-12-24T10:32:51.922Z",
"dateReserved": "2025-12-16T14:48:05.308Z",
"dateUpdated": "2026-01-11T16:29:59.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68375 (GCVE-0-2025-68375)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2025-12-24 10:33
VLAI?
EPSS
Title
perf/x86: Fix NULL event access and potential PEBS record loss
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/x86: Fix NULL event access and potential PEBS record loss
When intel_pmu_drain_pebs_icl() is called to drain PEBS records, the
perf_event_overflow() could be called to process the last PEBS record.
While perf_event_overflow() could trigger the interrupt throttle and
stop all events of the group, like what the below call-chain shows.
perf_event_overflow()
-> __perf_event_overflow()
->__perf_event_account_interrupt()
-> perf_event_throttle_group()
-> perf_event_throttle()
-> event->pmu->stop()
-> x86_pmu_stop()
The side effect of stopping the events is that all corresponding event
pointers in cpuc->events[] array are cleared to NULL.
Assume there are two PEBS events (event a and event b) in a group. When
intel_pmu_drain_pebs_icl() calls perf_event_overflow() to process the
last PEBS record of PEBS event a, interrupt throttle is triggered and
all pointers of event a and event b are cleared to NULL. Then
intel_pmu_drain_pebs_icl() tries to process the last PEBS record of
event b and encounters NULL pointer access.
To avoid this issue, move cpuc->events[] clearing from x86_pmu_stop()
to x86_pmu_del(). It's safe since cpuc->active_mask or
cpuc->pebs_enabled is always checked before access the event pointer
from cpuc->events[].
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9734e25fbf5ae68eb04234b2cd14a4b36ab89141 , < cf69b99805c263117305ac6dffbc85aaf9259d32
(git)
Affected: 9734e25fbf5ae68eb04234b2cd14a4b36ab89141 , < 6b089028bff1f2ff9e0c62b8f1faca1a620e5d6e (git) Affected: 9734e25fbf5ae68eb04234b2cd14a4b36ab89141 , < 7e772a93eb61cb6265bdd1c5bde17d0f2718b452 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf69b99805c263117305ac6dffbc85aaf9259d32",
"status": "affected",
"version": "9734e25fbf5ae68eb04234b2cd14a4b36ab89141",
"versionType": "git"
},
{
"lessThan": "6b089028bff1f2ff9e0c62b8f1faca1a620e5d6e",
"status": "affected",
"version": "9734e25fbf5ae68eb04234b2cd14a4b36ab89141",
"versionType": "git"
},
{
"lessThan": "7e772a93eb61cb6265bdd1c5bde17d0f2718b452",
"status": "affected",
"version": "9734e25fbf5ae68eb04234b2cd14a4b36ab89141",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86: Fix NULL event access and potential PEBS record loss\n\nWhen intel_pmu_drain_pebs_icl() is called to drain PEBS records, the\nperf_event_overflow() could be called to process the last PEBS record.\n\nWhile perf_event_overflow() could trigger the interrupt throttle and\nstop all events of the group, like what the below call-chain shows.\n\nperf_event_overflow()\n -\u003e __perf_event_overflow()\n -\u003e__perf_event_account_interrupt()\n -\u003e perf_event_throttle_group()\n -\u003e perf_event_throttle()\n -\u003e event-\u003epmu-\u003estop()\n -\u003e x86_pmu_stop()\n\nThe side effect of stopping the events is that all corresponding event\npointers in cpuc-\u003eevents[] array are cleared to NULL.\n\nAssume there are two PEBS events (event a and event b) in a group. When\nintel_pmu_drain_pebs_icl() calls perf_event_overflow() to process the\nlast PEBS record of PEBS event a, interrupt throttle is triggered and\nall pointers of event a and event b are cleared to NULL. Then\nintel_pmu_drain_pebs_icl() tries to process the last PEBS record of\nevent b and encounters NULL pointer access.\n\nTo avoid this issue, move cpuc-\u003eevents[] clearing from x86_pmu_stop()\nto x86_pmu_del(). It\u0027s safe since cpuc-\u003eactive_mask or\ncpuc-\u003epebs_enabled is always checked before access the event pointer\nfrom cpuc-\u003eevents[]."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:33:04.819Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf69b99805c263117305ac6dffbc85aaf9259d32"
},
{
"url": "https://git.kernel.org/stable/c/6b089028bff1f2ff9e0c62b8f1faca1a620e5d6e"
},
{
"url": "https://git.kernel.org/stable/c/7e772a93eb61cb6265bdd1c5bde17d0f2718b452"
}
],
"title": "perf/x86: Fix NULL event access and potential PEBS record loss",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68375",
"datePublished": "2025-12-24T10:33:04.819Z",
"dateReserved": "2025-12-16T14:48:05.310Z",
"dateUpdated": "2025-12-24T10:33:04.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53997 (GCVE-0-2023-53997)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
thermal: of: fix double-free on unregistration
Summary
In the Linux kernel, the following vulnerability has been resolved:
thermal: of: fix double-free on unregistration
Since commit 3d439b1a2ad3 ("thermal/core: Alloc-copy-free the thermal
zone parameters structure"), thermal_zone_device_register() allocates
a copy of the tzp argument and frees it when unregistering, so
thermal_of_zone_register() now ends up leaking its original tzp and
double-freeing the tzp copy. Fix this by locating tzp on stack instead.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thermal/thermal_of.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "adce49089412a9ae28f5c666e0bb12fbcd86b3f7",
"status": "affected",
"version": "3d439b1a2ad36c8b4ea151c8de25309d60d17407",
"versionType": "git"
},
{
"lessThan": "ac4436a5b20e0ef1f608a9ef46c08d5d142f8da6",
"status": "affected",
"version": "3d439b1a2ad36c8b4ea151c8de25309d60d17407",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thermal/thermal_of.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: of: fix double-free on unregistration\n\nSince commit 3d439b1a2ad3 (\"thermal/core: Alloc-copy-free the thermal\nzone parameters structure\"), thermal_zone_device_register() allocates\na copy of the tzp argument and frees it when unregistering, so\nthermal_of_zone_register() now ends up leaking its original tzp and\ndouble-freeing the tzp copy. Fix this by locating tzp on stack instead."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:34.077Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/adce49089412a9ae28f5c666e0bb12fbcd86b3f7"
},
{
"url": "https://git.kernel.org/stable/c/ac4436a5b20e0ef1f608a9ef46c08d5d142f8da6"
}
],
"title": "thermal: of: fix double-free on unregistration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53997",
"datePublished": "2025-12-24T10:55:34.077Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2025-12-24T10:55:34.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68355 (GCVE-0-2025-68355)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32
VLAI?
EPSS
Title
bpf: Fix exclusive map memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix exclusive map memory leak
When excl_prog_hash is 0 and excl_prog_hash_size is non-zero, the map also
needs to be freed. Otherwise, the map memory will not be reclaimed, just
like the memory leak problem reported by syzbot [1].
syzbot reported:
BUG: memory leak
backtrace (crc 7b9fb9b4):
map_create+0x322/0x11e0 kernel/bpf/syscall.c:1512
__sys_bpf+0x3556/0x3610 kernel/bpf/syscall.c:6131
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f0022551745d72fc0e7bc8601234d690dee2178d",
"status": "affected",
"version": "baefdbdf6812e120c9fba9cfb101d3656f478026",
"versionType": "git"
},
{
"lessThan": "688b745401ab16e2e1a3b504863f0a45fd345638",
"status": "affected",
"version": "baefdbdf6812e120c9fba9cfb101d3656f478026",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix exclusive map memory leak\n\nWhen excl_prog_hash is 0 and excl_prog_hash_size is non-zero, the map also\nneeds to be freed. Otherwise, the map memory will not be reclaimed, just\nlike the memory leak problem reported by syzbot [1].\n\nsyzbot reported:\nBUG: memory leak\n backtrace (crc 7b9fb9b4):\n map_create+0x322/0x11e0 kernel/bpf/syscall.c:1512\n __sys_bpf+0x3556/0x3610 kernel/bpf/syscall.c:6131"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:32:45.505Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f0022551745d72fc0e7bc8601234d690dee2178d"
},
{
"url": "https://git.kernel.org/stable/c/688b745401ab16e2e1a3b504863f0a45fd345638"
}
],
"title": "bpf: Fix exclusive map memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68355",
"datePublished": "2025-12-24T10:32:45.505Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2025-12-24T10:32:45.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50704 (GCVE-0-2022-50704)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
USB: gadget: Fix use-after-free during usb config switch
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: gadget: Fix use-after-free during usb config switch
In the process of switching USB config from rndis to other config,
if the hardware does not support the ->pullup callback, or the
hardware encounters a low probability fault, both of them may cause
the ->pullup callback to fail, which will then cause a system panic
(use after free).
The gadget drivers sometimes need to be unloaded regardless of the
hardware's behavior.
Analysis as follows:
=======================================================================
(1) write /config/usb_gadget/g1/UDC "none"
gether_disconnect+0x2c/0x1f8
rndis_disable+0x4c/0x74
composite_disconnect+0x74/0xb0
configfs_composite_disconnect+0x60/0x7c
usb_gadget_disconnect+0x70/0x124
usb_gadget_unregister_driver+0xc8/0x1d8
gadget_dev_desc_UDC_store+0xec/0x1e4
(2) rm /config/usb_gadget/g1/configs/b.1/f1
rndis_deregister+0x28/0x54
rndis_free+0x44/0x7c
usb_put_function+0x14/0x1c
config_usb_cfg_unlink+0xc4/0xe0
configfs_unlink+0x124/0x1c8
vfs_unlink+0x114/0x1dc
(3) rmdir /config/usb_gadget/g1/functions/rndis.gs4
panic+0x1fc/0x3d0
do_page_fault+0xa8/0x46c
do_mem_abort+0x3c/0xac
el1_sync_handler+0x40/0x78
0xffffff801138f880
rndis_close+0x28/0x34
eth_stop+0x74/0x110
dev_close_many+0x48/0x194
rollback_registered_many+0x118/0x814
unregister_netdev+0x20/0x30
gether_cleanup+0x1c/0x38
rndis_attr_release+0xc/0x14
kref_put+0x74/0xb8
configfs_rmdir+0x314/0x374
If gadget->ops->pullup() return an error, function rndis_close() will be
called, then it will causes a use-after-free problem.
=======================================================================
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0a55187a1ec8c03d0619e7ce41d10fdc39cff036 , < 30e926aa835ac2e6ad05822e4cb75833feb0d99f
(git)
Affected: 0a55187a1ec8c03d0619e7ce41d10fdc39cff036 , < 99a58ac42d9b6911834b0224b6782aea0c311346 (git) Affected: 0a55187a1ec8c03d0619e7ce41d10fdc39cff036 , < afdc12887f2b2ecf20d065a7d81ad29824155083 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "30e926aa835ac2e6ad05822e4cb75833feb0d99f",
"status": "affected",
"version": "0a55187a1ec8c03d0619e7ce41d10fdc39cff036",
"versionType": "git"
},
{
"lessThan": "99a58ac42d9b6911834b0224b6782aea0c311346",
"status": "affected",
"version": "0a55187a1ec8c03d0619e7ce41d10fdc39cff036",
"versionType": "git"
},
{
"lessThan": "afdc12887f2b2ecf20d065a7d81ad29824155083",
"status": "affected",
"version": "0a55187a1ec8c03d0619e7ce41d10fdc39cff036",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: Fix use-after-free during usb config switch\n\nIn the process of switching USB config from rndis to other config,\nif the hardware does not support the -\u003epullup callback, or the\nhardware encounters a low probability fault, both of them may cause\nthe -\u003epullup callback to fail, which will then cause a system panic\n(use after free).\n\nThe gadget drivers sometimes need to be unloaded regardless of the\nhardware\u0027s behavior.\n\nAnalysis as follows:\n=======================================================================\n(1) write /config/usb_gadget/g1/UDC \"none\"\n\ngether_disconnect+0x2c/0x1f8\nrndis_disable+0x4c/0x74\ncomposite_disconnect+0x74/0xb0\nconfigfs_composite_disconnect+0x60/0x7c\nusb_gadget_disconnect+0x70/0x124\nusb_gadget_unregister_driver+0xc8/0x1d8\ngadget_dev_desc_UDC_store+0xec/0x1e4\n\n(2) rm /config/usb_gadget/g1/configs/b.1/f1\n\nrndis_deregister+0x28/0x54\nrndis_free+0x44/0x7c\nusb_put_function+0x14/0x1c\nconfig_usb_cfg_unlink+0xc4/0xe0\nconfigfs_unlink+0x124/0x1c8\nvfs_unlink+0x114/0x1dc\n\n(3) rmdir /config/usb_gadget/g1/functions/rndis.gs4\n\npanic+0x1fc/0x3d0\ndo_page_fault+0xa8/0x46c\ndo_mem_abort+0x3c/0xac\nel1_sync_handler+0x40/0x78\n0xffffff801138f880\nrndis_close+0x28/0x34\neth_stop+0x74/0x110\ndev_close_many+0x48/0x194\nrollback_registered_many+0x118/0x814\nunregister_netdev+0x20/0x30\ngether_cleanup+0x1c/0x38\nrndis_attr_release+0xc/0x14\nkref_put+0x74/0xb8\nconfigfs_rmdir+0x314/0x374\n\nIf gadget-\u003eops-\u003epullup() return an error, function rndis_close() will be\ncalled, then it will causes a use-after-free problem.\n======================================================================="
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:19.295Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/30e926aa835ac2e6ad05822e4cb75833feb0d99f"
},
{
"url": "https://git.kernel.org/stable/c/99a58ac42d9b6911834b0224b6782aea0c311346"
},
{
"url": "https://git.kernel.org/stable/c/afdc12887f2b2ecf20d065a7d81ad29824155083"
}
],
"title": "USB: gadget: Fix use-after-free during usb config switch",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50704",
"datePublished": "2025-12-24T10:55:19.295Z",
"dateReserved": "2025-12-24T10:53:15.518Z",
"dateUpdated": "2025-12-24T10:55:19.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54002 (GCVE-0-2023-54002)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
btrfs: fix assertion of exclop condition when starting balance
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix assertion of exclop condition when starting balance
Balance as exclusive state is compatible with paused balance and device
add, which makes some things more complicated. The assertion of valid
states when starting from paused balance needs to take into account two
more states, the combinations can be hit when there are several threads
racing to start balance and device add. This won't typically happen when
the commands are started from command line.
Scenario 1: With exclusive_operation state == BTRFS_EXCLOP_NONE.
Concurrently adding multiple devices to the same mount point and
btrfs_exclop_finish executed finishes before assertion in
btrfs_exclop_balance, exclusive_operation will changed to
BTRFS_EXCLOP_NONE state which lead to assertion failed:
fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE ||
fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD,
in fs/btrfs/ioctl.c:456
Call Trace:
<TASK>
btrfs_exclop_balance+0x13c/0x310
? memdup_user+0xab/0xc0
? PTR_ERR+0x17/0x20
btrfs_ioctl_add_dev+0x2ee/0x320
btrfs_ioctl+0x9d5/0x10d0
? btrfs_ioctl_encoded_write+0xb80/0xb80
__x64_sys_ioctl+0x197/0x210
do_syscall_64+0x3c/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Scenario 2: With exclusive_operation state == BTRFS_EXCLOP_BALANCE_PAUSED.
Concurrently adding multiple devices to the same mount point and
btrfs_exclop_balance executed finish before the latter thread execute
assertion in btrfs_exclop_balance, exclusive_operation will changed to
BTRFS_EXCLOP_BALANCE_PAUSED state which lead to assertion failed:
fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE ||
fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD ||
fs_info->exclusive_operation == BTRFS_EXCLOP_NONE,
fs/btrfs/ioctl.c:458
Call Trace:
<TASK>
btrfs_exclop_balance+0x240/0x410
? memdup_user+0xab/0xc0
? PTR_ERR+0x17/0x20
btrfs_ioctl_add_dev+0x2ee/0x320
btrfs_ioctl+0x9d5/0x10d0
? btrfs_ioctl_encoded_write+0xb80/0xb80
__x64_sys_ioctl+0x197/0x210
do_syscall_64+0x3c/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
An example of the failed assertion is below, which shows that the
paused balance is also needed to be checked.
root@syzkaller:/home/xsk# ./repro
Failed to add device /dev/vda, errno 14
Failed to add device /dev/vda, errno 14
Failed to add device /dev/vda, errno 14
Failed to add device /dev/vda, errno 14
Failed to add device /dev/vda, errno 14
Failed to add device /dev/vda, errno 14
Failed to add device /dev/vda, errno 14
Failed to add device /dev/vda, errno 14
Failed to add device /dev/vda, errno 14
[ 416.611428][ T7970] BTRFS info (device loop0): fs_info exclusive_operation: 0
Failed to add device /dev/vda, errno 14
[ 416.613973][ T7971] BTRFS info (device loop0): fs_info exclusive_operation: 3
Failed to add device /dev/vda, errno 14
[ 416.615456][ T7972] BTRFS info (device loop0): fs_info exclusive_operation: 3
Failed to add device /dev/vda, errno 14
[ 416.617528][ T7973] BTRFS info (device loop0): fs_info exclusive_operation: 3
Failed to add device /dev/vda, errno 14
[ 416.618359][ T7974] BTRFS info (device loop0): fs_info exclusive_operation: 3
Failed to add device /dev/vda, errno 14
[ 416.622589][ T7975] BTRFS info (device loop0): fs_info exclusive_operation: 3
Failed to add device /dev/vda, errno 14
[ 416.624034][ T7976] BTRFS info (device loop0): fs_info exclusive_operation: 3
Failed to add device /dev/vda, errno 14
[ 416.626420][ T7977] BTRFS info (device loop0): fs_info exclusive_operation: 3
Failed to add device /dev/vda, errno 14
[ 416.627643][ T7978] BTRFS info (device loop0): fs_info exclusive_operation: 3
Failed to add device /dev/vda, errno 14
[ 416.629006][ T7979] BTRFS info (device loop0): fs_info exclusive_operation: 3
[ 416.630298][ T7980] BTRFS info (device loop0): fs_info exclusive_operation: 3
Fai
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a174c0a2e857081195db6888323802f0fae793ef , < 17eaeee4c5f24946aad0298d51f32981c3161d13
(git)
Affected: a174c0a2e857081195db6888323802f0fae793ef , < 7877dc1136ada770622d22041be306539902951b (git) Affected: a174c0a2e857081195db6888323802f0fae793ef , < 6062e9e335a3bf409b5118bfe4cc10aff4b6adb1 (git) Affected: a174c0a2e857081195db6888323802f0fae793ef , < ac868bc9d136cde6e3eb5de77019a63d57a540ff (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "17eaeee4c5f24946aad0298d51f32981c3161d13",
"status": "affected",
"version": "a174c0a2e857081195db6888323802f0fae793ef",
"versionType": "git"
},
{
"lessThan": "7877dc1136ada770622d22041be306539902951b",
"status": "affected",
"version": "a174c0a2e857081195db6888323802f0fae793ef",
"versionType": "git"
},
{
"lessThan": "6062e9e335a3bf409b5118bfe4cc10aff4b6adb1",
"status": "affected",
"version": "a174c0a2e857081195db6888323802f0fae793ef",
"versionType": "git"
},
{
"lessThan": "ac868bc9d136cde6e3eb5de77019a63d57a540ff",
"status": "affected",
"version": "a174c0a2e857081195db6888323802f0fae793ef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.29",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.16",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix assertion of exclop condition when starting balance\n\nBalance as exclusive state is compatible with paused balance and device\nadd, which makes some things more complicated. The assertion of valid\nstates when starting from paused balance needs to take into account two\nmore states, the combinations can be hit when there are several threads\nracing to start balance and device add. This won\u0027t typically happen when\nthe commands are started from command line.\n\nScenario 1: With exclusive_operation state == BTRFS_EXCLOP_NONE.\n\nConcurrently adding multiple devices to the same mount point and\nbtrfs_exclop_finish executed finishes before assertion in\nbtrfs_exclop_balance, exclusive_operation will changed to\nBTRFS_EXCLOP_NONE state which lead to assertion failed:\n\n fs_info-\u003eexclusive_operation == BTRFS_EXCLOP_BALANCE ||\n fs_info-\u003eexclusive_operation == BTRFS_EXCLOP_DEV_ADD,\n in fs/btrfs/ioctl.c:456\n Call Trace:\n \u003cTASK\u003e\n btrfs_exclop_balance+0x13c/0x310\n ? memdup_user+0xab/0xc0\n ? PTR_ERR+0x17/0x20\n btrfs_ioctl_add_dev+0x2ee/0x320\n btrfs_ioctl+0x9d5/0x10d0\n ? btrfs_ioctl_encoded_write+0xb80/0xb80\n __x64_sys_ioctl+0x197/0x210\n do_syscall_64+0x3c/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nScenario 2: With exclusive_operation state == BTRFS_EXCLOP_BALANCE_PAUSED.\n\nConcurrently adding multiple devices to the same mount point and\nbtrfs_exclop_balance executed finish before the latter thread execute\nassertion in btrfs_exclop_balance, exclusive_operation will changed to\nBTRFS_EXCLOP_BALANCE_PAUSED state which lead to assertion failed:\n\n fs_info-\u003eexclusive_operation == BTRFS_EXCLOP_BALANCE ||\n fs_info-\u003eexclusive_operation == BTRFS_EXCLOP_DEV_ADD ||\n fs_info-\u003eexclusive_operation == BTRFS_EXCLOP_NONE,\n fs/btrfs/ioctl.c:458\n Call Trace:\n \u003cTASK\u003e\n btrfs_exclop_balance+0x240/0x410\n ? memdup_user+0xab/0xc0\n ? PTR_ERR+0x17/0x20\n btrfs_ioctl_add_dev+0x2ee/0x320\n btrfs_ioctl+0x9d5/0x10d0\n ? btrfs_ioctl_encoded_write+0xb80/0xb80\n __x64_sys_ioctl+0x197/0x210\n do_syscall_64+0x3c/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nAn example of the failed assertion is below, which shows that the\npaused balance is also needed to be checked.\n\n root@syzkaller:/home/xsk# ./repro\n Failed to add device /dev/vda, errno 14\n Failed to add device /dev/vda, errno 14\n Failed to add device /dev/vda, errno 14\n Failed to add device /dev/vda, errno 14\n Failed to add device /dev/vda, errno 14\n Failed to add device /dev/vda, errno 14\n Failed to add device /dev/vda, errno 14\n Failed to add device /dev/vda, errno 14\n Failed to add device /dev/vda, errno 14\n [ 416.611428][ T7970] BTRFS info (device loop0): fs_info exclusive_operation: 0\n Failed to add device /dev/vda, errno 14\n [ 416.613973][ T7971] BTRFS info (device loop0): fs_info exclusive_operation: 3\n Failed to add device /dev/vda, errno 14\n [ 416.615456][ T7972] BTRFS info (device loop0): fs_info exclusive_operation: 3\n Failed to add device /dev/vda, errno 14\n [ 416.617528][ T7973] BTRFS info (device loop0): fs_info exclusive_operation: 3\n Failed to add device /dev/vda, errno 14\n [ 416.618359][ T7974] BTRFS info (device loop0): fs_info exclusive_operation: 3\n Failed to add device /dev/vda, errno 14\n [ 416.622589][ T7975] BTRFS info (device loop0): fs_info exclusive_operation: 3\n Failed to add device /dev/vda, errno 14\n [ 416.624034][ T7976] BTRFS info (device loop0): fs_info exclusive_operation: 3\n Failed to add device /dev/vda, errno 14\n [ 416.626420][ T7977] BTRFS info (device loop0): fs_info exclusive_operation: 3\n Failed to add device /dev/vda, errno 14\n [ 416.627643][ T7978] BTRFS info (device loop0): fs_info exclusive_operation: 3\n Failed to add device /dev/vda, errno 14\n [ 416.629006][ T7979] BTRFS info (device loop0): fs_info exclusive_operation: 3\n [ 416.630298][ T7980] BTRFS info (device loop0): fs_info exclusive_operation: 3\n Fai\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:23.826Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/17eaeee4c5f24946aad0298d51f32981c3161d13"
},
{
"url": "https://git.kernel.org/stable/c/7877dc1136ada770622d22041be306539902951b"
},
{
"url": "https://git.kernel.org/stable/c/6062e9e335a3bf409b5118bfe4cc10aff4b6adb1"
},
{
"url": "https://git.kernel.org/stable/c/ac868bc9d136cde6e3eb5de77019a63d57a540ff"
}
],
"title": "btrfs: fix assertion of exclop condition when starting balance",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54002",
"datePublished": "2025-12-24T10:55:37.699Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2026-01-05T10:33:23.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54017 (GCVE-0-2023-54017)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
powerpc/pseries: fix possible memory leak in ibmebus_bus_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/pseries: fix possible memory leak in ibmebus_bus_init()
If device_register() returns error in ibmebus_bus_init(), name of kobject
which is allocated in dev_set_name() called in device_add() is leaked.
As comment of device_add() says, it should call put_device() to drop
the reference count that was set in device_initialize() when it fails,
so the name can be freed in kobject_cleanup().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d7a301033f1990188f65abf4fe8e5b90ef0e3888 , < e4ff88548defafb1ef84facd9856ec252da7b008
(git)
Affected: d7a301033f1990188f65abf4fe8e5b90ef0e3888 , < 3cc4c2f6c266fe5b33a7fa797f31e8b3f06ce58c (git) Affected: d7a301033f1990188f65abf4fe8e5b90ef0e3888 , < 7ffe14fce7425c32e735bdc44bce425f18976a49 (git) Affected: d7a301033f1990188f65abf4fe8e5b90ef0e3888 , < 9f3b2b666833ebef6d0ce5a40e189f38e70342a1 (git) Affected: d7a301033f1990188f65abf4fe8e5b90ef0e3888 , < d35e7ae10eb8917883da2a0b1823c620a1be42d6 (git) Affected: d7a301033f1990188f65abf4fe8e5b90ef0e3888 , < 96f27ff732208dce6468016e7a7d5032bd1bfc23 (git) Affected: d7a301033f1990188f65abf4fe8e5b90ef0e3888 , < ebd8dc974fcc59e2851a0d89ee7935b55142dc8e (git) Affected: d7a301033f1990188f65abf4fe8e5b90ef0e3888 , < afda85b963c12947e298ad85d757e333aa40fd74 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/platforms/pseries/ibmebus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e4ff88548defafb1ef84facd9856ec252da7b008",
"status": "affected",
"version": "d7a301033f1990188f65abf4fe8e5b90ef0e3888",
"versionType": "git"
},
{
"lessThan": "3cc4c2f6c266fe5b33a7fa797f31e8b3f06ce58c",
"status": "affected",
"version": "d7a301033f1990188f65abf4fe8e5b90ef0e3888",
"versionType": "git"
},
{
"lessThan": "7ffe14fce7425c32e735bdc44bce425f18976a49",
"status": "affected",
"version": "d7a301033f1990188f65abf4fe8e5b90ef0e3888",
"versionType": "git"
},
{
"lessThan": "9f3b2b666833ebef6d0ce5a40e189f38e70342a1",
"status": "affected",
"version": "d7a301033f1990188f65abf4fe8e5b90ef0e3888",
"versionType": "git"
},
{
"lessThan": "d35e7ae10eb8917883da2a0b1823c620a1be42d6",
"status": "affected",
"version": "d7a301033f1990188f65abf4fe8e5b90ef0e3888",
"versionType": "git"
},
{
"lessThan": "96f27ff732208dce6468016e7a7d5032bd1bfc23",
"status": "affected",
"version": "d7a301033f1990188f65abf4fe8e5b90ef0e3888",
"versionType": "git"
},
{
"lessThan": "ebd8dc974fcc59e2851a0d89ee7935b55142dc8e",
"status": "affected",
"version": "d7a301033f1990188f65abf4fe8e5b90ef0e3888",
"versionType": "git"
},
{
"lessThan": "afda85b963c12947e298ad85d757e333aa40fd74",
"status": "affected",
"version": "d7a301033f1990188f65abf4fe8e5b90ef0e3888",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/platforms/pseries/ibmebus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: fix possible memory leak in ibmebus_bus_init()\n\nIf device_register() returns error in ibmebus_bus_init(), name of kobject\nwhich is allocated in dev_set_name() called in device_add() is leaked.\n\nAs comment of device_add() says, it should call put_device() to drop\nthe reference count that was set in device_initialize() when it fails,\nso the name can be freed in kobject_cleanup()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:29.725Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e4ff88548defafb1ef84facd9856ec252da7b008"
},
{
"url": "https://git.kernel.org/stable/c/3cc4c2f6c266fe5b33a7fa797f31e8b3f06ce58c"
},
{
"url": "https://git.kernel.org/stable/c/7ffe14fce7425c32e735bdc44bce425f18976a49"
},
{
"url": "https://git.kernel.org/stable/c/9f3b2b666833ebef6d0ce5a40e189f38e70342a1"
},
{
"url": "https://git.kernel.org/stable/c/d35e7ae10eb8917883da2a0b1823c620a1be42d6"
},
{
"url": "https://git.kernel.org/stable/c/96f27ff732208dce6468016e7a7d5032bd1bfc23"
},
{
"url": "https://git.kernel.org/stable/c/ebd8dc974fcc59e2851a0d89ee7935b55142dc8e"
},
{
"url": "https://git.kernel.org/stable/c/afda85b963c12947e298ad85d757e333aa40fd74"
}
],
"title": "powerpc/pseries: fix possible memory leak in ibmebus_bus_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54017",
"datePublished": "2025-12-24T10:55:48.364Z",
"dateReserved": "2025-12-24T10:53:46.178Z",
"dateUpdated": "2026-01-05T10:33:29.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68373 (GCVE-0-2025-68373)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2025-12-24 10:33
VLAI?
EPSS
Title
md: avoid repeated calls to del_gendisk
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: avoid repeated calls to del_gendisk
There is a uaf problem which is found by case 23rdev-lifetime:
Oops: general protection fault, probably for non-canonical address 0xdead000000000122
RIP: 0010:bdi_unregister+0x4b/0x170
Call Trace:
<TASK>
__del_gendisk+0x356/0x3e0
mddev_unlock+0x351/0x360
rdev_attr_store+0x217/0x280
kernfs_fop_write_iter+0x14a/0x210
vfs_write+0x29e/0x550
ksys_write+0x74/0xf0
do_syscall_64+0xbb/0x380
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff5250a177e
The sequence is:
1. rdev remove path gets reconfig_mutex
2. rdev remove path release reconfig_mutex in mddev_unlock
3. md stop calls do_md_stop and sets MD_DELETED
4. rdev remove path calls del_gendisk because MD_DELETED is set
5. md stop path release reconfig_mutex and calls del_gendisk again
So there is a race condition we should resolve. This patch adds a
flag MD_DO_DELETE to avoid the race condition.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9e59d609763f70a992a8f3808dabcce60f14eb5c , < b4c5cf406062ad44cd178269571530c6435b2f3b
(git)
Affected: 9e59d609763f70a992a8f3808dabcce60f14eb5c , < f0fae1debeb9102398ddf2ef69b4f5d395afafed (git) Affected: 9e59d609763f70a992a8f3808dabcce60f14eb5c , < 90e3bb44c0a86e245d8e5c6520206fa113acb1ee (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c",
"drivers/md/md.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b4c5cf406062ad44cd178269571530c6435b2f3b",
"status": "affected",
"version": "9e59d609763f70a992a8f3808dabcce60f14eb5c",
"versionType": "git"
},
{
"lessThan": "f0fae1debeb9102398ddf2ef69b4f5d395afafed",
"status": "affected",
"version": "9e59d609763f70a992a8f3808dabcce60f14eb5c",
"versionType": "git"
},
{
"lessThan": "90e3bb44c0a86e245d8e5c6520206fa113acb1ee",
"status": "affected",
"version": "9e59d609763f70a992a8f3808dabcce60f14eb5c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c",
"drivers/md/md.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: avoid repeated calls to del_gendisk\n\nThere is a uaf problem which is found by case 23rdev-lifetime:\n\nOops: general protection fault, probably for non-canonical address 0xdead000000000122\nRIP: 0010:bdi_unregister+0x4b/0x170\nCall Trace:\n \u003cTASK\u003e\n __del_gendisk+0x356/0x3e0\n mddev_unlock+0x351/0x360\n rdev_attr_store+0x217/0x280\n kernfs_fop_write_iter+0x14a/0x210\n vfs_write+0x29e/0x550\n ksys_write+0x74/0xf0\n do_syscall_64+0xbb/0x380\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff5250a177e\n\nThe sequence is:\n1. rdev remove path gets reconfig_mutex\n2. rdev remove path release reconfig_mutex in mddev_unlock\n3. md stop calls do_md_stop and sets MD_DELETED\n4. rdev remove path calls del_gendisk because MD_DELETED is set\n5. md stop path release reconfig_mutex and calls del_gendisk again\n\nSo there is a race condition we should resolve. This patch adds a\nflag MD_DO_DELETE to avoid the race condition."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:33:03.375Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b4c5cf406062ad44cd178269571530c6435b2f3b"
},
{
"url": "https://git.kernel.org/stable/c/f0fae1debeb9102398ddf2ef69b4f5d395afafed"
},
{
"url": "https://git.kernel.org/stable/c/90e3bb44c0a86e245d8e5c6520206fa113acb1ee"
}
],
"title": "md: avoid repeated calls to del_gendisk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68373",
"datePublished": "2025-12-24T10:33:03.375Z",
"dateReserved": "2025-12-16T14:48:05.310Z",
"dateUpdated": "2025-12-24T10:33:03.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68350 (GCVE-0-2025-68350)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32
VLAI?
EPSS
Title
exfat: fix divide-by-zero in exfat_allocate_bitmap
Summary
In the Linux kernel, the following vulnerability has been resolved:
exfat: fix divide-by-zero in exfat_allocate_bitmap
The variable max_ra_count can be 0 in exfat_allocate_bitmap(),
which causes a divide-by-zero error in the subsequent modulo operation
(i % max_ra_count), leading to a system crash.
When max_ra_count is 0, it means that readahead is not used. This patch
load the bitmap without readahead.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/exfat/balloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88fc3dd6e631b3e2975f898c6c2b6bc6f7058b44",
"status": "affected",
"version": "9fd688678dd86e3be32a35e3b2c5cc3ef0c4e257",
"versionType": "git"
},
{
"lessThan": "d70a5804c563b5e34825353ba9927509df709651",
"status": "affected",
"version": "9fd688678dd86e3be32a35e3b2c5cc3ef0c4e257",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/exfat/balloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix divide-by-zero in exfat_allocate_bitmap\n\nThe variable max_ra_count can be 0 in exfat_allocate_bitmap(),\nwhich causes a divide-by-zero error in the subsequent modulo operation\n(i % max_ra_count), leading to a system crash.\nWhen max_ra_count is 0, it means that readahead is not used. This patch\nload the bitmap without readahead."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:32:41.931Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88fc3dd6e631b3e2975f898c6c2b6bc6f7058b44"
},
{
"url": "https://git.kernel.org/stable/c/d70a5804c563b5e34825353ba9927509df709651"
}
],
"title": "exfat: fix divide-by-zero in exfat_allocate_bitmap",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68350",
"datePublished": "2025-12-24T10:32:41.931Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2025-12-24T10:32:41.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50697 (GCVE-0-2022-50697)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-02 15:03
VLAI?
EPSS
Title
mrp: introduce active flags to prevent UAF when applicant uninit
Summary
In the Linux kernel, the following vulnerability has been resolved:
mrp: introduce active flags to prevent UAF when applicant uninit
The caller of del_timer_sync must prevent restarting of the timer, If
we have no this synchronization, there is a small probability that the
cancellation will not be successful.
And syzbot report the fellowing crash:
==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]
BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
Write at addr f9ff000024df6058 by task syz-fuzzer/2256
Pointer tag: [f9], memory tag: [fe]
CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-
ge01d50cbd6ee #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156
dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]
show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x1a8/0x4a0 mm/kasan/report.c:395
kasan_report+0x94/0xb4 mm/kasan/report.c:495
__do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320
do_bad_area arch/arm64/mm/fault.c:473 [inline]
do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749
do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825
el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367
el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427
el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576
hlist_add_head include/linux/list.h:929 [inline]
enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
mod_timer+0x14/0x20 kernel/time/timer.c:1161
mrp_periodic_timer_arm net/802/mrp.c:614 [inline]
mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627
call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474
expire_timers+0x98/0xc4 kernel/time/timer.c:1519
To fix it, we can introduce a new active flags to make sure the timer will
not restart.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
febf018d22347b5df94066bca05d0c11a84e839d , < 98f53e591940e4c3818be358c5dc684d5b30cb56
(git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < aacffc1a8dbf67c5463cb4f67b37143c01ca6fa9 (git) Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 78d48bc41f7726113c9f114268d3ab11212814da (git) Affected: febf018d22347b5df94066bca05d0c11a84e839d , < aadb1507a77b060c529edfeaf67f803e31461f24 (git) Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 755eb0879224ffc2a43de724554aeaf0e51e5a64 (git) Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 5d5a481a7fd0234f617535dc464ea010804a1129 (git) Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 1a185fe83c2a60c1e3596fb9d82dbeb148dc09c6 (git) Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 563e45fd5046045cc194af3ba17f5423e1c98170 (git) Affected: febf018d22347b5df94066bca05d0c11a84e839d , < ab0377803dafc58f1e22296708c1c28e309414d6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/mrp.h",
"net/802/mrp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "98f53e591940e4c3818be358c5dc684d5b30cb56",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "aacffc1a8dbf67c5463cb4f67b37143c01ca6fa9",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "78d48bc41f7726113c9f114268d3ab11212814da",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "aadb1507a77b060c529edfeaf67f803e31461f24",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "755eb0879224ffc2a43de724554aeaf0e51e5a64",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "5d5a481a7fd0234f617535dc464ea010804a1129",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "1a185fe83c2a60c1e3596fb9d82dbeb148dc09c6",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "563e45fd5046045cc194af3ba17f5423e1c98170",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "ab0377803dafc58f1e22296708c1c28e309414d6",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/mrp.h",
"net/802/mrp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmrp: introduce active flags to prevent UAF when applicant uninit\n\nThe caller of del_timer_sync must prevent restarting of the timer, If\nwe have no this synchronization, there is a small probability that the\ncancellation will not be successful.\n\nAnd syzbot report the fellowing crash:\n==================================================================\nBUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]\nBUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605\nWrite at addr f9ff000024df6058 by task syz-fuzzer/2256\nPointer tag: [f9], memory tag: [fe]\n\nCPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-\nge01d50cbd6ee #0\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156\n dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]\n show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x1a8/0x4a0 mm/kasan/report.c:395\n kasan_report+0x94/0xb4 mm/kasan/report.c:495\n __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320\n do_bad_area arch/arm64/mm/fault.c:473 [inline]\n do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749\n do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825\n el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367\n el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427\n el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576\n hlist_add_head include/linux/list.h:929 [inline]\n enqueue_timer+0x18/0xa4 kernel/time/timer.c:605\n mod_timer+0x14/0x20 kernel/time/timer.c:1161\n mrp_periodic_timer_arm net/802/mrp.c:614 [inline]\n mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627\n call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474\n expire_timers+0x98/0xc4 kernel/time/timer.c:1519\n\nTo fix it, we can introduce a new active flags to make sure the timer will\nnot restart."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:03:54.183Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/98f53e591940e4c3818be358c5dc684d5b30cb56"
},
{
"url": "https://git.kernel.org/stable/c/aacffc1a8dbf67c5463cb4f67b37143c01ca6fa9"
},
{
"url": "https://git.kernel.org/stable/c/78d48bc41f7726113c9f114268d3ab11212814da"
},
{
"url": "https://git.kernel.org/stable/c/aadb1507a77b060c529edfeaf67f803e31461f24"
},
{
"url": "https://git.kernel.org/stable/c/755eb0879224ffc2a43de724554aeaf0e51e5a64"
},
{
"url": "https://git.kernel.org/stable/c/5d5a481a7fd0234f617535dc464ea010804a1129"
},
{
"url": "https://git.kernel.org/stable/c/1a185fe83c2a60c1e3596fb9d82dbeb148dc09c6"
},
{
"url": "https://git.kernel.org/stable/c/563e45fd5046045cc194af3ba17f5423e1c98170"
},
{
"url": "https://git.kernel.org/stable/c/ab0377803dafc58f1e22296708c1c28e309414d6"
}
],
"title": "mrp: introduce active flags to prevent UAF when applicant uninit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50697",
"datePublished": "2025-12-24T10:55:13.762Z",
"dateReserved": "2025-12-24T10:53:15.517Z",
"dateUpdated": "2026-01-02T15:03:54.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53986 (GCVE-0-2023-53986)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
mips: bmips: BCM6358: disable RAC flush for TP1
Summary
In the Linux kernel, the following vulnerability has been resolved:
mips: bmips: BCM6358: disable RAC flush for TP1
RAC flush causes kernel panics on BCM6358 with EHCI/OHCI when booting from TP1:
[ 3.881739] usb 1-1: new high-speed USB device number 2 using ehci-platform
[ 3.895011] Reserved instruction in kernel code[#1]:
[ 3.900113] CPU: 0 PID: 1 Comm: init Not tainted 5.10.16 #0
[ 3.905829] $ 0 : 00000000 10008700 00000000 77d94060
[ 3.911238] $ 4 : 7fd1f088 00000000 81431cac 81431ca0
[ 3.916641] $ 8 : 00000000 ffffefff 8075cd34 00000000
[ 3.922043] $12 : 806f8d40 f3e812b7 00000000 000d9aaa
[ 3.927446] $16 : 7fd1f068 7fd1f080 7ff559b8 81428470
[ 3.932848] $20 : 00000000 00000000 55590000 77d70000
[ 3.938251] $24 : 00000018 00000010
[ 3.943655] $28 : 81430000 81431e60 81431f28 800157fc
[ 3.949058] Hi : 00000000
[ 3.952013] Lo : 00000000
[ 3.955019] epc : 80015808 setup_sigcontext+0x54/0x24c
[ 3.960464] ra : 800157fc setup_sigcontext+0x48/0x24c
[ 3.965913] Status: 10008703 KERNEL EXL IE
[ 3.970216] Cause : 00800028 (ExcCode 0a)
[ 3.974340] PrId : 0002a010 (Broadcom BMIPS4350)
[ 3.979170] Modules linked in: ohci_platform ohci_hcd fsl_mph_dr_of ehci_platform ehci_fsl ehci_hcd gpio_button_hotplug usbcore nls_base usb_common
[ 3.992907] Process init (pid: 1, threadinfo=(ptrval), task=(ptrval), tls=77e22ec8)
[ 4.000776] Stack : 81431ef4 7fd1f080 81431f28 81428470 7fd1f068 81431edc 7ff559b8 81428470
[ 4.009467] 81431f28 7fd1f080 55590000 77d70000 77d5498c 80015c70 806f0000 8063ae74
[ 4.018149] 08100002 81431f28 0000000a 08100002 81431f28 0000000a 77d6b418 00000003
[ 4.026831] ffffffff 80016414 80080734 81431ecc 81431ecc 00000001 00000000 04000000
[ 4.035512] 77d54874 00000000 00000000 00000000 00000000 00000012 00000002 00000000
[ 4.044196] ...
[ 4.046706] Call Trace:
[ 4.049238] [<80015808>] setup_sigcontext+0x54/0x24c
[ 4.054356] [<80015c70>] setup_frame+0xdc/0x124
[ 4.059015] [<80016414>] do_notify_resume+0x1dc/0x288
[ 4.064207] [<80011b50>] work_notifysig+0x10/0x18
[ 4.069036]
[ 4.070538] Code: 8fc300b4 00001025 26240008 <ac820000> ac830004 3c048063 0c0228aa 24846a00 26240010
[ 4.080686]
[ 4.082517] ---[ end trace 22a8edb41f5f983b ]---
[ 4.087374] Kernel panic - not syncing: Fatal exception
[ 4.092753] Rebooting in 1 seconds..
Because the bootloader (CFE) is not initializing the Read-ahead cache properly
on the second thread (TP1). Since the RAC was not initialized properly, we
should avoid flushing it at the risk of corrupting the instruction stream as
seen in the trace above.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d59098a0e9cb3c7767090e935c909b37a30629ab , < d65de5ee8b72868fbbbd39ca73017d0e526fa13a
(git)
Affected: d59098a0e9cb3c7767090e935c909b37a30629ab , < 47a449ec09b4479b89dcc6b27ec3829fc82ffafb (git) Affected: d59098a0e9cb3c7767090e935c909b37a30629ab , < 65b723644294f1d79770704162c0e8d1f700b6f1 (git) Affected: d59098a0e9cb3c7767090e935c909b37a30629ab , < 2cdbcff99f15db86a10672fb220379a1ae46ccae (git) Affected: d59098a0e9cb3c7767090e935c909b37a30629ab , < 288c96aa5b5526cd4a946e84ef85e165857693b5 (git) Affected: d59098a0e9cb3c7767090e935c909b37a30629ab , < ab327f8acdf8d06601fbf058859a539a9422afff (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/mips/bmips/dma.c",
"arch/mips/bmips/setup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d65de5ee8b72868fbbbd39ca73017d0e526fa13a",
"status": "affected",
"version": "d59098a0e9cb3c7767090e935c909b37a30629ab",
"versionType": "git"
},
{
"lessThan": "47a449ec09b4479b89dcc6b27ec3829fc82ffafb",
"status": "affected",
"version": "d59098a0e9cb3c7767090e935c909b37a30629ab",
"versionType": "git"
},
{
"lessThan": "65b723644294f1d79770704162c0e8d1f700b6f1",
"status": "affected",
"version": "d59098a0e9cb3c7767090e935c909b37a30629ab",
"versionType": "git"
},
{
"lessThan": "2cdbcff99f15db86a10672fb220379a1ae46ccae",
"status": "affected",
"version": "d59098a0e9cb3c7767090e935c909b37a30629ab",
"versionType": "git"
},
{
"lessThan": "288c96aa5b5526cd4a946e84ef85e165857693b5",
"status": "affected",
"version": "d59098a0e9cb3c7767090e935c909b37a30629ab",
"versionType": "git"
},
{
"lessThan": "ab327f8acdf8d06601fbf058859a539a9422afff",
"status": "affected",
"version": "d59098a0e9cb3c7767090e935c909b37a30629ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/mips/bmips/dma.c",
"arch/mips/bmips/setup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.177",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.106",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.240",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.177",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.106",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.23",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.10",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmips: bmips: BCM6358: disable RAC flush for TP1\n\nRAC flush causes kernel panics on BCM6358 with EHCI/OHCI when booting from TP1:\n[ 3.881739] usb 1-1: new high-speed USB device number 2 using ehci-platform\n[ 3.895011] Reserved instruction in kernel code[#1]:\n[ 3.900113] CPU: 0 PID: 1 Comm: init Not tainted 5.10.16 #0\n[ 3.905829] $ 0 : 00000000 10008700 00000000 77d94060\n[ 3.911238] $ 4 : 7fd1f088 00000000 81431cac 81431ca0\n[ 3.916641] $ 8 : 00000000 ffffefff 8075cd34 00000000\n[ 3.922043] $12 : 806f8d40 f3e812b7 00000000 000d9aaa\n[ 3.927446] $16 : 7fd1f068 7fd1f080 7ff559b8 81428470\n[ 3.932848] $20 : 00000000 00000000 55590000 77d70000\n[ 3.938251] $24 : 00000018 00000010\n[ 3.943655] $28 : 81430000 81431e60 81431f28 800157fc\n[ 3.949058] Hi : 00000000\n[ 3.952013] Lo : 00000000\n[ 3.955019] epc : 80015808 setup_sigcontext+0x54/0x24c\n[ 3.960464] ra : 800157fc setup_sigcontext+0x48/0x24c\n[ 3.965913] Status: 10008703\tKERNEL EXL IE\n[ 3.970216] Cause : 00800028 (ExcCode 0a)\n[ 3.974340] PrId : 0002a010 (Broadcom BMIPS4350)\n[ 3.979170] Modules linked in: ohci_platform ohci_hcd fsl_mph_dr_of ehci_platform ehci_fsl ehci_hcd gpio_button_hotplug usbcore nls_base usb_common\n[ 3.992907] Process init (pid: 1, threadinfo=(ptrval), task=(ptrval), tls=77e22ec8)\n[ 4.000776] Stack : 81431ef4 7fd1f080 81431f28 81428470 7fd1f068 81431edc 7ff559b8 81428470\n[ 4.009467] 81431f28 7fd1f080 55590000 77d70000 77d5498c 80015c70 806f0000 8063ae74\n[ 4.018149] 08100002 81431f28 0000000a 08100002 81431f28 0000000a 77d6b418 00000003\n[ 4.026831] ffffffff 80016414 80080734 81431ecc 81431ecc 00000001 00000000 04000000\n[ 4.035512] 77d54874 00000000 00000000 00000000 00000000 00000012 00000002 00000000\n[ 4.044196] ...\n[ 4.046706] Call Trace:\n[ 4.049238] [\u003c80015808\u003e] setup_sigcontext+0x54/0x24c\n[ 4.054356] [\u003c80015c70\u003e] setup_frame+0xdc/0x124\n[ 4.059015] [\u003c80016414\u003e] do_notify_resume+0x1dc/0x288\n[ 4.064207] [\u003c80011b50\u003e] work_notifysig+0x10/0x18\n[ 4.069036]\n[ 4.070538] Code: 8fc300b4 00001025 26240008 \u003cac820000\u003e ac830004 3c048063 0c0228aa 24846a00 26240010\n[ 4.080686]\n[ 4.082517] ---[ end trace 22a8edb41f5f983b ]---\n[ 4.087374] Kernel panic - not syncing: Fatal exception\n[ 4.092753] Rebooting in 1 seconds..\n\nBecause the bootloader (CFE) is not initializing the Read-ahead cache properly\non the second thread (TP1). Since the RAC was not initialized properly, we\nshould avoid flushing it at the risk of corrupting the instruction stream as\nseen in the trace above."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:26.282Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d65de5ee8b72868fbbbd39ca73017d0e526fa13a"
},
{
"url": "https://git.kernel.org/stable/c/47a449ec09b4479b89dcc6b27ec3829fc82ffafb"
},
{
"url": "https://git.kernel.org/stable/c/65b723644294f1d79770704162c0e8d1f700b6f1"
},
{
"url": "https://git.kernel.org/stable/c/2cdbcff99f15db86a10672fb220379a1ae46ccae"
},
{
"url": "https://git.kernel.org/stable/c/288c96aa5b5526cd4a946e84ef85e165857693b5"
},
{
"url": "https://git.kernel.org/stable/c/ab327f8acdf8d06601fbf058859a539a9422afff"
}
],
"title": "mips: bmips: BCM6358: disable RAC flush for TP1",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53986",
"datePublished": "2025-12-24T10:55:26.282Z",
"dateReserved": "2025-12-24T10:53:46.175Z",
"dateUpdated": "2025-12-24T10:55:26.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53995 (GCVE-0-2023-53995)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
net: ipv4: fix one memleak in __inet_del_ifa()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ipv4: fix one memleak in __inet_del_ifa()
I got the below warning when do fuzzing test:
unregister_netdevice: waiting for bond0 to become free. Usage count = 2
It can be repoduced via:
ip link add bond0 type bond
sysctl -w net.ipv4.conf.bond0.promote_secondaries=1
ip addr add 4.117.174.103/0 scope 0x40 dev bond0
ip addr add 192.168.100.111/255.255.255.254 scope 0 dev bond0
ip addr add 0.0.0.4/0 scope 0x40 secondary dev bond0
ip addr del 4.117.174.103/0 scope 0x40 dev bond0
ip link delete bond0 type bond
In this reproduction test case, an incorrect 'last_prim' is found in
__inet_del_ifa(), as a result, the secondary address(0.0.0.4/0 scope 0x40)
is lost. The memory of the secondary address is leaked and the reference of
in_device and net_device is leaked.
Fix this problem:
Look for 'last_prim' starting at location of the deleted IP and inserting
the promoted IP into the location of 'last_prim'.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0ff60a45678e67b2547256a636fd00c1667ce4fa , < 5624f26a3574500ce23929cb2c9976a0dec9920a
(git)
Affected: 0ff60a45678e67b2547256a636fd00c1667ce4fa , < 7c8ddcdab1b900bed69cad6beef477fff116289e (git) Affected: 0ff60a45678e67b2547256a636fd00c1667ce4fa , < 2f1e86014d0cc084886c36a2d77bc620e2d42618 (git) Affected: 0ff60a45678e67b2547256a636fd00c1667ce4fa , < 980f8445479814509a3cd55a8eabaae1c9030a4c (git) Affected: 0ff60a45678e67b2547256a636fd00c1667ce4fa , < 42652af5360d30b43b06057c193739e7dfb18f42 (git) Affected: 0ff60a45678e67b2547256a636fd00c1667ce4fa , < ac28b1ec6135649b5d78b028e47264cb3ebca5ea (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/devinet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5624f26a3574500ce23929cb2c9976a0dec9920a",
"status": "affected",
"version": "0ff60a45678e67b2547256a636fd00c1667ce4fa",
"versionType": "git"
},
{
"lessThan": "7c8ddcdab1b900bed69cad6beef477fff116289e",
"status": "affected",
"version": "0ff60a45678e67b2547256a636fd00c1667ce4fa",
"versionType": "git"
},
{
"lessThan": "2f1e86014d0cc084886c36a2d77bc620e2d42618",
"status": "affected",
"version": "0ff60a45678e67b2547256a636fd00c1667ce4fa",
"versionType": "git"
},
{
"lessThan": "980f8445479814509a3cd55a8eabaae1c9030a4c",
"status": "affected",
"version": "0ff60a45678e67b2547256a636fd00c1667ce4fa",
"versionType": "git"
},
{
"lessThan": "42652af5360d30b43b06057c193739e7dfb18f42",
"status": "affected",
"version": "0ff60a45678e67b2547256a636fd00c1667ce4fa",
"versionType": "git"
},
{
"lessThan": "ac28b1ec6135649b5d78b028e47264cb3ebca5ea",
"status": "affected",
"version": "0ff60a45678e67b2547256a636fd00c1667ce4fa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/devinet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.15"
},
{
"lessThan": "2.6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix one memleak in __inet_del_ifa()\n\nI got the below warning when do fuzzing test:\nunregister_netdevice: waiting for bond0 to become free. Usage count = 2\n\nIt can be repoduced via:\n\nip link add bond0 type bond\nsysctl -w net.ipv4.conf.bond0.promote_secondaries=1\nip addr add 4.117.174.103/0 scope 0x40 dev bond0\nip addr add 192.168.100.111/255.255.255.254 scope 0 dev bond0\nip addr add 0.0.0.4/0 scope 0x40 secondary dev bond0\nip addr del 4.117.174.103/0 scope 0x40 dev bond0\nip link delete bond0 type bond\n\nIn this reproduction test case, an incorrect \u0027last_prim\u0027 is found in\n__inet_del_ifa(), as a result, the secondary address(0.0.0.4/0 scope 0x40)\nis lost. The memory of the secondary address is leaked and the reference of\nin_device and net_device is leaked.\n\nFix this problem:\nLook for \u0027last_prim\u0027 starting at location of the deleted IP and inserting\nthe promoted IP into the location of \u0027last_prim\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:32.713Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5624f26a3574500ce23929cb2c9976a0dec9920a"
},
{
"url": "https://git.kernel.org/stable/c/7c8ddcdab1b900bed69cad6beef477fff116289e"
},
{
"url": "https://git.kernel.org/stable/c/2f1e86014d0cc084886c36a2d77bc620e2d42618"
},
{
"url": "https://git.kernel.org/stable/c/980f8445479814509a3cd55a8eabaae1c9030a4c"
},
{
"url": "https://git.kernel.org/stable/c/42652af5360d30b43b06057c193739e7dfb18f42"
},
{
"url": "https://git.kernel.org/stable/c/ac28b1ec6135649b5d78b028e47264cb3ebca5ea"
}
],
"title": "net: ipv4: fix one memleak in __inet_del_ifa()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53995",
"datePublished": "2025-12-24T10:55:32.713Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2025-12-24T10:55:32.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53987 (GCVE-0-2023-53987)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
ping: Fix potentail NULL deref for /proc/net/icmp.
Summary
In the Linux kernel, the following vulnerability has been resolved:
ping: Fix potentail NULL deref for /proc/net/icmp.
After commit dbca1596bbb0 ("ping: convert to RCU lookups, get rid
of rwlock"), we use RCU for ping sockets, but we should use spinlock
for /proc/net/icmp to avoid a potential NULL deref mentioned in
the previous patch.
Let's go back to using spinlock there.
Note we can convert ping sockets to use hlist instead of hlist_nulls
because we do not use SLAB_TYPESAFE_BY_RCU for ping sockets.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
dbca1596bbb08318f5e3b3b99f8ca0a0d3830a65 , < 5a08a32e624908890aa0a2eb442bb6a7669891a8
(git)
Affected: dbca1596bbb08318f5e3b3b99f8ca0a0d3830a65 , < 176cbb6da28f36506cc60a4bec4ab8df0c16713a (git) Affected: dbca1596bbb08318f5e3b3b99f8ca0a0d3830a65 , < ab5fb73ffa01072b4d8031cc05801fa1cb653bee (git) Affected: de3d723a3985f282a8c9e468d1e198616eb291c8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/ping.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a08a32e624908890aa0a2eb442bb6a7669891a8",
"status": "affected",
"version": "dbca1596bbb08318f5e3b3b99f8ca0a0d3830a65",
"versionType": "git"
},
{
"lessThan": "176cbb6da28f36506cc60a4bec4ab8df0c16713a",
"status": "affected",
"version": "dbca1596bbb08318f5e3b3b99f8ca0a0d3830a65",
"versionType": "git"
},
{
"lessThan": "ab5fb73ffa01072b4d8031cc05801fa1cb653bee",
"status": "affected",
"version": "dbca1596bbb08318f5e3b3b99f8ca0a0d3830a65",
"versionType": "git"
},
{
"status": "affected",
"version": "de3d723a3985f282a8c9e468d1e198616eb291c8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/ping.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nping: Fix potentail NULL deref for /proc/net/icmp.\n\nAfter commit dbca1596bbb0 (\"ping: convert to RCU lookups, get rid\nof rwlock\"), we use RCU for ping sockets, but we should use spinlock\nfor /proc/net/icmp to avoid a potential NULL deref mentioned in\nthe previous patch.\n\nLet\u0027s go back to using spinlock there.\n\nNote we can convert ping sockets to use hlist instead of hlist_nulls\nbecause we do not use SLAB_TYPESAFE_BY_RCU for ping sockets."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:27.032Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a08a32e624908890aa0a2eb442bb6a7669891a8"
},
{
"url": "https://git.kernel.org/stable/c/176cbb6da28f36506cc60a4bec4ab8df0c16713a"
},
{
"url": "https://git.kernel.org/stable/c/ab5fb73ffa01072b4d8031cc05801fa1cb653bee"
}
],
"title": "ping: Fix potentail NULL deref for /proc/net/icmp.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53987",
"datePublished": "2025-12-24T10:55:27.032Z",
"dateReserved": "2025-12-24T10:53:46.175Z",
"dateUpdated": "2025-12-24T10:55:27.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54010 (GCVE-0-2023-54010)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects
ACPICA commit 0d5f467d6a0ba852ea3aad68663cbcbd43300fd4
ACPI_ALLOCATE_ZEROED may fails, object_info might be null and will cause
null pointer dereference later.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9957510255724c1c746c9a6264c849e9fdd4cd24 , < c9fcb2cfcbd4d7018d9f659f5b670f5b727d1968
(git)
Affected: 9957510255724c1c746c9a6264c849e9fdd4cd24 , < 35d67ffad6f5d78dbd800d354f5334c7b71a19e0 (git) Affected: 9957510255724c1c746c9a6264c849e9fdd4cd24 , < c409eb45f5ddae2e3b3faa76cefc87f3cd0d0e88 (git) Affected: 9957510255724c1c746c9a6264c849e9fdd4cd24 , < 978e0d05547ae707d51a942fc7e85a34e181ee6f (git) Affected: 9957510255724c1c746c9a6264c849e9fdd4cd24 , < d997c920a5305b37f0b8a40501b5aca10d099ecd (git) Affected: 9957510255724c1c746c9a6264c849e9fdd4cd24 , < fee6133490091492dc66bcf71479bd53bd17a7d2 (git) Affected: 9957510255724c1c746c9a6264c849e9fdd4cd24 , < ed2e1e85644ca3d351324e9927a538c8af4df654 (git) Affected: 9957510255724c1c746c9a6264c849e9fdd4cd24 , < ae5a0eccc85fc960834dd66e3befc2728284b86c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/dbnames.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c9fcb2cfcbd4d7018d9f659f5b670f5b727d1968",
"status": "affected",
"version": "9957510255724c1c746c9a6264c849e9fdd4cd24",
"versionType": "git"
},
{
"lessThan": "35d67ffad6f5d78dbd800d354f5334c7b71a19e0",
"status": "affected",
"version": "9957510255724c1c746c9a6264c849e9fdd4cd24",
"versionType": "git"
},
{
"lessThan": "c409eb45f5ddae2e3b3faa76cefc87f3cd0d0e88",
"status": "affected",
"version": "9957510255724c1c746c9a6264c849e9fdd4cd24",
"versionType": "git"
},
{
"lessThan": "978e0d05547ae707d51a942fc7e85a34e181ee6f",
"status": "affected",
"version": "9957510255724c1c746c9a6264c849e9fdd4cd24",
"versionType": "git"
},
{
"lessThan": "d997c920a5305b37f0b8a40501b5aca10d099ecd",
"status": "affected",
"version": "9957510255724c1c746c9a6264c849e9fdd4cd24",
"versionType": "git"
},
{
"lessThan": "fee6133490091492dc66bcf71479bd53bd17a7d2",
"status": "affected",
"version": "9957510255724c1c746c9a6264c849e9fdd4cd24",
"versionType": "git"
},
{
"lessThan": "ed2e1e85644ca3d351324e9927a538c8af4df654",
"status": "affected",
"version": "9957510255724c1c746c9a6264c849e9fdd4cd24",
"versionType": "git"
},
{
"lessThan": "ae5a0eccc85fc960834dd66e3befc2728284b86c",
"status": "affected",
"version": "9957510255724c1c746c9a6264c849e9fdd4cd24",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/dbnames.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects\n\nACPICA commit 0d5f467d6a0ba852ea3aad68663cbcbd43300fd4\n\nACPI_ALLOCATE_ZEROED may fails, object_info might be null and will cause\nnull pointer dereference later."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:24.967Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c9fcb2cfcbd4d7018d9f659f5b670f5b727d1968"
},
{
"url": "https://git.kernel.org/stable/c/35d67ffad6f5d78dbd800d354f5334c7b71a19e0"
},
{
"url": "https://git.kernel.org/stable/c/c409eb45f5ddae2e3b3faa76cefc87f3cd0d0e88"
},
{
"url": "https://git.kernel.org/stable/c/978e0d05547ae707d51a942fc7e85a34e181ee6f"
},
{
"url": "https://git.kernel.org/stable/c/d997c920a5305b37f0b8a40501b5aca10d099ecd"
},
{
"url": "https://git.kernel.org/stable/c/fee6133490091492dc66bcf71479bd53bd17a7d2"
},
{
"url": "https://git.kernel.org/stable/c/ed2e1e85644ca3d351324e9927a538c8af4df654"
},
{
"url": "https://git.kernel.org/stable/c/ae5a0eccc85fc960834dd66e3befc2728284b86c"
}
],
"title": "ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54010",
"datePublished": "2025-12-24T10:55:43.386Z",
"dateReserved": "2025-12-24T10:53:46.178Z",
"dateUpdated": "2026-01-05T10:33:24.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54039 (GCVE-0-2023-54039)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access
In the j1939_tp_tx_dat_new() function, an out-of-bounds memory access
could occur during the memcpy() operation if the size of skb->cb is
larger than the size of struct j1939_sk_buff_cb. This is because the
memcpy() operation uses the size of skb->cb, leading to a read beyond
the struct j1939_sk_buff_cb.
Updated the memcpy() operation to use the size of struct
j1939_sk_buff_cb instead of the size of skb->cb. This ensures that the
memcpy() operation only reads the memory within the bounds of struct
j1939_sk_buff_cb, preventing out-of-bounds memory access.
Additionally, add a BUILD_BUG_ON() to check that the size of skb->cb
is greater than or equal to the size of struct j1939_sk_buff_cb. This
ensures that the skb->cb buffer is large enough to hold the
j1939_sk_buff_cb structure.
[mkl: rephrase commit message]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9d71dd0c70099914fcd063135da3c580865e924c , < d2136f05690c272dfc9f9d6efcc51d5f53494b33
(git)
Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 70caa596d158a5d84b117f722d58f3ea503a5ba9 (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 4fe1d9b6231a68ffc91318f57fd8e4982f028cf7 (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 4c3fb22a6ec68258ee129a2e6b720f43dffc562f (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 36befc9aed6202b4a9b906529aea13eacd7e34ff (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < b45193cb4df556fe6251b285a5ce44046dd36b4a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2136f05690c272dfc9f9d6efcc51d5f53494b33",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "70caa596d158a5d84b117f722d58f3ea503a5ba9",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "4fe1d9b6231a68ffc91318f57fd8e4982f028cf7",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "4c3fb22a6ec68258ee129a2e6b720f43dffc562f",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "36befc9aed6202b4a9b906529aea13eacd7e34ff",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "b45193cb4df556fe6251b285a5ce44046dd36b4a",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.178",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.241",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.178",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access\n\nIn the j1939_tp_tx_dat_new() function, an out-of-bounds memory access\ncould occur during the memcpy() operation if the size of skb-\u003ecb is\nlarger than the size of struct j1939_sk_buff_cb. This is because the\nmemcpy() operation uses the size of skb-\u003ecb, leading to a read beyond\nthe struct j1939_sk_buff_cb.\n\nUpdated the memcpy() operation to use the size of struct\nj1939_sk_buff_cb instead of the size of skb-\u003ecb. This ensures that the\nmemcpy() operation only reads the memory within the bounds of struct\nj1939_sk_buff_cb, preventing out-of-bounds memory access.\n\nAdditionally, add a BUILD_BUG_ON() to check that the size of skb-\u003ecb\nis greater than or equal to the size of struct j1939_sk_buff_cb. This\nensures that the skb-\u003ecb buffer is large enough to hold the\nj1939_sk_buff_cb structure.\n\n[mkl: rephrase commit message]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:05.365Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2136f05690c272dfc9f9d6efcc51d5f53494b33"
},
{
"url": "https://git.kernel.org/stable/c/70caa596d158a5d84b117f722d58f3ea503a5ba9"
},
{
"url": "https://git.kernel.org/stable/c/4fe1d9b6231a68ffc91318f57fd8e4982f028cf7"
},
{
"url": "https://git.kernel.org/stable/c/4c3fb22a6ec68258ee129a2e6b720f43dffc562f"
},
{
"url": "https://git.kernel.org/stable/c/36befc9aed6202b4a9b906529aea13eacd7e34ff"
},
{
"url": "https://git.kernel.org/stable/c/b45193cb4df556fe6251b285a5ce44046dd36b4a"
}
],
"title": "can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54039",
"datePublished": "2025-12-24T10:56:05.365Z",
"dateReserved": "2025-12-24T10:53:46.181Z",
"dateUpdated": "2025-12-24T10:56:05.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68348 (GCVE-0-2025-68348)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32
VLAI?
EPSS
Title
block: fix memory leak in __blkdev_issue_zero_pages
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: fix memory leak in __blkdev_issue_zero_pages
Move the fatal signal check before bio_alloc() to prevent a memory
leak when BLKDEV_ZERO_KILLABLE is set and a fatal signal is pending.
Previously, the bio was allocated before checking for a fatal signal.
If a signal was pending, the code would break out of the loop without
freeing or chaining the just-allocated bio, causing a memory leak.
This matches the pattern already used in __blkdev_issue_write_zeroes()
where the signal check precedes the allocation.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bf86bcdb40123ee99669ee91b67e023669433a1a , < 453e4b0c84d0db1454ff0adf655d91179e6fca3a
(git)
Affected: bf86bcdb40123ee99669ee91b67e023669433a1a , < 7957635c679e8a01147163a3a4a1f16e1210fa03 (git) Affected: bf86bcdb40123ee99669ee91b67e023669433a1a , < 7193407bc4457212fa38ec3aff9c640e63a8dbef (git) Affected: bf86bcdb40123ee99669ee91b67e023669433a1a , < f7e3f852a42d7cd8f1af2c330d9d153e30c8adcf (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "453e4b0c84d0db1454ff0adf655d91179e6fca3a",
"status": "affected",
"version": "bf86bcdb40123ee99669ee91b67e023669433a1a",
"versionType": "git"
},
{
"lessThan": "7957635c679e8a01147163a3a4a1f16e1210fa03",
"status": "affected",
"version": "bf86bcdb40123ee99669ee91b67e023669433a1a",
"versionType": "git"
},
{
"lessThan": "7193407bc4457212fa38ec3aff9c640e63a8dbef",
"status": "affected",
"version": "bf86bcdb40123ee99669ee91b67e023669433a1a",
"versionType": "git"
},
{
"lessThan": "f7e3f852a42d7cd8f1af2c330d9d153e30c8adcf",
"status": "affected",
"version": "bf86bcdb40123ee99669ee91b67e023669433a1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix memory leak in __blkdev_issue_zero_pages\n\nMove the fatal signal check before bio_alloc() to prevent a memory\nleak when BLKDEV_ZERO_KILLABLE is set and a fatal signal is pending.\n\nPreviously, the bio was allocated before checking for a fatal signal.\nIf a signal was pending, the code would break out of the loop without\nfreeing or chaining the just-allocated bio, causing a memory leak.\n\nThis matches the pattern already used in __blkdev_issue_write_zeroes()\nwhere the signal check precedes the allocation."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:32:40.561Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/453e4b0c84d0db1454ff0adf655d91179e6fca3a"
},
{
"url": "https://git.kernel.org/stable/c/7957635c679e8a01147163a3a4a1f16e1210fa03"
},
{
"url": "https://git.kernel.org/stable/c/7193407bc4457212fa38ec3aff9c640e63a8dbef"
},
{
"url": "https://git.kernel.org/stable/c/f7e3f852a42d7cd8f1af2c330d9d153e30c8adcf"
}
],
"title": "block: fix memory leak in __blkdev_issue_zero_pages",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68348",
"datePublished": "2025-12-24T10:32:40.561Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2025-12-24T10:32:40.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68378 (GCVE-0-2025-68378)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2025-12-24 10:33
VLAI?
EPSS
Title
bpf: Fix stackmap overflow check in __bpf_get_stackid()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix stackmap overflow check in __bpf_get_stackid()
Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid()
when copying stack trace data. The issue occurs when the perf trace
contains more stack entries than the stack map bucket can hold,
leading to an out-of-bounds write in the bucket's data array.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < d1f424a77b6bd27b361737ed73df49a0158f1590
(git)
Affected: ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < 2a008f6de163279deffd488c1deab081bce5667c (git) Affected: ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < 4669a8db976c8cbd5427fe9945f12c5fa5168ff3 (git) Affected: ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < 23f852daa4bab4d579110e034e4d513f7d490846 (git) Affected: 90805175a206f784b6a77f16f07b07f6803e286b (git) Affected: 398ac11f4425d1e52aaf0d05d4fc90524e1a5b5e (git) Affected: e750f78c4ed7cefbcefb9769b3b9e08033db39da (git) Affected: 6c4f243b58f5362e983386488b2d563764c567af (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/stackmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1f424a77b6bd27b361737ed73df49a0158f1590",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"lessThan": "2a008f6de163279deffd488c1deab081bce5667c",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"lessThan": "4669a8db976c8cbd5427fe9945f12c5fa5168ff3",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"lessThan": "23f852daa4bab4d579110e034e4d513f7d490846",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"status": "affected",
"version": "90805175a206f784b6a77f16f07b07f6803e286b",
"versionType": "git"
},
{
"status": "affected",
"version": "398ac11f4425d1e52aaf0d05d4fc90524e1a5b5e",
"versionType": "git"
},
{
"status": "affected",
"version": "e750f78c4ed7cefbcefb9769b3b9e08033db39da",
"versionType": "git"
},
{
"status": "affected",
"version": "6c4f243b58f5362e983386488b2d563764c567af",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/stackmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stackmap overflow check in __bpf_get_stackid()\n\nSyzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid()\nwhen copying stack trace data. The issue occurs when the perf trace\n contains more stack entries than the stack map bucket can hold,\n leading to an out-of-bounds write in the bucket\u0027s data array."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:33:06.859Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1f424a77b6bd27b361737ed73df49a0158f1590"
},
{
"url": "https://git.kernel.org/stable/c/2a008f6de163279deffd488c1deab081bce5667c"
},
{
"url": "https://git.kernel.org/stable/c/4669a8db976c8cbd5427fe9945f12c5fa5168ff3"
},
{
"url": "https://git.kernel.org/stable/c/23f852daa4bab4d579110e034e4d513f7d490846"
}
],
"title": "bpf: Fix stackmap overflow check in __bpf_get_stackid()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68378",
"datePublished": "2025-12-24T10:33:06.859Z",
"dateReserved": "2025-12-16T14:48:05.311Z",
"dateUpdated": "2025-12-24T10:33:06.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53999 (GCVE-0-2023-53999)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
net/mlx5e: TC, Fix internal port memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: TC, Fix internal port memory leak
The flow rule can be splited, and the extra post_act rules are added
to post_act table. It's possible to trigger memleak when the rule
forwards packets from internal port and over tunnel, in the case that,
for example, CT 'new' state offload is allowed. As int_port object is
assigned to the flow attribute of post_act rule, and its refcnt is
incremented by mlx5e_tc_int_port_get(), but mlx5e_tc_int_port_put() is
not called, the refcnt is never decremented, then int_port is never
freed.
The kmemleak reports the following error:
unreferenced object 0xffff888128204b80 (size 64):
comm "handler20", pid 50121, jiffies 4296973009 (age 642.932s)
hex dump (first 32 bytes):
01 00 00 00 19 00 00 00 03 f0 00 00 04 00 00 00 ................
98 77 67 41 81 88 ff ff 98 77 67 41 81 88 ff ff .wgA.....wgA....
backtrace:
[<00000000e992680d>] kmalloc_trace+0x27/0x120
[<000000009e945a98>] mlx5e_tc_int_port_get+0x3f3/0xe20 [mlx5_core]
[<0000000035a537f0>] mlx5e_tc_add_fdb_flow+0x473/0xcf0 [mlx5_core]
[<0000000070c2cec6>] __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]
[<000000005cc84048>] mlx5e_configure_flower+0xd40/0x4c40 [mlx5_core]
[<000000004f8a2031>] mlx5e_rep_indr_offload.isra.0+0x10e/0x1c0 [mlx5_core]
[<000000007df797dc>] mlx5e_rep_indr_setup_tc_cb+0x90/0x130 [mlx5_core]
[<0000000016c15cc3>] tc_setup_cb_add+0x1cf/0x410
[<00000000a63305b4>] fl_hw_replace_filter+0x38f/0x670 [cls_flower]
[<000000008bc9e77c>] fl_change+0x1fd5/0x4430 [cls_flower]
[<00000000e7f766e4>] tc_new_tfilter+0x867/0x2010
[<00000000e101c0ef>] rtnetlink_rcv_msg+0x6fc/0x9f0
[<00000000e1111d44>] netlink_rcv_skb+0x12c/0x360
[<0000000082dd6c8b>] netlink_unicast+0x438/0x710
[<00000000fc568f70>] netlink_sendmsg+0x794/0xc50
[<0000000016e92590>] sock_sendmsg+0xc5/0x190
So fix this by moving int_port cleanup code to the flow attribute
free helper, which is used by all the attribute free cases.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc1918bac0f30e3f551ef5649b53062917db55fa",
"status": "affected",
"version": "8300f225268be9ee2c0daf5a3f23929fcdcbf213",
"versionType": "git"
},
{
"lessThan": "ac5da544a3c2047cbfd715acd9cec8380d7fe5c6",
"status": "affected",
"version": "8300f225268be9ee2c0daf5a3f23929fcdcbf213",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: TC, Fix internal port memory leak\n\nThe flow rule can be splited, and the extra post_act rules are added\nto post_act table. It\u0027s possible to trigger memleak when the rule\nforwards packets from internal port and over tunnel, in the case that,\nfor example, CT \u0027new\u0027 state offload is allowed. As int_port object is\nassigned to the flow attribute of post_act rule, and its refcnt is\nincremented by mlx5e_tc_int_port_get(), but mlx5e_tc_int_port_put() is\nnot called, the refcnt is never decremented, then int_port is never\nfreed.\n\nThe kmemleak reports the following error:\nunreferenced object 0xffff888128204b80 (size 64):\n comm \"handler20\", pid 50121, jiffies 4296973009 (age 642.932s)\n hex dump (first 32 bytes):\n 01 00 00 00 19 00 00 00 03 f0 00 00 04 00 00 00 ................\n 98 77 67 41 81 88 ff ff 98 77 67 41 81 88 ff ff .wgA.....wgA....\n backtrace:\n [\u003c00000000e992680d\u003e] kmalloc_trace+0x27/0x120\n [\u003c000000009e945a98\u003e] mlx5e_tc_int_port_get+0x3f3/0xe20 [mlx5_core]\n [\u003c0000000035a537f0\u003e] mlx5e_tc_add_fdb_flow+0x473/0xcf0 [mlx5_core]\n [\u003c0000000070c2cec6\u003e] __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]\n [\u003c000000005cc84048\u003e] mlx5e_configure_flower+0xd40/0x4c40 [mlx5_core]\n [\u003c000000004f8a2031\u003e] mlx5e_rep_indr_offload.isra.0+0x10e/0x1c0 [mlx5_core]\n [\u003c000000007df797dc\u003e] mlx5e_rep_indr_setup_tc_cb+0x90/0x130 [mlx5_core]\n [\u003c0000000016c15cc3\u003e] tc_setup_cb_add+0x1cf/0x410\n [\u003c00000000a63305b4\u003e] fl_hw_replace_filter+0x38f/0x670 [cls_flower]\n [\u003c000000008bc9e77c\u003e] fl_change+0x1fd5/0x4430 [cls_flower]\n [\u003c00000000e7f766e4\u003e] tc_new_tfilter+0x867/0x2010\n [\u003c00000000e101c0ef\u003e] rtnetlink_rcv_msg+0x6fc/0x9f0\n [\u003c00000000e1111d44\u003e] netlink_rcv_skb+0x12c/0x360\n [\u003c0000000082dd6c8b\u003e] netlink_unicast+0x438/0x710\n [\u003c00000000fc568f70\u003e] netlink_sendmsg+0x794/0xc50\n [\u003c0000000016e92590\u003e] sock_sendmsg+0xc5/0x190\n\nSo fix this by moving int_port cleanup code to the flow attribute\nfree helper, which is used by all the attribute free cases."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:35.523Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc1918bac0f30e3f551ef5649b53062917db55fa"
},
{
"url": "https://git.kernel.org/stable/c/ac5da544a3c2047cbfd715acd9cec8380d7fe5c6"
}
],
"title": "net/mlx5e: TC, Fix internal port memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53999",
"datePublished": "2025-12-24T10:55:35.523Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2025-12-24T10:55:35.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68354 (GCVE-0-2025-68354)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:29
VLAI?
EPSS
Title
regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
regulator_supply_alias_list was accessed without any locking in
regulator_supply_alias(), regulator_register_supply_alias(), and
regulator_unregister_supply_alias(). Concurrent registration,
unregistration and lookups can race, leading to:
1 use-after-free if an alias entry is removed while being read,
2 duplicate entries when two threads register the same alias,
3 inconsistent alias mappings observed by consumers.
Protect all traversals, insertions and deletions on
regulator_supply_alias_list with the existing regulator_list_mutex.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a06ccd9c3785fa5550917ae036944f4e080b5749 , < a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61
(git)
Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 09811a83b214cc15521e0d818e43ae9043e9a28d (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < a9864d42ebcdd394ebb864643b961b36e7b515be (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 431a1d44ad4866362cc28fc1cc4ca93d84989239 (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "09811a83b214cc15521e0d818e43ae9043e9a28d",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "a9864d42ebcdd394ebb864643b961b36e7b515be",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "431a1d44ad4866362cc28fc1cc4ca93d84989239",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: Protect regulator_supply_alias_list with regulator_list_mutex\n\nregulator_supply_alias_list was accessed without any locking in\nregulator_supply_alias(), regulator_register_supply_alias(), and\nregulator_unregister_supply_alias(). Concurrent registration,\nunregistration and lookups can race, leading to:\n\n1 use-after-free if an alias entry is removed while being read,\n2 duplicate entries when two threads register the same alias,\n3 inconsistent alias mappings observed by consumers.\n\nProtect all traversals, insertions and deletions on\nregulator_supply_alias_list with the existing regulator_list_mutex."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:54.729Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61"
},
{
"url": "https://git.kernel.org/stable/c/09811a83b214cc15521e0d818e43ae9043e9a28d"
},
{
"url": "https://git.kernel.org/stable/c/a9864d42ebcdd394ebb864643b961b36e7b515be"
},
{
"url": "https://git.kernel.org/stable/c/431a1d44ad4866362cc28fc1cc4ca93d84989239"
},
{
"url": "https://git.kernel.org/stable/c/64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf"
},
{
"url": "https://git.kernel.org/stable/c/0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d"
}
],
"title": "regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68354",
"datePublished": "2025-12-24T10:32:44.840Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2026-01-11T16:29:54.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54000 (GCVE-0-2023-54000)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
net: hns3: fix deadlock issue when externel_lb and reset are executed together
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hns3: fix deadlock issue when externel_lb and reset are executed together
When externel_lb and reset are executed together, a deadlock may
occur:
[ 3147.217009] INFO: task kworker/u321:0:7 blocked for more than 120 seconds.
[ 3147.230483] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 3147.238999] task:kworker/u321:0 state:D stack: 0 pid: 7 ppid: 2 flags:0x00000008
[ 3147.248045] Workqueue: hclge hclge_service_task [hclge]
[ 3147.253957] Call trace:
[ 3147.257093] __switch_to+0x7c/0xbc
[ 3147.261183] __schedule+0x338/0x6f0
[ 3147.265357] schedule+0x50/0xe0
[ 3147.269185] schedule_preempt_disabled+0x18/0x24
[ 3147.274488] __mutex_lock.constprop.0+0x1d4/0x5dc
[ 3147.279880] __mutex_lock_slowpath+0x1c/0x30
[ 3147.284839] mutex_lock+0x50/0x60
[ 3147.288841] rtnl_lock+0x20/0x2c
[ 3147.292759] hclge_reset_prepare+0x68/0x90 [hclge]
[ 3147.298239] hclge_reset_subtask+0x88/0xe0 [hclge]
[ 3147.303718] hclge_reset_service_task+0x84/0x120 [hclge]
[ 3147.309718] hclge_service_task+0x2c/0x70 [hclge]
[ 3147.315109] process_one_work+0x1d0/0x490
[ 3147.319805] worker_thread+0x158/0x3d0
[ 3147.324240] kthread+0x108/0x13c
[ 3147.328154] ret_from_fork+0x10/0x18
In externel_lb process, the hns3 driver call napi_disable()
first, then the reset happen, then the restore process of the
externel_lb will fail, and will not call napi_enable(). When
doing externel_lb again, napi_disable() will be double call,
cause a deadlock of rtnl_lock().
This patch use the HNS3_NIC_STATE_DOWN state to protect the
calling of napi_disable() and napi_enable() in externel_lb
process, just as the usage in ndo_stop() and ndo_start().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
85fc1d802edf36123ae1bd0a13892bb3772c197f , < d9f609cb50ebab4aa6341112f406bf9d3928ac81
(git)
Affected: 04b6ba143521f4485b7f2c36c655b262a79dae97 , < 743f7c1762e098048ede8cdf8c89a118f8d12391 (git) Affected: 04b6ba143521f4485b7f2c36c655b262a79dae97 , < ef2d6bf9695669d31ece9f2ef39dec84874a87c7 (git) Affected: 04b6ba143521f4485b7f2c36c655b262a79dae97 , < ac6257a3ae5db5193b1f19c268e4f72d274ddb88 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3_enet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d9f609cb50ebab4aa6341112f406bf9d3928ac81",
"status": "affected",
"version": "85fc1d802edf36123ae1bd0a13892bb3772c197f",
"versionType": "git"
},
{
"lessThan": "743f7c1762e098048ede8cdf8c89a118f8d12391",
"status": "affected",
"version": "04b6ba143521f4485b7f2c36c655b262a79dae97",
"versionType": "git"
},
{
"lessThan": "ef2d6bf9695669d31ece9f2ef39dec84874a87c7",
"status": "affected",
"version": "04b6ba143521f4485b7f2c36c655b262a79dae97",
"versionType": "git"
},
{
"lessThan": "ac6257a3ae5db5193b1f19c268e4f72d274ddb88",
"status": "affected",
"version": "04b6ba143521f4485b7f2c36c655b262a79dae97",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3_enet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix deadlock issue when externel_lb and reset are executed together\n\nWhen externel_lb and reset are executed together, a deadlock may\noccur:\n[ 3147.217009] INFO: task kworker/u321:0:7 blocked for more than 120 seconds.\n[ 3147.230483] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 3147.238999] task:kworker/u321:0 state:D stack: 0 pid: 7 ppid: 2 flags:0x00000008\n[ 3147.248045] Workqueue: hclge hclge_service_task [hclge]\n[ 3147.253957] Call trace:\n[ 3147.257093] __switch_to+0x7c/0xbc\n[ 3147.261183] __schedule+0x338/0x6f0\n[ 3147.265357] schedule+0x50/0xe0\n[ 3147.269185] schedule_preempt_disabled+0x18/0x24\n[ 3147.274488] __mutex_lock.constprop.0+0x1d4/0x5dc\n[ 3147.279880] __mutex_lock_slowpath+0x1c/0x30\n[ 3147.284839] mutex_lock+0x50/0x60\n[ 3147.288841] rtnl_lock+0x20/0x2c\n[ 3147.292759] hclge_reset_prepare+0x68/0x90 [hclge]\n[ 3147.298239] hclge_reset_subtask+0x88/0xe0 [hclge]\n[ 3147.303718] hclge_reset_service_task+0x84/0x120 [hclge]\n[ 3147.309718] hclge_service_task+0x2c/0x70 [hclge]\n[ 3147.315109] process_one_work+0x1d0/0x490\n[ 3147.319805] worker_thread+0x158/0x3d0\n[ 3147.324240] kthread+0x108/0x13c\n[ 3147.328154] ret_from_fork+0x10/0x18\n\nIn externel_lb process, the hns3 driver call napi_disable()\nfirst, then the reset happen, then the restore process of the\nexternel_lb will fail, and will not call napi_enable(). When\ndoing externel_lb again, napi_disable() will be double call,\ncause a deadlock of rtnl_lock().\n\nThis patch use the HNS3_NIC_STATE_DOWN state to protect the\ncalling of napi_disable() and napi_enable() in externel_lb\nprocess, just as the usage in ndo_stop() and ndo_start()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:36.216Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d9f609cb50ebab4aa6341112f406bf9d3928ac81"
},
{
"url": "https://git.kernel.org/stable/c/743f7c1762e098048ede8cdf8c89a118f8d12391"
},
{
"url": "https://git.kernel.org/stable/c/ef2d6bf9695669d31ece9f2ef39dec84874a87c7"
},
{
"url": "https://git.kernel.org/stable/c/ac6257a3ae5db5193b1f19c268e4f72d274ddb88"
}
],
"title": "net: hns3: fix deadlock issue when externel_lb and reset are executed together",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54000",
"datePublished": "2025-12-24T10:55:36.216Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2025-12-24T10:55:36.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68733 (GCVE-0-2025-68733)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
smack: fix bug: unprivileged task can create labels
Summary
In the Linux kernel, the following vulnerability has been resolved:
smack: fix bug: unprivileged task can create labels
If an unprivileged task is allowed to relabel itself
(/smack/relabel-self is not empty),
it can freely create new labels by writing their
names into own /proc/PID/attr/smack/current
This occurs because do_setattr() imports
the provided label in advance,
before checking "relabel-self" list.
This change ensures that the "relabel-self" list
is checked before importing the label.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
38416e53936ecf896948fdeffc36b76979117952 , < 4a7a7621619a366712fb9cefcb6e69f956c247ce
(git)
Affected: 38416e53936ecf896948fdeffc36b76979117952 , < f8fd5491100f920847a3338d5fba22db19c72773 (git) Affected: 38416e53936ecf896948fdeffc36b76979117952 , < ac9fce2efabad37c338aac86fbe100f77a080e59 (git) Affected: 38416e53936ecf896948fdeffc36b76979117952 , < 64aa81250171b6bb6803e97ea7a5d73bfa061f6e (git) Affected: 38416e53936ecf896948fdeffc36b76979117952 , < 60e8d49989410a7ade60f5dadfcd979c117d05c0 (git) Affected: 38416e53936ecf896948fdeffc36b76979117952 , < c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/smack/smack_lsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4a7a7621619a366712fb9cefcb6e69f956c247ce",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "f8fd5491100f920847a3338d5fba22db19c72773",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "ac9fce2efabad37c338aac86fbe100f77a080e59",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "64aa81250171b6bb6803e97ea7a5d73bfa061f6e",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "60e8d49989410a7ade60f5dadfcd979c117d05c0",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/smack/smack_lsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmack: fix bug: unprivileged task can create labels\n\nIf an unprivileged task is allowed to relabel itself\n(/smack/relabel-self is not empty),\nit can freely create new labels by writing their\nnames into own /proc/PID/attr/smack/current\n\nThis occurs because do_setattr() imports\nthe provided label in advance,\nbefore checking \"relabel-self\" list.\n\nThis change ensures that the \"relabel-self\" list\nis checked before importing the label."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:17.106Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a7a7621619a366712fb9cefcb6e69f956c247ce"
},
{
"url": "https://git.kernel.org/stable/c/f8fd5491100f920847a3338d5fba22db19c72773"
},
{
"url": "https://git.kernel.org/stable/c/ac9fce2efabad37c338aac86fbe100f77a080e59"
},
{
"url": "https://git.kernel.org/stable/c/64aa81250171b6bb6803e97ea7a5d73bfa061f6e"
},
{
"url": "https://git.kernel.org/stable/c/60e8d49989410a7ade60f5dadfcd979c117d05c0"
},
{
"url": "https://git.kernel.org/stable/c/c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3"
}
],
"title": "smack: fix bug: unprivileged task can create labels",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68733",
"datePublished": "2025-12-24T10:33:15.347Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-01-11T16:30:17.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54003 (GCVE-0-2023-54003)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
RDMA/core: Fix GID entry ref leak when create_ah fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Fix GID entry ref leak when create_ah fails
If AH create request fails, release sgid_attr to avoid GID entry
referrence leak reported while releasing GID table
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1a1f460ff151710289c2f8d4badd8b603b87d610 , < 9c46c49ad3ffe84121715d392b5a0a94f9f10669
(git)
Affected: 1a1f460ff151710289c2f8d4badd8b603b87d610 , < d1b9b3191697a80aca8e247320eba46f24d41d18 (git) Affected: 1a1f460ff151710289c2f8d4badd8b603b87d610 , < e97ff11b396c320d2cc025b09741ba432fcb20a2 (git) Affected: 1a1f460ff151710289c2f8d4badd8b603b87d610 , < 370280c65c28a515b841c9f2c08524f06182510c (git) Affected: 1a1f460ff151710289c2f8d4badd8b603b87d610 , < 632d6baf8884d803e598bf5164008d23fd9b736c (git) Affected: 1a1f460ff151710289c2f8d4badd8b603b87d610 , < aca3b0fa3d04b40c96934d86cc224cccfa7ea8e0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9c46c49ad3ffe84121715d392b5a0a94f9f10669",
"status": "affected",
"version": "1a1f460ff151710289c2f8d4badd8b603b87d610",
"versionType": "git"
},
{
"lessThan": "d1b9b3191697a80aca8e247320eba46f24d41d18",
"status": "affected",
"version": "1a1f460ff151710289c2f8d4badd8b603b87d610",
"versionType": "git"
},
{
"lessThan": "e97ff11b396c320d2cc025b09741ba432fcb20a2",
"status": "affected",
"version": "1a1f460ff151710289c2f8d4badd8b603b87d610",
"versionType": "git"
},
{
"lessThan": "370280c65c28a515b841c9f2c08524f06182510c",
"status": "affected",
"version": "1a1f460ff151710289c2f8d4badd8b603b87d610",
"versionType": "git"
},
{
"lessThan": "632d6baf8884d803e598bf5164008d23fd9b736c",
"status": "affected",
"version": "1a1f460ff151710289c2f8d4badd8b603b87d610",
"versionType": "git"
},
{
"lessThan": "aca3b0fa3d04b40c96934d86cc224cccfa7ea8e0",
"status": "affected",
"version": "1a1f460ff151710289c2f8d4badd8b603b87d610",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.178",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.241",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.178",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.108",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.25",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.12",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix GID entry ref leak when create_ah fails\n\nIf AH create request fails, release sgid_attr to avoid GID entry\nreferrence leak reported while releasing GID table"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:38.425Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9c46c49ad3ffe84121715d392b5a0a94f9f10669"
},
{
"url": "https://git.kernel.org/stable/c/d1b9b3191697a80aca8e247320eba46f24d41d18"
},
{
"url": "https://git.kernel.org/stable/c/e97ff11b396c320d2cc025b09741ba432fcb20a2"
},
{
"url": "https://git.kernel.org/stable/c/370280c65c28a515b841c9f2c08524f06182510c"
},
{
"url": "https://git.kernel.org/stable/c/632d6baf8884d803e598bf5164008d23fd9b736c"
},
{
"url": "https://git.kernel.org/stable/c/aca3b0fa3d04b40c96934d86cc224cccfa7ea8e0"
}
],
"title": "RDMA/core: Fix GID entry ref leak when create_ah fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54003",
"datePublished": "2025-12-24T10:55:38.425Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2025-12-24T10:55:38.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54023 (GCVE-0-2023-54023)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
btrfs: fix race between balance and cancel/pause
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix race between balance and cancel/pause
Syzbot reported a panic that looks like this:
assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465
------------[ cut here ]------------
kernel BUG at fs/btrfs/messages.c:259!
RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259
Call Trace:
<TASK>
btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline]
btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline]
btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The reproducer is running a balance and a cancel or pause in parallel.
The way balance finishes is a bit wonky, if we were paused we need to
save the balance_ctl in the fs_info, but clear it otherwise and cleanup.
However we rely on the return values being specific errors, or having a
cancel request or no pause request. If balance completes and returns 0,
but we have a pause or cancel request we won't do the appropriate
cleanup, and then the next time we try to start a balance we'll trip
this ASSERT.
The error handling is just wrong here, we always want to clean up,
unless we got -ECANCELLED and we set the appropriate pause flag in the
exclusive op. With this patch the reproducer ran for an hour without
tripping, previously it would trip in less than a few minutes.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961 , < ddf7e8984c83aee9122552529f4e77291903f8d9
(git)
Affected: 837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961 , < 72efe5d44821e38540888a5fe3ff3d0faab6acad (git) Affected: 837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961 , < b19c98f237cd76981aaded52c258ce93f7daa8cb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/volumes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ddf7e8984c83aee9122552529f4e77291903f8d9",
"status": "affected",
"version": "837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961",
"versionType": "git"
},
{
"lessThan": "72efe5d44821e38540888a5fe3ff3d0faab6acad",
"status": "affected",
"version": "837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961",
"versionType": "git"
},
{
"lessThan": "b19c98f237cd76981aaded52c258ce93f7daa8cb",
"status": "affected",
"version": "837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/volumes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between balance and cancel/pause\n\nSyzbot reported a panic that looks like this:\n\n assertion failed: fs_info-\u003eexclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/messages.c:259!\n RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259\n Call Trace:\n \u003cTASK\u003e\n btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline]\n btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline]\n btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe reproducer is running a balance and a cancel or pause in parallel.\nThe way balance finishes is a bit wonky, if we were paused we need to\nsave the balance_ctl in the fs_info, but clear it otherwise and cleanup.\nHowever we rely on the return values being specific errors, or having a\ncancel request or no pause request. If balance completes and returns 0,\nbut we have a pause or cancel request we won\u0027t do the appropriate\ncleanup, and then the next time we try to start a balance we\u0027ll trip\nthis ASSERT.\n\nThe error handling is just wrong here, we always want to clean up,\nunless we got -ECANCELLED and we set the appropriate pause flag in the\nexclusive op. With this patch the reproducer ran for an hour without\ntripping, previously it would trip in less than a few minutes."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:33.132Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ddf7e8984c83aee9122552529f4e77291903f8d9"
},
{
"url": "https://git.kernel.org/stable/c/72efe5d44821e38540888a5fe3ff3d0faab6acad"
},
{
"url": "https://git.kernel.org/stable/c/b19c98f237cd76981aaded52c258ce93f7daa8cb"
}
],
"title": "btrfs: fix race between balance and cancel/pause",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54023",
"datePublished": "2025-12-24T10:55:52.835Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2026-01-05T10:33:33.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68344 (GCVE-0-2025-68344)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:29
VLAI?
EPSS
Title
ALSA: wavefront: Fix integer overflow in sample size validation
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: wavefront: Fix integer overflow in sample size validation
The wavefront_send_sample() function has an integer overflow issue
when validating sample size. The header->size field is u32 but gets
cast to int for comparison with dev->freemem
Fix by using unsigned comparison to avoid integer overflow.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4f811071e702fbb74933526e2fbadf8c4ed0c0c4
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 02b63f3bc29265bd9e83191792d200ed563acacf (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5588b7c86effffa9bb55383a38800649d7b40778 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bca11de0a277b8baeb7d006f93b543c907b6e782 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1823e08f76c68b9e1d26f6d5ef831b96f61a62a0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0c4a13ba88594fd4a27292853e736c6b4349823d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/isa/wavefront/wavefront_synth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4f811071e702fbb74933526e2fbadf8c4ed0c0c4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "02b63f3bc29265bd9e83191792d200ed563acacf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5588b7c86effffa9bb55383a38800649d7b40778",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bca11de0a277b8baeb7d006f93b543c907b6e782",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1823e08f76c68b9e1d26f6d5ef831b96f61a62a0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0c4a13ba88594fd4a27292853e736c6b4349823d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/isa/wavefront/wavefront_synth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: wavefront: Fix integer overflow in sample size validation\n\nThe wavefront_send_sample() function has an integer overflow issue\nwhen validating sample size. The header-\u003esize field is u32 but gets\ncast to int for comparison with dev-\u003efreemem\n\nFix by using unsigned comparison to avoid integer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:48.780Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4f811071e702fbb74933526e2fbadf8c4ed0c0c4"
},
{
"url": "https://git.kernel.org/stable/c/02b63f3bc29265bd9e83191792d200ed563acacf"
},
{
"url": "https://git.kernel.org/stable/c/5588b7c86effffa9bb55383a38800649d7b40778"
},
{
"url": "https://git.kernel.org/stable/c/bca11de0a277b8baeb7d006f93b543c907b6e782"
},
{
"url": "https://git.kernel.org/stable/c/1823e08f76c68b9e1d26f6d5ef831b96f61a62a0"
},
{
"url": "https://git.kernel.org/stable/c/0c4a13ba88594fd4a27292853e736c6b4349823d"
}
],
"title": "ALSA: wavefront: Fix integer overflow in sample size validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68344",
"datePublished": "2025-12-24T10:32:37.615Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-01-11T16:29:48.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54040 (GCVE-0-2023-54040)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
ice: fix wrong fallback logic for FDIR
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: fix wrong fallback logic for FDIR
When adding a FDIR filter, if ice_vc_fdir_set_irq_ctx returns failure,
the inserted fdir entry will not be removed and if ice_vc_fdir_write_fltr
returns failure, the fdir context info for irq handler will not be cleared
which may lead to inconsistent or memory leak issue. This patch refines
failure cases to resolve this issue.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1f7ea1cd6a3748427512ccc9582e18cd9efea966 , < 391d28c0e38c0e5b11a4240a2b4976cf63e87f45
(git)
Affected: 1f7ea1cd6a3748427512ccc9582e18cd9efea966 , < aad3b871efe26f36f45f8b4649653b5d3fd9c35e (git) Affected: 1f7ea1cd6a3748427512ccc9582e18cd9efea966 , < cbfed5f114b5310f221979fc8190f55c6abc3400 (git) Affected: 1f7ea1cd6a3748427512ccc9582e18cd9efea966 , < b4a01ace20f5c93c724abffc0a83ec84f514b98d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "391d28c0e38c0e5b11a4240a2b4976cf63e87f45",
"status": "affected",
"version": "1f7ea1cd6a3748427512ccc9582e18cd9efea966",
"versionType": "git"
},
{
"lessThan": "aad3b871efe26f36f45f8b4649653b5d3fd9c35e",
"status": "affected",
"version": "1f7ea1cd6a3748427512ccc9582e18cd9efea966",
"versionType": "git"
},
{
"lessThan": "cbfed5f114b5310f221979fc8190f55c6abc3400",
"status": "affected",
"version": "1f7ea1cd6a3748427512ccc9582e18cd9efea966",
"versionType": "git"
},
{
"lessThan": "b4a01ace20f5c93c724abffc0a83ec84f514b98d",
"status": "affected",
"version": "1f7ea1cd6a3748427512ccc9582e18cd9efea966",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix wrong fallback logic for FDIR\n\nWhen adding a FDIR filter, if ice_vc_fdir_set_irq_ctx returns failure,\nthe inserted fdir entry will not be removed and if ice_vc_fdir_write_fltr\nreturns failure, the fdir context info for irq handler will not be cleared\nwhich may lead to inconsistent or memory leak issue. This patch refines\nfailure cases to resolve this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:06.094Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/391d28c0e38c0e5b11a4240a2b4976cf63e87f45"
},
{
"url": "https://git.kernel.org/stable/c/aad3b871efe26f36f45f8b4649653b5d3fd9c35e"
},
{
"url": "https://git.kernel.org/stable/c/cbfed5f114b5310f221979fc8190f55c6abc3400"
},
{
"url": "https://git.kernel.org/stable/c/b4a01ace20f5c93c724abffc0a83ec84f514b98d"
}
],
"title": "ice: fix wrong fallback logic for FDIR",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54040",
"datePublished": "2025-12-24T10:56:06.094Z",
"dateReserved": "2025-12-24T10:53:46.181Z",
"dateUpdated": "2025-12-24T10:56:06.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68731 (GCVE-0-2025-68731)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2025-12-24 10:33
VLAI?
EPSS
Title
accel/amdxdna: Fix an integer overflow in aie2_query_ctx_status_array()
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/amdxdna: Fix an integer overflow in aie2_query_ctx_status_array()
The unpublished smatch static checker reported a warning.
drivers/accel/amdxdna/aie2_pci.c:904 aie2_query_ctx_status_array()
warn: potential user controlled sizeof overflow
'args->num_element * args->element_size' '1-u32max(user) * 1-u32max(user)'
Even this will not cause a real issue, it is better to put a reasonable
limitation for element_size and num_element. Add condition to make sure
the input element_size <= 4K and num_element <= 1K.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/amdxdna/aie2_pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "359653edd5374fbba28f93043554dcc494aee85f",
"status": "affected",
"version": "2f509fe6a42cda845890273fe759fb7ba9edad97",
"versionType": "git"
},
{
"lessThan": "9e16c8bf9aebf629344cfd4cd5e3dc7d8c3f7d82",
"status": "affected",
"version": "2f509fe6a42cda845890273fe759fb7ba9edad97",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/amdxdna/aie2_pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Fix an integer overflow in aie2_query_ctx_status_array()\n\nThe unpublished smatch static checker reported a warning.\n\ndrivers/accel/amdxdna/aie2_pci.c:904 aie2_query_ctx_status_array()\nwarn: potential user controlled sizeof overflow\n\u0027args-\u003enum_element * args-\u003eelement_size\u0027 \u00271-u32max(user) * 1-u32max(user)\u0027\n\nEven this will not cause a real issue, it is better to put a reasonable\nlimitation for element_size and num_element. Add condition to make sure\nthe input element_size \u003c= 4K and num_element \u003c= 1K."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:33:13.964Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/359653edd5374fbba28f93043554dcc494aee85f"
},
{
"url": "https://git.kernel.org/stable/c/9e16c8bf9aebf629344cfd4cd5e3dc7d8c3f7d82"
}
],
"title": "accel/amdxdna: Fix an integer overflow in aie2_query_ctx_status_array()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68731",
"datePublished": "2025-12-24T10:33:13.964Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2025-12-24T10:33:13.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54041 (GCVE-0-2023-54041)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
io_uring: fix memory leak when removing provided buffers
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix memory leak when removing provided buffers
When removing provided buffers, io_buffer structs are not being disposed
of, leading to a memory leak. They can't be freed individually, because
they are allocated in page-sized groups. They need to be added to some
free list instead, such as io_buffers_cache. All callers already hold
the lock protecting it, apart from when destroying buffers, so had to
extend the lock there.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cc3cec8367cba76a8ae4c271eba8450f3efc1ba3 , < ac48787f58d1068f4e06d627c1135784d64b4c72
(git)
Affected: cc3cec8367cba76a8ae4c271eba8450f3efc1ba3 , < c117c15927772d1624c29c092b6bd3f47c7faa48 (git) Affected: cc3cec8367cba76a8ae4c271eba8450f3efc1ba3 , < b4a72c0589fdea6259720375426179888969d6a2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/io_uring.c",
"io_uring/kbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac48787f58d1068f4e06d627c1135784d64b4c72",
"status": "affected",
"version": "cc3cec8367cba76a8ae4c271eba8450f3efc1ba3",
"versionType": "git"
},
{
"lessThan": "c117c15927772d1624c29c092b6bd3f47c7faa48",
"status": "affected",
"version": "cc3cec8367cba76a8ae4c271eba8450f3efc1ba3",
"versionType": "git"
},
{
"lessThan": "b4a72c0589fdea6259720375426179888969d6a2",
"status": "affected",
"version": "cc3cec8367cba76a8ae4c271eba8450f3efc1ba3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/io_uring.c",
"io_uring/kbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix memory leak when removing provided buffers\n\nWhen removing provided buffers, io_buffer structs are not being disposed\nof, leading to a memory leak. They can\u0027t be freed individually, because\nthey are allocated in page-sized groups. They need to be added to some\nfree list instead, such as io_buffers_cache. All callers already hold\nthe lock protecting it, apart from when destroying buffers, so had to\nextend the lock there."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:06.858Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac48787f58d1068f4e06d627c1135784d64b4c72"
},
{
"url": "https://git.kernel.org/stable/c/c117c15927772d1624c29c092b6bd3f47c7faa48"
},
{
"url": "https://git.kernel.org/stable/c/b4a72c0589fdea6259720375426179888969d6a2"
}
],
"title": "io_uring: fix memory leak when removing provided buffers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54041",
"datePublished": "2025-12-24T10:56:06.858Z",
"dateReserved": "2025-12-24T10:53:46.181Z",
"dateUpdated": "2025-12-24T10:56:06.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54027 (GCVE-0-2023-54027)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
iio: core: Prevent invalid memory access when there is no parent
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: core: Prevent invalid memory access when there is no parent
Commit 813665564b3d ("iio: core: Convert to use firmware node handle
instead of OF node") switched the kind of nodes to use for label
retrieval in device registration. Probably an unwanted change in that
commit was that if the device has no parent then NULL pointer is
accessed. This is what happens in the stock IIO dummy driver when a
new entry is created in configfs:
# mkdir /sys/kernel/config/iio/devices/dummy/foo
BUG: kernel NULL pointer dereference, address: ...
...
Call Trace:
__iio_device_register
iio_dummy_probe
Since there seems to be no reason to make a parent device of an IIO
dummy device mandatory, let’s prevent the invalid memory access in
__iio_device_register when the parent device is NULL. With this
change, the IIO dummy driver works fine with configfs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
813665564b3d7c74412fe2877520f1d254ce948a , < 312f04ede209f0a186799fe8e64a19b49700d5dc
(git)
Affected: 813665564b3d7c74412fe2877520f1d254ce948a , < a4b34cccff14ce74bb7d77fbfd56e7c9d7c28a97 (git) Affected: 813665564b3d7c74412fe2877520f1d254ce948a , < b2a69969908fcaf68596dfc04369af0fe2e1d2f7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/industrialio-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "312f04ede209f0a186799fe8e64a19b49700d5dc",
"status": "affected",
"version": "813665564b3d7c74412fe2877520f1d254ce948a",
"versionType": "git"
},
{
"lessThan": "a4b34cccff14ce74bb7d77fbfd56e7c9d7c28a97",
"status": "affected",
"version": "813665564b3d7c74412fe2877520f1d254ce948a",
"versionType": "git"
},
{
"lessThan": "b2a69969908fcaf68596dfc04369af0fe2e1d2f7",
"status": "affected",
"version": "813665564b3d7c74412fe2877520f1d254ce948a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/industrialio-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: core: Prevent invalid memory access when there is no parent\n\nCommit 813665564b3d (\"iio: core: Convert to use firmware node handle\ninstead of OF node\") switched the kind of nodes to use for label\nretrieval in device registration. Probably an unwanted change in that\ncommit was that if the device has no parent then NULL pointer is\naccessed. This is what happens in the stock IIO dummy driver when a\nnew entry is created in configfs:\n\n # mkdir /sys/kernel/config/iio/devices/dummy/foo\n BUG: kernel NULL pointer dereference, address: ...\n ...\n Call Trace:\n __iio_device_register\n iio_dummy_probe\n\nSince there seems to be no reason to make a parent device of an IIO\ndummy device mandatory, let\u2019s prevent the invalid memory access in\n__iio_device_register when the parent device is NULL. With this\nchange, the IIO dummy driver works fine with configfs."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:55.890Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/312f04ede209f0a186799fe8e64a19b49700d5dc"
},
{
"url": "https://git.kernel.org/stable/c/a4b34cccff14ce74bb7d77fbfd56e7c9d7c28a97"
},
{
"url": "https://git.kernel.org/stable/c/b2a69969908fcaf68596dfc04369af0fe2e1d2f7"
}
],
"title": "iio: core: Prevent invalid memory access when there is no parent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54027",
"datePublished": "2025-12-24T10:55:55.890Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:55:55.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54011 (GCVE-0-2023-54011)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
scsi: mpi3mr: Fix an issue found by KASAN
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpi3mr: Fix an issue found by KASAN
Write only correct size (32 instead of 64 bytes).
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
42fc9fee116fc6a225a1f738adf86689d5c39d49 , < abfe73c16b295f2213e9bfc0a1df232056032448
(git)
Affected: 42fc9fee116fc6a225a1f738adf86689d5c39d49 , < c8755f913a2fc9c168d108ea8c5af04716e8c4a5 (git) Affected: 42fc9fee116fc6a225a1f738adf86689d5c39d49 , < ae7d45f5283d30274039b95d3e6d53d33c66e991 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpi3mr/mpi3mr_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "abfe73c16b295f2213e9bfc0a1df232056032448",
"status": "affected",
"version": "42fc9fee116fc6a225a1f738adf86689d5c39d49",
"versionType": "git"
},
{
"lessThan": "c8755f913a2fc9c168d108ea8c5af04716e8c4a5",
"status": "affected",
"version": "42fc9fee116fc6a225a1f738adf86689d5c39d49",
"versionType": "git"
},
{
"lessThan": "ae7d45f5283d30274039b95d3e6d53d33c66e991",
"status": "affected",
"version": "42fc9fee116fc6a225a1f738adf86689d5c39d49",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpi3mr/mpi3mr_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix an issue found by KASAN\n\nWrite only correct size (32 instead of 64 bytes)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:44.063Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/abfe73c16b295f2213e9bfc0a1df232056032448"
},
{
"url": "https://git.kernel.org/stable/c/c8755f913a2fc9c168d108ea8c5af04716e8c4a5"
},
{
"url": "https://git.kernel.org/stable/c/ae7d45f5283d30274039b95d3e6d53d33c66e991"
}
],
"title": "scsi: mpi3mr: Fix an issue found by KASAN",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54011",
"datePublished": "2025-12-24T10:55:44.063Z",
"dateReserved": "2025-12-24T10:53:46.178Z",
"dateUpdated": "2025-12-24T10:55:44.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54035 (GCVE-0-2023-54035)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
netfilter: nf_tables: fix underflow in chain reference counter
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix underflow in chain reference counter
Set element addition error path decrements reference counter on chains
twice: once on element release and again via nft_data_release().
Then, d6b478666ffa ("netfilter: nf_tables: fix underflow in object
reference counter") incorrectly fixed this by removing the stateful
object reference count decrement.
Restore the stateful object decrement as in b91d90368837 ("netfilter:
nf_tables: fix leaking object reference count") and let
nft_data_release() decrement the chain reference counter, so this is
done only once.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
35651fde1a7bb54dde0a46d35cd0d7136869ae86 , < b068314fd8ce751a7f906e55bb90f3551815f1a0
(git)
Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < 9c959671abc7d4ffdf34eed10c64492d43cb6a3c (git) Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < b389139f12f287b8ed2e2628b72df89a081f0b59 (git) Affected: bc9f791d2593f17e39f87c6e2b3a36549a3705b1 (git) Affected: 3c7ec098e3b588434a8b07ea9b5b36f04cef1f50 (git) Affected: a136b7942ad2a50de708f76ea299ccb45ac7a7f9 (git) Affected: 25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8 (git) Affected: d60be2da67d172aecf866302c91ea11533eca4d9 (git) Affected: dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b068314fd8ce751a7f906e55bb90f3551815f1a0",
"status": "affected",
"version": "35651fde1a7bb54dde0a46d35cd0d7136869ae86",
"versionType": "git"
},
{
"lessThan": "9c959671abc7d4ffdf34eed10c64492d43cb6a3c",
"status": "affected",
"version": "628bd3e49cba1c066228e23d71a852c23e26da73",
"versionType": "git"
},
{
"lessThan": "b389139f12f287b8ed2e2628b72df89a081f0b59",
"status": "affected",
"version": "628bd3e49cba1c066228e23d71a852c23e26da73",
"versionType": "git"
},
{
"status": "affected",
"version": "bc9f791d2593f17e39f87c6e2b3a36549a3705b1",
"versionType": "git"
},
{
"status": "affected",
"version": "3c7ec098e3b588434a8b07ea9b5b36f04cef1f50",
"versionType": "git"
},
{
"status": "affected",
"version": "a136b7942ad2a50de708f76ea299ccb45ac7a7f9",
"versionType": "git"
},
{
"status": "affected",
"version": "25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8",
"versionType": "git"
},
{
"status": "affected",
"version": "d60be2da67d172aecf866302c91ea11533eca4d9",
"versionType": "git"
},
{
"status": "affected",
"version": "dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix underflow in chain reference counter\n\nSet element addition error path decrements reference counter on chains\ntwice: once on element release and again via nft_data_release().\n\nThen, d6b478666ffa (\"netfilter: nf_tables: fix underflow in object\nreference counter\") incorrectly fixed this by removing the stateful\nobject reference count decrement.\n\nRestore the stateful object decrement as in b91d90368837 (\"netfilter:\nnf_tables: fix leaking object reference count\") and let\nnft_data_release() decrement the chain reference counter, so this is\ndone only once."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:02.358Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b068314fd8ce751a7f906e55bb90f3551815f1a0"
},
{
"url": "https://git.kernel.org/stable/c/9c959671abc7d4ffdf34eed10c64492d43cb6a3c"
},
{
"url": "https://git.kernel.org/stable/c/b389139f12f287b8ed2e2628b72df89a081f0b59"
}
],
"title": "netfilter: nf_tables: fix underflow in chain reference counter",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54035",
"datePublished": "2025-12-24T10:56:02.358Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:56:02.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54016 (GCVE-0-2023-54016)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
wifi: ath12k: Fix memory leak in rx_desc and tx_desc
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Fix memory leak in rx_desc and tx_desc
Currently when ath12k_dp_cc_desc_init() is called we allocate
memory to rx_descs and tx_descs. In ath12k_dp_cc_cleanup(), during
descriptor cleanup rx_descs and tx_descs memory is not freed.
This is cause of memory leak. These allocated memory should be
freed in ath12k_dp_cc_cleanup.
In ath12k_dp_cc_desc_init(), we can save base address of rx_descs
and tx_descs. In ath12k_dp_cc_cleanup(), we can free rx_descs and
tx_descs memory using their base address.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp.c",
"drivers/net/wireless/ath/ath12k/dp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e16be2d34883eecfe7fd888fcdb76c7a5db5d187",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "afb522b36e76acaa9f8fc06d0a9742d841c47c16",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp.c",
"drivers/net/wireless/ath/ath12k/dp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix memory leak in rx_desc and tx_desc\n\nCurrently when ath12k_dp_cc_desc_init() is called we allocate\nmemory to rx_descs and tx_descs. In ath12k_dp_cc_cleanup(), during\ndescriptor cleanup rx_descs and tx_descs memory is not freed.\n\nThis is cause of memory leak. These allocated memory should be\nfreed in ath12k_dp_cc_cleanup.\n\nIn ath12k_dp_cc_desc_init(), we can save base address of rx_descs\nand tx_descs. In ath12k_dp_cc_cleanup(), we can free rx_descs and\ntx_descs memory using their base address.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:28.474Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e16be2d34883eecfe7fd888fcdb76c7a5db5d187"
},
{
"url": "https://git.kernel.org/stable/c/afb522b36e76acaa9f8fc06d0a9742d841c47c16"
}
],
"title": "wifi: ath12k: Fix memory leak in rx_desc and tx_desc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54016",
"datePublished": "2025-12-24T10:55:47.691Z",
"dateReserved": "2025-12-24T10:53:46.178Z",
"dateUpdated": "2026-01-05T10:33:28.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…